BIP Proposal: Inhibiting a covert optimization on the Bitcoin POW function



Summary:

Sergio Demian Lerner has proposed a new Bitcoin consensus rule that would inhibit the covert use of an optimization in the Bitcoin proof-of-work function. The proposal aims to prevent rational miners from saving energy costs by up to 30% through the use of this optimization. A patent for this optimization was applied for by Timo Hanke and Sergio Demian Lerner, and the company Sunrise Tech Group has offered to license it to any interested parties under the trade name ASICBOOST. The document takes no position on the validity or enforceability of the patent.

There are two major ways of taking advantage of this optimization: one is highly detectable, while the other has significant interaction and potential interference with the Bitcoin protocol. The covert mechanism is not easily detected except through its interference with the protocol. Using this optimization could produce a large payoff, but the actual amount depends on the degree of research, investment, and effort put into designing the improved cores. The potential for covert use of this optimization, and its interference with useful protocol improvements, presents a danger to the Bitcoin system.

The general idea of the optimization is that SHA2-256 is a Merkle-Damgård hash function which consumes 64 bytes of data at a time. The Bitcoin mining process repeatedly hashes an 80-byte 'block header' while incrementing a 32-bit nonce at the end of this header data. An obvious way to generate different candidates is to grind the coinbase extra-nonce, but for non-empty blocks each attempt requires 13 or so additional SHA2 runs, which is very inefficient. This inefficiency can be avoided by computing a square-root number of candidates for the left side of the hash tree and then an additional square-root number of candidates for the right side of the tree, using transaction permutation or substitution of a small number of transactions.

With this final optimization, finding a 4-way collision with a moderate amount of memory requires ~2^24 hashing operations instead of the >2^28 operations that extra-nonce grinding would require, which would substantially erode the benefit of the optimization. It is this final optimization which the proposal blocks: a commitment in the left side of the tree to all transactions in the right side completely prevents the final square-root speedup.

The proposed rule automatically sunsets. If it is no longer needed, because stronger rules have been introduced or the version-grinding form has been accepted, there would be no reason to continue with this requirement.

A BIP for avoiding erroneous warning messages when miners use the overt version of the optimization was proposed several years ago, in order to deter covert use of the optimization, but that BIP was rejected. In light of the current discoveries, it could be reconsidered.
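The following is an added illustration, not code from the proposal or from any mining software. It shows three things the summary above describes: how the 80-byte header splits into a 64-byte first SHA2 block and a 16-byte tail (so only the last 4 bytes of the Merkle root land in the second compression), how grinding the left and right subtrees independently yields n_left * n_right candidate roots for only n_left + n_right subtree computations (the square-root trick, bucketed by the root's tail to find collisions), and how requiring the coinbase to commit to the right-subtree root makes every right-side change invalidate the whole left side. All transactions, the coinbase layout, and the commitment encoding are constructed stand-ins: the real BIP's serialization is not reproduced here, and the collision search matches a 1-byte tail instead of the real 4-byte tail so that it runs instantly.

```python
import hashlib
import itertools
from collections import defaultdict

# Constructed sample transaction ids (not real Bitcoin transactions).
TXS = [hashlib.sha256(b"constructed-tx-%d" % i).digest() for i in range(7)]

HASH_CALLS = 0  # counts double-SHA256 invocations so the two strategies can be compared


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, instrumented with a call counter."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves):
    """Bitcoin-style Merkle root: pair up, duplicate the last node when a level is odd."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def header_chunks(merkle, version=0x20000000, prev_hash=b"\x00" * 32,
                  ntime=1_500_000_000, nbits=0x18000000, nonce=0):
    """Serialize an 80-byte header and split it at the 64-byte SHA2 block boundary.
    The first chunk fixes the midstate; only merkle[28:] + time + bits + nonce remain."""
    header = (version.to_bytes(4, "little") + prev_hash + merkle
              + ntime.to_bytes(4, "little") + nbits.to_bytes(4, "little")
              + nonce.to_bytes(4, "little"))
    return header[:64], header[64:]


def coinbase_bytes(extra_nonce: int, commitment: bytes = b"") -> bytes:
    """Constructed coinbase stand-in: an extra-nonce plus an optional commitment field."""
    return b"coinbase|" + extra_nonce.to_bytes(4, "little") + commitment


def right_candidates(n_right):
    # Permuting the four right-side transactions gives up to 24 distinct right roots.
    perms = itertools.islice(itertools.permutations(TXS[3:]), n_right)
    return [merkle_root(list(p)) for p in perms]


def grind_covert(n_left, n_right, tail_bytes):
    """Covert strategy: n_left + n_right subtree computations yield n_left * n_right roots.
    Candidates are bucketed by the tail of the root that falls in the second SHA2 block."""
    lefts = [merkle_root([sha256d(coinbase_bytes(e))] + TXS[:3]) for e in range(n_left)]
    rights = right_candidates(n_right)
    buckets = defaultdict(list)
    for left in lefts:
        for right in rights:
            root = sha256d(left + right)
            buckets[root[32 - tail_bytes:]].append(root)
    return buckets


def grind_committed(n_left, n_right, tail_bytes):
    """Same grid under the proposed rule: the coinbase commits to the right-subtree root,
    so each right-side change forces the entire left side to be recomputed."""
    buckets = defaultdict(list)
    for right in right_candidates(n_right):
        for e in range(n_left):
            left = merkle_root([sha256d(coinbase_bytes(e, commitment=right))] + TXS[:3])
            root = sha256d(left + right)
            buckets[root[32 - tail_bytes:]].append(root)
    return buckets


def largest_collision(buckets) -> int:
    """Size of the biggest set of candidate roots sharing the same tail."""
    return max(len(v) for v in buckets.values())


def count_hashes(fn, *args):
    """Run fn and return (result, number of double-SHA256 calls it needed)."""
    global HASH_CALLS
    HASH_CALLS = 0
    result = fn(*args)
    return result, HASH_CALLS


def validate_commitment(coinbase: bytes, right_leaves) -> bool:
    """Validator-side check in the spirit of the proposed rule (simplified encoding):
    the coinbase must contain the root of the right subtree it is paired with."""
    return merkle_root(right_leaves) in coinbase


if __name__ == "__main__":
    covert, covert_cost = count_hashes(grind_covert, 40, 24, 1)
    committed, committed_cost = count_hashes(grind_committed, 40, 24, 1)
    print("covert: %d roots, best collision %d-way, %d hashes"
          % (40 * 24, largest_collision(covert), covert_cost))
    print("committed: %d roots, %d hashes" % (40 * 24, committed_cost))
```

With 40 extra-nonce values and 24 right-side permutations the covert grind builds 960 candidate roots for 1192 double-SHA256 calls and, by the pigeonhole principle on a 1-byte tail, is guaranteed at least one 4-way collision; under the commitment rule the same 960 roots cost 4872 calls, because the left subtree can no longer be shared across right-side candidates. Widening `tail_bytes` to 4 restores the real cost model, where the collision search itself becomes the dominant expense the proposal describes.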


Updated on: 2023-06-12T00:05:06.459904+00:00