From: Cameron Garnham <da2ce7@gmail.com>
Date: Fri, 19 May 2017 10:32:36 +0300
To: Tier Nolan <tier.nolan@gmail.com>
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Treating ‘ASICBOOST’ as a Security Vulnerability

(message was originally sent off-list by mistake).

Hello Tier,

Thank you for your insightful reply,

Am I correct that this suggests you think it is an optimisation to find
some nonces having lower difficulty than other nonces?

I would agree with you if this was limited to a dedicated nonce area of
the Bitcoin System.

However, in the case of Bitcoin it is a layer violation that the PoW
function difficulty could be affected by the choice of the transaction
ordering, or the content of the Coinbase Transaction, etc.  Possibly
giving unnatural and unintended incentives to other parts of the Bitcoin
System.

I can see two issues at play here:

1.	The choice of input, outside of the dedicated nonce area, fed to
the PoW function should not change its difficulty to evaluate.
2.	Every PoW function execution should be independent.

I think that both of these are security assumptions of the Bitcoin PoW
function.

I consider ASICBOOST as an attack upon both accounts.

Cameron.

>
> On 18 May 2017, at 17:59 , Tier Nolan via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> On Thu, May 18, 2017 at 2:44 PM, Cameron Garnham via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 1.     Significant deviations from the Bitcoin Security Model have been
> acknowledged as security vulnerabilities.
>
> The Bitcoin Security Model assumes that every input into the
> Proof-of-Work function should have the same difficulty of producing a
> desired output.
>
> This isn't really that clear.
>
> Arguably as long as the effort to find a block is proportional to the
> block difficulty parameter, then it isn't an exploit.  It is just an
> optimisation.
>
> A quantum computer, for example, could find a block with effort
> proportional to the square root of the difficulty parameter, so that
> would count as an attack.  Though in that case, the fix would likely be
> to tweak the difficulty parameter update calculation.
>
> A better definition would be something like "when performing work,
> each hash should be independent".
>
> ASICBOOST does multiple checks in parallel, so would violate that.
