Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id E96F1B1E for ; Thu, 6 Apr 2017 12:11:37 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f52.google.com (mail-oi0-f52.google.com [209.85.218.52]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 53636D0 for ; Thu, 6 Apr 2017 12:11:37 +0000 (UTC) Received: by mail-oi0-f52.google.com with SMTP id r203so48561370oib.3 for ; Thu, 06 Apr 2017 05:11:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=ns7KYZSTsVV1sMiVsWzGgc52Ckr0xc+7G3Pq9ba/dmg=; b=N48u7x9XF0xDH70Dd/X1na9fN2O+3ZIH1I/Jp9Bm47wcN7OJ9SI8ZWK7co+RDt1axA FdXhW2rpRKUFZKl2wqqGV05Q+GBF6RM53ZEFKCyLV3pVTlpXtg+r6swZLZey4ri602NJ Tzds+9RLg9P35TvQI0th2AWOOBNNFJD5Ec9zYSnw3hllQPWjsk1eABF2pAdweNJlIb4M 8SrSRsHduPkhR/l9zKADNSWS0yvddik7I3TQM4nhEhUJLm7en6OsbDMWn3MM5aROb3bR +filP1flgODBBnFieOxN1Vl/6jekpjXIqXh9GW1f6LUSxZdFRgyiv2EsoR+aVLFcIeO/ sJdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=ns7KYZSTsVV1sMiVsWzGgc52Ckr0xc+7G3Pq9ba/dmg=; b=YTBLX62EhKiwDMt4OW7nqrM1f9cQOizxS+qiB+8d/W1ArH9OBxUcbwKIwh5husFpqi vBtXSsykO+UWc7+WndJTe26UaL3611E5jKIai1CYYaOL/NeVaqGrEBCqDEa+tR/F/vmY fOgqgitM2y56wB2q8N28C45a2ZMMSMWPeG0BFa3LdqSDs9aNc1F9aUXqQf7fm7GZvu/z I1v7NugFGuM5mcyHkCZm6smUbMzgInGCEE8jK3TMoHeR25EauP3ovuhNsXDwHBjim4Mx norRPQrM5G+lYaEbC0QQJ7wvek+Q5h5o32US4DCBq0ar0UMyzWLHvmfloWgCvU+Tot9r HQGQ== X-Gm-Message-State: AN3rC/44stBXB7aBrug2GnqRIa9bw/TUoNNPPMDinLU8tNifTi37LXN3WBRJ/epBNN7GAY4ru/gh1dJt5Szasg== X-Received: by 10.202.69.195 with SMTP id s186mr928919oia.99.1491480696550; Thu, 06 Apr 2017 05:11:36 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.47.220 with HTTP; Thu, 6 Apr 2017 05:11:35 -0700 (PDT) In-Reply-To: References: From: Bryan Bishop Date: Thu, 6 Apr 2017 07:11:35 -0500 Message-ID: To: Luv Khemani , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary=001a113dd4621b7b03054c7e6940 X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] BIP proposal: Inhibiting a covert attack on the Bitcoin POW function X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Apr 2017 12:11:38 -0000 --001a113dd4621b7b03054c7e6940 Content-Type: text/plain; charset=UTF-8 On Thu, Apr 6, 2017 at 7:02 AM, Luv Khemani via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Could you elaborate on why you consider ASICBOOST to be an attack? Attack > here implies ill-intent by the practitioner towards the network as a > primary motivating factor. > > See https://www.reddit.com/r/Bitcoin/comments/63otrp/gregory_maxwell_major_asic_manufacturer_is/dfwcki3/ """ I think that it is an attack is a completely unambiguous technical description of what it is. If a signature is supposed to resist forgery against 2^128 operations, but you find a way to do it with 2^80 instead, this is an attack. It is, perhaps, not a very concerning attack and you may or may not change your signature scheme to avoid it or may just instead say the scheme has 2^80 security. But there is no doubt that it would be called an attack, especially if it was not described in the original proposal. In Bitcoin's Proof of Work, you are attempting to prove a certain amount of work has been done. This shortcut significantly reduces the amount of work. It's an attack. Normally it wouldn't be a serious attack-- it would just get appended to the defacto definition of what the Bitcoin Proof of work is-- similar to the signature system just getting restarted as having 2^80 security-- but in it's covert form it cannot just be adopted because it blocks many further improvements (not just segwit, but the vast majority of other proposals), and additional the licensing restrictions inhibit adoption. The proposal I posted does not prevent the technique, only the covert form: That is, it doesn't even attempt to solve the patented tech eventually will centralize the system problem. It is narrowly targeted at the interference with upgrades. Taking a step back-- even ignoring my geeking out about the technical definition of 'attack' in crypographic contexts, we have a set of issues here that left addressed will seriously harm the system going forward for the the significant monetary benefit of an exploiting party. I think that also satisfies a lay definition of the term: Something someone does, that none one expected, that makes them money at everyone elses expense. """ - Bryan http://heybryan.org/ 1 512 203 0507 --001a113dd4621b7b03054c7e6940 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
On T= hu, Apr 6, 2017 at 7:02 AM, Luv Khemani via bitcoin-dev &= lt;bitcoin-dev@lists.linuxfoundation.org> wrote:

Could you elaborate on why you consider= ASICBOOST to be an attack? Attack here implies ill-intent by the practitioner=C2=A0towards the networ= k as a primary motivating factor.


See htt= ps://www.reddit.com/r/Bitcoin/comments/63otrp/gregory_maxwell_major_asic_ma= nufacturer_is/dfwcki3/

"""
I think that it is an attack is a completely unambi= guous technical description of what it is. If a signature is supposed to re= sist forgery against 2^128 operations, but you find a way to do it with 2^8= 0 instead, this is an attack. It is, perhaps, not a very concerning attack = and you may or may not change your signature scheme to avoid it or may just= instead say the scheme has 2^80 security. But there is no doubt that it wo= uld be called an attack, especially if it was not described in the original= proposal.

In Bitcoin's Proof of Work, you are attempting to prove a certain = amount of work has been done. This shortcut significantly reduces the amoun= t of work. It's an attack. Normally it wouldn't be a serious attack= -- it would just get appended to the defacto definition of what the Bitcoin= Proof of work is-- similar to the signature system just getting restarted = as having 2^80 security-- but in it's covert form it cannot just be ado= pted because it blocks many further improvements (not just segwit, but the = vast majority of other proposals), and additional the licensing restriction= s inhibit adoption.

The proposal I posted does not prevent the technique, only th= e covert form: That is, it doesn't even attempt to solve the patented t= ech eventually will centralize the system problem. It is narrowly targeted = at the interference with upgrades.

Taking a step back-- even ignoring my geeking = out about the technical definition of 'attack' in crypographic cont= exts, we have a set of issues here that left addressed will seriously harm = the system going forward for the the significant monetary benefit of an exp= loiting party. I think that also satisfies a lay definition of the term: So= mething someone does, that none one expected, that makes them money at ever= yone elses expense.
"""= ;

- Bryan
http://heybryan.org/
1 512 203= 0507
--001a113dd4621b7b03054c7e6940--