Topic: [ANN] Zcoin (XZC) - Implementing ZKP privacy without trusted setup - page 174. (Read 663504 times)

Guess you need to read my post above - what I said was MTP appears to be less memory hard than the hash it replaced. I think your preoccupation with MTP as Zcoin's revolutionary development when in fact it's staring to look worse than the hash it replaces is a very big deal. The market's down 10%. I'm sure you've got a reserve to stem the flow and there will be a dead cat bounce, but not indefinitely and this will play out badly over a week.

Which is it Reuben, "We don't forsee any further changes on the MTP algorithm itself" that you wrote, or what you wrote in the post after that that you reserve the right to change the algorithm at any time so ASIC developers should be scared?

I did not say that MTP being flawed necessarily made the network insecure transactionally. Though given the lack of memory hardness supposedly now patched it poses theoretical risks of 51 per cent attacks by ASIC maker, but that's a side issue and not my point. My point is the last several months have all been about MTP, and now it turns out it could be worse than the existing Lyra2 in terms of memory hardness. That is a massive problem, spending months without fruitful result. Now you're working on functioning wallets? Like 10 months after launch or whatever we are?

I have previously posted about the Zcoin hack here https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/ which I believe was an inside job. I was willing to let sleeping dogs lie on the matter, it wouldn't be the first time it had happened, and the developers would still want the coin to go up as much as investors and miners. But I just see the reputational hits keep on coming. You guys are smart, but maybe not smart enough and too young?

Look I can't really guess which way Zcoin holders should jump, for goodness sake if you're not invested wait some weeks til the dust settled, especially if the devs run out of reserves to inject liquidity to try and hold Zcoin's price from tanking.

Guess you need to read the paper and what I wrote. The worst case scenario is the absolute worst case scenario WHICH HAS NOT HAPPENED. The only reason why I bring this up is that many lay people would go omg Zcoin PoW is broken gg without bothering to read what this attack entails and if we did nothing or cannot fix it (which isn't the case). What this attack (if successful) is saying is that MTP isn't as memory hard as it claims to be but it doesn't mean it's 'broken' per se. A question to ask can be is x11 broken? Is Litecoin's Scrypt broken? They're not but they weren't as ASIC resistant as they thought they were.

Again, I repeat...THIS HAS NOT HAPPENED. MTP is still memory hard until further research shows otherwise and we welcome the scrutiny.

The paper's author itself said their proposed fixed completely fixes the attack but remains to be seen if there are other ways to attack. Basically a 'I suspect there may be ways but I don't know and we should research further'.

Now, this isn't the first time the MTT attack was brought up and was left in comments in various news articles which I believe we responded to. We also responded to various pms to us on this. Does it technically affect Zcoin right now in anyway? No. Heck it's on testnet. Is it fixed? Yeah and will continue to be improved. Would we want a bit more clarity from the researchers before putting out a full announcement on a non critical issue? Our discussions with Dmitry only happened in the last week of June and is still ongoing. Usually how it happens is that until you fix it, you don't announce it unless you know you can't fix it. Monero does this as well as I think most projects or even vulnerabilities in general. And again, this is on TESTNET. That's the whole point of the testnet. We knew we could fix it and we wanted the fix in place before an official announcement on it and were picking some brains to just make sure we understood the current situation well enough.

The wallet upgrade Bitcoin core is proceeding very rapidly which would improve the wallet experience which right now is only bad on the first initial sync. However Coinomi completely works. We went through this discussion before so I won't repeat it.

Are you serious? This is "damage control"? The "worst case" scenario is you have staked all on a much vaunted and praised hash MTP that was designed to be more memory hard than the existing hash. In fact, it turns out to be less memory hard by orders of magnitude. This wasn't announced by Zcoin staff, but discovered by a miner who came on here to complain.

You don't have a working wallet, no roadmap for incentivised nodes, and now this MTP that consumed all your effort turns out to be worse than the existing hash. You must realise the reputational damage this causes, both the discovery, and moreover that you didn't announce the discovery as soon as you were aware of it but rather it was discovered by miner coders.

I warned weeks ago on this thread that I thought it was a mistake to focus on MTP at the expense of a wallet. I don't know if the Coinomi wallet works for Zcoin, I haven't used it, but it's clear from all the complaints on this thread that your "new" "fixed" desktop wallet does not.

First of all, let us be alarmist and consider the worst case scenario.

The Worst Case Scenario

First of all let us understand what this attack does when successful and examine its worse case scenario. With a memory hard proof of work, we're supposed to require a lot of memory since this increases ASIC development cost significantly and also makes the algorithm more 'memory limited'.

A time memory tradeoff attack means you can reduce the memory required (in this case down to 1mb), and instead of being penalized very badly until it's not worthwhile, in this case they are penalized only a 170 times. This makes MTP not as 'memory hard' as advertised. What if we didn't patch the problem and just let it stand? Does it break the security of the chain? Not really, just not the intended result.

The very worse case scenario if we did nothing or that the problem cannot be fixed that our coin is like Bitcoin or Dash. But even then given that these two algos SHA256 and x11 use no memory, it's unlikely to be as bad. Have these coins died? No.

Unlike the use of crypto in encrypting communications, the worst thing that this attack does is make ASICS more likely to be economical than previously thought and that is a LOT of factors.

Now that we have seen the unlikely worst case scenario let's examine what the paper is saying.

How the TMT works


First of all, all the simple attacks have been patched and even improved upon from the suggestions in the paper.

We did consider the option of switching to Argon2i as suggested in the paper but has not been explored in detail and Dmitry's opinion is that we shouldn't touch that until further research is done as it has its own set of trade-offs. How this attack works is because Argon2d uses data-dependent indexing. Argon2i uses data-independent indexing but is not as resilient to other types of attacks so it would be foolish to jump here and there until that has been explored further.

The paper itself says that switching to a function with data-independent indexing would completely stop the attack in documented in the paper but that there is a *possibility* that there may be other ways to attack it but further non-trivial research is required. It needs to be explored further. This is how a lot of stuff works in the real world, someone finds a way to attack it, then it is fixed and patched. Note switching from Argon2d to Argon2i or some other function is quite trivial and djm34 also said that it's unlikely to affect miner development significantly but research has to be done on which function to use. So if and when the academic consensus is a bit clearer, we can modify. We are monitoring it closely and will reach out to Dinur and Nadler as well though I understand Dmitry has been in contact with them.

The only reason we are not switching to Argon2i immediately was because Dmitry (who is also the co-author of Argon2 which won the Password Hashing competition https://password-hashing.net/) didn't recommend it due to other attack vectors which need to be explored further before making the switch. Given he's the expert on Argon2, we defer to his better judgment.

Also increasing the parameter L is one way to make it much more difficult but has to be weighed against its performance penalties on the verifier.

However right now, MTP works, it cannot be simply attacked and we welcome the further research into this field. Our idea given the low impact of this attack on the security on Zcoin as it stands right now is to roll this out and further improve on it when more research has been done.

How Practical it is right now to take advantage of it

MTP compared to other algorithms is quite a complex beast and developing an ASIC for this would still be quite a challenge and would take considerable resources. Given that we could at any time modify it (and given that it's a new algorithm some change is expected as research progresses) it would not be economical to start design of an ASIC right now. Actually right now they can't even do it until a new attack method is found and given we are now stating that MTP is not a fixed algorithm, its parameters and internal functions can be changed, it doesn't make sense for anyone to develop MTP ASICs.

TL:DR version
a) The proposed attack doesn't really affect MTP's security in Zcoin in his current state. The simple attacks have all been patched.The worse case if the attack couldn't be fixed is that we become like Bitcoin/Litecoin/Dash.
b) From a coding standpoint, changing the internal function within MTP to Argon2i is relatively trivial and would completely defeat all of this but we prefer to wait and see how the academic debate evolves before making a decision. Miner code also can still be adapted relatively easy according to djm34.
c) ASIC development is unlikely to be economical unless another attack vector is found. Development of an ASIC MTP miner is likely to be significantly more complex than any other miner before so the economics would have to be very good for them to even begin it.
e) MTP in Zcoin's current state of development is not a fixed target and we intend to improve on it once the academics have had time to examine and debate it further. It really isn't an immediate or breaking problem.

Hmmm these are some really strong allegations,  Eager to hear what the Dev has to say

If the Algo is no good, it's just better to reconsider it's implementation instead of sticking the head on the sand

"The main idea of the attack is to exploit the fact that Argon2d accesses its memory in a way which is determined by its previous computations. This allows to inject a small fraction of carefully selected memory blocks that manipulate Argon2d's memory access patterns, significantly weakening its memory-hardness. "

There is a lot of hate in this message and I'm sure developers will be able to respond very easily.

Totally understand your concern that's why we haven't released the MTP miner bounty challenge yet. We will be releasing the details sometime this week which should give people more than a month to code miners.

https://eprint.iacr.org/2017/497 which was only very recently released (like two weeks before we released MTP?) and we were only recently made aware of it.

After consultation with Dmitry Khovratovich (co-author of MTP)

TLDR version:

the changes in the algorithm which are relatively minor.

No planned changes on the block 47,500 switch.

We don't forsee any further changes on the MTP algorithm itself.

Uh, I guess not:

https://github.com/zcoinofficial/zcoin/commit/bc81678b7f9467fecf64e0a44dba35550e50619f

Not just the parameters, but the algorithm just changed this weekend?  And no longer follows the paper?  How are we supposed to code for a moving target like this?

What is going on here folks?  This is some serious seat-of-the-pants-nonsense.  If you are making changes like this then you'd better not be serious about the height=47500 target, and if you're not then that should be made public.

Either way I will be sitting out until the dust settles.

Currently no. Lyra2z is being phased out in a month anyway.

Currently 4 x GTX 1080 TI will net you around 1.4 XZC a day only.

https://github.com/zcoinofficial/zcoin/commit/5b6d2941616e756051ec584085297cc691a5614e

These probably will be the final parameters that we're working on for the release.

Hmm, but I thought, that MTP was released already, wasn't it?

Very interested in this coin... Can't wait for the MTP implementation.... Can we also have an update for easier mining on the GUI wallet please?

Currently no. Lyra2z is being phased out in a month anyway.

Currently 4 x GTX 1080 TI will net you around 1.4 XZC a day only.

Is there a version of ccminer that supports older gpu's and has lyra2z algo or any gpu miner that supports older cards and has lyra2z algo?