[Cryptography] Another Bitcoin issue (maybe) (was: BitCoin bug reported)
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Feb 15 22:02:44 EST 2014
Peter Todd <pete at petertodd.org> writes:
>Meanwhile the early attempt of scrypt have failed badly; an ASIC has now been
>created targeting scrypt and the joule/hash efficiency increase, the
>marginal cost of hashing, compared to commodity hardware was higher than the
>SHA256^2 algorithm in Bitcoin.
Interesting! The first-gen stuff seems to be mostly repurposed BTC miner
hardware, and it's still at the prototype stage, but in the long term it'll
confirm something I wrote a while back:
So how do Bitcoin-mining ASICs affect general security? Passwords and
encryption keys are often protected using the same hash algorithms that the
mining ASICs (and FPGAs and GPUs) are designed to calculate at great speed.
By repurposing the hardware that was designed for Bitcoin mining it would be
possible to attack hashed passwords with an efficiency that wasn't feasible
before Bitcoin appeared (having said that, the Bitcoin ASICs for which
details have been published are specifically designed for high-speed mining
rather than password-cracking and would require changes to their control
circuitry to make them suitable for password cracking - it's not for nothing
that they're called application-specific ICs).
Two variations of Bitcoin called Litecoin and Novacoin turn another
cryptographic mechanism into collateral damage. In this case it's scrypt,
which was specifically designed to be expensive to implement in custom
hardware by accessing data spread across a large amount of memory in a
pseudorandom manner, a so-called memory-hard algorithm [ ]. Unfortunately
while this makes scrypt extremely expensive to implement in FPGAs and ASICs,
it's well suited to GPUs, so mining isn't nearly as hard as it should be. A
side-effect of this Lite/Novacoin mining is that, again, a mechanism
designed to protect one type of resource, passwords, is weakened when it's
also used to protect another type of resource, coin scarcity.
>I don't think anyone knows how to design a PoW algorithm without this
>joule/hash efficiency increase unfortunately; scrypt shows the memory-hard
>approach is flawed.
The PHC (password hashing competition) folks are working hard on this, stand
by. For people interested in the technical details, the PHC list archives,
available at http://dir.gmane.org/gmane.comp.security.phc, make for very
interesting, if voluminous, reading.
Peter.
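As an added illustration (not part of this post, and not scrypt's or Bitcoin's own code), here is a toy Python version of scrypt's ROMix loop next to Bitcoin's SHA256^2, showing why the former is memory-hard while the latter maps directly onto mining hardware. The plain-SHA-256 block function and the sample inputs are assumptions made for illustration; the toy is not scrypt and is not a usable KDF.

```python
# Added example: toy ROMix (scrypt's memory-hard core) and Bitcoin's SHA256^2.
# Assumption: SHA-256 stands in for scrypt's Salsa20/8-based BlockMix, and
# each table entry is a single 32-byte digest rather than a large block.
import hashlib
import struct


def block_hash(data: bytes) -> bytes:
    """Block function: plain SHA-256 (stand-in for scrypt's BlockMix)."""
    return hashlib.sha256(data).digest()


def toy_romix(seed: bytes, n: int) -> bytes:
    """Sequential-memory-hard mixing in the style of scrypt's ROMix.

    Phase 1 fills an n-entry table V by iterated hashing, so V costs n
    block-hashes to build.  Phase 2 reads V at n indices that depend on the
    running state, so they cannot be predicted in advance; an implementation
    that refuses to keep V in memory must recompute the entries it needs,
    trading time for memory.  This is what makes the function expensive in
    small-memory ASICs/FPGAs, while a GPU with plentiful memory copes well.
    """
    if n <= 0 or n & (n - 1):
        raise ValueError("n must be a power of two")
    x = block_hash(seed)
    v = []
    for _ in range(n):          # phase 1: V[i] = H^(i+1)(seed)
        v.append(x)
        x = block_hash(x)
    for _ in range(n):          # phase 2: data-dependent reads into V
        j = struct.unpack("<Q", x[:8])[0] & (n - 1)
        x = block_hash(bytes(a ^ b for a, b in zip(x, v[j])))
    return x


def bitcoin_header_hash(header: bytes) -> bytes:
    """Bitcoin's proof-of-work hash: SHA-256 applied twice (SHA256^2).

    A mining ASIC computes exactly this primitive at very high rate, so a
    password store relying on raw or lightly iterated SHA-256 is exposed to
    the same hardware; a memory-hard KDF like the ROMix above is not.
    """
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


if __name__ == "__main__":
    # Constructed sample inputs, for demonstration only.
    print(toy_romix(b"password|salt", 1 << 10).hex())
    print(bitcoin_header_hash(b"\x00" * 80).hex())
```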