Enforcing Low S Values to Eliminate a Bitcoin Network Attack

Some Signatures Are No Longer Accepted with BlockCypher’s Transaction API; Read On For More Detail

*Nope, this is not a curve of bitcoin adoption, it’s the curve bitcoin adopted*

It’s been said that Bitcoin is the largest bug bounty program in the world; people short-selling bitcoin can profit from finding breaks in the code, while people who hold bitcoin can profit from fixing them. The inherent incentives have resulted in an antifragile, aggressively evolving, yet permissionless financial system.

Recently, one such user decided to “break” Bitcoin, but only succeeded in causing a rather annoying DDoS, taking advantage of transaction malleability to spam the network. Transaction malleability is a known issue, which BlockCypher has been following closely (and we’re especially hopeful for full BIP62 implementation soon).

The Bitcoin Core developers acted swiftly in light of the attack, releasing a non-consensus-breaking bugfix that — by default — only relays “Low S Value”-signed transactions throughout the network. Miners can still accept higher S Value-signed transactions, but they will be harder to propagate around the network; most nodes stick to the default behavior.

It would take a long (but fascinating!) cryptology lesson to go into detail about S Values, what part they play in ECDSA cryptography, and why this eliminates a major DDoS opportunity, but in summary: this change prevents a malleability vector, which prevents spam in the network, which makes everyone happier (except perhaps the spammer).

We are following the core developers’ lead, and even going a little bit further by rejecting transactions in the API that do not contain Low S Value-signatures. If you’re using our local signer, or any up-to-date bitcoin signing library, this change will likely not affect you. If we detect a higher S value signature when you attempt to send or push a transaction via our API, we will return an error and not propagate the transaction. If you’re using an older crypto library and receive this error, you can follow the BIP62 pseudocode to fix your signatures.

This may break some implementations, but we know it’s the right path forward for the good of the network. Your move, spammer.