Abstraction of transaction origin and signature.md #208
Conversation
Implements a set of changes that serve the combined purpose of "abstracting out" signature verification and nonce checking, allowing users to create "account contracts" that perform any desired signature/nonce checks instead of using the mechanism that is currently hard-coded into transaction processing.
|
Can we make the title more descriptive? How about something like "Abstraction of transaction origin and signature" |
|
I see a change about nonce increment in https://github.com/ethcore/parity/pull/4697 (line: https://github.com/ethcore/parity/blob/027b0446efa48622ce166a561dd274332dac96a0/ethcore/src/executive.rs#L178 ) but not in this PR. |
|
@yann300 is also working on this. |
EIPS/abstraction.md
Outdated
| If `block.number >= METROPOLIS_FORK_BLKNUM`, then: | ||
| 1. If the signature of a transaction is `(CHAIN_ID, 0, 0)` (ie. `r = s = 0`, `v = CHAIN_ID`), then treat it as valid and set the sender address to `NULL_SENDER` | ||
| 2. Set the address of any contract created through a creation transaction to equal `sha3(NULL_SENDER + sha3(init code)) % 2**160`, where `+` represents concatenation, replacing the earlier address formula of `sha3(rlp.encode([sender, nonce]))` | ||
| 3. Create a new opcode at `0xfb`, `CREATE_P2SH`, which sets the creation address to `sha3(sender + sha3(init code)) % 2**160`. If a contract at that address already exists, fails and returns 0 as if the init code had run out of gas. |
There was a problem hiding this comment.
Does the last sentence ("If a contract at that address already exists,...") apply to CREATE opcode and creation by external accounts?
Yes, absolutely. We'll also have to make it work with the dust protection EIP. |
EIPS/abstraction.md
Outdated
| ### Specification | ||
|
|
||
| If `block.number >= METROPOLIS_FORK_BLKNUM`, then: | ||
| 1. If the signature of a transaction is `(CHAIN_ID, 0, 0)` (ie. `r = s = 0`, `v = CHAIN_ID`), then treat it as valid and set the sender address to `NULL_SENDER` |
There was a problem hiding this comment.
Was v = CHAIN_ID really the intention here?
Currently according to #155 v = CHAIN_ID * 2 + 35 or v = CHAIN_ID * 2 + 36
(implemented only as v = CHAIN_ID * 2 + 35 in cpp-ethereum)
So do we really need additional v rule for zero signature instead of following EIP155 here, too?
There was a problem hiding this comment.
There are two ways in which v is set in EIP 155. The first is the v value which appears in the actual transaction. This is set according to that formula. The second is the value which is put into the v slot when computing the hash. This is set to equal the CHAIN_ID, just as here.
There was a problem hiding this comment.
So v here in this EIP refers not to the actual value in Tx RLP, but to the one extracted from it using EIP155 formula, right?
There was a problem hiding this comment.
Aah! I see what you mean, sorry I take back my previous comment. I would still prefer v in the transaction being equal to the chain ID, as that's the easiest thing to do. There is no need to set the v value to 35 + chain_id * 2 here.
|
Some questions about zero-sig transaction: what should be the standart transaction fields (gas, gasPrice, nonce) encoded in RLP? |
EIPS/abstraction.md
Outdated
| ### Specification | ||
|
|
||
| If `block.number >= METROPOLIS_FORK_BLKNUM`, then: | ||
| 1. If the signature of a transaction is `(CHAIN_ID, 0, 0)` (ie. `r = s = 0`, `v = CHAIN_ID`), then treat it as valid and set the sender address to `NULL_SENDER` |
There was a problem hiding this comment.
This is not formatted correctly.
There was a problem hiding this comment.
How? I'm not seeing anything wrongly formatted https://github.com/ethereum/EIPs/blob/4120d2180a1cf62151066d9fb16742867315d649/EIPS/abstraction.md#specification
EIPS/abstraction.md
Outdated
|
|
||
| If `block.number >= METROPOLIS_FORK_BLKNUM`, then: | ||
| 1. If the signature of a transaction is `(CHAIN_ID, 0, 0)` (ie. `r = s = 0`, `v = CHAIN_ID`), then treat it as valid and set the sender address to `NULL_SENDER` | ||
| 2. Set the address of any contract created through a creation transaction to equal `sha3(NULL_SENDER + sha3(init code)) % 2**160`, where `+` represents concatenation, replacing the earlier address formula of `sha3(rlp.encode([sender, nonce]))` |
There was a problem hiding this comment.
I assume this only applies to transactions with r = s = 0. Is that correct? So we have:
If such a transaction has a to value of zero (i.e is a creation transaction), set the address of the created contract to sha3(NULL_SENDER + sha3(txdata)) % 2**160, .... If an account at that address already exists (TODO correctly specify existence), the transaction is considered invalid.
There was a problem hiding this comment.
- I understood that this applies to all contract creations.
- I think we should keep allowing creating contracts on existing accounts (e.g. with positive balance).
|
Do we want to lower the gas costs for such transactions (i.e. the transaction itself) since ecrecover does not have to be called to check the signature. |
|
So there are two paths to resolving this:
EIP 86 transactions can create new contracts if the "to" field is empty. This looks ugly in either case, as we have useless vestigial fields that hang around like an appendix, but IMO we should make a future HF which modifies TX formats more substantially and makes them more logical, for example including a proper field for the network ID and the transaction version number, and past the HF making old-style transactions no longer valid. IMO we have to do this eventually, as if we do not, then every time we make new tx formats or change tx formats we incur more and more technical debt. If we really feel daring, I can make an EIP for doing this now, so we can just not do EIP 86 at all. |
|
@winsvega miners can, for example, whitelist contracts that pay the current miner (by calling |
|
if it has gasprice of 0 and can create contracts would not it mean that such transaction could spam contracts? lets define YP rules for zero sig transactions so we could define the concrete tests for that |
|
It is not the gas price that limits the spam, it is the block gas limit. |
|
So anyone will be able to create contracts for free? |
|
@winsvega That's already the case before this EIP if you mine a block that includes your transactions with gas price being zero. |
|
right. but miniers would most likely refuse such transactions. |
|
@winsvega it is the same thing. If the zero-sig transaction does not send money to the miner, miners will likely refuse to include it. |
|
I am confused. so the gasPrice needs to be > 0 ? |
|
zero-sig transactions send money to the miner as part of their execution and not as part of the surrounding framework, so gas price should be zero. |
|
@winsvega When a miner is constructing a block, the miner can freely exclude transactions. One strategy is doing nothing special about EIP86 transactions (then For somebody sending an EIP86 transaction, it does not make much sense to set When this kind of coordination takes place between the transaction senders and the miners, we will see EIP86 transactions in blocks. This coordination between the senders and the miners is not part of the protocol. Even local agreements can exist. |
|
so the actual payment for the transaction will be done by a contract that decode data of the zero sig transaction, is that right? we still have the nonce problem that Andrei mentioned if we do not implement nonce = 0 rule. or like we already did we could just drop nonce checking for zero sig transactions. what I mean by YP rules is that we have to define for zero sig transaction
|
|
1 and 2: I think Vitalik's two options both work (but the first option with never-increasing nonce) 3 Disallowing the value transfer would enable an undesired course of events. The null sender receives some large amount by accident, but nobody can send it anywhere, so everyone starts using the null sender's wealth to pay for gas. That's undesired. I prefer allowing value transfer from the null sender because the null sender's wealth will be there only for a short period. I think the point of this EIP is to specify less and less in the protocol and let the transaction senders and the miners decide. |
|
Here's my EIP for fully "cleaning house" and making new tx types. It's much more work, but in the long run IMO something like this will be necessary. |
|
What if the transaction goes OOG or uses EDIT: |
EIPS/abstraction.md
Outdated
| prev_nonce = ~sload(-1) | ||
| assert tx_nonce == prev_nonce + 1 | ||
| assert self.balance >= tx_value + tx_gasprice * tx.startgas | ||
| assert ~ecrecover(signing_hash, sig_v, sig_r, sig_s) == <pubkey hash here> |
There was a problem hiding this comment.
Should we also abstract the pubkey verification? It could even be abstracted internally, by having a number of precompile contracts where you can call one with an opcode sigVerify. The opcode could even have a default option (where you can call it without any argument). However, I guess that there is not as much benefit to abstract the signature verification algorithm compared to abstracting the signature generation algorithm.
|
Should we include EIP 86 in the title? |
|
Discussion of account abstraction proposals has continued here https://ethresear.ch/t/tradeoffs-in-account-abstraction-proposals/263 |
|
This EIP is mentioned as an example EIP in EIP-1. Can we merge it as a draft? @vbuterin, can you add the copyright assignment clause, please? |
Rename abstraction.md to eip-86.md, add copyright clause, fix header.
|
This is a courtesy notice to let you know that the format for EIPs has been modified slightly. If you want your draft merged, you will need to make some small changes to how your EIP is formatted:
If your PR is editing an existing EIP rather than creating a new one, this has already been done for you, and you need only rebase your PR. In addition, a continuous build has been setup, which will check your PR against the rules for EIP formatting automatically once you update your PR. This build ensures all required headers are present, as well as performing a number of other checks. Please rebase your PR against the latest master, and edit your PR to use the above format for frontmatter. For convenience, here's a sample header you can copy and adapt: |
* Create abstraction.md Implements a set of changes that serve the combined purpose of "abstracting out" signature verification and nonce checking, allowing users to create "account contracts" that perform any desired signature/nonce checks instead of using the mechanism that is currently hard-coded into transaction processing. * Update abstraction.md * Update abstraction.md * Update abstraction.md * Update abstraction.md * Update abstraction.md * Update abstraction.md * Update abstraction.md * Rename abstraction.md to eip-86.md, add copyright clause, fix header.
|
Implements a set of changes that serve the combined purpose of "abstracting out" signature verification and nonce checking, allowing users to create "account contracts" that perform any desired signature/nonce checks instead of using the mechanism that is currently hard-coded into transaction processing.