[Cryptography] Another Bitcoin issue (maybe) (was: BitCoin bug reported)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Feb 15 22:02:44 EST 2014


Peter Todd <pete at petertodd.org> writes:

>Meanwhile the early attempt of scrypt have failed badly; an ASIC has now been
>created targeting scrypt and the joule/hash efficiency increase, the
>marginal cost of hashing, compared to commodity hardware was higher than the
>SHA256^2 algorithm in Bitcoin.

Interesting!  The first-gen stuff seems to be mostly repurposed BTC miner
hardware, and it's still at the prototype stage, but in the long term it'll
confirm something I wrote a while back:

  So how do Bitcoin-mining ASICs affect general security?  Passwords and
  encryption keys are often protected using the same hash algorithms that the
  mining ASICs (and FPGAs and GPUs) are designed to calculate at great speed.
  By repurposing the hardware that was designed for Bitcoin mining it would be
  possible to attack hashed passwords with an efficiency that wasn’t feasible
  before Bitcoin appeared (having said that, the Bitcoin ASICs for which
  details have been published are specifically designed for high-speed mining
  rather than password-cracking and would require changes to their control
  circuitry to make them suitable for password cracking — it’s not for nothing
  that they’re called application-specific ICs).

  Two variations of Bitcoin called Litecoin and Novacoin turn another
  cryptographic mechanism into collateral damage.  In this case it’s scrypt,
  which was specifically designed to be expensive to implement in custom
  hardware by accessing data spread across a large amount of memory in a
  pseudorandom manner, a so-called memory-hard algorithm [ ].  Unfortunately
  while this makes scrypt extremely expensive to implement in FPGAs and ASICs,
  it’s well suited to GPUs, so mining isn’t nearly as hard as it should be.  A
  side-effect of this Lite/Novacoin mining is that, again, a mechanism
  designed to protect one type of resource, passwords, is weakened when it’s
  also used to protect another type of resource, coin scarcity.

>I don't think anyone knows how to design a PoW algorithm without this
>joule/hash efficiency increase unfortunately; scrypt shows the memory-hard
>approach is flawed.

The PHC (password hashing competition) folks are working hard on this, stand
by.  For people interested in the technical details, the PHC list archives,
available at http://dir.gmane.org/gmane.comp.security.phc, make for very
interesting, if voluminous, reading.

Peter.
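The quoted passage describes scrypt as memory-hard because its core (ROMix) fills a large array and then reads from it in a data-dependent order. The well-known catch, which is part of why the approach leaks work onto GPUs, is that a sequential memory-hard function admits a time-memory tradeoff: an implementation can keep only every k-th entry of the array and regenerate the rest on demand, cutting memory by roughly k at the price of extra hashing. The following is an added illustration written for this post, not code from the thread or from any scrypt implementation; it models ROMix with SHA-256 standing in for BlockMix/Salsa20/8, uses a deliberately tiny N, and the function names (`romix`, `romix_tmto`, `compare`) are this example's own. It is useful for a defender choosing parameters: the memory figure `128 * r * N` is what the real scrypt needs per instance, and the tradeoff shows why that figure is a ceiling on attacker memory, not a floor.

```python
"""
Toy model of scrypt's ROMix core and the time-memory tradeoff (TMTO) that
lets an implementation use less memory than the parameters suggest.

Added illustration, not code from the mailing-list post.  H is SHA-256
standing in for scrypt's BlockMix/Salsa20/8; parameters are tiny so it runs
instantly.  The seed below is a constructed value, not a real credential.
"""
import hashlib
from typing import Dict, Tuple

# Constructed demo input (stands in for PBKDF2's output feeding ROMix).
SEED = hashlib.sha256(b"constructed demo password|constructed salt").digest()


def H(block: bytes) -> bytes:
    """Stand-in for BlockMix: any fixed-width one-way function works here."""
    return hashlib.sha256(block).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def integerify(block: bytes, n: int) -> int:
    """Derive a pseudorandom index into V from the current block, as scrypt
    does with the tail of its last 64-byte sub-block."""
    return int.from_bytes(block[:8], "little") % n


def romix(x: bytes, n: int) -> Tuple[bytes, int, int]:
    """Reference ROMix: store n blocks, then n data-dependent reads.
    Returns (output, blocks_stored, hash_calls)."""
    v = []
    calls = 0
    for _ in range(n):
        v.append(x)            # V[i] = H^i(x0)
        x = H(x)
        calls += 1
    for _ in range(n):
        j = integerify(x, n)
        x = H(xor(x, v[j]))
        calls += 1
    return x, len(v), calls


def romix_tmto(x: bytes, n: int, k: int) -> Tuple[bytes, int, int]:
    """Same function, keeping only every k-th block of V as a checkpoint and
    regenerating V[j] by re-hashing from the nearest checkpoint.  Memory drops
    by about k, hash work grows, the output is bit-for-bit identical."""
    stored: Dict[int, bytes] = {}
    calls = 0
    for i in range(n):
        if i % k == 0:
            stored[i] = x      # checkpoint: V[i] for i a multiple of k
        x = H(x)
        calls += 1
    for _ in range(n):
        j = integerify(x, n)
        base = j - (j % k)     # nearest checkpoint at or below j
        blk = stored[base]
        for _ in range(j % k):  # walk forward to V[j]
            blk = H(blk)
            calls += 1
        x = H(xor(x, blk))
        calls += 1
    return x, len(stored), calls


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Memory the real scrypt needs for its V array: 128 * r * N bytes."""
    return 128 * r * n


def compare(seed: bytes, n: int, k: int) -> Dict[str, int]:
    """Run both variants and report memory/compute figures side by side."""
    out, ref_stored, ref_calls = romix(seed, n)
    out2, tmto_stored, tmto_calls = romix_tmto(seed, n, k)
    return {
        "same_output": out == out2,
        "ref_stored": ref_stored,
        "ref_calls": ref_calls,
        "tmto_stored": tmto_stored,
        "tmto_calls": tmto_calls,
    }


if __name__ == "__main__":
    r = compare(SEED, 1024, 8)
    print(r)
    print("scrypt N=2^14, r=8 needs",
          scrypt_memory_bytes(2 ** 14, 8) // 2 ** 20, "MiB per instance")
```

With N=1024 and k=8 the checkpointed variant keeps 128 blocks instead of 1024 and still produces the same digest, at the cost of roughly 2.5 to 3 times as many hash calls. That is the shape of the tradeoff the thread is about: the N you pick bounds what an honest implementation must use, but a hardware implementer with cheap compute and expensive memory can slide along this curve.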

