Topic: [ANN] Zcoin (XZC) - Implementing ZKP privacy without trusted setup - page 174. (Read 663229 times)

member
Activity: 117
Merit: 10
sr. member
Activity: 1004
Merit: 268
Firo (FIRO)
Guess you need to read my post above - what I said was MTP appears to be less memory hard than the hash it replaced. I think your preoccupation with MTP as Zcoin's revolutionary development when in fact it's starting to look worse than the hash it replaces is a very big deal. The market's down 10%. I'm sure you've got a reserve to stem the flow and there will be a dead cat bounce, but not indefinitely and this will play out badly over a week.

Which is it Reuben, "We don't foresee any further changes on the MTP algorithm itself" that you wrote, or what you wrote in the post after that, that you reserve the right to change the algorithm at any time so ASIC developers should be scared?

I did not say that MTP being flawed necessarily made the network insecure transactionally. Though given the lack of memory hardness, supposedly now patched, it poses theoretical risks of 51 per cent attacks by an ASIC maker, but that's a side issue and not my point. My point is the last several months have all been about MTP, and now it turns out it could be worse than the existing Lyra2 in terms of memory hardness. That is a massive problem, spending months without fruitful result. Now you're working on functioning wallets? Like 10 months after launch or whatever we are?

I have previously posted about the Zcoin hack here https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/ which I believe was an inside job. I was willing to let sleeping dogs lie on the matter, it wouldn't be the first time it had happened, and the developers would still want the coin to go up as much as investors and miners. But I just see the reputational hits keep on coming. You guys are smart, but maybe not smart enough and too young?

Look, I can't really guess which way Zcoin holders should jump; for goodness sake, if you're not invested, wait some weeks till the dust settles, especially if the devs run out of reserves to inject liquidity to try and hold Zcoin's price from tanking.

And on what basis are you saying that MTP is not as memory hard as Lyra2z? And it's not about memory hardness alone; if not, we could have just stuck with our initial crazy PoW which was the most insane thing. Yes, it was frickin undeniably memory hard. But it was a pain for verifiers.

I thought you had apologized to me on what you were implying on the Zcoin hack and now you're taking it back. Brilliant. At least post my response to it and the proof I provided. You deleted that post and that actually made my response LESS visible rather than just responding publicly. You also kept the original Reddit post without amending it.



Way to flip flop.



member
Activity: 107
Merit: 10
Guess you need to read my post above - what I said was MTP appears to be less memory hard than the hash it replaced. I think your preoccupation with MTP as Zcoin's revolutionary development when in fact it's starting to look worse than the hash it replaces is a very big deal. The market's down 10%. I'm sure you've got a reserve to stem the flow and there will be a dead cat bounce, but not indefinitely and this will play out badly over a week.

Which is it Reuben, "We don't foresee any further changes on the MTP algorithm itself" that you wrote, or what you wrote in the post after that, that you reserve the right to change the algorithm at any time so ASIC developers should be scared?

I did not say that MTP being flawed necessarily made the network insecure transactionally. Though given the lack of memory hardness, supposedly now patched, it poses theoretical risks of 51 per cent attacks by an ASIC maker, but that's a side issue and not my point. My point is the last several months have all been about MTP, and now it turns out it could be worse than the existing Lyra2 in terms of memory hardness. That is a massive problem, spending months without fruitful result. Now you're working on functioning wallets? Like 10 months after launch or whatever we are?

I have previously posted about the Zcoin hack here https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/ which I believe was an inside job. I was willing to let sleeping dogs lie on the matter, it wouldn't be the first time it had happened, and the developers would still want the coin to go up as much as investors and miners. But I just see the reputational hits keep on coming. You guys are smart, but maybe not smart enough and too young?

Look, I can't really guess which way Zcoin holders should jump; for goodness sake, if you're not invested, wait some weeks till the dust settles, especially if the devs run out of reserves to inject liquidity to try and hold Zcoin's price from tanking.

Are you serious? This is "damage control"? The "worst case" scenario is you have staked all on a much vaunted and praised hash MTP that was designed to be more memory hard than the existing hash. In fact, it turns out to be less memory hard by orders of magnitude. This wasn't announced by Zcoin staff, but discovered by a miner who came on here to complain.

You don't have a working wallet, no roadmap for incentivised nodes, and now this MTP that consumed all your effort turns out to be worse than the existing hash. You must realise the reputational damage this causes, both the discovery, and moreover that you didn't announce the discovery as soon as you were aware of it but rather it was discovered by miner coders.

I warned weeks ago on this thread that I thought it was a mistake to focus on MTP at the expense of a wallet. I don't know if the Coinomi wallet works for Zcoin, I haven't used it, but it's clear from all the complaints on this thread that your "new" "fixed" desktop wallet does not.


Guess you need to read the paper and what I wrote. The worst case scenario is the absolute worst case scenario WHICH HAS NOT HAPPENED. The only reason why I bring this up is that many lay people would go "omg Zcoin PoW is broken gg" without bothering to read what this attack entails and whether we did nothing or cannot fix it (which isn't the case). What this attack (if successful) is saying is that MTP isn't as memory hard as it claims to be, but it doesn't mean it's 'broken' per se. A question to ask can be: is x11 broken? Is Litecoin's Scrypt broken? They're not, but they weren't as ASIC resistant as they thought they were.

Again, I repeat...THIS HAS NOT HAPPENED. MTP is still memory hard until further research shows otherwise and we welcome the scrutiny.

The paper's authors themselves said their proposed fix completely fixes the attack, but it remains to be seen if there are other ways to attack. Basically an 'I suspect there may be ways but I don't know and we should research further'.

Now, this isn't the first time the TMT attack was brought up; it was left in comments in various news articles which I believe we responded to. We also responded to various PMs to us on this. Does it technically affect Zcoin right now in any way? No. Heck, it's on testnet. Is it fixed? Yeah, and it will continue to be improved. Would we want a bit more clarity from the researchers before putting out a full announcement on a non-critical issue? Our discussions with Dmitry only happened in the last week of June and are still ongoing. Usually how it happens is that until you fix it, you don't announce it unless you know you can't fix it. Monero does this as well, as I think most projects do, or even vulnerabilities in general. And again, this is on TESTNET. That's the whole point of the testnet. We knew we could fix it and we wanted the fix in place before an official announcement on it, and were picking some brains to just make sure we understood the current situation well enough.

The wallet upgrade to Bitcoin Core is proceeding very rapidly, which would improve the wallet experience, which right now is only bad on the first initial sync. However, Coinomi completely works. We went through this discussion before so I won't repeat it.


full member
Activity: 225
Merit: 100
Thank you for all of the work and efforts. I have been watching this thread for some time now and just made an account to post here. Plenty of haters and fools running their mouths in hopes to sway public opinion to their agenda. The same obvious game will occur with any innovations and improvements and anything of monetary value. Lack of consciousness is a sad thing; it's too bad all people who love to be free are not together working for better. It must be challenging maintaining PR against an onslaught of jealous haters.

Thanks again, your work will be supported by the people whose opinions actually matter: devs and creators of worlds. We thank you and many blessings.
sr. member
Activity: 1004
Merit: 268
Firo (FIRO)
Are you serious? This is "damage control"? The "worst case" scenario is you have staked all on a much vaunted and praised hash MTP that was designed to be more memory hard than the existing hash. In fact, it turns out to be less memory hard by orders of magnitude. This wasn't announced by Zcoin staff, but discovered by a miner who came on here to complain.

You don't have a working wallet, no roadmap for incentivised nodes, and now this MTP that consumed all your effort turns out to be worse than the existing hash. You must realise the reputational damage this causes, both the discovery, and moreover that you didn't announce the discovery as soon as you were aware of it but rather it was discovered by miner coders.

I warned weeks ago on this thread that I thought it was a mistake to focus on MTP at the expense of a wallet. I don't know if the Coinomi wallet works for Zcoin, I haven't used it, but it's clear from all the complaints on this thread that your "new" "fixed" desktop wallet does not.


Guess you need to read the paper and what I wrote. The worst case scenario is the absolute worst case scenario WHICH HAS NOT HAPPENED. The only reason why I bring this up is that many lay people would go "omg Zcoin PoW is broken gg" without bothering to read what this attack entails and whether we did nothing or cannot fix it (which isn't the case). What this attack (if successful) is saying is that MTP isn't as memory hard as it claims to be, but it doesn't mean it's 'broken' per se. A question to ask can be: is x11 broken? Is Litecoin's Scrypt broken? They're not, but they weren't as ASIC resistant as they thought they were.

Again, I repeat...THIS HAS NOT HAPPENED. MTP is still memory hard until further research shows otherwise and we welcome the scrutiny.

The paper's authors themselves said their proposed fix completely fixes the attack, but it remains to be seen if there are other ways to attack. Basically an 'I suspect there may be ways but I don't know and we should research further'.

Now, this isn't the first time the TMT attack was brought up; it was left in comments in various news articles which I believe we responded to. We also responded to various PMs to us on this. Does it technically affect Zcoin right now in any way? No. Heck, it's on testnet. Is it fixed? Yeah, and it will continue to be improved. Would we want a bit more clarity from the researchers before putting out a full announcement on a non-critical issue? Our discussions with Dmitry only happened in the last week of June and are still ongoing. Usually how it happens is that until you fix it, you don't announce it unless you know you can't fix it. Monero does this as well, as I think most projects do, or even vulnerabilities in general. And again, this is on TESTNET. That's the whole point of the testnet. We knew we could fix it and we wanted the fix in place before an official announcement on it, and were picking some brains to just make sure we understood the current situation well enough.

Note it's much easier to accuse than to defend, so a lot of time has to be spent in replying.

The wallet upgrade to Bitcoin Core is proceeding very rapidly, which would improve the wallet experience, which right now is only bad on the first initial sync. However, Coinomi completely works. We went through this discussion before so I won't repeat it.

member
Activity: 117
Merit: 10
Dude playingpoodles, what the hell are you talking about? The "worst case" Reuben (the guy posting under zcoinofficial) mentioned assumes that mjosephs' scenario occurs, i.e. that many more, deeper, "unfixable" attacks would be found which would always allow for the time-memory tradeoff.

The current attack is fixed.

The fix is in place in the mtptest branch in the github repo. You can look it up yourself. MTP isn't broken, it's still as memory-hard as it was intended to be.

And so much more nonsense in your post... no wallet? Like aside from the ones you can download here for Linux, Mac and Windows? And yes, it works, and it starts up instantly after the initial sync.
You're so transparently FUDding it's not even funny. Just go troll somewhere else.
member
Activity: 107
Merit: 10
Are you serious? This is "damage control"? The "worst case" scenario is you have staked all on a much vaunted and praised hash MTP that was designed to be more memory hard than the existing hash. In fact, it turns out to be less memory hard by orders of magnitude. This wasn't announced by Zcoin staff, but discovered by a miner who came on here to complain.

You don't have a working wallet, no roadmap for incentivised nodes, and now this MTP that consumed all your effort turns out to be worse than the existing hash. You must realise the reputational damage this causes, both the discovery, and moreover that you didn't announce the discovery as soon as you were aware of it but rather it was discovered by miner coders. A couple of posts above you state "We don't foresee any further changes on the MTP algorithm itself"; now you're stating it can change anytime without notice, therefore ASIC designers ought to be scared? This is like a Peter Sellers movie.

I warned weeks ago on this thread that I thought it was a mistake to focus on MTP at the expense of a wallet. I don't know if the Coinomi wallet works for Zcoin, I haven't used it, but it's clear from all the complaints on this thread that your "new" "fixed" desktop wallet does not.

And you try and "damage control" by saying "nothing to see here!"? The market will make its own decision about that.

Hmmm, these are some really strong allegations. Eager to hear what the Dev has to say.

If the Algo is no good, it's just better to reconsider its implementation instead of sticking your head in the sand.

First of all, let us be alarmist and consider the worst case scenario.

The Worst Case Scenario

First of all, let us understand what this attack does when successful and examine its worst case scenario. With a memory hard proof of work, we're supposed to require a lot of memory since this increases ASIC development cost significantly and also makes the algorithm more 'memory limited'.

A time-memory tradeoff attack means you can reduce the memory required (in this case down to 1 MB), and instead of being penalized very badly until it's not worthwhile, in this case they are penalized only 170 times. This makes MTP not as 'memory hard' as advertised. What if we didn't patch the problem and just let it stand? Does it break the security of the chain? Not really, just not the intended result.

The very worst case scenario, if we did nothing or the problem cannot be fixed, is that our coin is like Bitcoin or Dash. But even then, given that these two algos, SHA256 and x11, use no memory, it's unlikely to be as bad. Have these coins died? No.

Unlike the use of crypto in encrypting communications, the worst thing that this attack does is make ASICs more likely to be economical than previously thought, and that is a LOT of factors.

Now that we have seen the unlikely worst case scenario let's examine what the paper is saying.

How the TMT works

Quote
"The main idea of the attack is to exploit the fact that Argon2d accesses its memory in a way which is determined by its previous computations. This allows to inject a small fraction of carefully selected memory blocks that manipulate Argon2d's memory access patterns, significantly weakening its memory-hardness. "

First of all, all the simple attacks have been patched and even improved upon from the suggestions in the paper.

We did consider the option of switching to Argon2i as suggested in the paper, but it has not been explored in detail and Dmitry's opinion is that we shouldn't touch that until further research is done, as it has its own set of trade-offs. This attack works because Argon2d uses data-dependent indexing. Argon2i uses data-independent indexing but is not as resilient to other types of attacks, so it would be foolish to jump here and there until that has been explored further.

The paper itself says that switching to a function with data-independent indexing would completely stop the attack as documented in the paper, but that there is a *possibility* that there may be other ways to attack it; further non-trivial research is required. It needs to be explored further. This is how a lot of stuff works in the real world: someone finds a way to attack it, then it is fixed and patched. Note switching from Argon2d to Argon2i or some other function is quite trivial, and djm34 also said that it's unlikely to affect miner development significantly, but research has to be done on which function to use. So if and when the academic consensus is a bit clearer, we can modify. We are monitoring it closely and will reach out to Dinur and Nadler as well, though I understand Dmitry has been in contact with them.

The only reason we are not switching to Argon2i immediately is because Dmitry (who is also the co-author of Argon2, which won the Password Hashing Competition https://password-hashing.net/) didn't recommend it due to other attack vectors which need to be explored further before making the switch. Given he's the expert on Argon2, we defer to his better judgment.

Also, increasing the parameter L is one way to make it much more difficult, but it has to be weighed against its performance penalties on the verifier.

However, right now MTP works, it cannot be simply attacked and we welcome further research into this field. Our idea, given the low impact of this attack on the security of Zcoin as it stands right now, is to roll this out and further improve on it when more research has been done.

How Practical it is right now to take advantage of it

MTP compared to other algorithms is quite a complex beast and developing an ASIC for this would still be quite a challenge and would take considerable resources. Given that we could at any time modify it (and given that it's a new algorithm some change is expected as research progresses) it would not be economical to start design of an ASIC right now. Actually right now they can't even do it until a new attack method is found and given we are now stating that MTP is not a fixed algorithm, its parameters and internal functions can be changed, it doesn't make sense for anyone to develop MTP ASICs.

TL;DR version
a) The proposed attack doesn't really affect MTP's security in Zcoin in its current state. The simple attacks have all been patched. The worst case if the attack couldn't be fixed is that we become like Bitcoin/Litecoin/Dash.
b) From a coding standpoint, changing the internal function within MTP to Argon2i is relatively trivial and would completely defeat all of this, but we prefer to wait and see how the academic debate evolves before making a decision. Miner code also can still be adapted relatively easily according to djm34.
c) ASIC development is unlikely to be economical unless another attack vector is found. Development of an ASIC MTP miner is likely to be significantly more complex than any other miner before so the economics would have to be very good for them to even begin it.
e) MTP in Zcoin's current state of development is not a fixed target and we intend to improve on it once the academics have had time to examine and debate it further. It really isn't an immediate or breaking problem.
sr. member
Activity: 1004
Merit: 268
Firo (FIRO)
Hmmm, these are some really strong allegations. Eager to hear what the Dev has to say.

If the Algo is no good, it's just better to reconsider its implementation instead of sticking your head in the sand.

First of all, let us be alarmist and consider the worst case scenario.

The Worst Case Scenario

First of all, let us understand what this attack does when successful and examine its worst case scenario. With a memory hard proof of work, we're supposed to require a lot of memory since this increases ASIC development cost significantly and also makes the algorithm more 'memory limited'.

A time-memory tradeoff attack means you can reduce the memory required (in this case down to 1 MB), and instead of being penalized very badly until it's not worthwhile, in this case they are penalized only 170 times. This makes MTP not as 'memory hard' as advertised. What if we didn't patch the problem and just let it stand? Does it break the security of the chain? Not really, just not the intended result.

The very worst case scenario, if we did nothing or the problem cannot be fixed, is that our coin is like Bitcoin or Dash. But even then, given that these two algos, SHA256 and x11, use no memory, it's unlikely to be as bad. Have these coins died? No.

Unlike the use of crypto in encrypting communications, the worst thing that this attack does is make ASICs more likely to be economical than previously thought, and that is a LOT of factors.

Now that we have seen the unlikely worst case scenario let's examine what the paper is saying.

How the TMT works

Quote
"The main idea of the attack is to exploit the fact that Argon2d accesses its memory in a way which is determined by its previous computations. This allows to inject a small fraction of carefully selected memory blocks that manipulate Argon2d's memory access patterns, significantly weakening its memory-hardness. "

First of all, all the simple attacks have been patched and even improved upon from the suggestions in the paper.

We did consider the option of switching to Argon2i as suggested in the paper, but it has not been explored in detail and Dmitry's opinion is that we shouldn't touch that until further research is done, as it has its own set of trade-offs. This attack works because Argon2d uses data-dependent indexing. Argon2i uses data-independent indexing but is not as resilient to other types of attacks, so it would be foolish to jump here and there until that has been explored further.

The paper itself says that switching to a function with data-independent indexing would completely stop the attack as documented in the paper, but that there is a *possibility* that there may be other ways to attack it; further non-trivial research is required. It needs to be explored further. This is how a lot of stuff works in the real world: someone finds a way to attack it, then it is fixed and patched. Note switching from Argon2d to Argon2i or some other function is quite trivial, and djm34 also said that it's unlikely to affect miner development significantly, but research has to be done on which function to use. So if and when the academic consensus is a bit clearer, we can modify. We are monitoring it closely and will reach out to Dinur and Nadler as well, though I understand Dmitry has been in contact with them.

The only reason we are not switching to Argon2i immediately is because Dmitry (who is also the co-author of Argon2, which won the Password Hashing Competition https://password-hashing.net/) didn't recommend it due to other attack vectors which need to be explored further before making the switch. Given he's the expert on Argon2, we defer to his better judgment.

Also, increasing the parameter L is one way to make it much more difficult, but it has to be weighed against its performance penalties on the verifier.

However, right now MTP works, it cannot be simply attacked and we welcome further research into this field. Our idea, given the low impact of this attack on the security of Zcoin as it stands right now, is to roll this out and further improve on it when more research has been done.

How Practical it is right now to take advantage of it

MTP compared to other algorithms is quite a complex beast and developing an ASIC for this would still be quite a challenge and would take considerable resources. Given that we could at any time modify it (and given that it's a new algorithm some change is expected as research progresses) it would not be economical to start design of an ASIC right now. Actually right now they can't even do it until a new attack method is found and given we are now stating that MTP is not a fixed algorithm, its parameters and internal functions can be changed, it doesn't make sense for anyone to develop MTP ASICs.

TL;DR version

The academic implications are indeed very interesting but it's not really a big issue at the moment. The paper's authors suggested a fix that patches it that is easily implemented but does indicate that further research is required. We have improved upon some of their suggested fixes and are awaiting further research.

  • The proposed attack doesn't really affect MTP's security in Zcoin in its current state. The simple attacks have all been patched. The worst case if the attack couldn't be fixed (which the paper does NOT indicate) is that we become like Bitcoin/Litecoin/Dash.
  • From a coding standpoint, changing the internal function within MTP to Argon2i is relatively trivial and would completely defeat all of this, but we prefer to wait and see how the academic debate evolves before making a decision. Miner code also can still be adapted relatively easily according to djm34, so it isn't a big change.
  • ASIC development is unlikely to be economical unless another attack vector is found. Development of an ASIC MTP miner is likely to be significantly more complex than any other miner before so the economics would have to be very good for them to even begin it.
  • MTP in Zcoin's current state of development is not a fixed target and we intend to improve on it once the academics have had time to examine and debate it further. It really isn't an immediate or breaking problem.
member
Activity: 107
Merit: 10
Very easy to respond to why the so-called memory hard proof, carefully selected and put as the centrepiece of development before all else - including having a working wallet - isn't memory hard at all?

I'm not the only person on this board to comprehend the gravity that MTP isn't memory hard. Sell orders on Bittrex up a third, but it hasn't shifted price much yet - wait till this news gets more widely disseminated, it'll be a bloodbath.

(After I wrote that I just noticed a flippening, Bittrex XZC price now higher than BTC38 reversing the normal case of substantial BTC38 premium, which means the Chinese have processed this news before the white devils).

There is a lot of hate in this message and I'm sure developers will be able to respond very easily.
sr. member
Activity: 1216
Merit: 333
There is a lot of hate in this message and I'm sure developers will be able to respond very easily.
full member
Activity: 160
Merit: 100
Hmmm, these are some really strong allegations. Eager to hear what the Dev has to say.

If the Algo is no good, it's just better to reconsider its implementation instead of sticking your head in the sand.

full member
Activity: 129
Merit: 100
Not just the parameters, but the algorithm just changed this weekend?  And no longer follows the paper?  How are we supposed to code for a moving target like this?

Totally understand your concern that's why we haven't released the MTP miner bounty challenge yet. We will be releasing the details sometime this week which should give people more than a month to code miners.

Dude, this isn't about your beauty pageant.  Radical last-minute changes like this guarantee that the best miners will be the ones that exploit some bug you introduced while frantically trying to plaster over another bug.  And they will be kept private.  Like the last Zcoin issuance bug.

https://eprint.iacr.org/2017/497 which was only very recently released (like two weeks before we released MTP?) and we were only recently made aware of it.

And this didn't cause you to reconsider whether or not you understand what you're involved in here?

After consultation with Dmitry Khovratovich (co-author of MTP)

... and the same guy who utterly failed to foresee this entire class of attacks against his MTP scheme.  Wouldn't it make more sense to gather opinions from the people who broke his scheme?

TLDR version:

A simpler way to put it: just like PoS is vulnerable to "stake grinding", it turns out MTP is vulnerable to "DAG grinding".  Instead of grinding for a nonce as you would like them to do, the miners can instead grind for a favorable DAG that minimizes the chances of their bluff getting called when they stuff garbage into the Merkle Tree.  It's like letting a poker player sift through all the possible future call/check/raise patterns instead of sifting through all the possible hands he might be dealt.  Once he finds the "future" where nobody calls his bluffs when he's bluffing, it doesn't matter what cards he's dealt.  DAG grinding is still grinding of course and it's still work, but it's not memory-hard anymore -- DAG grinding requires hardly any memory.

This calls into question any sort of scheme for validating only a pseudorandomly selected subset of the miner's work.  The source of pseudorandomness has to come from the blockchain's blocks, which are selected by the miners themselves, meaning it will always be a potential alternative grinding target.

The band-aid hack bears a disturbing similarity to the Proof Of Stake cults lately, who just keep slapping on extra layers of complexity to hide the alternative-grinding problem, when in fact it raises fundamental issues with the entire scheme.

the changes in the algorithm which are relatively minor.

... and only fix the most epic and catastrophic attack.  All you did was stop miners from reusing work across blocks; MTP is still no longer memory-hard in light of Dinur and Nadler's work, and can be mined using an ASIC with less than a megabyte of on-die SRAM (i.e. 20-year-old chip fabs).  By the way I think it's utterly fascinating that Nadler is a semiconductor fab tool engineer/executive rather than a cryptographer (check out the guy's career history).  Dinur of course is a hardcore hashbreaker.

No planned changes on the block 47,500 switch.

Full speed ahead, trainwreck ahoy!

We don't foresee any further changes on the MTP algorithm itself.

Well, since you didn't foresee this one, that's not saying much.
sr. member
Activity: 1004
Merit: 268
Firo (FIRO)
Hi, I would like to start working on an open-source AMD miner for MTP.  However after reading the MTP paper, it is clear that the choice of parameters has a big impact on the optimal code architecture.
Thanks.

https://github.com/zcoinofficial/zcoin/commit/5b6d2941616e756051ec584085297cc691a5614e

These probably will be the final parameters that we're working on for the release.

Uh, I guess not:

https://github.com/zcoinofficial/zcoin/commit/bc81678b7f9467fecf64e0a44dba35550e50619f

Not just the parameters, but the algorithm just changed this weekend?  And no longer follows the paper?  How are we supposed to code for a moving target like this?

What is going on here folks?  This is some serious seat-of-the-pants-nonsense.  If you are making changes like this then you'd better not be serious about the height=47500 target, and if you're not then that should be made public.

Either way I will be sitting out until the dust settles.

Hi mjosephs.

Totally understand your concern that's why we haven't released the MTP miner bounty challenge yet. We will be releasing the details sometime this week which should give people more than a month to code miners.

The MTP change was meant to address recent findings in this paper: https://eprint.iacr.org/2017/497 which was only very recently released (like two weeks before we released MTP?) and we were only recently made aware of it.

After consultation with Dmitry Khovratovich (co-author of MTP), the proposed fix in the paper was not ideal as it used Argon2i instead of Argon2d as there exists strong tradeoff attacks on Argon2i.

TLDR version: the paper talks about brute-forcing the garbage blocks until the references to the next real blocks all point to the memory. A solution to this (and simpler attacks they mention) is to embed the challenge in all compression function calls to prevent memory reuse across challenges, and this is the reason for the changes in the algorithm, which are relatively minor.

No planned changes on the block 47,500 switch. We don't foresee any further changes on the MTP algorithm itself. Some of the fixes in there are to fix the memory leak in the inbuilt miner and not the algorithm, which should not affect miner dev.



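The "embed the challenge in all compression function calls" point in the reply above, as an added example that is not Zcoin code and not the MTP construction itself: a toy Argon2d-style data-dependent fill with a short memory walk on top, in two variants. In the unbound variant the per-block challenge enters only the walk, so one filled array answers every challenge built on the same seed; in the bound variant every compression call absorbs the challenge, so each new challenge forces a fresh fill. The names (fill_memory, Miner, fills_needed), the seed/challenge split and the parameters T, L and DIFFICULTY are all assumptions made for the illustration.

```python
"""Toy model of why binding the challenge into every compression call stops
memory reuse across challenges.  Constructed for this illustration; not MTP
and not Zcoin code.  T, L, DIFFICULTY and all function names are assumptions."""
import hashlib

BLOCK_BYTES = 32
T = 256          # memory size in blocks (the real scheme uses gigabytes)
L = 16           # memory blocks opened per proof attempt
DIFFICULTY = 6   # leading zero bits a winning attempt must have


def H(*parts: bytes) -> bytes:
    """Stand-in for the compression function."""
    h = hashlib.blake2b(digest_size=BLOCK_BYTES)
    for p in parts:
        h.update(p)
    return h.digest()


def fill_memory(seed: bytes, challenge: bytes, bind_challenge: bool) -> list:
    """Argon2d-style data-dependent fill.  With bind_challenge=False the
    challenge never touches the memory, so the same array serves every
    challenge built on the same seed.  With True every compression call
    absorbs it, so a new challenge forces a fresh fill."""
    X = [b""] * T
    X[0] = H(b"init0", seed)
    X[1] = H(b"init1", seed)
    for i in range(2, T):
        ref = int.from_bytes(X[i - 1][:4], "little") % (i - 1)  # data-dependent reference
        if bind_challenge:
            X[i] = H(b"cmp", challenge, X[i - 1], X[ref])
        else:
            X[i] = H(b"cmp", X[i - 1], X[ref])
    return X


def leading_zero_bits(b: bytes) -> int:
    return len(b) * 8 - int.from_bytes(b, "big").bit_length()


def attempt(X: list, challenge: bytes, nonce: int) -> bytes:
    """One proof attempt: walk L data-dependent steps through memory."""
    y = H(b"start", challenge, nonce.to_bytes(8, "little"))
    for _ in range(L):
        j = int.from_bytes(y[:4], "little") % T
        y = H(b"walk", y, X[j])
    return y


def verify(X: list, challenge: bytes, nonce: int) -> bool:
    return leading_zero_bits(attempt(X, challenge, nonce)) >= DIFFICULTY


def solve(X: list, challenge: bytes, max_nonce: int = 1 << 20):
    for nonce in range(max_nonce):
        if verify(X, challenge, nonce):
            return nonce
    return None


class Miner:
    """Caches filled memory the way a real miner would, and counts fills."""
    def __init__(self, bind_challenge: bool):
        self.bind = bind_challenge
        self.cache = {}
        self.fills = 0

    def memory_for(self, seed: bytes, challenge: bytes) -> list:
        # unbound: the array does not depend on the challenge, so cache it per seed
        key = (seed, challenge if self.bind else None)
        if key not in self.cache:
            self.cache[key] = fill_memory(seed, challenge, self.bind)
            self.fills += 1
        return self.cache[key]

    def mine(self, seed: bytes, challenge: bytes):
        return solve(self.memory_for(seed, challenge), challenge)


def fills_needed(bind_challenge: bool, n_challenges: int, seed: bytes = b"toy-seed") -> int:
    """How many memory fills it costs to answer n_challenges distinct challenges."""
    m = Miner(bind_challenge)
    for k in range(n_challenges):
        m.mine(seed, b"challenge-%d" % k)
    return m.fills


if __name__ == "__main__":
    print("unbound fills for 4 challenges:", fills_needed(False, 4))
    print("bound   fills for 4 challenges:", fills_needed(True, 4))
```

The unbound miner fills memory once and then amortises it over every challenge, which is exactly the cross-challenge reuse the fix is meant to rule out; the bound miner pays one fill per challenge. The toy says nothing about the garbage-block attack itself or about how much memory an ASIC really needs, only about what binding the challenge into the compression calls buys.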
full member
Activity: 199
Merit: 100
Perhaps your too-old GPU is not supported by your ccminer version or CUDA?

Is there a version of ccminer that supports older gpu's and has lyra2z algo or any gpu miner that supports older cards and has lyra2z algo?

Currently no. Lyra2z is being phased out in a month anyway.

Currently 4 x GTX 1080 TI will net you around 1.4 XZC a day only.

How much does mining cost, and how do I calculate it?
full member
Activity: 129
Merit: 100
Hi, I would like to start working on an open-source AMD miner for MTP.  However after reading the MTP paper, it is clear that the choice of parameters has a big impact on the optimal code architecture.
Thanks.

https://github.com/zcoinofficial/zcoin/commit/5b6d2941616e756051ec584085297cc691a5614e

These probably will be the final parameters that we're working on for the release.

Uh, I guess not:

https://github.com/zcoinofficial/zcoin/commit/bc81678b7f9467fecf64e0a44dba35550e50619f

Not just the parameters, but the algorithm just changed this weekend?  And no longer follows the paper?  How are we supposed to code for a moving target like this?

What is going on here folks?  This is some serious seat-of-the-pants-nonsense.  If you are making changes like this then you'd better not be serious about the height=47500 target, and if you're not then that should be made public.

Either way I will be sitting out until the dust settles.
legendary
Activity: 1414
Merit: 1001
To weird to live To rare to die
Very interested in this coin... Can't wait for the MTP implementation.... Can we also have an update for easier mining on the GUI wallet please?
Hmm, but I thought, that MTP was released already, wasn't it?
on testnet
sr. member
Activity: 616
Merit: 252
Very interested in this coin... Can't wait for the MTP implementation.... Can we also have an update for easier mining on the GUI wallet please?
Hmm, but I thought, that MTP was released already, wasn't it?
member
Activity: 420
Merit: 10
Very interested in this coin... Can't wait for the MTP implementation.... Can we also have an update for easier mining on the GUI wallet please?
legendary
Activity: 1260
Merit: 1046
Perhaps your too-old GPU is not supported by your ccminer version or CUDA?

Is there a version of ccminer that supports older gpu's and has lyra2z algo or any gpu miner that supports older cards and has lyra2z algo?

Currently no. Lyra2z is being phased out in a month anyway.

Currently 4 x GTX 1080 TI will net you around 1.4 XZC a day only.
Will the new MTP be out at the beginning of August?
sr. member
Activity: 1004
Merit: 268
Firo (FIRO)
Perhaps your too-old GPU is not supported by your ccminer version or CUDA?

Is there a version of ccminer that supports older gpu's and has lyra2z algo or any gpu miner that supports older cards and has lyra2z algo?

Currently no. Lyra2z is being phased out in a month anyway.

Currently 4 x GTX 1080 TI will net you around 1.4 XZC a day only.