1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
Return-Path: <danrobinson010@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id A7138E8E
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 15 Jan 2018 22:39:18 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ua0-f179.google.com (mail-ua0-f179.google.com
[209.85.217.179])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D729B5AA
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 15 Jan 2018 22:39:17 +0000 (UTC)
Received: by mail-ua0-f179.google.com with SMTP id j23so4153596uak.13
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 15 Jan 2018 14:39:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=unPV/fbsGqPnav6uRlaVgTxWt9zSGrW2H/vXGEQR3WM=;
b=ElAdagI93TQu5ZHw52PzAU1evYOm7nQ/SGcFbSOWMF9PO2wNIdeqPnrvXw4jzww3DV
HUuUYyQdtWcOq5AUk5AVWkrKSKqmS4NPmC27uIShNJcmo5ZtNpHXKPJxfjgGs0wJZsWP
oRtq6cIqC22YhHKI1/4dzvjp+VQeTDJkwIhNat5v26o8f9QV2+XK+butNYpxtedDZD+t
PFKkD23JC89CMzTNKTkdQwiusfbkif6Pnw0Mzfdi+VsjACeXqfPYQnlDJ0GaSyuAAm/s
PCzVOYvgbLhrFhx+NGaefWqhtNGRK2AuCt376z2nfMrkV0HC86n5d/Dzfm8Yi9XkL8Ev
U+Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=unPV/fbsGqPnav6uRlaVgTxWt9zSGrW2H/vXGEQR3WM=;
b=GTsm/m5BVdn4nUokl4tl7jrmgQKufjoi+SknhzX/6lfkYCMQr3/UMVn8fO5/49eION
y39Vo/bA+d1wHr5sepISIfn+o5L49lOxKXx7HF1B8BgtGM6qeMjXMC88TpIvtBHleL9F
iONeOOI74HwwzGYPiHCLTj6FdxrTtpaXvhgV0dc5nZZf3UXstIE/ZWwFxn3/QyxD5gAr
pGKTSsD4bivSe1vWPlEckcf79a4FTUD5Yb7Cs3mWjmkM5e2vMQE9NHPlwjLOKYJTnAAz
4Br8rl6wjV9ipStAvNkKAscZa5QV5OBXIxezWFS0EkwRWSOJNPLXRm2skvR0fKCVxbFO
z9Hw==
X-Gm-Message-State: AKwxyteJ447KdC9tDd9I4Iu47Oq55iWXnqDZQFUpyPpkKWEuQnL5T9Sh
fokTDXyeKd11YofA+BmjEuolaqYBK51pqF2sV2l/8Q==
X-Google-Smtp-Source: ACJfBotum2rhoDAizptWpfNkQ+n8828Ty7sBHFfWl5zManVhaeT/L1hdnA/+YUZCJuhlyOJ6PwgFBdcTrRvl8QLaUIs=
X-Received: by 10.176.19.107 with SMTP id h40mr33845189uae.173.1516055956771;
Mon, 15 Jan 2018 14:39:16 -0800 (PST)
MIME-Version: 1.0
References: <CAD438HvzYAMVTU8A0OiNnj2nvYgMApdS8NNfzE86Ae_OsTfuaA@mail.gmail.com>
<1CCF3C59-64DB-462F-AC62-AEA77FA01571@mattcorallo.com>
In-Reply-To: <1CCF3C59-64DB-462F-AC62-AEA77FA01571@mattcorallo.com>
From: Daniel Robinson <danrobinson010@gmail.com>
Date: Mon, 15 Jan 2018 22:39:05 +0000
Message-ID: <CAD438Ht8x5-v8NsC7O=D7Oo5EZ56q5E3LKuVt033as-8iqtd=Q@mail.gmail.com>
To: Matt Corallo <lf-lists@mattcorallo.com>
Content-Type: multipart/alternative; boundary="001a11495608c3591e0562d848af"
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
HTML_MESSAGE,RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Mon, 15 Jan 2018 22:42:12 +0000
Cc: Daniel Robinson via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Ivy: a higher-level language targeting Bitcoin
Script
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jan 2018 22:39:18 -0000
--001a11495608c3591e0562d848af
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Matt,
Thanks for raising this. Since the compiler only produces SegWit addresses,
I hadn't worried at all about malleability, but as you pointed out
out-of-band, malleability in the length of an argument can allow an
attacker to deflate the feerate of a transaction.
There was in fact a minor witness malleability problem with how the
compiler was handling clause selection. It's now been fixed in version
0.0.7 of the compiler.
As far as I can tell (and I haven't looked all that carefully), any
sensible Ivy contract won't have any witness malleability problem. (A funny
exception is the RevealCollision contract, since you can length-extend the
arguments to get another collision. But without a signature check, that one
has a more serious transaction malleability problem anyway.) But the
compiler currently doesn't prevent you from doing dumb unconstrained stuff
like:
```
clause spend(a: Bytes, b: Bytes, sig: Signature) {
verify a =3D=3D b
verify checkSig(publicKey, sig)
unlock val
}
```
Maybe it should, particularly since there's no reason to include a trivial
condition like that anyway. But I think it would probably be about as easy
(and more generally useful) to build a static analyzer that solved this
problem for low-level Bitcoin Script.
On Sun, Jan 14, 2018 at 5:42 PM Matt Corallo <lf-lists@mattcorallo.com>
wrote:
> I'm curious if you've considered adding some form of compiler-time
> enforcement to prevent witness malleability? With that, Ivy could help to
> resolve for it's users one of the things that can make Bitcoin scripts mo=
re
> complicated to write, instead of simply type-checking and providing a
> high-level language mapped 1-to-1 with Bitcoin script.
>
>
> On December 18, 2017 8:32:17 PM UTC, Daniel Robinson via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> Today, we=E2=80=99re releasing Ivy, a prototype higher-level language an=
d
>> development environment for creating custom Bitcoin Script programs. You
>> can see the full announcement here
>> <https://blog.chain.com/ivy-for-bitcoin-a-smart-contract-language-that-c=
ompiles-to-bitcoin-script-bec06377141a>,
>> or check out the docs <https://docs.ivy-lang.org/bitcoin/> and source
>> code <https://github.com/ivy-lang/ivy-bitcoin>.
>>
>> Ivy is a simple smart contract language that can compile to Bitcoin
>> Script. It aims to improve on the useability of Bitcoin Script by adding
>> affordances like named variables and clauses, static (and domain-specifi=
c)
>> types, and familiar syntax for function calls.
>>
>> To try out Ivy, you can use the Ivy Playground for Bitcoin
>> <https://ivy-lang.org/bitcoin/>, which allows you to create and test
>> simulated contracts in a sandboxed environment.
>>
>> This is prototype software intended for educational and research purpose=
s
>> only. Please don't try to use Ivy to control real or testnet Bitcoins.
>>
>>
--001a11495608c3591e0562d848af
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Matt,<div><br></div><div>Thanks for raising this. Since=
the compiler only produces SegWit addresses, I hadn't worried at all a=
bout malleability, but as you pointed out out-of-band, malleability in the =
length of an argument can allow an attacker to deflate the feerate of a tra=
nsaction.=C2=A0</div><div><br></div><div>There was in fact a minor witness =
malleability problem with how the compiler was handling clause selection. I=
t's now been fixed in version 0.0.7 of the compiler.</div><div><br></di=
v><div>As far as I can tell (and I haven't looked all that carefully), =
any sensible Ivy contract won't have any witness malleability problem. =
(A funny exception is the RevealCollision contract, since you can length-ex=
tend the arguments to get another collision. But without a signature check,=
that one has a more serious transaction malleability problem anyway.) But =
the compiler currently doesn't prevent you from doing dumb unconstraine=
d stuff like:</div><div><br></div><div>```</div><div>clause spend(a: Bytes,=
b: Bytes, sig: Signature) {</div><div>=C2=A0 verify a =3D=3D b</div><div>=
=C2=A0 verify checkSig(publicKey, sig)</div><div>=C2=A0 unlock val</div><di=
v>}</div><div>```</div><div><br></div><div>Maybe it should, particularly si=
nce there's no reason to include a trivial condition like that anyway. =
But I think it would probably be about as easy (and more generally useful) =
to build a static analyzer that solved this problem for low-level Bitcoin S=
cript.</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Sun, J=
an 14, 2018 at 5:42 PM Matt Corallo <<a href=3D"mailto:lf-lists@mattcora=
llo.com">lf-lists@mattcorallo.com</a>> wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex"><div>I'm curious if you've considered adding some for=
m of compiler-time enforcement to prevent witness malleability? With that, =
Ivy could help to resolve for it's users one of the things that can mak=
e Bitcoin scripts more complicated to write, instead of simply type-checkin=
g and providing a high-level language mapped 1-to-1 with Bitcoin script.</d=
iv><div><br><br><div class=3D"gmail_quote">On December 18, 2017 8:32:17 PM =
UTC, Daniel Robinson via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@list=
s.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.=
org</a>> wrote:<blockquote class=3D"gmail_quote" style=3D"margin:0pt 0pt=
0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"auto">Today, we=E2=80=99re releasing Ivy, a pr=
ototype higher-level language and development environment for creating cust=
om Bitcoin Script programs. You can see the full announcement <a href=3D"ht=
tps://blog.chain.com/ivy-for-bitcoin-a-smart-contract-language-that-compile=
s-to-bitcoin-script-bec06377141a" target=3D"_blank">here</a>, or check out =
the <a href=3D"https://docs.ivy-lang.org/bitcoin/" target=3D"_blank">docs</=
a>=C2=A0and=C2=A0<a href=3D"https://github.com/ivy-lang/ivy-bitcoin" target=
=3D"_blank">source code</a>.</div><div dir=3D"auto"><br></div><div dir=3D"a=
uto">Ivy is a simple smart contract language that can compile to Bitcoin Sc=
ript. It aims to improve on the useability of Bitcoin Script by adding affo=
rdances like named variables and clauses, static (and domain-specific) type=
s, and familiar syntax for function calls.</div><div dir=3D"auto"><br></div=
><div dir=3D"auto">To try out Ivy, you can use the <a href=3D"https://ivy-l=
ang.org/bitcoin/" target=3D"_blank">Ivy Playground for Bitcoin</a>, which a=
llows you to create and test simulated contracts in a sandboxed environment=
.</div><div dir=3D"auto"><br></div><div dir=3D"auto">This is prototype soft=
ware intended for educational and research purposes only. Please don't =
try to use Ivy to control real or testnet Bitcoins.</div><div dir=3D"auto">=
<br></div></div>
</blockquote></div></div></blockquote></div>
--001a11495608c3591e0562d848af--
|
