author | Cameron Garnham <da2ce7@gmail.com> | 2017-05-19 10:32:36 +0300 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2017-05-19 07:32:45 +0000 |
commit | 46b35e4fb924247f020b3656c389511ca2cfdb78 (patch) | |
tree | 77c08b4a055b3faaa668b93e38ac2385c88e56bf /d7 | |
parent | 18022cd60b346403d8a431f93b13039f42b1d6c1 (diff) | |
Re: [bitcoin-dev] Treating ‘ASICBOOST’ as a Security Vulnerability
Diffstat (limited to 'd7')
-rw-r--r-- | d7/87aa2e98fb1d210771a78688d905c819b95464 | 231 |
1 files changed, 231 insertions, 0 deletions
diff --git a/d7/87aa2e98fb1d210771a78688d905c819b95464 b/d7/87aa2e98fb1d210771a78688d905c819b95464 new file mode 100644 index 000000000..5c91681a8 --- /dev/null +++ b/d7/87aa2e98fb1d210771a78688d905c819b95464 
@@ -0,0 +1,231 @@ +Return-Path: <da2ce7@gmail.com> +Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org + [172.17.192.35]) + by mail.linuxfoundation.org (Postfix) with ESMTPS id E424EB2F + for <bitcoin-dev@lists.linuxfoundation.org>; + Fri, 19 May 2017 07:32:45 +0000 (UTC) +X-Greylist: whitelisted by SQLgrey-1.7.6 +Received: from mail-wr0-f170.google.com (mail-wr0-f170.google.com + [209.85.128.170]) + by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 35BC0151 + for <bitcoin-dev@lists.linuxfoundation.org>; + Fri, 19 May 2017 07:32:45 +0000 (UTC) +Received: by mail-wr0-f170.google.com with SMTP id z52so11019211wrc.2 + for <bitcoin-dev@lists.linuxfoundation.org>; + Fri, 19 May 2017 00:32:45 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=from:message-id:mime-version:subject:date:in-reply-to:cc:to + :references; bh=gwFSPkL/IEvTHVJwh5XGf2/ElLEu4N5QoUDy+7SDGXU=; + b=p9WiUo5VykOI7fRB4zcDF9BxWHlsP4ejylBna9NPMvYHV+GgYJatTPRRoZOwAPaGbz + 28zDvC2lSycSlhHlqJV9FKoDooKvAn5/yQc+oF1kcMoLARVDSWPsFa4JYTBq6sOWSvZz + iRwX3JwfTZlCgvFc8ejYFkFXpLUxku9b6PMYbmWT4q+HDDTIOAkAl/25gX8KBvEsYTLE + d/VO61pPFxRiAm1vq/2vrrMJQyeXBeWbgz87LDGWMeuR3frikmESuBehQgOrpFPIGfBz + E0sjMYKm7efvp9jVwFYUhZuKIsUtdj9CxiPKE2ci5w4GSgw8AfIz2F+zR9fBkGSux7Di + y+UA== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:from:message-id:mime-version:subject:date + :in-reply-to:cc:to:references; + bh=gwFSPkL/IEvTHVJwh5XGf2/ElLEu4N5QoUDy+7SDGXU=; + b=Bvi8f3jl+VewBYGVebZAsq5FYymhPC0vdrANUNnabaXBY2xeOLpmISiPqbj9M4O9sC + UvB+n5JK4wUO+YFs64cjG3/eSdqjJ46rsLfVDQNGKInNAWnbJfXqh7HIFRmmhNrCz9Zn + 5kfXn1Muv+1SuvuzNPAtrza2CgUGCuBTHsimcnqb7YpqY9V4ejzxiQnxOGQnwMdl9T/1 + PkmsodVsek5ZPL7lfPh/w7MRQNGUXnCU/SzZ6lMN6ApPBnM6S2rTfxnYmkA8hJC33ObS + 2hksqc2r6qh1XLaoJqn/+mrwR3Jit811YZS3yaaUa8S4YHZXivS8hHLrJWUTTa/tvMTb + WPlw== +X-Gm-Message-State: AODbwcCAffaYCvCyIAYqZn1cjYu6sF2ACsb2T1+//fWYH6j0+hfGPPEa + 
3SLHDqPXK1Hd6Q== +X-Received: by 10.46.82.144 with SMTP id n16mr1948047lje.0.1495179163765; + Fri, 19 May 2017 00:32:43 -0700 (PDT) +Received: from [172.20.10.2] ([213.87.145.226]) + by smtp.gmail.com with ESMTPSA id + l135sm792179lfb.43.2017.05.19.00.32.41 + (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Fri, 19 May 2017 00:32:42 -0700 (PDT) +From: Cameron Garnham <da2ce7@gmail.com> +Message-Id: <B3FCB9B3-3E0F-48A4-82D9-61019B4672B5@gmail.com> +Content-Type: multipart/alternative; + boundary="Apple-Mail=_AF54D3AA-121C-4FFE-A42F-37EA69BF0C7D" +Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) +Date: Fri, 19 May 2017 10:32:36 +0300 +In-Reply-To: <CAE-z3OX2b4V+ERAYszokAUrSRPqpOCd2TovxBiqfeRTj4yuVpw@mail.gmail.com> +To: Tier Nolan <tier.nolan@gmail.com> +References: <4BA0FA5D-7B29-4A7F-BC5B-361ED00D5CB2@gmail.com> + <CAE-z3OX2b4V+ERAYszokAUrSRPqpOCd2TovxBiqfeRTj4yuVpw@mail.gmail.com> +X-Mailer: Apple Mail (2.3273) +X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, + DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, + HTML_MESSAGE, RCVD_IN_DNSWL_NONE, + RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + smtp1.linux-foundation.org +Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org> +Subject: Re: [bitcoin-dev] + =?utf-8?b?VHJlYXRpbmcg4oCYQVNJQ0JPT1NU4oCZIGFzIGEg?= + =?utf-8?q?Security_Vulnerability?= +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: 
<https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Fri, 19 May 2017 07:32:46 -0000 + + +--Apple-Mail=_AF54D3AA-121C-4FFE-A42F-37EA69BF0C7D +Content-Transfer-Encoding: quoted-printable +Content-Type: text/plain; + charset=utf-8 + +(message was originally sent off-list by mistake). + +Hello Tier, + +Thank-you for your insightful reply, + +Am I correct that this suggest is that you think it is an optimisation = +to find some nonces having lower difficulty than other nonces? + +I would agree with you if this was limited to a dedicated nonce area of = +the Bitcoin System. + +However, in the case of Bitcoin it is a layer violation that the PoW = +function difficulty could be affected by the choice the transaction = +ordering, or the content of the Coinbase Transaction, etc. Possibly = +giving unnatural and unintended incentives to other parts of the Bitcoin = +System. + +I can see two issues at play here: + +1. The choice of input, outside of the dedicated nonce area, fed = +the PoW function should not change it=E2=80=99s difficulty to evaluate. +2. Every PoW function execution should be independent. + +I think that both of these are security assumptions of the Bitcoin PoW = +function. + +I consider ASICBOOST as an attack upon both accounts. + +Cameron. + +>=20 +> On 18 May 2017, at 17:59 , Tier Nolan via bitcoin-dev = +<bitcoin-dev@lists.linuxfoundation.org> wrote: +>=20 +> On Thu, May 18, 2017 at 2:44 PM, Cameron Garnham via bitcoin-dev = +<bitcoin-dev@lists.linuxfoundation.org> wrote: +> 1. Significant deviations from the Bitcoin Security Model have = +been acknowledged as security vulnerabilities. +>=20 +> The Bitcoin Security Model assumes that every input into the = +Proof-of-Work function should have the same difficulty of producing a = +desired output. +>=20 +> This isn't really that clear. 
+>=20 +> Arguably as long as the effort to find a block is proportional to the = +block difficulty parameter, then it isn't an exploit. It is just an = +optimisation. +>=20 +> A quantum computer, for example, could find a block with effort = +proportional to the square root of the difficulty parameter, so that = +would count as an attack. Though in that case, the fix would likely be = +to tweak the difficulty parameter update calculation. +>=20 +> A better definition would be something like "when performing work, = +each hash should be independent". =20 +>=20 +> ASICBOOST does multiple checks in parallel, so would violate that. + + +--Apple-Mail=_AF54D3AA-121C-4FFE-A42F-37EA69BF0C7D +Content-Transfer-Encoding: quoted-printable +Content-Type: text/html; + charset=utf-8 + +<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html = +charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; = +-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" = +class=3D""><div class=3D"">(message was originally sent off-list by = +mistake).</div><div class=3D""><br class=3D""></div>Hello Tier,<br = +class=3D""><div><font color=3D"#5856d6" class=3D""><br = +class=3D""></font>Thank-you for your insightful reply,<br class=3D""><font= + color=3D"#5856d6" class=3D""><br class=3D""></font>Am I correct that = +this suggest is that you think it is an optimisation to find some nonces = +having lower difficulty than other nonces?<br class=3D""><font = +color=3D"#5856d6" class=3D""><br class=3D""></font>I would agree with = +you if this was limited to a dedicated nonce area of the Bitcoin = +System.<br class=3D""><font color=3D"#5856d6" class=3D""><br = +class=3D""></font>However, in the case of Bitcoin it is a layer = +violation that the PoW function difficulty could be affected by the = +choice the transaction ordering, or the content of the Coinbase = +Transaction, etc. 
Possibly giving unnatural and unintended = +incentives to other parts of the Bitcoin System.<br class=3D""><font = +color=3D"#5856d6" class=3D""><br class=3D""></font>I can see two issues = +at play here:<br class=3D""><font color=3D"#5856d6" class=3D""><br = +class=3D""></font><span class=3D"" style=3D"float: none; display: inline = +!important;">1.</span><span class=3D"Apple-tab-span" style=3D"white-space:= + pre;"> </span><span class=3D"" style=3D"float: none; display: inline = +!important;">The choice of input, outside of the dedicated nonce area, = +fed the PoW function should not change it=E2=80=99s difficulty to = +evaluate.</span><br class=3D""><span class=3D"" style=3D"float: none; = +display: inline !important;">2.</span><span class=3D"Apple-tab-span" = +style=3D"white-space: pre;"> </span><span class=3D"" style=3D"float: = +none; display: inline !important;">Every PoW function execution should = +be independent.</span><br class=3D""><font color=3D"#5856d6" = +class=3D""><br class=3D""></font>I think that both of these are security = +assumptions of the Bitcoin PoW function.<br class=3D""><font = +color=3D"#5856d6" class=3D""><br class=3D""></font>I consider ASICBOOST = +as an attack upon both accounts.<br class=3D""><font color=3D"#5856d6" = +class=3D""><br class=3D""></font>Cameron.</div><div><br = +class=3D""><blockquote type=3D"cite" class=3D""><blockquote type=3D"cite" = +class=3D""></blockquote><font color=3D"#00afcd" class=3D""><br = +class=3D""></font><blockquote type=3D"cite" class=3D""></blockquote>On = +18 May 2017, at 17:59 , Tier Nolan via bitcoin-dev <<a = +href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" = +class=3D"">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br = +class=3D""><blockquote type=3D"cite" class=3D""></blockquote><font = +color=3D"#00afcd" class=3D""><br class=3D""></font><blockquote = +type=3D"cite" class=3D""></blockquote>On Thu, May 18, 2017 at 2:44 PM, = +Cameron Garnham via bitcoin-dev <<a = 
+href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" = +class=3D"">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br = +class=3D""><blockquote type=3D"cite" class=3D""></blockquote>1. = + Significant deviations from the Bitcoin Security = +Model have been acknowledged as security vulnerabilities.<br = +class=3D""><blockquote type=3D"cite" class=3D""></blockquote><font = +color=3D"#00afcd" class=3D""><br class=3D""></font><blockquote = +type=3D"cite" class=3D""></blockquote>The Bitcoin Security Model assumes = +that every input into the Proof-of-Work function should have the same = +difficulty of producing a desired output.<br class=3D""><blockquote = +type=3D"cite" class=3D""></blockquote><font color=3D"#00afcd" = +class=3D""><br class=3D""></font><blockquote type=3D"cite" = +class=3D""></blockquote>This isn't really that clear.<br = +class=3D""><blockquote type=3D"cite" class=3D""></blockquote><font = +color=3D"#00afcd" class=3D""><br class=3D""></font><blockquote = +type=3D"cite" class=3D""></blockquote>Arguably as long as the effort to = +find a block is proportional to the block difficulty parameter, then it = +isn't an exploit. It is just an optimisation.<br = +class=3D""><blockquote type=3D"cite" class=3D""></blockquote><font = +color=3D"#00afcd" class=3D""><br class=3D""></font><blockquote = +type=3D"cite" class=3D""></blockquote>A quantum computer, for example, = +could find a block with effort proportional to the square root of the = +difficulty parameter, so that would count as an attack. Though in = +that case, the fix would likely be to tweak the difficulty parameter = +update calculation.<br class=3D""><blockquote type=3D"cite" = +class=3D""></blockquote><font color=3D"#00afcd" class=3D""><br = +class=3D""></font><blockquote type=3D"cite" class=3D""></blockquote>A = +better definition would be something like "when performing work, each = +hash should be independent". 
<br class=3D""><blockquote = +type=3D"cite" class=3D""></blockquote><font color=3D"#00afcd" = +class=3D""><br class=3D""></font>ASICBOOST does multiple checks in = +parallel, so would violate that.<br class=3D""></blockquote><div = +class=3D""><br class=3D""></div></div></body></html>= + +--Apple-Mail=_AF54D3AA-121C-4FFE-A42F-37EA69BF0C7D-- + |
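Review bot: In the text/plain part, everything quoted below "Cameron." sits at a single ">" level, so Cameron Garnham's earlier statements ("Significant deviations from the Bitcoin Security Model have been acknowledged as security vulnerabilities", "The Bitcoin Security Model assumes that every input into the Proof-of-Work function should have the same difficulty") and Tier Nolan's responses ("This isn't really that clear", "each hash should be independent") cannot be told apart by quote depth. The text/html part is no fallback, because its blockquote elements are empty and the quoted sentences follow them as plain text. Because the file stores the message verbatim, attribution is recoverable only from the two "wrote:" lines and the parent Message-IDs in the In-Reply-To and References headers. I suggest that whatever renders this archive link those parents, so that readers resolve who said what against the original messages rather than against the quoting here.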