-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
64 bit seed exploits ASIC resistance #51
Comments
Hi @kik - thank you for this! Could you clarify in your post the number of keccak items required to produce one (theoretical) ProgPoW hash, and the time to produce them? The feasibility in a <14 second block time environment seems low. We will adjust to uint128_t regardless. Good find! |
I don't think this attack is very practical. First you need to solve Edit: plus, since |
This issue requires a custom implementation of node generating block templates.
where a solution is found but on a completely different header_hash It's possible though that an "attacker" runs his own custom node. There is another point though which is easy to amend in PP: This allows you to do the following:
This can be voided in two ways:
|
Why are you seeking lower bound? |
With 128-bit, we have 2 vs 4 registers taken from the main loop, which forces spilling registers to memory, which in turn results in a performance cliff. In a 256-bit environment, it's worse. 512-bit was dropped to 64-bit to reduce register pressure, hence why hash_mix has PROGPOW_REGS set to 32, where 32 registers are used as part of the random sequence of math. With Ethash, 16 registers were used to store the seed across the hash_mix call. This is wasteful on your register file - one of the most power and area intense parts of a CPU/GPU core. An ASIC could then store the 512-bit seed on the side in a much more area/power efficient manner - reducing to 64-bits reduces that advantage. The proposed fix we are suggesting would be to have hash_mix consume all 256 bits of the seed produced by the initial keccak, while having the final keccak consume only 64 bits of the seed. That keeps 256 bits of security, but does not hammer the file register. There is a trade off to every single step in hardware, and we are careful to ensure there is a balance between what an ASIC can trivially store (and perform) and what a GPU can do. Thus this approach. What are your thoughts? @AndreaLanfranchi is also playing with some alternate solutions that reduce register pressure. |
a) To find a target in 2^64 , even linear searching , is a very difficult thing already , if using the 4000 cores to build 1000 thread with 1Ghz, long time. b) Mining Pool can't degree this difficulty because it can not get proven of work for every dedicate miners. So should it be changed? |
@mcminer-thomas It is trivial to adjust this regardless. Both @AndreaLanfranchi as well as the IfDefElse team have alternate ways to approach this, but in different methods. Both need to be profiled to ensure there is not register spillage or unnecessary waste. |
@OhGodAGirl Your mitigation (PR #53) only forces register spills on Nvidia SM_30 architecture, which is hardly relevant these days. SMs > 30 do not spill. |
TL;DR; this issue (as is) is not an issue at all@kik's implementation of the exploit relies on an assumption which is not true for Ethereum: the possibility to create variants of the candidate block's header hash in a fashion similar to bitcoin. This is actually not possible in ethereum and even if supported by a customized node the block propagation of such mined blocks would be immediately blocked by other peers as the header hash in invalid. Kik's assumption originates (probably) from the presence in block header (the full one, not the hash) of a field named For a detail explanation of the exploit workflow please refer to Kik's documentation Where the whole reasoning fails is here:
As you can see from the above code the attempt is to create variants of the header hash starting from the original header hash, received from work provider (named Now ... a customized node would be supposed to store the extraNonce in the extraData field and "seal" the block using the nonce and extraNonce received. What is missing here is that for ethereum :
By consequence either of this may happen :
The way this exploit has been described does not make it impractical ... it's literally impossible !! This said the only possibility to bypass DAG accesses using a pattern similar to the one described by @kik is to modify these two steps :
to become as
but this adds so much overhead that any ASIC friendlyness is completely voided. |
uint64_t is too small.
see detail https://github.com/kik/progpow-exploit
The text was updated successfully, but these errors were encountered: