Bitcoin Forum
Topic: ASICBOOST isn't an efficiency gain
anonymoustroll420 (OP)
April 19, 2017, 02:33:27 AM
 #1

Let's take a few hypothetical scenarios:

All ASICs move from 28nm tech to 16nm tech.
-More work is being done, therefore more security

ASICBOOST is released for free and all ASICs adopt it
-Same amount of work is being done, security is the same

ASICBOOST is patented and only specific miners can use it
-Same amount of work is being done, but causes miner centralization.

Bitcoin's security is provided by work (proof of work). Actual work has to be done to increase security. "Shortcuts" do not increase security. ASICBOOST doesn't do more work, it lets you pretend that you did more than you actually did. It is not an efficiency gain, it is a shortcut. It is disingenuous to compare it to other efficiency gains where more work was done.

The correct terminology to describe ASICBOOST is that it is a cryptographic attack.

Definition:
Quote
A cryptographic attack is a method for circumventing the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol or key management scheme.

The cryptographic attack used by ASICBOOST is colliding message blocks.

This same cryptographic attack, colliding message blocks, was used by Google in February 2017 to decrease the security of SHA-1 from 2^128 to 2^61. This allows anyone with a powerful computer cluster to produce full hash collisions for SHA-1, completely breaking its security. This means that an attacker can produce two files with the same hash if they execute this attack and compute 2^61 operations.

More about the SHA-1 attack here:
http://shattered.io
This page contains two different files with the same SHA-1 hash proving that SHA-1 is not secure and cannot be used to verify the integrity of files.

Whitepaper on the colliding message block attack on SHA-1 that was used by Google:
http://shattered.io/static/shattered.pdf


ASICBOOST uses colliding message blocks to reduce the security of SHA-256 from 2^256 to approximately 2^255.48. In practice, this is negligible. However, if a new attack similar to ASICBOOST was revealed that reduced the security to somewhere in the order of 2^61, Bitcoin mining would be completely broken. It would be possible to mine a block, no matter the difficulty, with 2^61 operations, which is very achievable with today's technology.

Calling ASICBOOST an efficiency gain is very wrong.

Leaving cryptographic attacks unpatched sets a bad precedent that we don't care about these kinds of attacks.

Please don't stop us from using ASICBoost which we're not using
Sadlife
April 19, 2017, 02:46:14 AM
 #2

Well, technically yes. All ASICBOOST is doing is skipping some steps in solving a block, that's why BU sometimes produces empty blocks with no transactions.
Lucky for us this exploit has been discovered before it could cause some major damage.
I guess Jihan wants a centralized Blockchain where he can gain more than spend.

anonymoustroll420 (OP)
April 19, 2017, 02:47:06 AM
 #3

Quote from: Sadlife
Well, technically yes. All ASICBOOST is doing is skipping some steps in solving a block, that's why BU sometimes produces empty blocks with no transactions.
Lucky for us this exploit has been discovered before it could cause some major damage.
I guess Jihan wants a centralized Blockchain where he can gain more than spend.

It was discovered, but it will not be patched....

All that has been suggested is to patch the covert version. Overt version is still allowed, as it's only a small decrease in security from 2^256 to 2^255.48. And even at that, currently there is little support for the softfork that was proposed to specifically fix the issue (segwit happens to fix it too, but I'm not talking about the segwit softfork).

But only patching covert use while still allowing a cryptographic attack sets a bad precedent that we don't care about cryptographic attacks, and when more are found people will point to this one and say "why was that one allowed". It needs to be clear that we will patch any vulnerabilities on SHA-256.

Wind_FURY
April 19, 2017, 02:51:59 AM
 #4

This makes the argument for a POW upgrade more reasonable. But would it be possible to do the upgrade only to disable ASICBOOST and let everything else remain the same?

anonymoustroll420 (OP)
April 19, 2017, 02:52:32 AM
 #5

Quote from: Wind_FURY
would it be possible to do the upgrade only to disable ASICBOOST and let everything else remain the same?

Yes.

anonymoustroll420 (OP)
April 19, 2017, 03:21:32 AM
 #6

Quote from: Sadlife
All ASICBOOST is doing is skipping some steps in solving a block, that's why BU sometimes produces empty blocks with no transactions.

It's since been discovered that ASICBOOST can be done fully undetectably by repeatedly creating transactions that pay yourself until you find a collided block header. This is fully undetectable.

It's likely the empty blocks were caused by headfirst mining. Though it is also possible some of them were the result of early versions of ASICBOOST that didn't use the transaction trick.

dinofelis
April 19, 2017, 07:53:35 AM
 #7

I think you guys are having a totally distorted view on what asic boost is about.

I wrote it up here:

https://bitcointalk.org/index.php?topic=1874983.0

and it is almost a triviality which is so well known in normal symmetric cryptography that I wonder how it took 6 years and a patent pending to do the obvious: re-using the key schedule!

What is peculiar about the application of "re-using the key schedule" is that the second block of data needs to be kept constant, which still contains 16 bits of the Merkle root, which complicates the scheme.
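
The schedule re-use discussed in this thread, as an added example that is not part of any post: the SHA-256 message schedule of the header's second 64-byte chunk depends only on that chunk, so two candidate headers that differ in the first chunk but agree on the second share all 64 schedule words. It assumes the standard 80-byte Bitcoin header serialization, under which the second chunk holds the last 4 bytes of the Merkle root plus the time, bits and nonce fields; the function names and sample values are this example's own.

```python
import struct

def rotr(x, n):
    """32-bit rotate right."""
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF

def message_schedule(chunk):
    """Expand one 64-byte SHA-256 chunk into the 64 schedule words W[0..63]."""
    if len(chunk) != 64:
        raise ValueError("SHA-256 chunks are exactly 64 bytes")
    w = list(struct.unpack(">16I", chunk))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & 0xFFFFFFFF)
    return w

def sha256_pad(msg):
    """Standard SHA-256 padding: 0x80, zeros, 64-bit big-endian bit length."""
    zeros = (55 - len(msg)) % 64
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(msg) * 8)

def build_header(version, prev_hash, merkle_root, ntime, nbits, nonce):
    """Serialize the 80-byte block header (hash fields passed as raw 32 bytes)."""
    if len(prev_hash) != 32 or len(merkle_root) != 32:
        raise ValueError("hash fields must be 32 bytes")
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", ntime, nbits, nonce))

def split_chunks(header):
    """Return the two 64-byte chunks compressed by the first SHA-256 pass."""
    padded = sha256_pad(header)
    return padded[:64], padded[64:128]

def shares_schedule(header_a, header_b):
    """True when both headers give the same second-chunk schedule."""
    return (message_schedule(split_chunks(header_a)[1])
            == message_schedule(split_chunks(header_b)[1]))

# Constructed sample values, not taken from any real block.
PREV = bytes.fromhex("11" * 32)
TAIL = bytes.fromhex("deadbeef")  # last 4 bytes of the Merkle root
FIELDS = (1492569207, 0x18021B3E, 7)  # time, bits, nonce (constructed)
HDR_A = build_header(0x20000000, PREV, b"\xaa" * 28 + TAIL, *FIELDS)
HDR_B = build_header(0x20000000, PREV, b"\xbb" * 28 + TAIL, *FIELDS)
HDR_C = build_header(0x20000000, PREV, b"\xaa" * 28 + b"\x00\x00\x00\x01", *FIELDS)

if __name__ == "__main__":
    print("A vs B (same Merkle tail):     ", shares_schedule(HDR_A, HDR_B))
    print("A vs C (different Merkle tail):", shares_schedule(HDR_A, HDR_C))
```

The schedule is only part of the compression function: each candidate still needs its own first-chunk midstate and its own 64 rounds over the shared schedule words.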