Bitcoin Forum
Author Topic: [ANN] Firo (FIRO) - Implementing ZKP privacy without trusted setup  (Read 662389 times)
gsxrboy
Full Member
Activity: 160
Merit: 100
July 06, 2017, 03:08:34 PM
#4521

Hmmm, these are some really strong allegations. Eager to hear what the dev has to say.

If the algo is no good, it's just better to reconsider its implementation instead of sticking the head in the sand.

rowenta01
Sr. Member
Activity: 1216
Merit: 333
July 06, 2017, 06:47:48 PM
#4522

There is a lot of hate in this message and I'm sure developers will be able to respond very easily.

playingpoodles
Member
Activity: 107
Merit: 10
July 07, 2017, 12:40:25 AM
Last edit: July 07, 2017, 02:48:34 AM by playingpoodles
#4523

Very easy to respond to why the so-called memory hard proof, carefully selected and put as the centrepiece of development before all else (including having a working wallet), isn't memory hard at all?

I'm not the only person on this board to comprehend the gravity that MTP isn't memory hard. Sell orders on Bittrex up a third, but it hasn't shifted price much yet - wait till this news gets more widely disseminated, it'll be a bloodbath.

(After I wrote that I just noticed a flippening, Bittrex XZC price now higher than BTC38 reversing the normal case of substantial BTC38 premium, which means the Chinese have processed this news before the white devils).

Quote from: rowenta01 on July 06, 2017, 06:47:48 PM
There is a lot of hate in this message and I'm sure developers will be able to respond very easily.
zcoinofficial (OP)
Sr. Member
Activity: 985
Merit: 268
July 07, 2017, 02:35:06 AM
Last edit: July 07, 2017, 02:58:21 AM by zcoinofficial
#4524

Quote from: gsxrboy on July 06, 2017, 03:08:34 PM
Hmmm, these are some really strong allegations. Eager to hear what the dev has to say.

If the algo is no good, it's just better to reconsider its implementation instead of sticking the head in the sand.

First of all, let us be alarmist and consider the worst case scenario.

The Worst Case Scenario

First of all let us understand what this attack does when successful and examine its worst case scenario. With a memory hard proof of work, we're supposed to require a lot of memory since this increases ASIC development cost significantly and also makes the algorithm more 'memory limited'.

A time memory tradeoff attack means you can reduce the memory required (in this case down to 1 MB), and instead of being penalized very badly until it's not worthwhile, in this case they are penalized only 170 times. This makes MTP not as 'memory hard' as advertised. What if we didn't patch the problem and just let it stand? Does it break the security of the chain? Not really, just not the intended result.

The very worst case scenario, if we did nothing or the problem cannot be fixed, is that our coin is like Bitcoin or Dash. But even then, given that these two algos SHA256 and x11 use no memory, it's unlikely to be as bad. Have these coins died? No.

Unlike the use of crypto in encrypting communications, the worst thing that this attack does is make ASICs more likely to be economical than previously thought, and that is a LOT of factors.

Now that we have seen the unlikely worst case scenario let's examine what the paper is saying.

How the TMT works

Quote
"The main idea of the attack is to exploit the fact that Argon2d accesses its memory in a way which is determined by its previous computations. This allows to inject a small fraction of carefully selected memory blocks that manipulate Argon2d's memory access patterns, significantly weakening its memory-hardness. "

First of all, all the simple attacks have been patched and even improved upon from the suggestions in the paper.

We did consider the option of switching to Argon2i as suggested in the paper, but that has not been explored in detail and Dmitry's opinion is that we shouldn't touch that until further research is done as it has its own set of trade-offs. How this attack works is because Argon2d uses data-dependent indexing. Argon2i uses data-independent indexing but is not as resilient to other types of attacks, so it would be foolish to jump here and there until that has been explored further.

The paper itself says that switching to a function with data-independent indexing would completely stop the attack documented in the paper, but that there is a *possibility* that there may be other ways to attack it, but further non-trivial research is required. It needs to be explored further. This is how a lot of stuff works in the real world: someone finds a way to attack it, then it is fixed and patched. Note switching from Argon2d to Argon2i or some other function is quite trivial and djm34 also said that it's unlikely to affect miner development significantly, but research has to be done on which function to use. So if and when the academic consensus is a bit clearer, we can modify. We are monitoring it closely and will reach out to Dinur and Nadler as well, though I understand Dmitry has been in contact with them.

The only reason we are not switching to Argon2i immediately was because Dmitry (who is also the co-author of Argon2 which won the Password Hashing competition https://password-hashing.net/) didn't recommend it due to other attack vectors which need to be explored further before making the switch. Given he's the expert on Argon2, we defer to his better judgment.

Also increasing the parameter L is one way to make it much more difficult but has to be weighed against its performance penalties on the verifier.

However right now, MTP works, it cannot be simply attacked and we welcome the further research into this field. Our idea given the low impact of this attack on the security on Zcoin as it stands right now is to roll this out and further improve on it when more research has been done.

How Practical it is right now to take advantage of it

MTP compared to other algorithms is quite a complex beast and developing an ASIC for this would still be quite a challenge and would take considerable resources. Given that we could at any time modify it (and given that it's a new algorithm some change is expected as research progresses) it would not be economical to start design of an ASIC right now. Actually right now they can't even do it until a new attack method is found and given we are now stating that MTP is not a fixed algorithm, its parameters and internal functions can be changed, it doesn't make sense for anyone to develop MTP ASICs.

TL;DR version

The academic implications are indeed very interesting but it's not really a big issue at the moment. The paper's authors suggested a fix that patches it that is easily implemented but does indicate that further research is required. We have improved upon some of their suggested fixes and are awaiting further research.

  • The proposed attack doesn't really affect MTP's security in Zcoin in its current state. The simple attacks have all been patched. The worst case if the attack couldn't be fixed (which the paper does NOT indicate) is that we become like Bitcoin/Litecoin/Dash.
  • From a coding standpoint, changing the internal function within MTP to Argon2i is relatively trivial and would completely defeat all of this, but we prefer to wait and see how the academic debate evolves before making a decision. Miner code also can still be adapted relatively easily according to djm34, so it isn't a big change.
  • ASIC development is unlikely to be economical unless another attack vector is found. Development of an ASIC MTP miner is likely to be significantly more complex than any other miner before so the economics would have to be very good for them to even begin it.
  • MTP in Zcoin's current state of development is not a fixed target and we intend to improve on it once the academics have had time to examine and debate it further. It really isn't an immediate or breaking problem.

Firo: Implementing Lelantus technology for financial privacy
firo.org
BCT | Telegram | Twitter | Reddit
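The post above describes a time-memory tradeoff in terms of two numbers: how far the memory can be cut (down to 1 MB) and how small the resulting penalty is (about 170x). The toy below, an added illustration that is not Zcoin/Firo code, not MTP and not the Dinur-Nadler attack, makes that tradeoff concrete in the simplest possible form: an honest party fills and keeps every block of an Argon2d-style array (each block hashes the previous block together with an earlier block whose index is read out of the previous block's contents), while a cheating party keeps only one block in k and recomputes the rest on demand. Counting the extra hash calls gives the "penalty factor" for each memory reduction. The block size, the hash, the reference rule and the seed are constructed toy choices, and the numbers it prints are its own, not the paper's.

```python
"""Toy time-memory tradeoff (TMT) against a simplified Argon2d-style block fill.

Added illustration for this thread, not Zcoin/Firo code, not MTP, and not the
Dinur-Nadler attack itself. It models only the generic tradeoff the post
describes: an honest party keeps every block, a cheater keeps one block in k
and recomputes the rest, and we measure how badly the cheater is penalized.
Block size, the hash and the reference rule are arbitrary toy choices.
"""
import hashlib


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _ref_index(i: int, prev: bytes) -> int:
    # Argon2d-style data-dependent indexing: which earlier block gets mixed
    # into block i is read out of the previous block's contents, so it is not
    # known until the fill actually reaches block i.
    return int.from_bytes(prev[:8], "little") % i


def honest_fill(seed: bytes, n: int) -> list[bytes]:
    """Full-memory fill: n hash calls, all n blocks kept in memory."""
    mem = [_h(b"block0", seed)]
    for i in range(1, n):
        j = _ref_index(i, mem[i - 1])
        mem.append(_h(mem[i - 1], mem[j]))
    return mem


class TradeoffProver:
    """Keeps only blocks with index % k == 0 and recomputes everything else
    on demand from the nearest stored block. hash_calls counts the extra
    work; memory_blocks is what it actually has to keep."""

    def __init__(self, seed: bytes, n: int, k: int):
        self.n, self.k = n, k
        self.hash_calls = 0
        full = honest_fill(seed, n)          # one honest pass to find checkpoints
        self.stored = {i: full[i] for i in range(0, n, k)}
        del full                             # the full array is NOT retained

    @property
    def memory_blocks(self) -> int:
        return len(self.stored)

    def block(self, i: int) -> bytes:
        """Reproduce block i, caching intermediate blocks only within this query."""
        scratch: dict[int, bytes] = {}

        def get(t: int) -> bytes:
            if t in self.stored:
                return self.stored[t]
            if t in scratch:
                return scratch[t]
            prev = get(t - 1)                # walk back to the nearest checkpoint
            ref = get(_ref_index(t, prev))   # the referenced block may itself need recomputing
            self.hash_calls += 1
            scratch[t] = _h(prev, ref)
            return scratch[t]

        return get(i)


def tradeoff_cost(seed: bytes, n: int, k: int) -> tuple[int, int]:
    """Return (blocks kept, total extra hash calls) for a prover that must be
    able to produce every block of the array once, e.g. when challenged."""
    p = TradeoffProver(seed, n, k)
    for i in range(n):
        p.block(i)
    return p.memory_blocks, p.hash_calls


def run_demo(n: int = 256) -> dict[int, tuple[int, int]]:
    seed = b"constructed toy seed"           # constructed input, no real chain data
    return {k: tradeoff_cost(seed, n, k) for k in (1, 4, 16, 64)}


if __name__ == "__main__":
    for k, (blocks, calls) in run_demo().items():
        print(f"keep 1/{k:<3} -> {blocks:>4} blocks stored, "
              f"{calls:>6} recomputation hashes (honest fill: 256 hashes)")
```

Reading the output the way the post reads the paper: the ratio "blocks stored" gives the memory reduction, and "recomputation hashes" divided by the honest fill cost gives the penalty. A function is memory hard in the intended sense when that penalty climbs much faster than the memory shrinks; a result like the one quoted in the post (memory cut to 1 MB for only a 170x penalty) means the cheater's curve is far flatter than designed, which is exactly what makes purpose-built hardware with little memory more attractive than expected.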
playingpoodles
Member
Activity: 107
Merit: 10
July 07, 2017, 03:08:03 AM
#4525

Are you serious? This is "damage control"? The "worst case" scenario is you have staked all on a much vaunted and praised hash MTP that was designed to be more memory hard than the existing hash. In fact, it turns out to be less memory hard by orders of magnitude. This wasn't announced by Zcoin staff, but discovered by a miner who came on here to complain.

You don't have a working wallet, no roadmap for incentivised nodes, and now this MTP that consumed all your effort turns out to be worse than the existing hash. You must realise the reputational damage this causes, both the discovery, and moreover that you didn't announce the discovery as soon as you were aware of it but rather it was discovered by miner coders. A couple of posts above you state "We don't foresee any further changes on the MTP algorithm itself"; now you're stating it can change anytime without notice, therefore ASIC designers ought to be scared? This is like a Peter Sellers movie.

I warned weeks ago on this thread that I thought it was a mistake to focus on MTP at the expense of a wallet. I don't know if the Coinomi wallet works for Zcoin, I haven't used it, but it's clear from all the complaints on this thread that your "new" "fixed" desktop wallet does not.

And you try and "damage control" by saying "nothing to see here!"? The market will make its own decision about that.

Quote from: zcoinofficial on July 07, 2017, 02:35:06 AM (#4524, quoted in full; see the post above)
Prima Primat
Member
Activity: 117
Merit: 10
July 07, 2017, 03:20:47 AM
#4526

Dude playingpoodles, what the hell are you talking about? The "worst case" Reuben (the guy posting under zcoinofficial) mentioned assumes that mjosephs' scenario occurs – that many more, deeper, "unfixable" attacks would be found which would always allow for the time-memory-tradeoff.

The current attack is fixed.

The fix is in place in the mtptest branch in the github repo. You can look it up yourself. MTP isn't broken, it's still as memory-hard as it was intended to be.

And so much more nonsense in your post... no wallet? Like aside from the ones you can download here for Linux, Mac and Windows? And yes, it works, and it starts up instantly after the initial sync.
You're so transparently FUDding it's not even funny. Just go troll somewhere else.
zcoinofficial (OP)
Sr. Member
Activity: 985
Merit: 268
July 07, 2017, 03:23:30 AM
Last edit: July 07, 2017, 03:40:24 AM by zcoinofficial
#4527

Quote from: playingpoodles on July 07, 2017, 03:08:03 AM (#4525, quoted above)

Guess you need to read the paper and what I wrote. The worst case scenario is the absolute worst case scenario WHICH HAS NOT HAPPENED. The only reason why I bring this up is that many lay people would go omg Zcoin PoW is broken gg without bothering to read what this attack entails and if we did nothing or cannot fix it (which isn't the case). What this attack (if successful) is saying is that MTP isn't as memory hard as it claims to be but it doesn't mean it's 'broken' per se. A question to ask can be is x11 broken? Is Litecoin's Scrypt broken? They're not but they weren't as ASIC resistant as they thought they were.

Again, I repeat...THIS HAS NOT HAPPENED. MTP is still memory hard until further research shows otherwise and we welcome the scrutiny.

The paper's authors themselves said their proposed fix completely fixes the attack but it remains to be seen if there are other ways to attack. Basically a 'I suspect there may be ways but I don't know and we should research further'.

Now, this isn't the first time the TMT attack was brought up; it was left in comments in various news articles which I believe we responded to. We also responded to various PMs to us on this. Does it technically affect Zcoin right now in any way? No. Heck, it's on testnet. Is it fixed? Yeah, and will continue to be improved. Would we want a bit more clarity from the researchers before putting out a full announcement on a non critical issue? Our discussions with Dmitry only happened in the last week of June and are still ongoing. Usually how it happens is that until you fix it, you don't announce it unless you know you can't fix it. Monero does this as well, as I think most projects do, or even for vulnerabilities in general. And again, this is on TESTNET. That's the whole point of the testnet. We knew we could fix it and we wanted the fix in place before an official announcement on it, and were picking some brains to just make sure we understood the current situation well enough.

Note it's much easier to accuse than to defend so a lot of time has to be spent in replying.

The wallet upgrade to Bitcoin Core is proceeding very rapidly, which would improve the wallet experience, which right now is only bad on the first initial sync. However Coinomi completely works. We went through this discussion before so I won't repeat it.


awill333
Full Member
Activity: 225
Merit: 100
July 07, 2017, 03:49:21 AM
#4528

Thank you for all of the work and efforts. I have been watching this thread for some time now and just made an account to post here. Plenty of haters and fools running their mouths in hopes to sway public opinions to their agenda. The same obvious game will occur with any innovations and improvements and anything of monetary value. Lack of consciousness is a sad thing; it's too bad all people who love to be free are not together working for better. It must be challenging maintaining PR against an onslaught of jealous haters.

Thanks again, your work will be supported by the people whose opinions actually matter - devs and creators of worlds. We thank you and many blessings.
playingpoodles
Member
Activity: 107
Merit: 10
July 07, 2017, 03:51:06 AM
#4529

Guess you need to read my post above - what I said was MTP appears to be less memory hard than the hash it replaced. I think your preoccupation with MTP as Zcoin's revolutionary development, when in fact it's starting to look worse than the hash it replaces, is a very big deal. The market's down 10%. I'm sure you've got a reserve to stem the flow and there will be a dead cat bounce, but not indefinitely, and this will play out badly over a week.

Which is it Reuben, "We don't foresee any further changes on the MTP algorithm itself" that you wrote, or what you wrote in the post after that, that you reserve the right to change the algorithm at any time so ASIC developers should be scared?

I did not say that MTP being flawed necessarily made the network insecure transactionally. Though given the lack of memory hardness supposedly now patched it poses theoretical risks of 51 per cent attacks by ASIC maker, but that's a side issue and not my point. My point is the last several months have all been about MTP, and now it turns out it could be worse than the existing Lyra2 in terms of memory hardness. That is a massive problem, spending months without fruitful result. Now you're working on functioning wallets? Like 10 months after launch or whatever we are?

I have previously posted about the Zcoin hack here https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/ which I believe was an inside job. I was willing to let sleeping dogs lie on the matter, it wouldn't be the first time it had happened, and the developers would still want the coin to go up as much as investors and miners. But I just see the reputational hits keep on coming. You guys are smart, but maybe not smart enough and too young?

Look, I can't really guess which way Zcoin holders should jump; for goodness sake, if you're not invested wait some weeks till the dust settles, especially if the devs run out of reserves to inject liquidity to try and hold Zcoin's price from tanking.

Quote from: playingpoodles (#4525) and zcoinofficial (#4527), both quoted above in full
zcoinofficial (OP)
Sr. Member
Activity: 985
Merit: 268
July 07, 2017, 04:01:17 AM
#4530

Quote from: playingpoodles on July 07, 2017, 03:51:06 AM (#4529, quoted above in full)

And on what basis are you saying that MTP is not as memory hard as Lyra2z? And it's not about memory hardness alone; if it were, we could have just stuck with our initial crazy PoW, which was the most insane thing. Yes, it was frickin undeniably memory hard. But it was a pain for verifiers.

I thought you had apologized to me on what you were implying on the Zcoin hack and now you're taking it back. Brilliant. At least post my response to it and the proof I provided. You deleted that post and that actually made my response LESS visible rather than just responding publicly. You also kept the original Reddit post without amending it.

Way to flip flop.
Prima Primat
Member
Activity: 117
Merit: 10
July 07, 2017, 04:18:52 AM
#4531

Just pinning the actually valuable responses from last page:

Hmmm these are some really strong allegations,  Eager to hear what the Dev has to say

If the Algo is no good, it's just better to reconsider it's implementation instead of sticking the head on the sand

First of all, let us be alarmist and consider the worst case scenario.

The Worst Case Scenario

First of all let us understand what this attack does when successful and examine its worse case scenario. With a memory hard proof of work, we're supposed to require a lot of memory since this increases ASIC development cost significantly and also makes the algorithm more 'memory limited'.

A time memory tradeoff attack means you can reduce the memory required (in this case down to 1mb), and instead of being penalized very badly until it's not worthwhile, in this case they are penalized only a 170 times. This makes MTP not as 'memory hard' as advertised. What if we didn't patch the problem and just let it stand? Does it break the security of the chain? Not really, just not the intended result.

The very worse case scenario if we did nothing or that the problem cannot be fixed that our coin is like Bitcoin or Dash. But even then given that these two algos SHA256 and x11 use no memory, it's unlikely to be as bad. Have these coins died? No.

Unlike the use of crypto in encrypting communications, the worst thing that this attack does is make ASICS more likely to be economical than previously thought and that is a LOT of factors.

Now that we have seen the unlikely worst case scenario let's examine what the paper is saying.

How the TMT works

Quote
"The main idea of the attack is to exploit the fact that Argon2d accesses its memory in a way which is determined by its previous computations. This allows to inject a small fraction of carefully selected memory blocks that manipulate Argon2d's memory access patterns, significantly weakening its memory-hardness. "

First of all, all the simple attacks have been patched and even improved upon from the suggestions in the paper.

We did consider the option of switching to Argon2i as suggested in the paper but it has not been explored in detail and Dmitry's opinion is that we shouldn't touch that until further research is done as it has its own set of trade-offs. How this attack works is because Argon2d uses data-dependent indexing. Argon2i uses data-independent indexing but is not as resilient to other types of attacks so it would be foolish to jump here and there until that has been explored further.

The paper itself says that switching to a function with data-independent indexing would completely stop the attack documented in the paper but that there is a *possibility* that there may be other ways to attack it, but further non-trivial research is required. It needs to be explored further. This is how a lot of stuff works in the real world: someone finds a way to attack it, then it is fixed and patched. Note switching from Argon2d to Argon2i or some other function is quite trivial and djm34 also said that it's unlikely to affect miner development significantly, but research has to be done on which function to use. So if and when the academic consensus is a bit clearer, we can modify. We are monitoring it closely and will reach out to Dinur and Nadler as well, though I understand Dmitry has been in contact with them.

The only reason we are not switching to Argon2i immediately was because Dmitry (who is also the co-author of Argon2 which won the Password Hashing competition https://password-hashing.net/) didn't recommend it due to other attack vectors which need to be explored further before making the switch. Given he's the expert on Argon2, we defer to his better judgment.

Also increasing the parameter L is one way to make it much more difficult but has to be weighed against its performance penalties on the verifier.

However right now, MTP works, it cannot be simply attacked and we welcome the further research into this field. Our idea, given the low impact of this attack on the security of Zcoin as it stands right now, is to roll this out and further improve on it when more research has been done.

How Practical it is right now to take advantage of it

MTP compared to other algorithms is quite a complex beast and developing an ASIC for this would still be quite a challenge and would take considerable resources. Given that we could at any time modify it (and given that it's a new algorithm some change is expected as research progresses) it would not be economical to start design of an ASIC right now. Actually right now they can't even do it until a new attack method is found and given we are now stating that MTP is not a fixed algorithm, its parameters and internal functions can be changed, it doesn't make sense for anyone to develop MTP ASICs.

TL;DR version

The academic implications are indeed very interesting but it's not really a big issue at the moment. The paper's authors suggested a fix that patches it that is easily implemented but does indicate that further research is required. We have improved upon some of their suggested fixes and are awaiting further research.

  • The proposed attack doesn't really affect MTP's security in Zcoin in its current state. The simple attacks have all been patched. The worst case if the attack couldn't be fixed (which the paper does NOT indicate) is that we become like Bitcoin/Litecoin/Dash.
  • From a coding standpoint, changing the internal function within MTP to Argon2i is relatively trivial and would completely defeat all of this but we prefer to wait and see how the academic debate evolves before making a decision. Miner code also can still be adapted relatively easily according to djm34 so it isn't a big change.
  • ASIC development is unlikely to be economical unless another attack vector is found. Development of an ASIC MTP miner is likely to be significantly more complex than any other miner before so the economics would have to be very good for them to even begin it.
  • MTP in Zcoin's current state of development is not a fixed target and we intend to improve on it once the academics have had time to examine and debate it further. It really isn't an immediate or breaking problem.
Guess you need to read the paper and what I wrote. The worst case scenario is the absolute worst case scenario WHICH HAS NOT HAPPENED. The only reason why I bring this up is that many lay people would go omg Zcoin PoW is broken gg without bothering to read what this attack entails and if we did nothing or cannot fix it (which isn't the case). What this attack (if successful) is saying is that MTP isn't as memory hard as it claims to be but it doesn't mean it's 'broken' per se. A question to ask can be is x11 broken? Is Litecoin's Scrypt broken? They're not but they weren't as ASIC resistant as they thought they were.

Again, I repeat...THIS HAS NOT HAPPENED. MTP is still memory hard until further research shows otherwise and we welcome the scrutiny.

The paper's authors themselves said their proposed fix completely fixes the attack but it remains to be seen if there are other ways to attack. Basically a 'I suspect there may be ways but I don't know and we should research further'.

Now, this isn't the first time the TMT attack was brought up and was left in comments in various news articles which I believe we responded to. We also responded to various PMs to us on this. Does it technically affect Zcoin right now in any way? No. Heck, it's on testnet. Is it fixed? Yeah, and will continue to be improved. Would we want a bit more clarity from the researchers before putting out a full announcement on a non critical issue? Our discussions with Dmitry only happened in the last week of June and are still ongoing. Usually how it happens is that until you fix it, you don't announce it unless you know you can't fix it. Monero does this as well, as I think most projects do for vulnerabilities in general. And again, this is on TESTNET. That's the whole point of the testnet. We knew we could fix it and we wanted the fix in place before an official announcement on it and were picking some brains to just make sure we understood the current situation well enough.

Note it's much easier to accuse than to defend so a lot of time has to be spent in replying.

The wallet upgrade to Bitcoin Core is proceeding very rapidly, which would improve the wallet experience, which right now is only bad on the first initial sync. However Coinomi completely works. We went through this discussion before so I won't repeat it.

So, final tl;dr for anyone late to the discussion:

- Current attack is fixed
- Any future attacks could be fixed by simple switch from argon2d to argon2i, if necessary (but it's not necessary at the moment)
- MTP still works and is still memory-hard.


Yay. Questions?
playingpoodles
Member
**
Offline Offline

Activity: 107
Merit: 10


View Profile
July 07, 2017, 04:27:06 AM
 #4532

Look Reuben, you can try and selectively quote out of context from the dozens and dozens of posts I have made on Zcoin, I'm cool with that. People can search my postings, I've been consistent - in fact, for example, my comments on incentivised nodes and Coinomi that you mentioned were based on what Zcoinofficial told everyone - and with nodes at least it turned out not to be exactly, well, true. I struggle to see how you impugn my credibility when I post something optimistic in reliance on Zcoin's not perfectly forthright public statements. I do think incentivised nodes might be good - but they're miles off because you spent all this time with MTP which I advised against and has turned out to be a turkey.

And I apologised for mentioning you by name in my Reddit post about the Zcoin hack, I didn't "take it back". I also didn't delete your post, I deleted my post which mentioned you by name, which I thought was unfair hence why I removed it. I certainly think it's probable that the hack was an inside job by one or more devs, I just think I was utterly wrong to mention your name, because I just think it was one or more Zcoin devs, no idea who. https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/?utm_content=title&utm_medium=user&utm_source=reddit&utm_name=frontpage

I can't spend my whole day here arguing. I'm just expressing my genuine belief. I am not even saying that Zcoin has no future, I'm saying that this news on MTP is massive, will massively weigh on prices, and is a very big setback and adds to reputational concerns around Zcoin.

Guess you need to read my post above - what I said was MTP appears to be less memory hard than the hash it replaced. I think your preoccupation with MTP as Zcoin's revolutionary development when in fact it's starting to look worse than the hash it replaces is a very big deal. The market's down 10%. I'm sure you've got a reserve to stem the flow and there will be a dead cat bounce, but not indefinitely and this will play out badly over a week.

Which is it Reuben, "We don't foresee any further changes on the MTP algorithm itself" that you wrote, or what you wrote in the post after that, that you reserve the right to change the algorithm at any time so ASIC developers should be scared?

I did not say that MTP being flawed necessarily made the network insecure transactionally. Though given the lack of memory hardness, supposedly now patched, it poses theoretical risks of 51 per cent attacks by an ASIC maker, but that's a side issue and not my point. My point is the last several months have all been about MTP, and now it turns out it could be worse than the existing Lyra2 in terms of memory hardness. That is a massive problem, spending months without fruitful result. Now you're working on functioning wallets? Like 10 months after launch or whatever we are?

I have previously posted about the Zcoin hack here https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/ which I believe was an inside job. I was willing to let sleeping dogs lie on the matter, it wouldn't be the first time it had happened, and the developers would still want the coin to go up as much as investors and miners. But I just see the reputational hits keep on coming. You guys are smart, but maybe not smart enough and too young?

Look I can't really guess which way Zcoin holders should jump, for goodness sake if you're not invested wait some weeks till the dust settles, especially if the devs run out of reserves to inject liquidity to try and hold Zcoin's price from tanking.

And on what basis are you saying that MTP is not as memory hard as Lyra2z? And it's not about memory hardness alone, if not we could have just stuck with our initial crazy PoW which was the most insane thing. Yes it was frickin undeniably memory hard. But it was a pain for verifiers.

I thought you had apologized to me on what you were implying on the Zcoin hack and now you're taking it back. Brilliant. At least post my response to it and the proof I provided. You deleted that post and that actually made my response LESS visible rather than just responding publicly. You also kept the original Reddit post without amending it.



Way to flip flop.




Prima Primat
Member
**
Offline Offline

Activity: 117
Merit: 10


View Profile
July 07, 2017, 04:40:00 AM
 #4533

Yes, the Zcoin devs would totally engineer a weakness that results in coins being created out of thin air, with all the great PR this entails, when it's open and official that 20% of mined coins from the first 4 years go to a dev fund anyways. Flawless logic there, mate.

And you're still ignoring literally everything that has been clarified about MTP in order to push your "it's broken!!!11111" narrative. Which is false. (Just like you ignore all links to the wallet and continue claiming that "there's no working wallet" lol)

Why don't you just give up and go back to your Zencash, which you seem to like a lot better (according to your post history)?
harvw
Sr. Member
****
Offline Offline

Activity: 447
Merit: 250


View Profile
July 07, 2017, 05:54:30 AM
 #4534

What is the inflation rate for ZCoin?

zcoinofficial (OP)
Sr. Member
****
Offline Offline

Activity: 985
Merit: 268


Firo (FIRO)


View Profile WWW
July 07, 2017, 06:44:26 AM
 #4535



Interview with Tadhg Riordan on Zcoin's Ethereum Mixer.
zcoinofficial (OP)
Sr. Member
****
Offline Offline

Activity: 985
Merit: 268


Firo (FIRO)


View Profile WWW
July 07, 2017, 10:48:15 AM
 #4536

What is the inflation rate for ZCoin?

Same as Bitcoin :D
playingpoodles
Member
**
Offline Offline

Activity: 107
Merit: 10


View Profile
July 07, 2017, 11:24:07 AM
 #4537

Did you read my post https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/?utm_content=title&utm_medium=user&utm_source=reddit&utm_name=frontpage ?

I address everything you raise. You might be right, I might be wrong, but I think anyone who has doubts about who did the hack should read my post and decide for themselves.

Yes, the Zcoin devs would totally engineer a weakness that results in coins being created out of thin air, with all the great PR this entails, when it's open and official that 20% of mined coins from the first 4 years go to a dev fund anyways. Flawless logic there, mate.

And you're still ignoring literally everything that has been clarified about MTP in order to push your "it's broken!!!11111" narrative. Which is false. (Just like you ignore all links to the wallet and continue claiming that "there's no working wallet" lol)

Why don't you just give up and go back to your Zencash, which you seem to like a lot better (according to your post history)?
Prima Primat
Member
**
Offline Offline

Activity: 117
Merit: 10


View Profile
July 07, 2017, 12:32:19 PM
 #4538

Poodle, yeah I've read it. After all, you've posted that link 3 times now on the current 2 pages. (Almost as if you have some sort of agenda and any phrase like "decide for yourself" is a thin veil over the fact that you very much want to decide what other people think about this project...)

Your logic still sucks. If the coin hasn't taken off (i.e. there's insufficient buy support) and someone urgently needs money, then devs would not be able to dump 370.000 coins at all. Especially not without completely tanking the coin's value. Supply and demand is a thing. (In fact, when buying is so limited because the coin hasn't taken off yet, it can be assumed that they would barely be able to get rid of their founders' reward on the market, so any additional 370.000 coins would be completely worthless at that point.)

And if they don't need it urgently, it just makes a lot more sense to keep your reputation intact, keep developing the tech, and wait until the word spreads and Zcoin adopts a more appropriate market cap for a working zero-knowledge coin with its own development from the ground up and its own amazing dev team.
The only people who still don't want that to happen are those like you, who apparently missed the boat at lower prices and now want to FUD like crazy to try and get another low entry point.
zcoinofficial (OP)
Sr. Member
****
Offline Offline

Activity: 985
Merit: 268


Firo (FIRO)


View Profile WWW
July 08, 2017, 04:02:19 PM
 #4539



We are happy to announce that Litebit.eu, Coinex.ir and Coinexchange.io have listed Zcoin! Thank you to our community for making this possible.
rdnkjdi
Legendary
*
Offline Offline

Activity: 1256
Merit: 1009


View Profile
July 09, 2017, 09:19:29 AM
Last edit: July 09, 2017, 09:40:28 AM by rdnkjdi
 #4540

I hate to be "that guy" - but a birdie told me Zerocoin is working on setting up a trustless setup (possibly slated for this fall). Can anyone confirm this?

I like ZCash except for this part.  I'm interested in the first coin to implement the Zerocoin technology that comes up with a way to do it without the trusted setup.

Also on a different note (did some digging and couldn't find the answer).  Is the current trusted setup for Zerocoin able to de-anonymize transactions or just create arbitrary inflation (like ZCash)?

Also - it looks like ZCash and ZCoin were both released in October. And from what I understand both have Bitcoin's inflation schedule. Can someone explain to me why ZCoin has 2,500,000 coins vs ZCash's 1,600,000? 30 days between releases should only result in 144,000ish coins, shouldn't it? (50 coins X 4 per hour (every 15) X 24 hours per day X 30 days = 144,000).

(Edit:  10 min block times as poster below pointed out.  So 50 X 6 X 24 X 30 = 216,000 minted in a month.  Still seems like we have almost a 1,000,000 coin difference when there should only be 216,000 difference.  Even with the bug that released 200K extra coins - that's still 900,000 discrepancy when there should only be a 400,000ish supply discrepancy.)

And one more question.  I was around back when ZeroVert came out with ZeroCoin never being implemented and devs faded into the background.  It looks like Poramin was the dev of that supposed "first implementation of Zerocoin" years ago.  Until it turned out to be a scam (I think?).  Coin wasn't even around for a few months.

Can someone confirm that Poramin Insom was or was not the dev of that coin? I'm not trying to FUD here or detract from others who are fine with the ZeroVert incident. I would just like an explanation if there is one. And if Poramin started it and abandoned it even with the 168K premine due to lack of funding or whatever, I understand many will be ok with this. I'd just like to gather more information for myself.