POW improvements #1227
Labels
No Label
bug
build
dependencies
developers
documentation
duplicate
enhancement
formatting
invalid
legal
mobile
obsolete
packaging
performance
protocol
question
refactoring
regression
security
test
translation
usability
wontfix
No Milestone
No project
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Bitmessage/PyBitmessage-2024-12-06#1227
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
I'm going to work on some improvements to the current POW subsystem:
Continuously update expiry time while doing the work to hide your computing power from peers. Short living messages would also get advatage from this, because POW calculation can take notable part of their TTL.
Calculate several POWs in parallel in the same thread. Previous change will require to periodically interrupt calculation, so we can interleave several POWs creating something like a simple task scheduler.
Add ability to stop POW and cancel or edit a message in the UI.
Add an expected time indicator to the UI, analogous to Vanitygen's.
Make starting nonce random, solving this issue #1213.
What more?
Good idea
I realised that random starting nonce can't completely hide the number of threads. It's because the first successful nonce is taken as the result, so an attacker can try all nonces before it until he finds another solution. This way he can limit the range of possible starting values making them not so random for him.
If there are two consecutive or not very distant nonces that both satisfy the POW target and a node has chosen the second of them, it reveals high probability that the node uses a multithreaded worker.
Maybe this problem is not serious, but it shows that random starting value is a bad solution and there may be more such problems. It's like using one-time pad multiple times, to encrypt all nonce trials.
I see several possible solutions:
Use strong encryption instead of this one-time pad. Encrypt a counter with a block cipher and use this value as a nonce. This must be performed for each iteration, so this would be unacceptably slow.
Choose random nonce every time. Like the prevoius option it's too slow, and a little worse because of collisions, which are impossible in case of a block cipher.
Start with a random nonce and then take the last 64 bits of the double hash as the next nonce. This is as fast as the current unencrypted counter. But these hash chains can form cycles, when a nonce collides with one of the previous. And they provide only 64-bit security: instead of decrementing a counter an attacker now needs to reverse a 64-bit hash.
Choose the first 56 bits at random and try all 256 possibilities for the last 8 bits. If two solutions are found, select one at random. This is fast and looks secure, I think it's the best option.