Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 0567AB78 for ; Thu, 18 May 2017 19:29:12 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-yw0-f171.google.com (mail-yw0-f171.google.com [209.85.161.171]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 707F015B for ; Thu, 18 May 2017 19:29:09 +0000 (UTC) Received: by mail-yw0-f171.google.com with SMTP id l74so25742775ywe.2 for ; Thu, 18 May 2017 12:29:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rgrant-org.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-transfer-encoding; bh=PUNvqSvy8lQf3TlIjYRS09hVMu55hEPImZrp5MZc6yI=; b=KYo3g3tYbFsk3wWr6k6p2oZhRNuRdqwv36tvZcbKmIPKBXA33A5UH2aJgyBn6yuBIA 0l9s6hVVmu/YvbfmklST/6Rkm6HOY29Ng8BwQlnjCJ3zkjKLnESc8YUSMYHXGN83FHsB /ZZjmPQp8pSKCAf1uIVUnxb8qGXMxqvgdfXr3RDJcnRsKTCsIBmdhhaKdVFODBGdwp6p yzGMG5iOa4wn/7/jg5sUwHE7OzExcvYDlnNmMyBm076oe/eVbuJKM8hbPtPqKKERBJC9 gBPKwj0I99t29nu6ms+FaRTJYW1MA3TKk962NoPETSrbxLmpx1/PsnhH6IV/JglSVfdr Qvew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:content-transfer-encoding; bh=PUNvqSvy8lQf3TlIjYRS09hVMu55hEPImZrp5MZc6yI=; b=p2ElEEJUkJ6SYdfz+qPFxH4oomknj8NsTnRRKR6A2sqDozZwrkU9QGT53ymugGx51N J1OyhpMI6WsLm40zC+Tg/Hjbs4ck8OioIvIlwd/OdHw4Exl2xXYVDIA6bwiOwu+UcpcF yRNsbGIABOcOXGV3aR+VfINSBDyTlAR+Lk0b38ccoc515rC6q1ULnYfTld2sGmGhOA9/ K6YB/zi+AvO/+g3JeVfkHcXNDSfyMtjFnjqflNO3a5ljtEsNJ2xphT7tFl/V/lMymo6w 7fjQQ2qpCzwtOQGX+1BYwptExpsbHH5YG5S6dnk/BjQ/5dvs97yCgX98ygF7xWQyKgV+ j6AQ== X-Gm-Message-State: AODbwcA3ehPN2bgS1MNJcBC6kVRLKWsnNSgxrcSqh+wTQnXrQEchPfGn O0M7cjyStg6RfaxrSXQwVZtF4IutIhyAOGKe8g== X-Received: by 10.129.153.8 with SMTP id q8mr4772147ywg.134.1495135748846; Thu, 18 May 2017 12:29:08 -0700 (PDT) MIME-Version: 1.0 Sender: rgrant@rgrant.org Received: by 10.37.63.65 with HTTP; Thu, 18 May 2017 12:28:38 -0700 (PDT) In-Reply-To: <4BA0FA5D-7B29-4A7F-BC5B-361ED00D5CB2@gmail.com> References: <4BA0FA5D-7B29-4A7F-BC5B-361ED00D5CB2@gmail.com> From: Ryan Grant Date: Thu, 18 May 2017 15:28:38 -0400 X-Google-Sender-Auth: 6jClIHIeNV9a0dGWfQRrHT5_8CA Message-ID: To: bitcoin-dev@lists.linuxfoundation.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] =?utf-8?b?VHJlYXRpbmcg4oCYQVNJQ0JPT1NU4oCZIGFzIGEg?= =?utf-8?q?Security_Vulnerability?= X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 May 2017 19:29:12 -0000 On Thu, May 18, 2017 at 9:44 AM, Cameron Garnham via bitcoin-dev wrote: > 3. We should assign a CVE to the vulnerability exploited by =E2=80=98= ASICBOOST=E2=80=99. > > =E2=80=98ASICBOOST=E2=80=99 is an attack on this Bitcoin=E2=80=99s securi= ty assumptions and > should be considered an exploit of the Bitcoin Proof-of-Work > Function. On Thu, May 18, 2017 at 10:59 AM, Tier Nolan via bitcoin-dev wrote: > Arguably as long as the effort to find a block is proportional to the blo= ck > difficulty parameter, then it isn't an exploit. It is just an optimisati= on. One principled way to proceed would be to fault not the exploit, but the protocol design. Bits in the block header have been discovered which could be used for dual meanings, and at least one meaning does not preserve the incentive balances intended and assumed by others. This unexpectedly creates an incentive to block protocol improvements. The protocol must be repaired. In this view, which focuses on covert-ASICBOOST, how work is done is up to the implementation. But if the hashing work specified possibly could gain from blocking development work, then we have a vulnerability. I believe this is clear grounds for taking action without any delay.