1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
|
Return-Path: <luvb@hotmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 405A098C
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 6 Apr 2017 12:02:41 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from APC01-PU1-obe.outbound.protection.outlook.com
(mail-oln040092254026.outbound.protection.outlook.com [40.92.254.26])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 5DBE9A4
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 6 Apr 2017 12:02:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=9t5pBT59nlcwQ5Uv3OzKFuSvNTKIdYz+TgFMLBhfQ2Y=;
b=NvLyBbmAmfTYOG0K2t3K7ziSTVXDWM1sY+ArdMlm/oDmtxu5pNk7Tgr0EphhWfTZoYXMKvFNmQAhErbJO6iEl6ngYLxs8wW/E9igN1v5QvPc/ZcFtwvNjxOA5kY+iz+h8zegCkOk509ELmc/GIQ8xl2RZkCclhjMKFyDwM0K/a+yJ4OEDE7NU4ryElEreNiOMFKQwF+KSDN3uQ3fRsnGwLSq0wxy/x8dg9FisCpNdK7zpEY+Jrkt25gfDh0yOy+x0SVXgAaPoWf+bkUzAVoM7BjZA6aO8B5DMIjmGv7Zwn2AXlAV4pY9bS36+Cjm6XJqNGlH8wcmjt9Z9qTPF+sa6A==
Received: from PU1APC01FT039.eop-APC01.prod.protection.outlook.com
(10.152.252.51) by PU1APC01HT240.eop-APC01.prod.protection.outlook.com
(10.152.252.254) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1019.14;
Thu, 6 Apr 2017 12:02:32 +0000
Received: from SINPR04MB1949.apcprd04.prod.outlook.com (10.152.252.58) by
PU1APC01FT039.mail.protection.outlook.com (10.152.253.127) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1019.14 via
Frontend Transport; Thu, 6 Apr 2017 12:02:32 +0000
Received: from SINPR04MB1949.apcprd04.prod.outlook.com
([fe80::478:e8f6:541:de19]) by SINPR04MB1949.apcprd04.prod.outlook.com
([fe80::478:e8f6:541:de19%18]) with mapi id 15.01.1019.014;
Thu, 6 Apr 2017 12:02:32 +0000
From: Luv Khemani <luvb@hotmail.com>
To: Gregory Maxwell <greg@xiph.org>, Bitcoin Protocol Discussion
<bitcoin-dev@lists.linuxfoundation.org>
Thread-Topic: [bitcoin-dev] BIP proposal: Inhibiting a covert attack on the
Bitcoin POW function
Thread-Index: AQHSrlUf0BQ3K7r65ESU9KTSZsKj06G4NI5W
Date: Thu, 6 Apr 2017 12:02:32 +0000
Message-ID: <SINPR04MB19493BB6268FBC75F107C2BAC20D0@SINPR04MB1949.apcprd04.prod.outlook.com>
References: <CAAS2fgR84898xD0nyq7ykJnB7qkdoCJYnFg6z5WZEUu0+-=mMA@mail.gmail.com>
In-Reply-To: <CAAS2fgR84898xD0nyq7ykJnB7qkdoCJYnFg6z5WZEUu0+-=mMA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: xiph.org; dkim=none (message not signed)
header.d=none; xiph.org; dmarc=none action=none header.from=hotmail.com;
x-incomingtopheadermarker: OriginalChecksum:F8AEFF9E2DA08F6451B5609D5B730D6D251AC4489FB53D56A0F02D8CA94A4331;
UpperCasedChecksum:6C64495D57302D4D1727C8B364FA54435750B58F2CB48AE6120834D42A7F86E5;
SizeAsReceived:8170; Count:42
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [V6H6LcmKJHgXvOGKUhURkKzvnLizTBGb]
x-microsoft-exchange-diagnostics: 1; PU1APC01HT240;
5:wFdnSMGkFpVRtPqO/4o+lKo9hbl7xL+AWgZEtY9Ow678KLkKY4n28AegU8zZee/yK3fdw4DbOkG62fb2b0vmfwIIESVzSKoToTNm/3Twb36cl9/P0pnNSbvf2VAC/+fyyALWV6atbaeR2vM57+ygzA==;
24:PxFUKp2FsNYi5f/J1P/32uU4lSpJ8DzXlRO/NqfL2U1QfFvEGtvHW1AX2OC125FWlj/IfRBVAXCjRSaAopbypht5PycCPandW+9QItgnJbk=;
7:WoBz+A7k2NfA3u2CNoBR4CCmkBn25NcfBKOL+p2R3lBlHO5UiXW3O5kfO634tLlAWj9Bl8MP6buJoAWq2m7IYodjzR6ikL8RYYzdEK4zmC0e4h22mt8k6XujG/KwnzeW2ICguV9qbhdVI4EF7SWHverdwFEogV7IQ4bMbHca+Sudl+kJoAzYrQlkqagwZ3rDW1WlpnHwMH7yKUz8qk++JI60RMHmGejhIMAUv2ISkjTnegXIpghqHGLkPXi6b43V5DX1CJvI+nyIgPi13dpy93Eo8IxSb510fFT3kYANq3vyLHyzYHh7G5lcNQfpGWum
x-incomingheadercount: 42
x-eopattributedmessage: 0
x-forefront-antispam-report: EFV:NLI; SFV:NSPM; SFS:(7070007)(98901004);
DIR:OUT; SFP:1901; SCL:1; SRVR:PU1APC01HT240;
H:SINPR04MB1949.apcprd04.prod.outlook.com; FPR:; SPF:None;
LANG:en;
x-ms-office365-filtering-correlation-id: 9fcb4475-d70f-478b-b7ae-08d47ce4ce93
x-microsoft-antispam: UriScan:; BCL:0; PCL:0;
RULEID:(22001)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031322274)(1603101448)(1601125374)(1701031045);
SRVR:PU1APC01HT240;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031);
SRVR:PU1APC01HT240; BCL:0; PCL:0; RULEID:; SRVR:PU1APC01HT240;
x-forefront-prvs: 02698DF457
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative;
boundary="_000_SINPR04MB19493BB6268FBC75F107C2BAC20D0SINPR04MB1949apcp_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Apr 2017 12:02:32.5476 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PU1APC01HT240
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,LOTS_OF_MONEY,
RCVD_IN_DNSWL_NONE,T_MONEY_PERCENT autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Thu, 06 Apr 2017 12:10:10 +0000
Subject: Re: [bitcoin-dev] BIP proposal: Inhibiting a covert attack on
the Bitcoin POW function
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 12:02:41 -0000
--_000_SINPR04MB19493BB6268FBC75F107C2BAC20D0SINPR04MB1949apcp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hi Greg
Great work in discovering this!
> A month ago I was explaining the attack on Bitcoin's SHA2 hashcash which
is exploited by ASICBOOST and the various steps which could be used to
block it in the network if it became a problem.
Could you elaborate on why you consider ASICBOOST to be an attack? Attack h=
ere implies ill-intent by the practitioner towards the network as a primary=
motivating factor.
Personally, i see this as a miner acting in his self-interest and had i bee=
n a miner and knew about the covert method, i would use it too.
So while i'm no fan of Bitmain/Jihan, i do not condone the vilification he =
has received over the use of ASICBOOST to gain an edge.
I know i'm griping over semantics, but in the current political climate, th=
ey can be amplified by some to cause more drama than is healthy.
Other thoughts:
Several people have commented that blocking the use of this covert techniqu=
e is unethical or "wrong".
To quote Emin:
>Taking action to block this is similar to the government taking measures t=
o block Elon Musk's more efficient electric cars. Specifically prosecuting =
a chosen miner, in the current political climate, would send a terrible mes=
sage of absolute centralization in the hands of one particular developer gr=
oup, and it would severely damage Bitcoin mining and the coin's security.
This is a poor analogy and extremely misleading as the the basis for blocki=
ng has nothing to do with efficiency and more to do with the following:
1) Blocking upgrades to the protocol that are deemed by the vast majority o=
f the technical community/Bitcoin Businesses as being the best way forward
2) An advantage by a miner/group, especially one with majority hashrate is =
a threat to decentralisation and security of the network and it is entirely=
justifiable for devs to nullify such an advantage.
You can see it as an arms race where miners are always finding ways to gain=
an edge and devs trying to discover such edges and nullify them to level t=
he playing field.
This is how the game works and it should not be viewed in a political angle=
or taken personally by either party. Miners are acting in their self-inter=
est and Devs are trying to secure the network and increase decentralisation=
.
Both are doing their job.
Just by revealing the info, you have effectively ensured the nullification =
of any edge enjoyed by miners using the covert technique in the medium to l=
ong term.
Either miners not using the technique will all start signalling for SegWit =
to nullify their competitors edge or they will procure hardware which has t=
he edge.
Given the threat to decentralisation, i also believe UASF will gain more mo=
mentum as users seek to protect the network from further miner centralisati=
on.
________________________________
From: bitcoin-dev-bounces@lists.linuxfoundation.org <bitcoin-dev-bounces@li=
sts.linuxfoundation.org> on behalf of Gregory Maxwell via bitcoin-dev <bitc=
oin-dev@lists.linuxfoundation.org>
Sent: Thursday, April 6, 2017 5:37 AM
To: Bitcoin Dev
Subject: [bitcoin-dev] BIP proposal: Inhibiting a covert attack on the Bitc=
oin POW function
A month ago I was explaining the attack on Bitcoin's SHA2 hashcash which
is exploited by ASICBOOST and the various steps which could be used to
block it in the network if it became a problem.
While most discussion of ASICBOOST has focused on the overt method
of implementing it, there also exists a covert method for using it.
As I explained one of the approaches to inhibit covert ASICBOOST I
realized that my words were pretty much also describing the SegWit
commitment structure.
The authors of the SegWit proposal made a specific effort to not be
incompatible with any mining system and, in particular, changed the
design at one point to accommodate mining chips with forced payout
addresses.
Had there been awareness of exploitation of this attack an effort
would have been made to avoid incompatibility-- simply to separate
concerns. But the best methods of implementing the covert attack
are significantly incompatible with virtually any method of
extending Bitcoin's transaction capabilities; with the notable
exception of extension blocks (which have their own problems).
An incompatibility would go a long way to explain some of the
more inexplicable behavior from some parties in the mining
ecosystem so I began looking for supporting evidence.
Reverse engineering of a particular mining chip has demonstrated
conclusively that ASICBOOST has been implemented
in hardware.
On that basis, I offer the following BIP draft for discussion.
This proposal does not prevent the attack in general, but only
inhibits covert forms of it which are incompatible with
improvements to the Bitcoin protocol.
I hope that even those of us who would strongly prefer that
ASICBOOST be blocked completely can come together to support
a protective measure that separates concerns by inhibiting
the covert use of it that potentially blocks protocol improvements.
The specific activation height is something I currently don't have
a strong opinion, so I've left it unspecified for the moment.
<pre>
BIP: TBD
Layer: Consensus
Title: Inhibiting a covert attack on the Bitcoin POW function
Author: Greg Maxwell <greg@xiph.org>
Status: Draft
Type: Standards Track
Created: 2016-04-05
License: PD
</pre>
=3D=3DAbstract=3D=3D
This proposal inhibits the covert exploitation of a known
vulnerability in Bitcoin Proof of Work function.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
=3D=3DMotivation=3D=3D
Due to a design oversight the Bitcoin proof of work function has a potentia=
l
attack which can allow an attacking miner to save up-to 30% of their energy
costs (though closer to 20% is more likely due to implementation overheads)=
.
Timo Hanke and Sergio Demian Lerner claim to hold a patent on this attack,
which they have so far not licensed for free and open use by the public.
They have been marketing their patent licenses under the trade-name
ASICBOOST. The document takes no position on the validity or enforceabilit=
y
of the patent.
There are two major ways of exploiting the underlying vulnerability: One
obvious way which is highly detectable and is not in use on the network
today and a covert way which has significant interaction and potential
interference with the Bitcoin protocol. The covert mechanism is not
easily detected except through its interference with the protocol.
In particular, the protocol interactions of the covert method can block the
implementation of virtuous improvements such as segregated witness.
Exploitation of this vulnerability could result in payoff of as much as
$100 million USD per year at the time this was written (Assuming at
50% hash-power miner was gaining a 30% power advantage and that mining
was otherwise at profit equilibrium). This could have a phenomenal
centralizing effect by pushing mining out of profitability for all
other participants, and the income from secretly using this
optimization could be abused to significantly distort the Bitcoin
ecosystem in order to preserve the advantage.
Reverse engineering of a mining ASIC from a major manufacture has
revealed that it contains an undocumented, undisclosed ability
to make use of this attack. (The parties claiming to hold a
patent on this technique were completely unaware of this use.)
On the above basis the potential for covert exploitation of this
vulnerability and the resulting inequality in the mining process
and interference with useful improvements presents a clear and
present danger to the Bitcoin system which requires a response.
=3D=3DBackground=3D=3D
The general idea of this attack is that SHA2-256 is a merkle damgard hash
function which consumes 64 bytes of data at a time.
The Bitcoin mining process repeatedly hashes an 80-byte 'block header' whil=
e
incriminating a 32-bit nonce which is at the end of this header data. This
means that the processing of the header involves two runs of the compressio=
n
function run-- one that consumes the first 64 bytes of the header and a
second which processes the remaining 16 bytes and padding.
The initial 'message expansion' operations in each step of the SHA2-256
function operate exclusively on that step's 64-bytes of input with no
influence from prior data that entered the hash.
Because of this if a miner is able to prepare a block header with
multiple distinct first 64-byte chunks but identical 16-byte
second chunks they can reuse the computation of the initial
expansion for multiple trials. This reduces power consumption.
There are two broad ways of making use of this attack. The obvious
way is to try candidates with different version numbers. Beyond
upsetting the soft-fork detection logic in Bitcoin nodes this has
little negative effect but it is highly conspicuous and easily
blocked.
The other method is based on the fact that the merkle root
committing to the transactions is contained in the first 64-bytes
except for the last 4 bytes of it. If the miner finds multiple
candidate root values which have the same final 32-bit then they
can use the attack.
To find multiple roots with the same trailing 32-bits the miner can
use efficient collision finding mechanism which will find a match
with as little as 2^16 candidate roots expected, 2^24 operations to
find a 4-way hit, though low memory approaches require more
computation.
An obvious way to generate different candidates is to grind the
coinbase extra-nonce but for non-empty blocks each attempt will
require 13 or so additional sha2 runs which is very inefficient.
This inefficiency can be avoided by computing a sqrt number of
candidates of the left side of the hash tree (e.g. using extra
nonce grinding) then an additional sqrt number of candidates of
the right side of the tree using transaction permutation or
substitution of a small number of transactions. All combinations
of the left and right side are then combined with only a single
hashing operation virtually eliminating all tree related
overhead.
With this final optimization finding a 4-way collision with a
moderate amount of memory requires ~2^24 hashing operations
instead of the >2^28 operations that would be require for
extra-nonce grinding which would substantially erode the
benefit of the attack.
It is this final optimization which this proposal blocks.
=3D=3DNew consensus rule=3D=3D
Beginning block X and until block Y the coinbase transaction of
each block MUST either contain a BIP-141 segwit commitment or a
correct WTXID commitment with ID 0xaa21a9ef.
(See BIP-141 "Commitment structure" for details)
Existing segwit using miners are automatically compatible with
this proposal. Non-segwit miners can become compatible by simply
including an additional output matching a default commitment
value returned as part of getblocktemplate.
Miners SHOULD NOT automatically discontinue the commitment
at the expiration height.
=3D=3DDiscussion=3D=3D
The commitment in the left side of the tree to all transactions
in the right side completely prevents the final sqrt speedup.
A stronger inhibition of the covert attack in the form of
requiring the least significant bits of the block timestamp
to be equal to a hash of the first 64-bytes of the header. This
would increase the collision space from 32 to 40 or more bits.
The root value could be required to meet a specific hash prefix
requirement in order to increase the computational work required
to try candidate roots. These change would be more disruptive and
there is no reason to believe that it is currently necessary.
The proposed rule automatically sunsets. If it is no longer needed
due to the introduction of stronger rules or the acceptance of the
version-grinding form then there would be no reason to continue
with this requirement. If it is still useful at the expiration
time the rule can simply be extended with a new softfork that
sets longer date ranges.
This sun-setting avoids the accumulation of technical debt due
to retaining enforcement of this rule when it is no longer needed
without requiring a hard fork to remove it.
=3D=3D Overt attack =3D=3D
The non-covert form can be trivially blocked by requiring that
the header version match the coinbase transaction version.
This proposal does not include this block because this method
may become generally available without restriction in the future,
does not generally interfere with improvements in the protocol,
and because it is so easily detected that it could be blocked if
it becomes an issue in the future.
=3D=3DBackward compatibility=3D=3D
=3D=3DImplementation=3D=3D
=3D=3DAcknowledgments=3D=3D
=3D=3DCopyright=3D=3D
This document is placed in the public domain.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
bitcoin-dev -- Bitcoin Protocol Discussion - Linux Foundation<https://lists=
.linuxfoundation.org/mailman/listinfo/bitcoin-dev>
lists.linuxfoundation.org
Bitcoin development and protocol discussion. This list is lightly moderated=
. - No offensive posts, no personal attacks. - Posts must concern developme=
nt of bitcoin ...
--_000_SINPR04MB19493BB6268FBC75F107C2BAC20D0SINPR04MB1949apcp_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;font=
-family:Calibri,Arial,Helvetica,sans-serif;" dir=3D"ltr">
<p>Hi Greg</p>
<p><br>
</p>
<p>Great work in discovering this!</p>
<p><br>
</p>
<p>> <span style=3D"font-family: Calibri, Arial, Helvetica, sans-se=
rif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEm=
oji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; =
font-size: 13.3333px;">A month ago I was explaining the attack on Bitcoin's=
SHA2 hashcash
which</span><br style=3D"font-family: Calibri, Arial, Helvetica, sans-seri=
f, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoj=
i, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; fo=
nt-size: 13.3333px;">
<span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif, "Ap=
ple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Se=
goe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 13=
.3333px;">is exploited by ASICBOOST and the various steps which could be us=
ed
to</span><br style=3D"font-family: Calibri, Arial, Helvetica, sans-serif, =
"Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, =
"Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-=
size: 13.3333px;">
<span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif, "Ap=
ple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Se=
goe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 13=
.3333px;">block it in the network if it became a problem.</span></p>
<p><span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif, "=
;Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "=
;Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size:=
13.3333px;"><br>
</span></p>
<p><span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif, "=
;Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "=
;Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size:=
16px;">Could you elaborate on why you consider ASICBOOST to be an attack?
Attack here implies ill-intent by the practitioner towards the networ=
k as a primary motivating factor.</span><br>
</p>
<p><span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif, "=
;Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "=
;Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size:=
16px;">Personally, i see this as a miner acting in his self-interest and
had i been a miner and knew about the covert method, i would use it too.</=
span></p>
<p>So while i'm no fan of Bitmain/Jihan, i do not condone the vilification =
he has received over the use of ASICBOOST to gain an edge.</p>
<p>I know i'm griping over semantics, but in the current political climate,=
they can be amplified by some to cause more drama than is healthy.</p>
<p><br>
</p>
<p>Other thoughts:</p>
<p><br>
</p>
Several people have commented that blocking the use of this covert techniqu=
e is unethical or "wrong".
<div>To quote Emin:</div>
<div><br>
</div>
<div><i></i><span><i>>Taking action to block this is similar to the gove=
rnment taking measures to block Elon Musk's more efficient electric cars. S=
pecifically prosecuting a chosen miner, in the current political climate, w=
ould send a terrible message of absolute
centralization in the hands of one particular developer group, and it woul=
d severely damage Bitcoin mining and the coin's security.</i></span><br>
<br>
This is a poor analogy and extremely misleading as the the basis for b=
locking has nothing to do with efficiency and more to do with the following=
:</div>
<div><br>
</div>
<div>1) Blocking upgrades to the protocol that are deemed by the vast major=
ity of the technical community/Bitcoin Businesses as being the best wa=
y forward</div>
<div><br>
</div>
<div>2) An advantage by a miner/group, especially one with majority hashrat=
e is a threat to decentralisation and security of the network and it is ent=
irely justifiable for devs to nullify such an advantage.</div>
<div>You can see it as an arms race where miners are always findi=
ng ways to gain an edge and devs trying to discover such edges and nullify =
them to level the playing field. </div>
<div>This is how the game works and it should not be viewed in a political =
angle or taken personally by either party. Miners are acting in their self-=
interest and Devs are trying to secure the network and increase decentralis=
ation.</div>
<div>Both are doing their job.</div>
<div><br>
</div>
<div>Just by revealing the info, you have effectively ensured the null=
ification of any edge enjoyed by miners using the covert techniqu=
e in the medium to long term.</div>
<div>Either miners not using the technique will all start signalling for Se=
gWit to nullify their competitors edge or they will procure hardware w=
hich has the edge. </div>
<div><br>
</div>
<div>Given the threat to decentralisation, i also believe UASF will gain mo=
re momentum as users seek to protect the network from further miner central=
isation.</div>
<div><br>
</div>
<div><br>
<div style=3D"color: rgb(0, 0, 0);">
<div>
<hr tabindex=3D"-1" style=3D"display:inline-block; width:98%">
<div id=3D"x_divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" =
color=3D"#000000" style=3D"font-size:11pt"><b>From:</b> bitcoin-dev-bounces=
@lists.linuxfoundation.org <bitcoin-dev-bounces@lists.linuxfoundation.or=
g> on behalf of Gregory Maxwell via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org><br>
<b>Sent:</b> Thursday, April 6, 2017 5:37 AM<br>
<b>To:</b> Bitcoin Dev<br>
<b>Subject:</b> [bitcoin-dev] BIP proposal: Inhibiting a covert attack on t=
he Bitcoin POW function</font>
<div> </div>
</div>
</div>
<font size=3D"2"><span style=3D"font-size:10pt;">
<div class=3D"PlainText">A month ago I was explaining the attack on Bitcoin=
's SHA2 hashcash which<br>
is exploited by ASICBOOST and the various steps which could be used to<br>
block it in the network if it became a problem.<br>
<br>
While most discussion of ASICBOOST has focused on the overt method<br>
of implementing it, there also exists a covert method for using it.<br>
<br>
As I explained one of the approaches to inhibit covert ASICBOOST I<br>
realized that my words were pretty much also describing the SegWit<br>
commitment structure.<br>
<br>
The authors of the SegWit proposal made a specific effort to not be<br>
incompatible with any mining system and, in particular, changed the<br>
design at one point to accommodate mining chips with forced payout<br>
addresses.<br>
<br>
Had there been awareness of exploitation of this attack an effort<br>
would have been made to avoid incompatibility-- simply to separate<br>
concerns. But the best methods of implementing the covert attack<br>
are significantly incompatible with virtually any method of<br>
extending Bitcoin's transaction capabilities; with the notable<br>
exception of extension blocks (which have their own problems).<br>
<br>
An incompatibility would go a long way to explain some of the<br>
more inexplicable behavior from some parties in the mining<br>
ecosystem so I began looking for supporting evidence.<br>
<br>
Reverse engineering of a particular mining chip has demonstrated<br>
conclusively that ASICBOOST has been implemented<br>
in hardware.<br>
<br>
On that basis, I offer the following BIP draft for discussion.<br>
This proposal does not prevent the attack in general, but only<br>
inhibits covert forms of it which are incompatible with<br>
improvements to the Bitcoin protocol.<br>
<br>
I hope that even those of us who would strongly prefer that<br>
ASICBOOST be blocked completely can come together to support<br>
a protective measure that separates concerns by inhibiting<br>
the covert use of it that potentially blocks protocol improvements.<br>
<br>
The specific activation height is something I currently don't have<br>
a strong opinion, so I've left it unspecified for the moment.<br>
<br>
<pre><br>
BIP: TBD<br>
Layer: Consensus<br>
Title: Inhibiting a covert attack on the Bitcoin POW function<br>
Author: Greg Maxwell <greg@xiph.org><br>
Status: Draft<br>
Type: Standards Track<br>
Created: 2016-04-05<br>
License: PD<br>
</pre><br>
<br>
=3D=3DAbstract=3D=3D<br>
<br>
This proposal inhibits the covert exploitation of a known<br>
vulnerability in Bitcoin Proof of Work function.<br>
<br>
The key words "MUST", "MUST NOT", "REQUIRED",=
"SHALL", "SHALL NOT",<br>
"SHOULD", "SHOULD NOT", "RECOMMENDED", "=
MAY", and "OPTIONAL" in this<br>
document are to be interpreted as described in RFC 2119.<br>
<br>
=3D=3DMotivation=3D=3D<br>
<br>
Due to a design oversight the Bitcoin proof of work function has a potentia=
l<br>
attack which can allow an attacking miner to save up-to 30% of their energy=
<br>
costs (though closer to 20% is more likely due to implementation overheads)=
.<br>
<br>
Timo Hanke and Sergio Demian Lerner claim to hold a patent on this attack,<=
br>
which they have so far not licensed for free and open use by the public.<br=
>
They have been marketing their patent licenses under the trade-name<br>
ASICBOOST. The document takes no position on the validity or enforcea=
bility<br>
of the patent.<br>
<br>
There are two major ways of exploiting the underlying vulnerability: One<br=
>
obvious way which is highly detectable and is not in use on the network<br>
today and a covert way which has significant interaction and potential<br>
interference with the Bitcoin protocol. The covert mechanism is not<b=
r>
easily detected except through its interference with the protocol.<br>
<br>
In particular, the protocol interactions of the covert method can block the=
<br>
implementation of virtuous improvements such as segregated witness.<br>
<br>
Exploitation of this vulnerability could result in payoff of as much as<br>
$100 million USD per year at the time this was written (Assuming at<br>
50% hash-power miner was gaining a 30% power advantage and that mining<br>
was otherwise at profit equilibrium). This could have a phenomenal<br=
>
centralizing effect by pushing mining out of profitability for all<br>
other participants, and the income from secretly using this<br>
optimization could be abused to significantly distort the Bitcoin<br>
ecosystem in order to preserve the advantage.<br>
<br>
Reverse engineering of a mining ASIC from a major manufacture has<br>
revealed that it contains an undocumented, undisclosed ability<br>
to make use of this attack. (The parties claiming to hold a<br>
patent on this technique were completely unaware of this use.)<br>
<br>
On the above basis the potential for covert exploitation of this<br>
vulnerability and the resulting inequality in the mining process<br>
and interference with useful improvements presents a clear and<br>
present danger to the Bitcoin system which requires a response.<br>
<br>
=3D=3DBackground=3D=3D<br>
<br>
The general idea of this attack is that SHA2-256 is a merkle damgard hash<b=
r>
function which consumes 64 bytes of data at a time.<br>
<br>
The Bitcoin mining process repeatedly hashes an 80-byte 'block header' whil=
e<br>
incriminating a 32-bit nonce which is at the end of this header data. This<=
br>
means that the processing of the header involves two runs of the compressio=
n<br>
function run-- one that consumes the first 64 bytes of the header and a<br>
second which processes the remaining 16 bytes and padding.<br>
<br>
The initial 'message expansion' operations in each step of the SHA2-256<br>
function operate exclusively on that step's 64-bytes of input with no<br>
influence from prior data that entered the hash.<br>
<br>
Because of this if a miner is able to prepare a block header with<br>
multiple distinct first 64-byte chunks but identical 16-byte<br>
second chunks they can reuse the computation of the initial<br>
expansion for multiple trials. This reduces power consumption.<br>
<br>
There are two broad ways of making use of this attack. The obvious<br>
way is to try candidates with different version numbers. Beyond<br>
upsetting the soft-fork detection logic in Bitcoin nodes this has<br>
little negative effect but it is highly conspicuous and easily<br>
blocked.<br>
<br>
The other method is based on the fact that the merkle root<br>
committing to the transactions is contained in the first 64-bytes<br>
except for the last 4 bytes of it. If the miner finds multiple<br>
candidate root values which have the same final 32-bit then they<br>
can use the attack.<br>
<br>
To find multiple roots with the same trailing 32-bits the miner can<br>
use efficient collision finding mechanism which will find a match<br>
with as little as 2^16 candidate roots expected, 2^24 operations to<br>
find a 4-way hit, though low memory approaches require more<br>
computation.<br>
<br>
An obvious way to generate different candidates is to grind the<br>
coinbase extra-nonce but for non-empty blocks each attempt will<br>
require 13 or so additional sha2 runs which is very inefficient.<br>
<br>
This inefficiency can be avoided by computing a sqrt number of<br>
candidates of the left side of the hash tree (e.g. using extra<br>
nonce grinding) then an additional sqrt number of candidates of<br>
the right side of the tree using transaction permutation or<br>
substitution of a small number of transactions. All combinations<br>
of the left and right side are then combined with only a single<br>
hashing operation virtually eliminating all tree related<br>
overhead.<br>
<br>
With this final optimization finding a 4-way collision with a<br>
moderate amount of memory requires ~2^24 hashing operations<br>
instead of the >2^28 operations that would be require for<br>
extra-nonce grinding which would substantially erode the<br>
benefit of the attack.<br>
<br>
It is this final optimization which this proposal blocks.<br>
<br>
=3D=3DNew consensus rule=3D=3D<br>
<br>
Beginning block X and until block Y the coinbase transaction of<br>
each block MUST either contain a BIP-141 segwit commitment or a<br>
correct WTXID commitment with ID 0xaa21a9ef.<br>
<br>
(See BIP-141 "Commitment structure" for details)<br>
<br>
Existing segwit using miners are automatically compatible with<br>
this proposal. Non-segwit miners can become compatible by simply<br>
including an additional output matching a default commitment<br>
value returned as part of getblocktemplate.<br>
<br>
Miners SHOULD NOT automatically discontinue the commitment<br>
at the expiration height.<br>
<br>
=3D=3DDiscussion=3D=3D<br>
<br>
The commitment in the left side of the tree to all transactions<br>
in the right side completely prevents the final sqrt speedup.<br>
<br>
A stronger inhibition of the covert attack in the form of<br>
requiring the least significant bits of the block timestamp<br>
to be equal to a hash of the first 64-bytes of the header. This<br>
would increase the collision space from 32 to 40 or more bits.<br>
The root value could be required to meet a specific hash prefix<br>
requirement in order to increase the computational work required<br>
to try candidate roots. These change would be more disruptive and<br>
there is no reason to believe that it is currently necessary.<br>
<br>
The proposed rule automatically sunsets. If it is no longer needed<br>
due to the introduction of stronger rules or the acceptance of the<br>
version-grinding form then there would be no reason to continue<br>
with this requirement. If it is still useful at the expiration<br>
time the rule can simply be extended with a new softfork that<br>
sets longer date ranges.<br>
<br>
This sun-setting avoids the accumulation of technical debt due<br>
to retaining enforcement of this rule when it is no longer needed<br>
without requiring a hard fork to remove it.<br>
<br>
=3D=3D Overt attack =3D=3D<br>
<br>
The non-covert form can be trivially blocked by requiring that<br>
the header version match the coinbase transaction version.<br>
<br>
This proposal does not include this block because this method<br>
may become generally available without restriction in the future,<br>
does not generally interfere with improvements in the protocol,<br>
and because it is so easily detected that it could be blocked if<br>
it becomes an issue in the future.<br>
<br>
=3D=3DBackward compatibility=3D=3D<br>
<br>
<br>
=3D=3DImplementation=3D=3D<br>
<br>
<br>
=3D=3DAcknowledgments=3D=3D<br>
<br>
<br>
=3D=3DCopyright=3D=3D<br>
<br>
This document is placed in the public domain.<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
bitcoin-dev@lists.linuxfoundation.org<br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
id=3D"LPlnk519544" previewremoved=3D"true">https://lists.linuxfoundation.or=
g/mailman/listinfo/bitcoin-dev</a>
<div id=3D"LPBorder_GT_14914779708460.1275889041172491" style=3D"margin-bot=
tom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id=3D"LPContainer_14914779708430.6391837727881977" role=3D"presentat=
ion" cellspacing=3D"0" style=3D"width: 90%; background-color: rgb(255, 255,=
255); position: relative; overflow: auto; padding-top: 20px; padding-botto=
m: 20px; margin-top: 20px; border-top: 1px dotted rgb(200, 200, 200); borde=
r-bottom: 1px dotted rgb(200, 200, 200);">
<tbody>
<tr valign=3D"top" style=3D"border-spacing: 0px;">
<td id=3D"TextCell_14914779708440.3747157755215689" colspan=3D"2" style=3D"=
vertical-align: top; position: relative; padding: 0px; display: table-cell;=
">
<div id=3D"LPRemovePreviewContainer_14914779708440.6010049460283657"></div>
<div id=3D"LPTitle_14914779708440.5364067327594058" style=3D"top: 0px; colo=
r: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_=
segoe-ui_light, "Segoe UI Light", "Segoe WP Light", &qu=
ot;Segoe UI", "Segoe WP", Tahoma, Arial, "Apple Color E=
moji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symb=
ol", "Android Emoji", EmojiSymbols, sans-serif; line-height:=
21px;">
<a id=3D"LPUrlAnchor_14914779708450.35914654150375735" href=3D"https://list=
s.linuxfoundation.org/mailman/listinfo/bitcoin-dev" target=3D"_blank" style=
=3D"text-decoration: none;">bitcoin-dev -- Bitcoin Protocol Discussion - Li=
nux Foundation</a></div>
<div id=3D"LPMetadata_14914779708450.7480051946749007" style=3D"margin: 10p=
x 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf=
_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial=
, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji=
, "Segoe UI Symbol", "Android Emoji", EmojiSymbols, san=
s-serif; font-size: 14px; line-height: 14px;">
lists.linuxfoundation.org</div>
<div id=3D"LPDescription_14914779708450.8262054407680588" style=3D"display:=
block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_seg=
oe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, &q=
uot;Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, &q=
uot;Segoe UI Symbol", "Android Emoji", EmojiSymbols, sans-se=
rif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidde=
n;">
Bitcoin development and protocol discussion. This list is lightly moderated=
. - No offensive posts, no personal attacks. - Posts must concern developme=
nt of bitcoin ...</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
</div>
</span></font></div>
</div>
</div>
</body>
</html>
--_000_SINPR04MB19493BB6268FBC75F107C2BAC20D0SINPR04MB1949apcp_--
|