The Problem with ASICBOOST

Similar documents
CPSC 467: Cryptography and Computer Security

Some Attacks on Merkle-Damgård Hashes

1 Maintaining a Dictionary

/633 Introduction to Algorithms Lecturer: Michael Dinitz Topic: Dynamic Programming II Date: 10/12/17

Quiz 1 Solutions. Problem 2. Asymptotics & Recurrences [20 points] (3 parts)

New Attacks on the Concatenation and XOR Hash Combiners

CS1800: Mathematical Induction. Professor Kevin Gold

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Foundations of Network and Computer Security

1 Terminology and setup

Notes for Lecture 9. 1 Combining Encryption and Authentication

CPSC 467: Cryptography and Computer Security

Foundations of Network and Computer Security

1 Closest Pair of Points on the Plane

Integer Sorting on the word-ram

CSCB63 Winter Week10 - Lecture 2 - Hashing. Anna Bretscher. March 21, / 30

Attacks on hash functions. Birthday attacks and Multicollisions

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

IMBALANCED DATA. Phishing. Admin 9/30/13. Assignment 3: - how did it go? - do the experiments help? Assignment 4. Course feedback

N/4 + N/2 + N = 2N 2.

Conditional probabilities and graphical models

1 Probability Review. CS 124 Section #8 Hashing, Skip Lists 3/20/17. Expectation (weighted average): the expectation of a random quantity X is:

Notes on Logarithmic Lower Bounds in the Cell Probe Model

We might divide A up into non-overlapping groups based on what dorm they live in:

CPSC 467: Cryptography and Computer Security

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Analysis of Algorithms I: Perfect Hashing

Compute the Fourier transform on the first register to get x {0,1} n x 0.

Lecture 18 April 26, 2012

Hidden Markov Models: All the Glorious Gory Details

Chapter 1: Useful definitions

CS361 Homework #3 Solutions

CPSC 320 Sample Final Examination December 2013

Computational Complexity. This lecture. Notes. Lecture 02 - Basic Complexity Analysis. Tom Kelsey & Susmit Sarkar. Notes

Lecture 4: Constructing the Integers, Rationals and Reals

1 Seidel s LP algorithm

Chapter 2. Mathematical Reasoning. 2.1 Mathematical Models

Bayes Networks. CS540 Bryan R Gibson University of Wisconsin-Madison. Slides adapted from those used by Prof. Jerry Zhu, CS540-1

CS 124 Math Review Section January 29, 2018

COMPUTING SIMILARITY BETWEEN DOCUMENTS (OR ITEMS) This part is to a large extent based on slides obtained from

MATRIX MULTIPLICATION AND INVERSION

IE418 Integer Programming

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Fourier Sampling & Simon s Algorithm

Lecture 2 - Length Contraction

1 Reductions and Expressiveness

Conditional Probability, Independence and Bayes Theorem Class 3, Jeremy Orloff and Jonathan Bloom

Fall 2011, EE123 Digital Signal Processing

Quiz 2. Due November 26th, CS525 - Advanced Database Organization Solutions

CSE 417. Chapter 4: Greedy Algorithms. Many Slides by Kevin Wayne. Copyright 2005 Pearson-Addison Wesley. All rights reserved.

Probabilistic Near-Duplicate. Detection Using Simhash

The Blockchain folk theorem

Introduction to Hashtables

1 Probabilities. 1.1 Basics 1 PROBABILITIES

Proof Techniques (Review of Math 271)

CPSC 340: Machine Learning and Data Mining. Stochastic Gradient Fall 2017

4.4 Recurrences and Big-O

15-451/651: Design & Analysis of Algorithms October 31, 2013 Lecture #20 last changed: October 31, 2013

Asymptotic Analysis and Recurrences

Lecture: Analysis of Algorithms (CS )

Quick Sort Notes , Spring 2010

b + O(n d ) where a 1, b > 1, then O(n d log n) if a = b d d ) if a < b d O(n log b a ) if a > b d

CS246 Final Exam, Winter 2011

Lecture 2: Divide and conquer and Dynamic programming

Quiz 1 Solutions. (a) f 1 (n) = 8 n, f 2 (n) = , f 3 (n) = ( 3) lg n. f 2 (n), f 1 (n), f 3 (n) Solution: (b)

CSE 502 Class 11 Part 2

Part A. P (w 1 )P (w 2 w 1 )P (w 3 w 1 w 2 ) P (w M w 1 w 2 w M 1 ) P (w 1 )P (w 2 w 1 )P (w 3 w 2 ) P (w M w M 1 )

Quantum Preimage and Collision Attacks on CubeHash

EE123 Digital Signal Processing

Vector, Matrix, and Tensor Derivatives

Cosets and Lagrange s theorem

Data Mining Classification

2.6 Complexity Theory for Map-Reduce. Star Joins 2.6. COMPLEXITY THEORY FOR MAP-REDUCE 51

NP-Completeness I. Lecture Overview Introduction: Reduction and Expressiveness

CMPSCI 611 Advanced Algorithms Midterm Exam Fall 2015

2.1 Definition. Let n be a positive integer. An n-dimensional vector is an ordered list of n real numbers.

Algorithm Design CS 515 Fall 2015 Sample Final Exam Solutions

Week 2: Defining Computation

Concrete models and tight upper/lower bounds

CSCB63 Winter Week 11 Bloom Filters. Anna Bretscher. March 30, / 13

Ad Placement Strategies

1 Cryptographic hash functions

Alex s Guide to Word Problems and Linear Equations Following Glencoe Algebra 1

Title. Birthday Problem. Yukang Shen. University of California, Santa Barbara. May 7, 2014

Lecture 4. 1 Circuit Complexity. Notes on Complexity Theory: Fall 2005 Last updated: September, Jonathan Katz

Cryptographic Hashing

Lecture 7: Dynamic Programming I: Optimal BSTs

Solving recurrences. Frequently showing up when analysing divide&conquer algorithms or, more generally, recursive algorithms.

6.042/18.062J Mathematics for Computer Science. Independence

/633 Introduction to Algorithms Lecturer: Michael Dinitz Topic: Asymptotic Analysis, recurrences Date: 9/7/17

.Cycle counting: the next generation. Matthew Skala 30 January 2013

Lecture 12: Lower Bounds for Element-Distinctness and Collision

Saturday, April 23, Dependence Analysis

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

1 Cryptographic hash functions

(x 1 +x 2 )(x 1 x 2 )+(x 2 +x 3 )(x 2 x 3 )+(x 3 +x 1 )(x 3 x 1 ).

Further progress in hashing cryptanalysis

Introduction to Algebra: The First Week

Pascal s Triangle on a Budget. Accuracy, Precision and Efficiency in Sparse Grids

OPTIMISATION 2007/8 EXAM PREPARATION GUIDELINES

Transcription:

The Problem with ACBOOT Jeremy Rubin April 11, 2017 1 ntro Recently there has been a lot of interesting material coming out regarding AC- BOOT. ACBOOT is a mining optimization that allows one to mine many times faster by taking advantage of a quirk of HA-256. There are multiple ways of implementing ACBOOT, and recent claims are that one which is incompatible with upgrading Bitcoin is being used. thought it was a bit confusing, so hand wrote some notes for myself. They became somewhat popular, so decide (by popular request) to L A TX them. njoy! Update Log: April 11th: Correct diagram in 3.2. April 10th: ome corrections thanks to Gregory Maxwell (who first brought these issues to light). Made clear that replacement is better than permutation. Added a brief mention on Amdahl s law for speedups. April 9th: Fixed a few typos/formatting errors. Clarified witness commitment diagram to be more accurate. April 9th: Posted L A TX otes. April 6th: Posted Original Handwritten otes. 1

2 Basics A Bitcoin Header looks like this: 0 4 36 68 72 76 80 V R O PRVOU BLOCK MRKL ROOT T M B T O C A HA-256 Hash of 80-Bytes looks like this: 0 64 128 Data Data padding: 0x80... 00 Z Chunk 1 The Hash computation has the following control flow: 0 Chunk 1 1 Chunk 1 2 2

3 Reduced Work Updates ACBOOT takes advantage of the following reductions in work if you modify the first or second half of the header only. n the following diagrams, ve blacked out parts that aren t recomputed. Modifying only chunk 1 gives a small improve- Modifying Chunk 1 Only ment. 0 Chunk 1 1 Chunk 1 2 Modifying only chunk 2 gives a huge improve- Modifying Only ment. 0 Chunk 1 1 Chunk 1 2 3

3.1 How do headers get hashed? Let s juxtapose the header and hash alignment. 0 4 36 64 68 72 76 80 128 Chunk 1 Data Data padding: 0x80... 00 Z V R O PRVOU BLOCK MRKL ROOT T M B T O C The Merkle root commitment is in both chunk 1 and chunk 2. The first 28 Bytes are in chunk 1, the remaining 4 bytes are in chunk 2. 3.1.1 What is in the Merkle root? At each level, the hash of the concatenated strings is computed. ach letter A... H is the hash of a transaction. The node F is called the merkle root. F F F A B C D F G H f any of the underlying data A... H are either modified or reordered, the 4

Merkle root will have a different value (uniformly random). 3.2 What if we find two merkle roots with the same last 4 bytes? ow we can run our very efficient algorithm to only modify chunk 2 on many precomputed chunk 1s. Chunk 1 A Chunk 1 B Chunk 1 A Chunk 1 B A,1 A,2 0 B,2 B,1 0 o now for a little extra setup work, we get a 2 hash rate multiplier for every nonce we try in chunk 2. The below diagram shows the part that doesn t need to be recomputed. Chunk 1 A Chunk 1 A Chunk 1 A Chunk 1 B A,1 A,2 0 B,2 B,1 s0 f we find chunk 1s, we can use the same trick for an hash rate multiplier. As explained by Amdahl s Law 1 and due to Bitcoin s Proof-of-Work being double-ha-256, the actual measured hash rate increase using this technique will not be as pronounced. ( ) 1 peedup = (1 % Parallelizable) + % # Parallelizable 1 Workers 5

4 Practical Collision Generation How do we generate colliding (in the last 4 bytes) transaction tree Merkle commitments efficiently? 4.1 Birthday Paradox The Birthday Paradox says that if 23 people are in a room, there is a 50% chance that at least two people share a birthday. This is the same problem as our tree collision, but with different numbers. t works because as the number of people increases, the number of independent chances of sharing a birthday increases more quickly. You can visualize this as counting the number of connections in the following graphs. These represent independent chances to share a birthday between nodes. The closed form for the number of connections for n nodes is ( ) n = n! n (n 1) 2 = O(n 2 ) chances 4.1.1 Generalized Birthday Paradox 2 2 (n 2)! = A general closed formula for computing the number of entries of T types needed to be P probable to have a C-way collision is hard to find, but the following approximation works well as an upper bound 2. P 1 e ( C)T C+1 For instance, for the standard birthday paradox problem: 4.2 ummary P 0.5 1 e (23 2 )365 2+1 t s clear that the key in collision hunting is to store and generate a large number of potential matches to compare against. The probability of a collision becomes very likely even with a large set of possible birthdays (T ), and relatively small numbers of people (). Using our formula, for 4 bytes of potential birthdays, at 110k people, the probability of a shared birthday is more than 75%. 1 e (110k 2 )(2 32 ) 1 > 0.75 2 t should over-count. ee https://math.stackexchange.com/questions/25876/probability-of-3-people-in-a-room-of-30-having-the-same-birthday 6

Creating a last 4 bytes colliding Merkle tree commitments is now reduced to a problem of generating 110k unique transaction commitment merkle roots. 5 Generating Unique Merkle Trees 5.1 aive Algorithm We can generate a unique Merkle tree by changing one of the base nodes. F F F A B C D F G H C D F C D F C D F A B C D F G H The non-blacked out boxes all need to be recomputed when changing C C. Let m be the number of leaf nodes, the naive algorithm requires O( log m) hashes. 7

5.2 Higher Order Permutations nstead, we could do higher-order permutations F F F F G H A B C D ow we only need to do one re-computation to get a second potential match. f we black out the ones that don t need recomputing we see clearly this is better F F F F G H A B C D n the naive version, each new potential match is expensive to compute. n the smarter version, we can recursively apply this principle to very efficiently generate potential matches. There are several strategies for generating candidates, not just swapping. wapping isn t optimal because Bitcoin transactions have order dependencies. Most likely, miners are not using permutation. Permutation is demonstrative of the principles at play. The next section covers a more efficient algorithm. 8

5.3 fficient Algorithm Let s say we want to generate R collisions, and the birthday paradox says it is likely with hashes. First, we generate unique left hand sides and unique right hand sides (i.e., A α, B β where α, β 1 ). Aα Aα A α Aα Aα Aα Aα Aα Bβ Bβ B β Bβ Bβ Bβ Bβ Bβ With our A α s and B β s, we can generate candidates by combining each A α with each B β. The diagram below illustrates the combination process. Merkle Root Candidates Merkle Root Candidates A α Aα A α 5 Bβ Bβ B β Bβ Bβ Bβ 1 A α Aα A α 5 Bβ Bβ B β Bβ Bβ 2 Aα Aα A α Aα Aα B β Aα Aα A α Aα Aα B β Bβ We can apply this recursvely: to generate A α s, we generate left hand sides and right hand sides. n the base case, we can modify a single transaction or swap two trivially independent transactions to generate a unique parent. This algorithm uses Θ() work. This is optimal (for this component of the algorithm), because we need to produce hashes. 9

5.3.1 Complexity Proof For the interested: At each step we must do n work to create the outputs, and we recurse on 2 times the square root of the output size. Therefore, our recurrence is: Let ubstitute n with 2 p This is Case 3 of Master Theorem: T (n) = 2 T ( n) + n n = 2 p T (2 p ) = 2 T ( 2 p ) + 2 p T (2 p ) = 2 T (2 p/2 ) + 2 p (p) = T (2 p ) (p) = 2 (p/2) + 2 p (p) = Θ(2 p ) (p) = T (2 p ) T (2 p ) = Θ(2 p ) p = log n T (n) = Θ(n) This algorithm is also mbarrassingly Parallel, so can get efficiency gains using multiple cores. 5.4 -Way Hit Our earlier approximation predicts that in order to be likely to produce a 4-way collision we need to generate around 2 25 hashes, and store them for collision detection. This is about a gigabytes worth, so most computers should be able to generate this quickly. 0.49 1 e (225 4 )(2 32 ) 3 A 5-way and greater, the amount of time required to generate a collision will increase markedly, but would imagine that miners with ACBOOT would not want to use that, and prefer to generate many 4-way collisions with rolled coinbase extra-nonces. 10

6 What does egregated Witness (egwit) have to do with it? n egwit we generate an additional commitment of all the signatures and we put it into the coinbase transaction. This commits to which transactions are present in the block and in what order they appear, which means no more easy generation of unique Merkle roots; the commitment is in the leftmost transaction, so modifying the order or contents of any transaction triggers a full a factor of log m rehash. The figures below demonstrates this. A commits to BF. Any change in the order or contents of the tree triggers the update to A s nested commitment, which also triggers an update to F. ote the direction of the arrows for the witness commitment 3. F F F A B C D F G H F B Witness Commit F 3 Technically, A is put into the witness tree with a zero value so the structure of the tree is identical. Representing this would make this diagram less clear, because no data from A is committed to. 11

7 Are egwit and ACBOOT are fundamentally incompatible? o. Recall our header format... 0 4 36 68 72 76 80 V R O PRVOU BLOCK MRKL ROOT T M B T O C The version field can be used to make collisions trivialy! imply set it to a different value. 7.1 Why go through the trouble of finding non-trivial collisions? Changing versions is easy to detect. Version is already used for... versions. 12

8 How can we fix this? There are a few options: 1. Don t do anything Pro: Any changes to Bitcoin are dangerous. Con: tatus Quo is obviously harming Bitcoin. 2. Change egwit to be compatible with ACBOOT Pro: f we could start over, it would be easy to do. Con: egwit is already written, reviewed, and adopted in industry. 3. Block just undetectable ACBOOT Pro: olves the immediate problem. Con: We wouldn t be blocking it because undetectable optimization is wrong, but because this specific optimization intereferes with protocol development. The propensity to conflate the two is dangerous. 4. Block all ACBOOT Pro: ACBOOT is not available to all miners, this levels the field. Con: A dangerous precedent to set. Picking winners and losers. 5. Hard fork Bitcoin to a new header format Pro: Could leave ACBOOT intact, put egwit commitment in header, and everything else on the Bitcoin Hard-Fork Wish List. Con: Dangerous precedent, risk to split network. 13

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback