The performance claims and prices are unrealistic

[kjj]

This thread delivers!

pcm81, please, please keep posting.  I haven't laughed like this in weeks.  Hand drawn ASIC masks, mythological export restrictions.  Can't wait to hear what you think of next.

[gmaxwell]

Congratulations, you may have broken US law.
See item #10
csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
If SHA algorithm you used was not for 256 bits, it may not have required license.

You've managed to link to something unrelated to your comment, try again. And, no— I'm quite sure I haven't broken the law.

[Littleshop]

SHA-256 is used to encrypt data

How does that work? Show me how to decrypt a SHA256 hash back to its original contents.

Step 1, generate random contents
Step 2, hash it
Step 3, compare to a known hash. If matches and random contents makes sense you done, if does not match loop to step 1.

In reality this is an infinite loop that produces no results.  It is more likely that all of the oxygen in the room you are in is distributed poorly and none of it is near you.

[Phinnaeus Gage]

Seriously, to prove I ain't got no clue, I'm rooting for the guy, but seeing I may be on the wrong team.

[pcm81]

SHA-256 is used to encrypt data

How does that work? Show me how to decrypt a SHA256 hash back to its original contents.

Step 1, generate random contents
Step 2, hash it
Step 3, compare to a known hash. If matches and random contents makes sense you done, if does not match loop to step 1.

In reality this is an infinite loop that produces no results.  It is more likely that all of the oxygen in the room you are in is distributed poorly and none of it is near you.

I feel generous, so i am going to teach you a little something about hashes. When you create a web account for you online banking, the banks server does not actually store your password. The banks server stores SHA-256 (being extremely optimistic) hash of your password. When you log in the web server compares stored hash to the hash of the password you provided. If the two match, you are in. Now imagine that I hacked the webserver and stole the file which has the hash value of your password. I still can't log in and take your money; i need to find a string which will hash to the same value as the hash of your real password, then use that string to log into the banks server and take your money. There are many strings which would match hash value of your password, but the only way i can find one of them is to start hashing all of the possible strings, until i find one whose hash matches the hash of your password. This is why SHA-256 is under export control. Imagine if i had a super computer doing 1PHps, it would take me less time to randomly find a string which matches your passwords hash. So, US gvt restricts export of SHA-256 to Export Licensed companies. It does not mean it can not be exported, it just means company doing the export/import needs export/import license. Sending SHA-256 cores to china for assembly would require export license.

[pcm81]

Seriously, to prove I ain't got no clue, I'm rooting for the guy, but seeing I may be on the wrong team.

I think you are pulling our leg...
1. 10,000+ posts
2. you are cheering for a guy with IQ 111 (above 110 is considered above average)
...
 and you say you got no clue...

[gmaxwell]

Now imagine that I hacked the webserver and stole the file which has the hash value of your password. I still can't log in and take your money; i need to find a string which will hash to the same value as the hash of your real password, then use that string to log into the banks server and take your money. There are many strings which would match hash value of your password, but the only way i can find one of them is to start hashing all of the possible strings, until i find one whose hash matches the hash of your password. This is why SHA-256 is under export control.

Password stretching is a very niche use-case of hash functions— one that is better done with specialized hard to compute functions instead of generic hash functions, only incompetent software uses a plain cryptographic hash—   and it is not an application which is of general interest to the US government and certantly not one of interest for the export restrictions, which — as I have pointed out to you, _specifically_ exempt authentication (what you're talking about).

Likewise, no review or notification is required for encryption items with limited cryptographic capabilities described in [...], such as authentication, access control, digital signature, copy protection, banking use or money transactions, and cell phones that do not allow encrypted access to the Internet or other forms of "end-to-end" encryption.

(I'd link to the actual regulations but they're spread out across four places and their updated and appendices)

Moreover, your example doesn't actually match your bogus claim— searching for a password requires the password to be weak. Finding a random collision would take time proportional to the size of the hash (e.g. on the order of 2^127 invocations of the hash) and you run into problems with their not being enough energy available on earth. The idea that you think that this is a method for general _decryption_ is why people are laughing at you.

Nevermind the fact that at least one of the companies is doing the design _in_ china— sha256 is, after all, a well documented standard (and the export of cryptographic source code _can_ _not_ be restricted, see bernstein v. us).

[Phinnaeus Gage]

Seriously, to prove I ain't got no clue, I'm rooting for the guy, but seeing I may be on the wrong team.

I think you are pulling our leg...
1. 10,000+ posts
2. you are cheering for a guy with IQ 111 (above 110 is considered above average)
...
 and you say you got no clue...

I'm serious, pcm81. When it comes to this stuff, I'm lost. BTW, the guy I'm cheering for is you, not some other. Currently, I'm in your camp till better tasting marshmallows are provided at the other(s).

[Transisto]

I know little about import laws of crypto IPs but this is what make sense to me.

Since bitcoin mining ASICs simply cannot be used to encrypt or decrypt anything....
I would then wonder if having an SHA core isolated from interconnects on the chip would cause concern.

The hash comparison is done against a specific hash mask of X difficulty level. Not some fixed hashes and even less a list of hashes.

[2112]

There is nothing special abut ASIC, most ASIC vendors just use a custom programmed FPGA; this is called FPGA to ASIC conversion.

To get an FPGA/ASIC project of this scale done you will need 2 very good engineers forking full time for a year.

The original post has multiple false premises and therefore makes false conclusions. I'm going to address just the above two.

Bitcoin hasher is a spectacular example where full-custom ASIC implementation will be much better than the FPGA implementation.

SHA-2 is a rather rare digital circuit that is completely self-testable and observable. All the standard JTAG testing logic required in majority of digital circuits can be omitted. In fact vast majority of the internal D-type flip-flops in the hasher core don't even need the reset signal connected. Order of magnitude less power than FPGA will be easy.

Because of self-testability of SHA-2 and repetativeness of brute force hasher the overall design could be done over a couple of lunch breaks by a single engineer familiar with mixed-signal design and with access to the appropriate software tools. In addition to the above the chip is almost completely solipsist: it really doesn't have to obey any well-known interfacing standard, not even with a second copy of itself. It is sufficient to just communicate between the hashing chip and the I/O controller.

The "mixed-signal" is a key point here. Although the Bitcoin doesn't by itself use analog signals; the hashing chip is limited primarily by (1) power dissipation and (2) simultaneous switching noise. Because of the above two limitation mixed-signal experience would be a key to designing a chip that will be both efficient and will work on the first tapeout.

The optimal package for bitcoin hasher would be something like TO-220 with 7 leads:

http://www.psitechnologies.com/products/todo220.php

The I/O would be serial, the leads would be VccI/O ClkI/O RxD TxD VccHash ClkHash and Reset. Ground would be provided by the heatsink screw pad. One could even omit reset lead by doing serial reset: hold RxD high over (say) 100 I/O clocks.

Well, from the choice of packages (all with many more pins) one can surmise that none of the Bitcoin ASIC vendors obtained the advice from the power-analog and mixed-signal designers.

I'm not familiar with the commercial toolchains used in ASIC development; but from my past experience with R&D in digital and mixed signal design I'm positive that the main stumbling block would be the learning curve required to understand and learn the tools required. This is a time-to-market or time-to-mine issue.

pcm81 didn't make any manufacturing yield claims, but other people did. The Bitcoin hasher is so repetitive that if correctly designed, with a trivial set of clock-disable-bits, the overall yield would be nearly 100% useable chips. Only the chips with faults in the I/O or clock circuitry would have to be rejected.

Some other people also made wild claims about testing effort and expense. Well, SHA-2 is essentially self-testing: it either fully works or fails nearly every test. There are no hidden states  or data-conditional decision making in the algorithm. The test plan for the chip would be as trivial as it gets.

The "millions of dollars" price tags for NRE are just flights of fancy. This really is a project that could be done by a single ASIC engineer over a series of lunch breaks provided that he has both access to and experience with the required toolchain.

[nathanrees19]

The optimal package for bitcoin hasher would be something like TO-220 with 7 leads:

http://www.psitechnologies.com/products/todo220.php

The I/O would be serial, the leads would be VccI/O ClkI/O RxD TxD VccHash ClkHash and Reset. Ground would be provided by the heatsink screw pad. One could even omit reset lead by doing serial reset: hold RxD high over (say) 100 I/O clocks.

Well, from the choice of packages (all with many more pins) one can surmise that none of the Bitcoin ASIC vendors obtained the advice from the power-analog and mixed-signal designers.

https://bitcointalk.org/index.php?topic=120184.0

Code:

Chip Specification
Technology Summary:
    TSMC 0.11- micron G process
        5 Metal
Core Voltage: 1.2 V
I/O Voltage: 3.3 V
Core Frequency: 256+ MHz
Number of Pads: 48
    8 Data
    40+1 Power
Package Type: QFN48 -0.5 Pitch
Packaged Chip Size: 7 mm x 7 mm

Chip Interface
Data Pins (8 in total):
Clock                     i
Serial Data In  [2]       i
Serial Data Out [2]       o
Serial Data Bypass [2]    o
Reserved    [1]    -

Having extra pads for power kinda makes sense, but I wonder why they have dual I/O lines.

[Ente]

I consider pcm81 proven wrong in most of his claims.
The question is, uninformed or FUD?
Still, I enjoy the insights given here, as I had little knowledge of all this before Bitcoin.

And I still don't believe in ASIC miners before having definite proof! :-)

/subscribing

Ente

[2112]

Having extra pads for power kinda makes sense, but I wonder why they have dual I/O lines.

In general, number of pads doesn't have to match the number of pins. One could use a power interposer with one ruddy wire to the pin and many thinner wires to the pads.

Maybe they were given a choice: QFN before New Year or TO-220 after New Year. Example custom packaging from the same site:

http://www.psitechnologies.com/products/custom-packages.php

As far as dual I/O: maybe they used some ready-made serial I/O blocks that operate in a dual ring, sort of like FDDI? There are pins named "bypass", which kinda suggests ring topology interconnect.

[Korbman]

ASIC just means Application Specific Integrated Circuit. So, a burned FPGA is ASIC. A very bad one, but it is still ASIC. If you want to design a real, clean ASIC then you need to take SHA-256 cores, or design your own, and wire them up manually on a wafer / pcb etc.

Uhh..what?
So if I light my gate arrays on fire, they spontaneously turn into integrated circuits that can only perform one task? Wish I would have known that before! Could have saved a ton of money on preorders...

Moreover, your example doesn't actually match your bogus claim— searching for a password requires the password to be weak. Finding a random collision would take time proportional to the size of the hash (e.g. on the order of 2^127 invocations of the hash) and you run into problems with their not being enough energy available on earth.

This.

@pcm81 - You have a better chance of winning the Powerball Lottery (if you're in the United States) four times in a row (at 1 / 175,000,000 chance or so) than finding 1 collision.

[MrTeal]

This thread is comedy gold.

I honestly can't see his guy being serious, he has to be trolling. If he is a P.Eng, he should review his licensing body's guidelines on consulting outside his area of expertise.

[Miner99er]

Isn't the guy(s) behind AvalonASIC the same people that delivered Icarus and Carismore FPGAs?

I'm probably confused with FPGA they we behind BUT... they still designed an FPGA that could hash the SHA-256 encryption algorithm that Bitcoin uses.

That had no issues from shipping out of china...

[pcm81]

Isn't the guy(s) behind AvalonASIC the same people that delivered Icarus and Carismore FPGAs?

I'm probably confused with FPGA they we behind BUT... they still designed an FPGA that could hash the SHA-256 encryption algorithm that Bitcoin uses.

That had no issues from shipping out of china...

But did they actually program the FPGA in China? I seriously doubt that.

[pcm81]

This thread is comedy gold.

I honestly can't see his guy being serious, he has to be trolling. If he is a P.Eng, he should review his licensing body's guidelines on consulting outside his area of expertise.

1. I said i am an engineer, i never said i was a PE. Even if I was a PE, this is internet forum small talk, this does not qualify as consulting. Nice try, but no cigar.

[Miner99er]

Isn't the guy(s) behind AvalonASIC the same people that delivered Icarus and Carismore FPGAs?

I'm probably confused with FPGA they we behind BUT... they still designed an FPGA that could hash the SHA-256 encryption algorithm that Bitcoin uses.

That had no issues from shipping out of china...

But did they actually program the FPGA in China? I seriously doubt that.

Yes, Plug it in, turn your miner on... and go. Same with all the other FPGA's at the time.

Yes there were better bitstreams coming out to make them go faster, and JTAG was disabled on at least BFL's FPGAs (Not sure on Modminer, Icarus/Carismore.)

[MrTeal]

This thread is comedy gold.

I honestly can't see his guy being serious, he has to be trolling. If he is a P.Eng, he should review his licensing body's guidelines on consulting outside his area of expertise.

1. I said i am an engineer, i never said i was a PE. Even if I was a PE, this is internet forum small talk, this does not qualify as consulting. Nice try, but no cigar.

Obviously, but the professional training you should have gone through is usually pretty thorough in driving home the idea of not throwing around your qualifications when it's (blatantly) obvious you have no idea what you're talking about.