diff options
author | Daniel Robinson <danrobinson010@gmail.com> | 2018-01-15 22:39:05 +0000 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2018-01-15 22:39:18 +0000 |
commit | 2a4b0356bf43b3f0e474ea208850749cf92d99e4 (patch) | |
tree | a715ef118c88b697f0c83b67e9c708c12340a93b | |
parent | f79dfb0f0aaaf7e9c89b954fc8ac71e087845721 (diff) | |
download | pi-bitcoindev-2a4b0356bf43b3f0e474ea208850749cf92d99e4.tar.gz pi-bitcoindev-2a4b0356bf43b3f0e474ea208850749cf92d99e4.zip |
Re: [bitcoin-dev] Ivy: a higher-level language targeting Bitcoin Script
-rw-r--r-- | 45/9009171050a5191b6ad29d80a07bc5ed5311df | 207 |
1 files changed, 207 insertions, 0 deletions
diff --git a/45/9009171050a5191b6ad29d80a07bc5ed5311df b/45/9009171050a5191b6ad29d80a07bc5ed5311df new file mode 100644 index 000000000..3cbc21c84 --- /dev/null +++ b/45/9009171050a5191b6ad29d80a07bc5ed5311df @@ -0,0 +1,207 @@ +Return-Path: <danrobinson010@gmail.com> +Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org + [172.17.192.35]) + by mail.linuxfoundation.org (Postfix) with ESMTPS id A7138E8E + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 15 Jan 2018 22:39:18 +0000 (UTC) +X-Greylist: whitelisted by SQLgrey-1.7.6 +Received: from mail-ua0-f179.google.com (mail-ua0-f179.google.com + [209.85.217.179]) + by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D729B5AA + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 15 Jan 2018 22:39:17 +0000 (UTC) +Received: by mail-ua0-f179.google.com with SMTP id j23so4153596uak.13 + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 15 Jan 2018 14:39:17 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=mime-version:references:in-reply-to:from:date:message-id:subject:to + :cc; bh=unPV/fbsGqPnav6uRlaVgTxWt9zSGrW2H/vXGEQR3WM=; + b=ElAdagI93TQu5ZHw52PzAU1evYOm7nQ/SGcFbSOWMF9PO2wNIdeqPnrvXw4jzww3DV + HUuUYyQdtWcOq5AUk5AVWkrKSKqmS4NPmC27uIShNJcmo5ZtNpHXKPJxfjgGs0wJZsWP + oRtq6cIqC22YhHKI1/4dzvjp+VQeTDJkwIhNat5v26o8f9QV2+XK+butNYpxtedDZD+t + PFKkD23JC89CMzTNKTkdQwiusfbkif6Pnw0Mzfdi+VsjACeXqfPYQnlDJ0GaSyuAAm/s + PCzVOYvgbLhrFhx+NGaefWqhtNGRK2AuCt376z2nfMrkV0HC86n5d/Dzfm8Yi9XkL8Ev + U+Zg== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:mime-version:references:in-reply-to:from:date + :message-id:subject:to:cc; + bh=unPV/fbsGqPnav6uRlaVgTxWt9zSGrW2H/vXGEQR3WM=; + b=GTsm/m5BVdn4nUokl4tl7jrmgQKufjoi+SknhzX/6lfkYCMQr3/UMVn8fO5/49eION + y39Vo/bA+d1wHr5sepISIfn+o5L49lOxKXx7HF1B8BgtGM6qeMjXMC88TpIvtBHleL9F + iONeOOI74HwwzGYPiHCLTj6FdxrTtpaXvhgV0dc5nZZf3UXstIE/ZWwFxn3/QyxD5gAr + pGKTSsD4bivSe1vWPlEckcf79a4FTUD5Yb7Cs3mWjmkM5e2vMQE9NHPlwjLOKYJTnAAz + 4Br8rl6wjV9ipStAvNkKAscZa5QV5OBXIxezWFS0EkwRWSOJNPLXRm2skvR0fKCVxbFO + z9Hw== +X-Gm-Message-State: AKwxyteJ447KdC9tDd9I4Iu47Oq55iWXnqDZQFUpyPpkKWEuQnL5T9Sh + fokTDXyeKd11YofA+BmjEuolaqYBK51pqF2sV2l/8Q== +X-Google-Smtp-Source: ACJfBotum2rhoDAizptWpfNkQ+n8828Ty7sBHFfWl5zManVhaeT/L1hdnA/+YUZCJuhlyOJ6PwgFBdcTrRvl8QLaUIs= +X-Received: by 10.176.19.107 with SMTP id h40mr33845189uae.173.1516055956771; + Mon, 15 Jan 2018 14:39:16 -0800 (PST) +MIME-Version: 1.0 +References: <CAD438HvzYAMVTU8A0OiNnj2nvYgMApdS8NNfzE86Ae_OsTfuaA@mail.gmail.com> + <1CCF3C59-64DB-462F-AC62-AEA77FA01571@mattcorallo.com> +In-Reply-To: <1CCF3C59-64DB-462F-AC62-AEA77FA01571@mattcorallo.com> +From: Daniel Robinson <danrobinson010@gmail.com> +Date: Mon, 15 Jan 2018 22:39:05 +0000 +Message-ID: <CAD438Ht8x5-v8NsC7O=D7Oo5EZ56q5E3LKuVt033as-8iqtd=Q@mail.gmail.com> +To: Matt Corallo <lf-lists@mattcorallo.com> +Content-Type: multipart/alternative; boundary="001a11495608c3591e0562d848af" +X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, + DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, + HTML_MESSAGE,RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + smtp1.linux-foundation.org +X-Mailman-Approved-At: Mon, 15 Jan 2018 22:42:12 +0000 +Cc: Daniel Robinson via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> +Subject: Re: [bitcoin-dev] Ivy: a higher-level language targeting Bitcoin + Script +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Mon, 15 Jan 2018 22:39:18 -0000 + +--001a11495608c3591e0562d848af +Content-Type: text/plain; charset="UTF-8" +Content-Transfer-Encoding: quoted-printable + +Hi Matt, + +Thanks for raising this. Since the compiler only produces SegWit addresses, +I hadn't worried at all about malleability, but as you pointed out +out-of-band, malleability in the length of an argument can allow an +attacker to deflate the feerate of a transaction. + +There was in fact a minor witness malleability problem with how the +compiler was handling clause selection. It's now been fixed in version +0.0.7 of the compiler. + +As far as I can tell (and I haven't looked all that carefully), any +sensible Ivy contract won't have any witness malleability problem. (A funny +exception is the RevealCollision contract, since you can length-extend the +arguments to get another collision. But without a signature check, that one +has a more serious transaction malleability problem anyway.) But the +compiler currently doesn't prevent you from doing dumb unconstrained stuff +like: + +``` +clause spend(a: Bytes, b: Bytes, sig: Signature) { + verify a =3D=3D b + verify checkSig(publicKey, sig) + unlock val +} +``` + +Maybe it should, particularly since there's no reason to include a trivial +condition like that anyway. But I think it would probably be about as easy +(and more generally useful) to build a static analyzer that solved this +problem for low-level Bitcoin Script. + +On Sun, Jan 14, 2018 at 5:42 PM Matt Corallo <lf-lists@mattcorallo.com> +wrote: + +> I'm curious if you've considered adding some form of compiler-time +> enforcement to prevent witness malleability? With that, Ivy could help to +> resolve for it's users one of the things that can make Bitcoin scripts mo= +re +> complicated to write, instead of simply type-checking and providing a +> high-level language mapped 1-to-1 with Bitcoin script. +> +> +> On December 18, 2017 8:32:17 PM UTC, Daniel Robinson via bitcoin-dev < +> bitcoin-dev@lists.linuxfoundation.org> wrote: +>> +>> Today, we=E2=80=99re releasing Ivy, a prototype higher-level language an= +d +>> development environment for creating custom Bitcoin Script programs. You +>> can see the full announcement here +>> <https://blog.chain.com/ivy-for-bitcoin-a-smart-contract-language-that-c= +ompiles-to-bitcoin-script-bec06377141a>, +>> or check out the docs <https://docs.ivy-lang.org/bitcoin/> and source +>> code <https://github.com/ivy-lang/ivy-bitcoin>. +>> +>> Ivy is a simple smart contract language that can compile to Bitcoin +>> Script. It aims to improve on the useability of Bitcoin Script by adding +>> affordances like named variables and clauses, static (and domain-specifi= +c) +>> types, and familiar syntax for function calls. +>> +>> To try out Ivy, you can use the Ivy Playground for Bitcoin +>> <https://ivy-lang.org/bitcoin/>, which allows you to create and test +>> simulated contracts in a sandboxed environment. +>> +>> This is prototype software intended for educational and research purpose= +s +>> only. Please don't try to use Ivy to control real or testnet Bitcoins. +>> +>> + +--001a11495608c3591e0562d848af +Content-Type: text/html; charset="UTF-8" +Content-Transfer-Encoding: quoted-printable + +<div dir=3D"ltr">Hi Matt,<div><br></div><div>Thanks for raising this. Since= + the compiler only produces SegWit addresses, I hadn't worried at all a= +bout malleability, but as you pointed out out-of-band, malleability in the = +length of an argument can allow an attacker to deflate the feerate of a tra= +nsaction.=C2=A0</div><div><br></div><div>There was in fact a minor witness = +malleability problem with how the compiler was handling clause selection. I= +t's now been fixed in version 0.0.7 of the compiler.</div><div><br></di= +v><div>As far as I can tell (and I haven't looked all that carefully), = +any sensible Ivy contract won't have any witness malleability problem. = +(A funny exception is the RevealCollision contract, since you can length-ex= +tend the arguments to get another collision. But without a signature check,= + that one has a more serious transaction malleability problem anyway.) But = +the compiler currently doesn't prevent you from doing dumb unconstraine= +d stuff like:</div><div><br></div><div>```</div><div>clause spend(a: Bytes,= + b: Bytes, sig: Signature) {</div><div>=C2=A0 verify a =3D=3D b</div><div>= +=C2=A0 verify checkSig(publicKey, sig)</div><div>=C2=A0 unlock val</div><di= +v>}</div><div>```</div><div><br></div><div>Maybe it should, particularly si= +nce there's no reason to include a trivial condition like that anyway. = +But I think it would probably be about as easy (and more generally useful) = +to build a static analyzer that solved this problem for low-level Bitcoin S= +cript.</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Sun, J= +an 14, 2018 at 5:42 PM Matt Corallo <<a href=3D"mailto:lf-lists@mattcora= +llo.com">lf-lists@mattcorallo.com</a>> wrote:<br></div><blockquote class= +=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd= +ing-left:1ex"><div>I'm curious if you've considered adding some for= +m of compiler-time enforcement to prevent witness malleability? With that, = +Ivy could help to resolve for it's users one of the things that can mak= +e Bitcoin scripts more complicated to write, instead of simply type-checkin= +g and providing a high-level language mapped 1-to-1 with Bitcoin script.</d= +iv><div><br><br><div class=3D"gmail_quote">On December 18, 2017 8:32:17 PM = +UTC, Daniel Robinson via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@list= +s.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.= +org</a>> wrote:<blockquote class=3D"gmail_quote" style=3D"margin:0pt 0pt= + 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> +<div dir=3D"ltr"><div dir=3D"auto">Today, we=E2=80=99re releasing Ivy, a pr= +ototype higher-level language and development environment for creating cust= +om Bitcoin Script programs. You can see the full announcement <a href=3D"ht= +tps://blog.chain.com/ivy-for-bitcoin-a-smart-contract-language-that-compile= +s-to-bitcoin-script-bec06377141a" target=3D"_blank">here</a>, or check out = +the <a href=3D"https://docs.ivy-lang.org/bitcoin/" target=3D"_blank">docs</= +a>=C2=A0and=C2=A0<a href=3D"https://github.com/ivy-lang/ivy-bitcoin" target= +=3D"_blank">source code</a>.</div><div dir=3D"auto"><br></div><div dir=3D"a= +uto">Ivy is a simple smart contract language that can compile to Bitcoin Sc= +ript. It aims to improve on the useability of Bitcoin Script by adding affo= +rdances like named variables and clauses, static (and domain-specific) type= +s, and familiar syntax for function calls.</div><div dir=3D"auto"><br></div= +><div dir=3D"auto">To try out Ivy, you can use the <a href=3D"https://ivy-l= +ang.org/bitcoin/" target=3D"_blank">Ivy Playground for Bitcoin</a>, which a= +llows you to create and test simulated contracts in a sandboxed environment= +.</div><div dir=3D"auto"><br></div><div dir=3D"auto">This is prototype soft= +ware intended for educational and research purposes only. Please don't = +try to use Ivy to control real or testnet Bitcoins.</div><div dir=3D"auto">= +<br></div></div> +</blockquote></div></div></blockquote></div> + +--001a11495608c3591e0562d848af-- + |