Bitcoin Forum
  Show Posts
681  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 24, 2017, 02:50:43 AM
If anyone cares for an update, I did get back the 50 XZC from the second mint zerocoin transaction but the first transaction is still gone. Waiting for some sort of helpful advice, have not received any yet. The second 50 zerocoin minting went smoothly without a hitch but the GUI did not liberate the coins, it presented an error message. When I 'spendmintzerocoin' from the console it worked fine. Still puzzled why the GUI would present an error message for the same function that works when called from the console. No explanation here.

In my opinion it is imperative/critical for the mint zero coins to NOT DISAPPEAR. I see everyone talking about pressing on with miner dev bounties and new MTP but the basic foundation of zcoin has malfunctioned and there seems to be very little regard to this issue. I have plenty of zcoin and only wish to see them gain value. I seriously doubt there is a future if this problem is not addressed. And why it has been postponed without public response is troubling me.

Took a break on Sunday but am asking the devs to look at it. Need many more details though. The only reason I brought it to PM was because we probably need some private details from you, like your wallet.dat. Still trying to process everything you wrote to communicate it with the devs.
682  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 22, 2017, 01:55:42 AM

If I am unclear about anything, let me know. I have all the data but the trans ID isn't showing up on the blockchain from the first spend mint zerocoin transaction. I don't know if backing up that code sequence that equates to the second 50 xzc that was burnt from my wallet would do any good. I saw no option to recover or restore from that code.

IF I AM MISSING SOMETHING (other than 100 XZC currently) I WOULD LOVE TO HEAR IT !

thank you for your time.

Will PM you! Are you on Slack?
683  Alternate cryptocurrencies / Mining (Altcoins) / USD21,000 Zcoin MTP Miner Development Competition on: July 21, 2017, 08:15:57 AM
Zcoin ($XZC) is hosting a competition to develop a miner for its implementation of the MTP (Merkle Tree Proof) proof-of-work algorithm.

The MTP algorithm was devised by Alex Biryukov and Dmitry Khovratovich from the University of Luxembourg in their paper published on 11 June 2016 titled Egalitarian Computing. These are the same researchers who came up with Equihash, which is currently used in ZCash, and also Argon2, the winner of the Password Hashing Competition.

Watch our video here for a brief overview of what MTP seeks to achieve.

We are inviting miner developers to take part!


Prizes

Winner of CPU miner: USD7,000.00
Winner of AMD GPU miner: USD7,000.00
Winner of NVidia GPU miner: USD7,000.00

The prizes shall be paid in Bitcoin equivalent (Bitstamp pricing) or Zcoin equivalent (Bittrex pricing) at the respective winner’s choice. The price will be determined on the time and date the winners are announced.

Criteria

Documentation and completeness:

Accurate and comprehensive documentation included with the submission (e.g., description and rationale of design, expected performance).
Accurate documentation on where the submission may be optimized or improved further.

Compatibility

The submission can be built/run on a variety of systems: various popular distributions of Linux (CentOS and Ubuntu at the very least) and Windows. Mac is optional but looked at favorably.
The submissions for CPU would run on modern CPUs from the past 5 years.
The submissions for GPUs can work on a variety of modern GPU cards in general:
AMD Radeon R7 series and up
Nvidia Geforce 700 series and up

Quality

Whether the submission has self-testing capabilities or can be easily tested.

Performance

This is the most important criterion but not the sole determinant, as a miner that cannot be worked on by others because of poor documentation or incompatibility with systems is less valuable than a well-documented, easily improved, less performant miner.
The hash rate of the submission over a variety of systems. Please provide instructions on intensity/thread settings in your documentation.

Submission and Deadline

The deadline for submission for this competition shall be 9 August 2017, 6.00PM GMT+8. Early submissions are allowed and will be looked at favorably by the judges.
The MTP code can be obtained from the mtptest Github branch.
Submissions can be amended until the deadline through making commits through the Github repository specified for Challenge purposes.

For full details, please read our blog post here: https://zcoin.io/mtp-open-source-miner-bounty-challenge/

We also have a separate MTP audit bounty challenge here: https://zcoin.io/mtp-audit-and-implementation-bounty/

684  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 21, 2017, 07:14:41 AM
Bounty for MTP Audit ($10,000) and MTP Implementation ($2,500)



We are announcing bounties for MTP audit and MTP implementation.

MTP (Merkle Tree Proof) is a new proof of work algorithm that was presented at the USENIX Security Symposium 2016 and has attracted substantial attention from the cryptocurrency and academic community. To further encourage research and scrutiny into MTP, we are sponsoring two bounties.

MTP Audit Bounty: 10,000 USD Total
MTP Implementation Bounty: 2,500 USD Total

Deadline of submission is 30 September 2017 but remember it is better to submit early as duplicates are not rewarded.

Further information about rules and bounty distribution can be found in our blog post:
https://zcoin.io/bounty-mtp-audit-10000-mtp-implementation-2500/
685  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 21, 2017, 07:11:20 AM
Dev, would you be so kind to give your opinion about this matter? I thought the new algo was supposed to make it not profitable for botnets to mine Zcoin anymore, and I'm not aware of any ASICs for Zcoin (seems highly unlikely), so how can this be? What do you think about this enormous hashrate?

The Lyra2z algorithm was meant to make it much less profitable for botnets to mine Zcoin, since GPUs were viable and had some advantage over CPUs. I don't think it has a lot of memory though, especially when compared to the original algorithm.
Blake256 first round and Lyra2 (timecost = 8, r=c=8). Remember this was a placeholder algorithm.

Given that this is a transition algorithm that is due to be phased out when MTP comes along, it is pretty unlikely that an ASIC has been developed, plus we're a new coin in a rapid state of change.

Previously we were made aware of a sizeable private Nvidia GPU farm that was mining Zcoin since the Lyra2z switch on their own private pool but we really don't know if it's them.

The last I tried mining Zcoin with my Nvidias, it was less profitable than other coins but not THAT much so to make it unthinkable.

686  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 19, 2017, 02:16:36 AM

Where?  Last commit here

https://github.com/zcoinofficial/zcoin/commits/merge-mtp

is 10 days ago.

https://github.com/zcoinofficial/zcoin/commit/0d1f1125050be9dd0528c56954efc113e211f66c

Don't look at merge-mtp; that is merging it back to master and doesn't affect the MTP coding.
687  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 18, 2017, 03:02:38 AM
Quick Development Updates

From our testing, Zcoin's updated Bitcoin core 0.13 sync speed from scratch is about 6 hours which is a huge improvement. Testing Zerocoin functions at the moment.

Dev team decided that despite the benefits of 0.13, MTP migration will happen first before core upgrade improvements are deployed. The same goes with our libzerocoin upgrades and fixes. This is because MTP has a totally new block header structure so migration from the old block header structure needs some planning and we want to make sure that happens smoothly first before deploying too many fundamental changes especially one as big as Bitcoin core and libzerocoin. Migration to 0.13 will then open the way for deployment of Znodes.

Final MTP patch is in place. Will announce separate MTP bounty (not the same as a MTP miner dev competition) in the next few days to encourage scrutiny into MTP.
688  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 17, 2017, 01:42:22 PM
We are happy to announce that Torphop Korgtadam has been appointed to be a consultant for Zcoin in IT Security matters.

Torphop Korgtadam is Co-Founder of Creden and MHCON (Meet the Hackers). He has experience in the banking industry and has been appointed as a Global Subject Matter Expert (GSME) for Cyber Security, End-Point Security, and Web Application Security. He consults and advises on matters relating to IT audit and control and the management strategy of internal audits.

https://zcoin.io/team/
689  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 14, 2017, 09:24:41 AM
A quick dev update:

Aizensou's Bitcoin Core upgrade to 0.13 is progressing smoothly. Still on track to complete by end of the month. Fingers crossed. Took a bit longer than originally foreseen due to one of the functions used by the Zerocoin code being deprecated in 0.13.

Adapted Bitcoin paper wallet generator for Zcoin. To be released soon.

MTP debate and analysis still ongoing. Poramin to release one more minor patch. Looking into extension of miner bounty competition deadline. For the moment still aiming to go on mainnet at Block 47500.

Reference GPU miner development is taking longer than expected. This is because the proof being put in the header is large, which is causing some issues with adapting existing miner code. djm34 believes he knows how to work around this now.

Tim Ruffing has completed a bunch of fixes to libzerocoin. Will integrate and publish them during core upgrade period. Tim Ruffing beginning benchmark work on Sigma to explore performance times as compared to Zerocoin.

Riordant has commenced work into coding for Ethereum mixer. Previous efforts were into examining/calculating the gas costs for the various functions and optimizations that can be done to reduce gas costs.
690  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 14, 2017, 01:55:01 AM
Well I'm not a Khovratovich or Dinur or Nadler, but if Khovratovich has been in contact with the two and he says the current fix removes the attack vector, then it's reasonable to believe that.

We also spoke to Marc Bevands who had a lengthy exchange with Alexy and Dmitry. There's a lot of academic and good discussions happening in the background.

Note we are not saying that MTP is not going to be improved upon/developed upon. We do definitely foresee upcoming changes. One of the things we are looking at is also the compression of the proof, which is quite large.

However at this point in time, we are still going ahead with rolling MTP on the mainnet unless a significant change is required due to new developments. We may push back the competition deadline a little and introduce a separate bounty fund to encourage scrutiny on MTP.



691  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 12, 2017, 10:44:44 AM


Interview with Tadhg Riordan on Zcoin's Ethereum Mixer.

We have added two new interview videos to the playlist. You can follow the link above or view them individually here:

Zcoin's ZEth: Implementing Zerocoin on Eth
https://youtu.be/nS1A3VdJFmM

Zcoin's ZEth: Optimizing Zerocoin further for ZEth
https://youtu.be/8eVk7QKxtLg
692  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 09, 2017, 04:29:10 PM


MTP Open-source Miner Bounty Challenge

We are sponsoring a prize fund of USD 21,000 for the development of open source miners for the upcoming MTP protocol as implemented in Zcoin. There are three categories for the miner bounty: CPU miner, AMD GPU miner, and nVidia GPU miner.

The prizes shall be paid in Bitcoin equivalent (Bitstamp pricing) or Zcoin equivalent (Bittrex pricing) at the respective winner’s choice. The price will be determined on the time and date the winners are announced.

Eligibility
Anyone who can speak English and has reached the age of majority in their country of residence. Teams can be formed; however, one person shall be designated as the contact person and shall be the sole recipient of any prize money. All contestants must have a Github account.

Deadline: 9 August 2017 6.00PM GMT+8

For requirements, criteria and technical details, visit the bounty challenge blog post.
693  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 09, 2017, 02:09:09 PM
I hate to be "that guy" - but a birdie told me Zerocoin is working on setting up a trust-less setup (possibly slated for this fall).  Can anyone confirm this?

I like ZCash except for this part.  I'm interested in the first coin to implement the Zerocoin technology that comes up with a way to do it without the trusted setup.

Also on a different note (did some digging and couldn't find the answer).  Is the current trusted setup for Zerocoin able to de-anonymize transactions or just create arbitrary inflation (like ZCash)?

Also - it looks like ZCash and ZCoin were both released in October.  And from what I understand both have bitcoins inflation schedule.  Can someone explain to me why ZCoin has 2,500,000 coins vs ZCash's 1,600,000?  30 days between releases should only result in 144,000ish coins shouldn't it?  (50 coins X 4 per hour (every 15) X 24 hours per day X 30 days = 144,000).

(Edit:  10 min block times as poster below pointed out.  So 50 X 6 X 24 X 30 = 216,000 minted in a month.  Still seems like we have almost a 1,000,000 coin difference when there should only be 216,000 difference.  Even with the bug that released 200K extra coins - that's still 900,000 discrepancy when there should only be a 400,000ish supply discrepancy.)

And one more question.  I was around back when ZeroVert came out with ZeroCoin never being implemented and devs faded into the background.  It looks like Poramin was the dev of that supposed "first implementation of Zerocoin" years ago.  Until it turned out to be a scam (I think?).  Coin wasn't even around for a few months.

Can someone confirm that Poramin Insom was or was not the dev of that coin?  I'm not trying to FUD here or detract from others who are fine with the ZeroVert incident.  I would just like an explanation if there is one.  And if Paramin started it and abandoned it even with the 168K premine due to lack of funding or whatever.  I understand many will be ok with this.  I'd just like to gather more information for myself.

Hey, no problem, pretty good questions, but dang, all the most controversial ones!

The Cointelegraph article is actually not correct that we would do it by the end of the year. Likely to spill over into 2018. You can read more about this here: https://zcoin.io/zcoin-moving-beyond-trusted-setup-in-zerocoin/. https://eprint.iacr.org/2014/764.pdf Roadmap is here: https://imgur.com/Vad2DG7

If the current trusted setup for Zerocoin is broken, transactions are NOT de-anonymized. The privacy is guaranteed through the zero-knowledge proofs, as the accumulator is not involved in the privacy part. The only security we need from the accumulator is that you can't claim that you have a coin in the accumulator which is actually not there. So that's just orthogonal to privacy. So yes, arbitrary inflation is the issue; note that it would still be a serious issue, but it will at least be detected in Zcoin.

ZCash had a slow release schedule, if I'm not mistaken, during its initial mining period. We also had a bug that allowed coins to be generated, which was subsequently fixed. Not our finest moment for sure, but you can read about it here. We also released on September 28.

Poramin Insom indeed was the dev of ZeroVert and was with the previous founder Gary (who is no longer with the project). You can read about our explanation on that incident here and you will notice that the premine was untouched.
694  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 08, 2017, 04:02:19 PM


We are happy to announce that Litebit.eu, Coinex.ir and Coinexchange.io have listed Zcoin! Thank you to our community for making this possible.
695  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 07, 2017, 10:48:15 AM
What is the inflation rate for ZCoin?

Same as Bitcoin.
696  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 07, 2017, 06:44:26 AM


Interview with Tadhg Riordan on Zcoin's Ethereum Mixer.
697  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 07, 2017, 04:01:17 AM
Guess you need to read my post above - what I said was MTP appears to be less memory hard than the hash it replaced. I think your preoccupation with MTP as Zcoin's revolutionary development, when in fact it's starting to look worse than the hash it replaces, is a very big deal. The market's down 10%. I'm sure you've got a reserve to stem the flow and there will be a dead cat bounce, but not indefinitely, and this will play out badly over a week.

Which is it, Reuben: "We don't foresee any further changes on the MTP algorithm itself" that you wrote, or what you wrote in the post after that, that you reserve the right to change the algorithm at any time so ASIC developers should be scared?

I did not say that MTP being flawed necessarily made the network insecure transactionally. Though, given the lack of memory hardness (supposedly now patched), it poses theoretical risks of 51 per cent attacks by an ASIC maker, but that's a side issue and not my point. My point is the last several months have all been about MTP, and now it turns out it could be worse than the existing Lyra2 in terms of memory hardness. That is a massive problem, spending months without fruitful result. Now you're working on functioning wallets? Like 10 months after launch or whatever we are?

I have previously posted about the Zcoin hack here https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/ which I believe was an inside job. I was willing to let sleeping dogs lie on the matter, it wouldn't be the first time it had happened, and the developers would still want the coin to go up as much as investors and miners. But I just see the reputational hits keep on coming. You guys are smart, but maybe not smart enough and too young?

Look, I can't really guess which way Zcoin holders should jump; for goodness' sake, if you're not invested, wait some weeks until the dust settles, especially if the devs run out of reserves to inject liquidity to try and hold Zcoin's price from tanking.

And on what basis are you saying that MTP is not as memory hard as Lyra2z? And it's not about memory hardness alone; if it were, we could have just stuck with our initial crazy PoW, which was the most insane thing. Yes, it was frickin' undeniably memory hard. But it was a pain for verifiers.

I thought you had apologized to me on what you were implying on the Zcoin hack and now you're taking it back. Brilliant. At least post my response to it and the proof I provided. You deleted that post and that actually made my response LESS visible rather than just responding publicly. You also kept the original Reddit post without amending it.



Way to flip flop.

698  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 07, 2017, 03:23:30 AM
Are you serious? This is "damage control"? The "worst case" scenario is you have staked all on a much vaunted and praised hash MTP that was designed to be more memory hard than the existing hash. In fact, it turns out to be less memory hard by orders of magnitude. This wasn't announced by Zcoin staff, but discovered by a miner who came on here to complain.

You don't have a working wallet, no roadmap for incentivised nodes, and now this MTP that consumed all your effort turns out to be worse than the existing hash. You must realise the reputational damage this causes, both the discovery, and moreover that you didn't announce the discovery as soon as you were aware of it but rather it was discovered by miner coders.

I warned weeks ago on this thread that I thought it was a mistake to focus on MTP at the expense of a wallet. I don't know if the Coinomi wallet works for Zcoin, I haven't used it, but it's clear from all the complaints on this thread that your "new" "fixed" desktop wallet does not.


Guess you need to read the paper and what I wrote. The worst case scenario is the absolute worst case scenario WHICH HAS NOT HAPPENED. The only reason why I bring this up is that many lay people would go omg Zcoin PoW is broken gg without bothering to read what this attack entails and if we did nothing or cannot fix it (which isn't the case). What this attack (if successful) is saying is that MTP isn't as memory hard as it claims to be but it doesn't mean it's 'broken' per se. A question to ask can be is x11 broken? Is Litecoin's Scrypt broken? They're not but they weren't as ASIC resistant as they thought they were.

Again, I repeat...THIS HAS NOT HAPPENED. MTP is still memory hard until further research shows otherwise and we welcome the scrutiny.

The paper's authors themselves said their proposed fix completely fixes the attack, but it remains to be seen if there are other ways to attack. Basically an 'I suspect there may be ways but I don't know and we should research further'.

Now, this isn't the first time the TMT attack was brought up; it was left in comments in various news articles, which I believe we responded to. We also responded to various PMs to us on this. Does it technically affect Zcoin right now in any way? No. Heck, it's on testnet. Is it fixed? Yeah, and will continue to be improved. Would we want a bit more clarity from the researchers before putting out a full announcement on a non-critical issue? Our discussions with Dmitry only happened in the last week of June and are still ongoing. Usually how it happens is that until you fix it, you don't announce it unless you know you can't fix it. Monero does this as well, as I think most projects do, or even vulnerabilities in general. And again, this is on TESTNET. That's the whole point of the testnet. We knew we could fix it and we wanted the fix in place before an official announcement on it and were picking some brains to just make sure we understood the current situation well enough.

Note it's much easier to accuse than to defend so a lot of time has to be spent in replying.

The wallet upgrade to Bitcoin Core is proceeding very rapidly, which would improve the wallet experience, which right now is only bad on the first initial sync. However, Coinomi completely works. We went through this discussion before so I won't repeat it.

699  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 07, 2017, 02:35:06 AM
Hmmm, these are some really strong allegations. Eager to hear what the dev has to say.

If the algo is no good, it's just better to reconsider its implementation instead of sticking our head in the sand.

First of all, let us be alarmist and consider the worst case scenario.

The Worst Case Scenario

First of all, let us understand what this attack does when successful and examine its worst case scenario. With a memory hard proof of work, we're supposed to require a lot of memory, since this increases ASIC development cost significantly and also makes the algorithm more 'memory limited'.

A time-memory tradeoff attack means you can reduce the memory required (in this case down to 1 MB), and instead of being penalized very badly until it's not worthwhile, in this case they are penalized only 170 times. This makes MTP not as 'memory hard' as advertised. What if we didn't patch the problem and just let it stand? Does it break the security of the chain? Not really, just not the intended result.

The very worst case scenario, if we did nothing or the problem could not be fixed, is that our coin is like Bitcoin or Dash. But even then, given that these two algos SHA256 and x11 use no memory, it's unlikely to be as bad. Have these coins died? No.

Unlike the use of crypto in encrypting communications, the worst thing that this attack does is make ASICs more likely to be economical than previously thought, and that is a LOT of factors.

Now that we have seen the unlikely worst case scenario let's examine what the paper is saying.

How the TMT works

Quote: "The main idea of the attack is to exploit the fact that Argon2d accesses its memory in a way which is determined by its previous computations. This allows to inject a small fraction of carefully selected memory blocks that manipulate Argon2d's memory access patterns, significantly weakening its memory-hardness."

First of all, all the simple attacks have been patched and even improved upon from the suggestions in the paper.

We did consider the option of switching to Argon2i as suggested in the paper, but it has not been explored in detail and Dmitry's opinion is that we shouldn't touch that until further research is done, as it has its own set of trade-offs. This attack works because Argon2d uses data-dependent indexing. Argon2i uses data-independent indexing but is not as resilient to other types of attacks, so it would be foolish to jump here and there until that has been explored further.

The paper itself says that switching to a function with data-independent indexing would completely stop the attack documented in the paper, but that there is a *possibility* that there may be other ways to attack it, and further non-trivial research is required. It needs to be explored further. This is how a lot of stuff works in the real world: someone finds a way to attack it, then it is fixed and patched. Note switching from Argon2d to Argon2i or some other function is quite trivial, and djm34 also said that it's unlikely to affect miner development significantly, but research has to be done on which function to use. So if and when the academic consensus is a bit clearer, we can modify. We are monitoring it closely and will reach out to Dinur and Nadler as well, though I understand Dmitry has been in contact with them.

The only reason we are not switching to Argon2i immediately was because Dmitry (who is also the co-author of Argon2 which won the Password Hashing competition https://password-hashing.net/) didn't recommend it due to other attack vectors which need to be explored further before making the switch. Given he's the expert on Argon2, we defer to his better judgment.

Also increasing the parameter L is one way to make it much more difficult but has to be weighed against its performance penalties on the verifier.

However, right now MTP works, it cannot be simply attacked, and we welcome further research into this field. Our idea, given the low impact of this attack on the security of Zcoin as it stands right now, is to roll this out and further improve on it when more research has been done.

How Practical it is right now to take advantage of it

MTP compared to other algorithms is quite a complex beast and developing an ASIC for this would still be quite a challenge and would take considerable resources. Given that we could at any time modify it (and given that it's a new algorithm some change is expected as research progresses) it would not be economical to start design of an ASIC right now. Actually right now they can't even do it until a new attack method is found and given we are now stating that MTP is not a fixed algorithm, its parameters and internal functions can be changed, it doesn't make sense for anyone to develop MTP ASICs.

TL;DR version

The academic implications are indeed very interesting but it's not really a big issue at the moment. The paper's authors suggested a fix that patches it that is easily implemented but does indicate that further research is required. We have improved upon some of their suggested fixes and are awaiting further research.

  • The proposed attack doesn't really affect MTP's security in Zcoin in its current state. The simple attacks have all been patched. The worst case, if the attack couldn't be fixed (which the paper does NOT indicate), is that we become like Bitcoin/Litecoin/Dash.
  • From a coding standpoint, changing the internal function within MTP to Argon2i is relatively trivial and would completely defeat all of this, but we prefer to wait and see how the academic debate evolves before making a decision. Miner code can also still be adapted relatively easily according to djm34, so it isn't a big change.
  • ASIC development is unlikely to be economical unless another attack vector is found. Development of an ASIC MTP miner is likely to be significantly more complex than any other miner before so the economics would have to be very good for them to even begin it.
  • MTP in Zcoin's current state of development is not a fixed target and we intend to improve on it once the academics have had time to examine and debate it further. It really isn't an immediate or breaking problem.
700  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] Zcoin (XZC) - Implementing Zerocoin technology for financial privacy on: July 06, 2017, 07:53:58 AM
Hi, I would like to start working on an open-source AMD miner for MTP.  However after reading the MTP paper, it is clear that the choice of parameters has a big impact on the optimal code architecture.
Thanks.

https://github.com/zcoinofficial/zcoin/commit/5b6d2941616e756051ec584085297cc691a5614e

These probably will be the final parameters that we're working on for the release.

Uh, I guess not:

https://github.com/zcoinofficial/zcoin/commit/bc81678b7f9467fecf64e0a44dba35550e50619f

Not just the parameters, but the algorithm just changed this weekend?  And no longer follows the paper?  How are we supposed to code for a moving target like this?

What is going on here folks?  This is some serious seat-of-the-pants-nonsense.  If you are making changes like this then you'd better not be serious about the height=47500 target, and if you're not then that should be made public.

Either way I will be sitting out until the dust settles.

Hi mjosephs.

Totally understand your concern that's why we haven't released the MTP miner bounty challenge yet. We will be releasing the details sometime this week which should give people more than a month to code miners.

The MTP change was meant to address recent findings in this paper: https://eprint.iacr.org/2017/497 which was only very recently released (like two weeks before we released MTP?) and we were only recently made aware of it.

After consultation with Dmitry Khovratovich (co-author of MTP), the proposed fix in the paper was not ideal, as it used Argon2i instead of Argon2d and there exist strong tradeoff attacks on Argon2i.

TL;DR version: the paper talks about brute-forcing the garbage blocks until the references to the next real blocks all point to the memory. A solution to this (and the simpler attacks they mention) is to embed the challenge in all compression function calls to prevent memory reuse across challenges, and this is the reason for the changes in the algorithm, which are relatively minor.

No planned changes on the block 47,500 switch. We don't foresee any further changes on the MTP algorithm itself. Some of the fixes in there are to fix the memory leak in the inbuilt miner and not the algorithm, which should not affect miner dev.
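To make the two design points raised in posts 699 and 700 concrete (data-dependent versus data-independent block indexing, and embedding the challenge in every compression call so that memory cannot be reused across challenges), here is an added toy model in Python. It is written for this page and is not Zcoin's MTP code nor the Argon2 reference implementation: blocks are 32-byte BLAKE2b digests rather than 1 KiB Argon2 blocks, the compression step is a plain hash, the constructed challenges `challenge-A` and `challenge-B` stand in for block headers, and the index derivation is a simplification of Argon2's. It does not model the 170x time penalty or the garbage-block search; it shows only why the reference pattern is fixed in advance under Argon2i-style indexing and challenge-dependent under Argon2d-style indexing, and why a block computed under one challenge is worthless under another once the challenge is mixed into every compression call.

```python
"""Toy model of Argon2d-style vs Argon2i-style indexing and of challenge embedding.

Illustrative code written for this page; not Zcoin's MTP implementation and
not the Argon2 reference code. Blocks are 32-byte BLAKE2b digests instead of
1 KiB Argon2 blocks, and the compression function is a plain hash.
"""
import hashlib

BLOCK_SIZE = 32  # toy block size; real Argon2 blocks are 1024 bytes


def H(*parts: bytes) -> bytes:
    """Toy hash used both as the compression function and as the index PRNG."""
    return hashlib.blake2b(b"".join(parts), digest_size=BLOCK_SIZE).digest()


def ref_index(i: int, prev_block: bytes, mode: str) -> int:
    """Choose which earlier block (0..i-1) block i reads from.

    independent: index is a function of the position only (Argon2i style), so
                 the whole access schedule is known before any block exists.
    dependent:   index is read out of the previous block's contents (Argon2d
                 style), so the schedule only exists once the data exists.
    """
    if mode == "independent":
        r = int.from_bytes(H(b"idx", i.to_bytes(4, "big"))[:4], "big")
    elif mode == "dependent":
        r = int.from_bytes(prev_block[:4], "big")
    else:
        raise ValueError(f"unknown indexing mode: {mode!r}")
    return r % i


def compress(prev: bytes, ref: bytes, challenge: bytes, embed_challenge: bool) -> bytes:
    """One compression step producing a new block from the previous and referenced blocks.

    With embed_challenge=True the challenge (the block header in MTP) enters
    every call, which is the mitigation the post describes: a block computed
    under one challenge is never a valid block under any other challenge.
    """
    return H(b"cmp", prev, ref, challenge if embed_challenge else b"")


def fill_memory(challenge: bytes, n_blocks: int, mode: str, embed_challenge: bool):
    """Fill n_blocks blocks sequentially; returns (memory, access_pattern)."""
    mem = [H(b"seed", challenge)]  # block 0 is always seeded from the challenge
    pattern = []
    for i in range(1, n_blocks):
        j = ref_index(i, mem[i - 1], mode)
        pattern.append(j)
        mem.append(compress(mem[i - 1], mem[j], challenge, embed_challenge))
    return mem, pattern


def pattern_is_challenge_invariant(mode: str, n_blocks: int = 64) -> bool:
    """True if two unrelated (constructed) challenges yield the same reference pattern."""
    _, p1 = fill_memory(b"challenge-A", n_blocks, mode, True)
    _, p2 = fill_memory(b"challenge-B", n_blocks, mode, True)
    return p1 == p2


def block_reusable_across_challenges(embed_challenge: bool) -> bool:
    """Can a block computed for challenge A be dropped unchanged into challenge B's memory?

    Models the 'memory reuse across challenges' that embedding is meant to
    prevent: for identical prev/ref inputs the compression output is the same
    under both challenges only when the challenge is left out of the call.
    """
    prev, ref = H(b"p"), H(b"r")  # constructed inputs shared by both challenges
    a = compress(prev, ref, b"challenge-A", embed_challenge)
    b = compress(prev, ref, b"challenge-B", embed_challenge)
    return a == b


if __name__ == "__main__":
    print("Argon2i-style pattern fixed across challenges:", pattern_is_challenge_invariant("independent"))
    print("Argon2d-style pattern fixed across challenges:", pattern_is_challenge_invariant("dependent"))
    print("block reusable, challenge not embedded:", block_reusable_across_challenges(False))
    print("block reusable, challenge embedded:", block_reusable_across_challenges(True))
```

Running the block prints the four comparisons. The property `pattern_is_challenge_invariant("independent")` reports is the trade-off the post attributes to Argon2i-style indexing (the access schedule is known before any block exists), while `block_reusable_across_challenges(False)` is the cross-challenge reuse that embedding the challenge in every compression call removes.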


