From: Cameron Garnham
Date: Wed, 24 May 2017 20:59:28 +0300
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Cc: cve-request@mitre.org, Jeremy Rubin
Subject: Re: [bitcoin-dev] Treating 'ASICBOOST' as a Security Vulnerability

Hello Bitcoin-Dev,

A quick update that CVE-2017-9230 has been assigned for the security vulnerability commonly called 'ASICBOOST':

"The Bitcoin Proof-of-Work algorithm does not consider a certain attack methodology related to 80-byte block headers with a variety of initial 64-byte chunks followed by the same 16-byte chunk, multiple candidate root values ending with the same 4 bytes, and calculations involving sqrt numbers. This violates the security assumptions of (1) the choice of input, outside of the dedicated nonce area, fed into the Proof-of-Work function should not change its difficulty to evaluate and (2) every Proof-of-Work function execution should be independent."

I would like to especially thank the CVE team at Mitre for their suggested description that was more appropriate than my proposed text.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=+CVE-2017-9230

Cameron.

> Begin forwarded message:
>
> From:
> Subject: Re: [scr-xxxxx] Bitcoin - All
> Date: 24 May 2017 at 18:52:22 GMT+3
> To:
> Cc:
>
> Signed PGP part
> > [Suggested description]
> > The Bitcoin Proof-of-Work algorithm does not consider a certain attack
> > methodology related to 80-byte block headers with a variety of initial
> > 64-byte chunks followed by the same 16-byte chunk, multiple candidate
> > root values ending with the same 4 bytes, and calculations involving
> > sqrt numbers. This violates the security assumptions of (1) the choice
> > of input, outside of the dedicated nonce area, fed into the
> > Proof-of-Work function should not change its difficulty to evaluate
> > and (2) every Proof-of-Work function execution should be independent.
> >
> > ------------------------------------------
> >
> > [Additional Information]
> > ASICBOOST, originally promoted as a patented mining optimisation (1),
> > has under detailed study (2) become regarded as an actively exploited
> > (3) security vulnerability (4) of Bitcoin.
> >
> > The Bitcoin Proof-of-Work Algorithm is dependent on the following two
> > security assumptions that are both broken by 'ASICBOOST':
> > 1. The choice of input, outside of the dedicated nonce area, fed into
> > the Proof-of-Work function should not change its difficulty to
> > evaluate.
> > 2. Every Proof-of-Work function execution should be independent.
> >
> > 'ASICBOOST' creates a layer-violation where the structure of the input
> > outside of the dedicated nonce area will change the performance of the
> > mining calculations (5). 'ASICBOOST' exploits a vulnerability where
> > the Proof-of-Work function execution is not independent (6).
> >
> > References:
> > (1) Original Whitepaper by Dr. Timo Hanke: https://arxiv.org/ftp/arxiv/papers/1604/1604.00575.pdf
> > (2) Academic Write-up by Jeremy Rubin: http://www.mit.edu/~jlrubin//public/pdfs/Asicboost.pdf
> > (3) Evidence of Active Exploit by Gregory Maxwell:
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-April/013996.html
> > (4) Discussion to assign a CVE Number, by Cameron Garnham:
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014349.html
> > (5) Discussion of the perverse incentives created by 'ASICBOOST' by Ryan Grant:
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014352.html
> > (6) Discussion of ASICBOOST's non-independent PoW calculation by Tier Nolan:
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014351.html
> >
> > The patent holder of this particular security vulnerability has a dedicated website: https://www.asicboost.com/
> >
> > ------------------------------------------
> >
> > [VulnerabilityType Other]
> > Cryptocurrency Mining Algorithm Weakness
> >
> > ------------------------------------------
> >
> > [Vendor of Product]
> > Bitcoin
> >
> > ------------------------------------------
> >
> > [Affected Product Code Base]
> > Bitcoin - All
> >
> > ------------------------------------------
> >
> > [Affected Component]
> > Bitcoin
> >
> > ------------------------------------------
> >
> > [Attack Type Other]
> > Cryptocurrency Proof-of-Work Algorithm Weakness
> >
> > ------------------------------------------
> >
> > [CVE Impact Other]
> > Creation of Perverse Incentives in a Cryptocurrency
> >
> > ------------------------------------------
> >
> > [Attack Vectors]
> > Bitcoin Mining Unfair Advantage
> > Bitcoin Layer-Violations Creating Perverse System Incentives
> >
> > ------------------------------------------
> >
> > [Reference]
> > https://arxiv.org/ftp/arxiv/papers/1604/1604.00575.pdf
> > http://www.mit.edu/~jlrubin//public/pdfs/Asicboost.pdf
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-April/013996.html
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014349.html
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014352.html
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014351.html
> >
> > ------------------------------------------
> >
> > [Has vendor confirmed or acknowledged the vulnerability?]
> > true
> >
> > ------------------------------------------
> >
> > [Discoverer]
> > Original Discovery: Dr. Timo Hanke and Sergio Lerner. Proof of Active
> > Exploit: Gregory Maxwell. CVE Reporter: Cameron Garnham
>
> Use CVE-2017-9230.
>
>
> --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
> http://cve.mitre.org/cve/request_id.html ]
>
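The CVE description above speaks of "initial 64-byte chunks followed by the same 16-byte chunk". The example below, added here as an illustration and not part of the mailing-list message or the CVE record, shows concretely where that split falls: SHA-256 consumes the 80-byte block header as one full 64-byte chunk (version, previous hash, first 28 bytes of the merkle root) and a second chunk holding only the last 4 bytes of the merkle root, time, bits and nonce plus padding, so the state after the first chunk (the "midstate") is fixed for every header that shares those first 64 bytes and does not depend on the nonce at all. It uses a small pure-Python SHA-256 compression function (assumed here so the midstate is visible; hashlib hides it), the public Bitcoin genesis header as input, and cross-checks the result against hashlib; it does not implement any ASICBOOST search.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
_PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, int(p ** 0.5) + 1))]  # first 64 primes

def _icbrt(n):
    """Exact integer cube root: float estimate, corrected by a small integer search."""
    x = int(round(n ** (1 / 3)))
    return next(y for y in range(x - 2, x + 3) if y ** 3 <= n < (y + 1) ** 3)

# FIPS 180-4 constants: fractional 32 bits of sqrt / cbrt of the first primes.
H0 = [math.isqrt(p << 64) & MASK for p in _PRIMES[:8]]
K = [_icbrt(p << 96) & MASK for p in _PRIMES]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256_compress(state, chunk):
    """One SHA-256 compression: absorb a single 64-byte chunk into the 8-word state."""
    w = list(struct.unpack(">16L", chunk))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def header_hash(header):
    """Double-SHA256 of an 80-byte header, split as SHA-256 consumes it: chunk 1 = bytes 0-63 (version,
    prev hash, merkle root[:28]); chunk 2 = bytes 64-79 (merkle root[28:], time, bits, nonce) + padding."""
    assert len(header) == 80
    midstate = sha256_compress(H0, header[:64])  # identical for every header sharing chunk 1; nonce-free
    tail = header[64:] + b"\x80" + bytes(39) + struct.pack(">Q", 80 * 8)
    inner = struct.pack(">8L", *sha256_compress(midstate, tail))
    outer = inner + b"\x80" + bytes(23) + struct.pack(">Q", 32 * 8)
    return struct.pack(">8L", *sha256_compress(H0, outer)), midstate  # (digest, midstate)

def double_sha256(data):
    """Reference double-SHA256 from hashlib, used to cross-check header_hash."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

# Bitcoin genesis block header (public constant; fields little-endian as on the wire).
GENESIS = bytes.fromhex("01000000" + "00" * 32 + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a29ab5f49ffff001d1dac2b7c")
```

Changing only the nonce (bytes 76-79) leaves the midstate untouched, while changing any byte in the first 64 produces a different midstate; that is the layering the CVE text says ASICBOOST exploits.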