Bitcoin Forum
Author Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency  (Read 4569915 times)
#881 AnonyMint (Hero Member), May 06, 2014, 10:09:57 PM

> There is another egregious flaw in the proof-of-work algorithm.
>
> AES encryption is being employed as the hash function and assumed to be a random oracle with perfect distribution in order to provide the randomized memory access. Problem is that AES is not suitable as a hash (certainly not when employed as encryption) for it has too small of an output space (repeating patterns will be over a few number of bits), thus it will be possible to attack this with an algorithm to reduce the scratchpad size significantly from the 2MB.

> In the memory-hard phase, it uses 256-bit key sizes. This is followed by a number of SHA3 candidates at the bottom. Even if you broke the memory-hard AES phase, you'd still have to contend with those.
>
> So, whoever breaks 256-bit AES keys in the memory-hard section is awarded most of the hash rate for the network. Good for them, and good luck to them.
>
> I have no real concern with keeping it "CPU only". Whoever innovates the first GPU miner or ASIC miner or whatever should be rewarded accordingly for their efforts.

I think you've misunderstood my point. From ocular inspection of the code, the current 16-word value in the 2MB array is 'hashed' by applying AES encryption and this produces a new value and index into the array to store. Thus the uniform, random-oracle, and thus non-patterned distribution of indices is assumed; otherwise an algorithm similar to a birthday attack can be applied to reduce the storage requirements in order to run it faster on, for example, a GPU, because more instances could be run simultaneously.

In short, AES encryption is not a cryptographic hash function and shouldn't be employed as one.

Thus I am not talking about breaking CryptoNote's slowhash function; rather I am pointing out that by misusing AES encryption, you are breaking the memory-hard assumption.

If you are not concerned with keeping it CPU-only, then why call it "CPU only"? There are so many altcoins which have deceived on this point.

#882 blaaaaacksuit (Sr. Member), May 06, 2014, 10:13:36 PM
Last edit: May 06, 2014, 10:26:33 PM by blaaaaacksuit

> I don't think it is necessarily anything.
>
> Every day we see people coming on here trying to figure out how to mine. Some of those people have multiple computers, some have many computers. I remember yesterday two people were specifically asking about how to set up multiple computers to mine to one wallet. I have no idea how many computers either of them have or how many other people like that didn't post. There was an optimized Windows miner released recently that doubled the hash rate on a lot of hardware. With the price going up like crazy yesterday that was clearly going to attract a lot of people.
>
> All of this is going to rapidly drive up the amount of mining and the hash rate, which in total still isn't that high, only 5000 or so computers.

If a couple of large farms show up it's going to chase all the miners off because there's no pool yet. Nobody will have any realistic chance of getting a block.

#883 eizh (Hero Member), May 06, 2014, 10:28:27 PM
Last edit: May 06, 2014, 10:54:18 PM by eizh

> If you are not concerned with keeping it CPU-only, then why call it "CPU only"? There are so many altcoins which have deceived on this point.

I can agree with the spirit of this, but from common usage on this forum "CPU only" just means currently a GPU miner isn't available. Usually someone comes along and develops one, often demanding payment to open source it. ASICs follow if/when economic feasibility allows. So it seems valid at least as far as the thread title goes. The CryptoNote developers' description of their PoW as "egalitarian" (implying true CPU only) is a different issue.

In any case, I changed it to say "CPU only currently".
#884 Keyboard-Mash (Newbie), May 06, 2014, 10:47:56 PM

> I think you've misunderstood my point. From ocular inspection of the code, the current 16-word value in the 2MB array is 'hashed' by applying AES encryption and this produces a new value and index into the array to store. Thus the uniform, random-oracle, and thus non-patterned distribution of indices is assumed; otherwise an algorithm similar to a birthday attack can be applied to reduce the storage requirements in order to run it faster on, for example, a GPU, because more instances could be run simultaneously.

So, I'm trying to understand -- AES does not take in completely random input size and value, and output a consistent length string, but instead takes in a consistent length random value string, and outputs a consistent size string? The effect being that you have limited your sources of particular outputs (inputs) to strings of size 'x' rather than strings of any size?

> If you are not concerned with keeping it CPU-only, then why call it "CPU only"? There are so many altcoins which have deceived on this point.

I would like to see a bounty raised for a GPU miner, to prevent deception or groupthinking. Putting it in the headline gives the implication that it will be permanent to people seeing it for the first time.
#885 smooth (Legendary), May 06, 2014, 10:54:10 PM

> I don't think it is necessarily anything.
>
> Every day we see people coming on here trying to figure out how to mine. Some of those people have multiple computers, some have many computers. I remember yesterday two people were specifically asking about how to set up multiple computers to mine to one wallet. I have no idea how many computers either of them have or how many other people like that didn't post. There was an optimized Windows miner released recently that doubled the hash rate on a lot of hardware. With the price going up like crazy yesterday that was clearly going to attract a lot of people.
>
> All of this is going to rapidly drive up the amount of mining and the hash rate, which in total still isn't that high, only 5000 or so computers.
>
> If a couple of large farms show up it's going to chase all the miners off because there's no pool yet. Nobody will have any realistic chance of getting a block.

Sure, if that happens. It hasn't happened yet. The whole network is around 5000 computers. Even with one little computer you should get a block every 3 days.

People may be impatient, but I can't help that. I solo mined bitcoin until I only got a block every few months.


 
#886 blaaaaacksuit (Sr. Member), May 06, 2014, 11:15:56 PM

> > I don't think it is necessarily anything.
> >
> > Every day we see people coming on here trying to figure out how to mine. Some of those people have multiple computers, some have many computers. I remember yesterday two people were specifically asking about how to set up multiple computers to mine to one wallet. I have no idea how many computers either of them have or how many other people like that didn't post. There was an optimized Windows miner released recently that doubled the hash rate on a lot of hardware. With the price going up like crazy yesterday that was clearly going to attract a lot of people.
> >
> > All of this is going to rapidly drive up the amount of mining and the hash rate, which in total still isn't that high, only 5000 or so computers.
> >
> > If a couple of large farms show up it's going to chase all the miners off because there's no pool yet. Nobody will have any realistic chance of getting a block.
>
> Sure, if that happens. It hasn't happened yet. The whole network is around 5000 computers. Even with one little computer you should get a block every 3 days.
>
> People may be impatient, but I can't help that. I solo mined bitcoin until I only got a block every few months.

But it can, and it will happen. Probably sooner than later considering how fast the value of this coin is rising. I have six computers mining and only found one block so far, back when the difficulty was in the 1000000 range. At 6000000 I'm just going to stop mining because there really is no point. Not trying to be a thorn in anybody's side here, just saying this could turn into a problem. Only time will tell I guess.
#887 smooth (Legendary), May 06, 2014, 11:21:37 PM

> > > I don't think it is necessarily anything.
> > >
> > > Every day we see people coming on here trying to figure out how to mine. Some of those people have multiple computers, some have many computers. I remember yesterday two people were specifically asking about how to set up multiple computers to mine to one wallet. I have no idea how many computers either of them have or how many other people like that didn't post. There was an optimized Windows miner released recently that doubled the hash rate on a lot of hardware. With the price going up like crazy yesterday that was clearly going to attract a lot of people.
> > >
> > > All of this is going to rapidly drive up the amount of mining and the hash rate, which in total still isn't that high, only 5000 or so computers.
> > >
> > > If a couple of large farms show up it's going to chase all the miners off because there's no pool yet. Nobody will have any realistic chance of getting a block.
> >
> > Sure, if that happens. It hasn't happened yet. The whole network is around 5000 computers. Even with one little computer you should get a block every 3 days.
> >
> > People may be impatient, but I can't help that. I solo mined bitcoin until I only got a block every few months.
>
> But it can, and it will happen. Probably sooner than later considering how fast the value of this coin is rising. I have six computers mining and only found one block so far, back when the difficulty was in the 1000000 range. At 6000000 I'm just going to stop mining because there really is no point. Not trying to be a thorn in anybody's side here, just saying this could turn into a problem. Only time will tell I guess.

Whether or not large farms or botnets show up, the hash rate will certainly continue to rise if the coin is successful and pools will be needed if small miners want consistent payouts. Fortunately an open source pool solution is being developed.

#888 David Latapie (Hero Member, Monero Core Team), May 06, 2014, 11:39:44 PM
Last edit: May 06, 2014, 11:55:57 PM by David Latapie

> I use this one:
>
> start_mining 42kW2qQgSu81gTwkh6tTvKLqFwo487NTiU2xCURNSPJqBegivh5bUxcddCo7BzJ2wFbF9giMx8ySnYN6BazQQFHVPnrtHUX 4
>
> This one is good.
>
> Underscore does not start the miner. However, the hyphen does start it.
>
> In the responses above, people are using hyphen not underscore.
>
> This is more complex than I realized.

Go to http://monero.cc/getting-started. And PM me for questions (I don't always read the posts).
Also check the starter pack if you need precompiled binaries.

> But I don't understand, Monero and BitMonero - is this one coin or different? Huh

Yes, same coin, but for historical reasons the dev doesn't accept the changing of the name.

> People may be impatient, but I can't help that. I solo mined bitcoin until I only got a block every few months.

Considering the electricity bill and the price of BTC by that time, was it worth it when you did it? Or were you that much in love with bitcoin that you were ready to mine at a loss?

#889 smooth (Legendary), May 07, 2014, 12:29:04 AM

> > People may be impatient, but I can't help that. I solo mined bitcoin until I only got a block every few months.
>
> Considering the electricity bill and the price of BTC by that time, was it worth it when you did it? Or were you that much in love with bitcoin that you were ready to mine at a loss?

It was profitable over the cost of electricity, I think. (I had free electricity so I don't really remember but I don't think that was the issue.) Whether you use a pool or solo mine does not affect profitability (although... pool fees, etc. would reduce it), only how much your results are influenced by luck, which can go either way.

#890 blaaaaacksuit (Sr. Member), May 07, 2014, 12:39:29 AM

Smooth, you have any ETA on the pool?
#891 smooth (Legendary), May 07, 2014, 12:43:07 AM

> Smooth, you have any ETA on the pool?

Any updates will be posted. Tacotime is in contact with the developer.
#892 smooth (Legendary), May 07, 2014, 12:50:30 AM

> Problem is that AES is not suitable as a hash (certainly not when employed as encryption) for it has too small of an output space (repeating patterns will be over a few number of bits), thus it will be possible to attack this with an algorithm to reduce the scratchpad size significantly from the 2MB.

I agree with this. Only a small number of bits of the output of AES are being used, but AES does not guarantee that all of its output bits are random. For example, consider an algorithm AES' which is just like AES except that it appends 10 trailing bits that are always zero (AES'(x) = AES(x) << 10). This would be just as secure as AES for encryption, but catastrophically bad for slow_hash.

I suspect the developers wanted to use AES because of the hardware support in Intel CPUs, but they made a mistake, though it isn't immediately apparent how catastrophic this is (unlike my toy example above for example). If they used a true secure hash, it would be much slower and likely not memory bound.

The algorithm can and should likely be improved in this regard, although I don't have any immediate suggestions how.
#893 Keyboard-Mash (Newbie), May 07, 2014, 12:58:47 AM

> > Problem is that AES is not suitable as a hash (certainly not when employed as encryption) for it has too small of an output space (repeating patterns will be over a few number of bits), thus it will be possible to attack this with an algorithm to reduce the scratchpad size significantly from the 2MB.
>
> I agree with this. Only a small number of bits of the output of AES are being used, but AES does not guarantee that all of its output bits are random. For example, consider an algorithm AES' which is just like AES except that it appends 10 trailing bits that are always zero (AES'(x) = AES(x) << 10). This would be just as secure as AES for encryption, but catastrophically bad for slow_hash.
>
> I suspect the developers wanted to use AES because of the hardware support in Intel CPUs, but they made a mistake, though it isn't immediately apparent how catastrophic this is (unlike my toy example above for example). If they used a true secure hash, it would be much slower and likely not memory bound.
>
> The algorithm can and should likely be improved in this regard, although I don't have any immediate suggestions how.

What kind of comparison can be made with Tromp's Cuckoo Cycle (Man, that's painful to say -- sorry Tromp), or the blockchain mining style that's proposed in HoneyPenny in light of the weakness in AES?
#894 smooth (Legendary), May 07, 2014, 01:04:37 AM

> > > Problem is that AES is not suitable as a hash (certainly not when employed as encryption) for it has too small of an output space (repeating patterns will be over a few number of bits), thus it will be possible to attack this with an algorithm to reduce the scratchpad size significantly from the 2MB.
> >
> > I agree with this. Only a small number of bits of the output of AES are being used, but AES does not guarantee that all of its output bits are random. For example, consider an algorithm AES' which is just like AES except that it appends 10 trailing bits that are always zero (AES'(x) = AES(x) << 10). This would be just as secure as AES for encryption, but catastrophically bad for slow_hash.
> >
> > I suspect the developers wanted to use AES because of the hardware support in Intel CPUs, but they made a mistake, though it isn't immediately apparent how catastrophic this is (unlike my toy example above for example). If they used a true secure hash, it would be much slower and likely not memory bound.
> >
> > The algorithm can and should likely be improved in this regard, although I don't have any immediate suggestions how.
>
> What kind of comparison can be made with Tromp's Cuckoo Cycle (Man, that's painful to say -- sorry Tromp), or the blockchain mining style that's proposed in HoneyPenny in light of the weakness in AES?

I don't understand tromp's algorithm well enough to comment. dga posted some cautionary comments that I would echo. I don't have a link for that.

The premise of honeypenny's algorithm seems to be requiring access to the block chain in order to hash. That has some good and bad properties. Given sufficient block chain growth it turns into a storage bound task, since storing the block chain in primary memory seems implausible going forward, and likely tends toward centralization. Perhaps no more so than centralization of nodes though.



#895 AnonyMint (Hero Member), May 07, 2014, 02:26:03 AM

> > If you are not concerned with keeping it CPU-only, then why call it "CPU only"? There are so many altcoins which have deceived on this point.
>
> I can agree with the spirit of this, but from common usage on this forum "CPU only" just means currently a GPU miner isn't available. Usually someone comes along and develops one, often demanding payment to open source it. ASICs follow if/when economic feasibility allows. So it seems valid at least as far as the thread title goes. The CryptoNote developers' description of their PoW as "egalitarian" (implying true CPU only) is a different issue.
>
> In any case, I changed it to say "CPU only currently".

As the algorithm currently is implemented, I believe that is more honest for the time being.

If AES was replaced with a true cryptographic hash that was exceptionally faster (so that it would be only latency bound and no AES birthday-like attack possible) and if that hash was not efficiently implementable on GPUs, then I would consider the PoW to be strongly CPU only. I would think even an ASIC wouldn't likely outperform significantly since it would be up against all the economies-of-scale of Intel's fabs. In short, your PoW got very close to what I think is possible for design but is missing critical elements. If such a design I envision is open sourced, then you can copy it later.

> > I think you've misunderstood my point. From ocular inspection of the code, the current 16-word value in the 2MB array is 'hashed' by applying AES encryption and this produces a new value and index into the array to store. Thus the uniform, random-oracle, and thus non-patterned distribution of indices is assumed; otherwise an algorithm similar to a birthday attack can be applied to reduce the storage requirements in order to run it faster on, for example, a GPU, because more instances could be run simultaneously.
>
> So, I'm trying to understand -- AES does not take in completely random input size and value, and output a consistent length string, but instead takes in a consistent length random value string, and outputs a consistent size string? The effect being that you have limited your sources of particular outputs (inputs) to strings of size 'x' rather than strings of any size?

The issue as I understand it (see the link I provided upthread) is that encrypted output is not designed to model a Random Oracle, whereas a cryptographic hash has certain qualities which are more approximate of a Random Oracle. In particular, there is no requirement that 1 bit of change in input to AES changes most of the bits of the output.

A cryptographic hash is irreversible so has greater leeway to incorporate more confusion and diffusion. Whereas, an encryption algorithm by definition is reversible with decryption.

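The two properties argued over in #892 and #895 (how evenly the oracle's output bits spread the scratchpad index, and how many output bits react to a single input bit) can be measured instead of eyeballed. The following is an added example written for this edit; it is not code from the CryptoNote project, from Monero, or from any poster. It carries its own small AES-128 (checked against the FIPS-197 test vector) so it runs offline, and it models the memory-hard loop as a walk over a 2 MB scratchpad of 16-byte slots addressed by the low 21 bits of the current value. That geometry, the fixed key, the walk's read/mix/write step and the input samples are the model's assumptions, not quotations of the CryptoNote code. It counts how many distinct slots the walk reaches with real AES as the oracle versus smooth's toy AES' (AES output shifted left by 10 bits), compares both against what a perfectly uniform oracle would reach, and measures the mean number of output bits that flip per single flipped input bit.

```python
import hashlib
from functools import lru_cache

# --- Minimal AES-128 encryption (FIPS-197) in pure Python, for measurement only ---
def _xtime(b):  # multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():  # S-box = affine map of the multiplicative inverse in GF(2^8)
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):  # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

@lru_cache(maxsize=None)
def _round_keys(key):  # 11 round keys of 16 bytes each, column-major like the state
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt(key, block):  # one 16-byte block; state index i = row (i % 4), column (i // 4)
    rk = _round_keys(bytes(key))
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd != 10:                                       # MixColumns
            out = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                        a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                        a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                        _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]             # AddRoundKey
    return bytes(s)

# --- Model of the memory-hard loop discussed above (assumed geometry, not CryptoNight's code) ---
KEY = bytes(range(16))  # constructed fixed key for the oracle (assumption)
SLOTS = 1 << 17         # 2 MB scratchpad viewed as 16-byte slots (assumption)

def slot_index(v):  # assumed addressing: low 21 bits of the first 8 bytes, 16-byte aligned
    return (int.from_bytes(v[:8], 'little') & 0x1FFFF0) >> 4

def aes_oracle(v):
    return aes128_encrypt(KEY, v)

def shifted_oracle(v):  # smooth's toy AES': output shifted left 10 bits, low 10 bits always zero
    x = (int.from_bytes(aes128_encrypt(KEY, v), 'little') << 10) & ((1 << 128) - 1)
    return x.to_bytes(16, 'little')

def distinct_slots(oracle, steps, seed=bytes(16)):
    # Walk: read the slot addressed by v, fold it into v through the oracle, write back.
    # Returns how many distinct slots were touched; a dict stands in for the 2 MB array.
    pad, v, seen = {}, seed, set()
    for _ in range(steps):
        i = slot_index(v)
        seen.add(i)
        cur = pad.get(i, oracle(i.to_bytes(16, 'little')))  # lazy deterministic fill
        v = oracle(bytes(a ^ b for a, b in zip(cur, v)))
        pad[i] = v
    return len(seen)

def expected_distinct(slots, steps):  # distinct slots a perfectly uniform oracle would touch
    return slots * (1 - (1 - 1 / slots) ** steps)

def avalanche_bits(oracle, trials=200):  # mean output bits flipped per single-bit input flip
    total = 0
    for t in range(trials):
        x = hashlib.sha256(b'avalanche' + t.to_bytes(4, 'big')).digest()[:16]  # constructed input
        y = bytearray(x)
        y[(t % 128) // 8] ^= 0x80 >> (t % 8)
        d = int.from_bytes(oracle(x), 'little') ^ int.from_bytes(oracle(bytes(y)), 'little')
        total += bin(d).count('1')
    return total / trials
```

Run `distinct_slots(aes_oracle, 8000)` next to `distinct_slots(shifted_oracle, 8000)` and `expected_distinct(SLOTS, 8000)`. With AES' the address bits 4 to 9 are always zero, so only 2^11 of the 2^17 slots are reachable at all and the 2 MB scratchpad collapses to 32 KB of live state, which is exactly the reduction smooth's toy is meant to illustrate. With real AES the walk lands within statistical noise of the uniform expectation, and `avalanche_bits(aes_oracle)` comes out near 64 of 128 bits. The pure-Python AES exists only so the block runs without dependencies; swapping in a library AES-128 ECB gives the same numbers faster, and swapping in any other 16-byte oracle lets the same harness grade that candidate.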
#896 AnonyMint (Hero Member), May 07, 2014, 02:29:49 AM

> > > > Problem is that AES is not suitable as a hash (certainly not when employed as encryption) for it has too small of an output space (repeating patterns will be over a few number of bits), thus it will be possible to attack this with an algorithm to reduce the scratchpad size significantly from the 2MB.
> > >
> > > I agree with this. Only a small number of bits of the output of AES are being used, but AES does not guarantee that all of its output bits are random. For example, consider an algorithm AES' which is just like AES except that it appends 10 trailing bits that are always zero (AES'(x) = AES(x) << 10). This would be just as secure as AES for encryption, but catastrophically bad for slow_hash.
> > >
> > > I suspect the developers wanted to use AES because of the hardware support in Intel CPUs, but they made a mistake, though it isn't immediately apparent how catastrophic this is (unlike my toy example above for example). If they used a true secure hash, it would be much slower and likely not memory bound.
> > >
> > > The algorithm can and should likely be improved in this regard, although I don't have any immediate suggestions how.
> >
> > What kind of comparison can be made with Tromp's Cuckoo Cycle (Man, that's painful to say -- sorry Tromp), or the blockchain mining style that's proposed in HoneyPenny in light of the weakness in AES?
>
> I don't understand tromp's algorithm well enough to comment. dga posted some cautionary comments that I would echo. I don't have a link for that.
>
> The premise of honeypenny's algorithm seems to be requiring access to the block chain in order to hash. That has some good and bad properties. Given sufficient block chain growth it turns into a storage bound task, since storing the block chain in primary memory seems implausible going forward, and likely tends toward centralization. Perhaps no more so than centralization of nodes though.

I go into detailed discussion with tromp in my thread:

https://bitcointalk.org/index.php?topic=557732.0

Also you can find some discussion between him and myself in the MemoryCoin 2.0 PoW thread which I linked to upthread.

In short, I don't believe it is CPU only currently, but (and I think we agreed this, but ask him) it might be the appropriate algorithm for mobile later if CPUs move to extremely high numbers of cores. Our discussion concluded with more testing is needed and I would try to help him get a TileGX in future if I can.

#897 pavimus (Member), May 07, 2014, 04:34:20 AM

Omg, difficulty increased x1.5 overnight (now 8038312). Botnet?
#898 smooth (Legendary), May 07, 2014, 04:41:02 AM

> Omg, difficulty increased x1.5 overnight (now 8038312). Botnet?

I don't think 1.5x indicates a botnet at all.

For one thing the Windows miner was optimized to be about twice as fast (which makes it slightly faster than Linux, but fairly close). Given that so many people use Windows a big jump is to be expected.

Second with the attention this coin is getting and the enormous price jump it is not surprising that many more people want to mine it.
#899 eizh (Hero Member), May 07, 2014, 05:31:04 AM

We're all hip and stuff now:

#900 smooth (Legendary), May 07, 2014, 05:32:57 AM

> We're all hip and stuff now:

Nice work!