Covert attack on Bitcoin drives block size debate stagnation

On Wednesday afternoon, Bitcoin Core developer Greg Maxwell submitted a Bitcoin Improvement Proposal (BIP), inhibiting a “covert attack on the Bitcoin POW function.” Maxwell discovered patent pending technology being used in an ASIC Bitcoin mining chip, which gives certain Bitcoin miners 20 to 30 percent more mining power.

The technology, AsicBoost, was invented by Timo Hanke in collaboration with Sergio Lerner. "Through clever pre-processing and crafting of the work that is sent to the chip, the ASIC is allowed to re-use about one quarter of the information that would otherwise be created and discarded on a continuous basis internally to the hashing cores,” explains Hanke. “A hashing core adopted for AsicBoost can save up to one quarter of the gates by re-using that information over time or by sharing it with other hashing cores."

While the technology is offered for use under license, Maxwell discovered an ASIC chip with the technology in, which the creators “were completely unaware of.” The BIP to counter the problem does not prevent the attack in general, “but only inhibits covert forms of it which are incompatible with improvements to the Bitcoin protocol.”

“A month ago I was explaining the attack on Bitcoin's SHA2 hashcash which is exploited by ASICBOOST and the various steps which could be used to block it in the network if it became a problem,” states Maxwell. “As I explained one of the approaches to inhibit covert ASICBOOST I realized that my words were pretty much also describing the SegWit commitment structure.”

“An incompatibility would go a long way to explaining some of the more inexplicable behavior from some parties in the mining ecosystem so I began looking for supporting evidence.”

- Greg Maxwell

The new vulnerability, according to Maxwell, is “a clear and present danger to the Bitcoin system which requires a response.” He gives two examples of the harm it can do, which mainly manifest in either “inequality in the mining process and interference with useful improvements.”

The more obvious problem is mining power centralization, a subject that bitcoin developers have been worried about since the invention of ASIC mining chips. In this case, it makes mining centralization even more profitable than usual, at the expense of other miners.

“Exploitation of this vulnerability could result in a payoff of as much as $100 million USD per year at the time this was written (Assuming at 50% hash-power miner was gaining a 30% power advantage and that mining was otherwise at profit equilibrium), Maxwell explains. “This could have a phenomenal centralizing effect by pushing mining out of profitability for all other participants, and the income from secretly using this optimization could be abused to significantly distort the Bitcoin ecosystem in order to preserve the advantage.”

Maxwell also claims that the covert use of AsicBoost incentivizes miners using the capability to vote against all of the previous attempts to change the bitcoin blocksize. “The best methods of implementing the covert attack are significantly incompatible with virtually any method of extending Bitcoin's transaction capabilities,” he explains. “With the notable exception of extension blocks (which have their own problems).”

- Greg Maxwell

Speaker and author Andreas Antonopoulos read the BIP and soon tweeted his take on the problem. “The real issue with this ASICBOOST drama is the fact that it incentivizes bizarre Tx selection and resistance to block header changes,” he began, referring to unusual mining patterns. “It creates specific incentives to produce imbalanced merkle trees in order to get a 30% boost. That's a problem.”

However, former Bitcoin head developer Gavin Andresen stated that the efficiency gains provided by AsicBoost make mining more efficient. “It's not ok for Ethereum to change their rules to undo a theft,” Andresen said. “But it is ok for Bitcoin to change the rules to prevent an optimization?” He was not alone. Yours Network CEO Ryan X Charles asked “Are ‘attack’ and ‘exploit’ accurate characterizations? Looks like an optimization to me.”

Maxwell explains this mindset as a simple lack of information or cognition on their part. “I think part of the reason people haven't taken it seriously as a threat is because it's tricky to understand,” he said on an IRC channel after earlier remarks. “While talking about it privately for the last month I ran into many experts that kept lapsing into thinking that the collision required 2^32 work, and other misunderstandings.”

When asked how the vulnerability can be verified, and if it can simply be seen by examining a block, Maxwell stated that the network needs to be watch for behavioral patterns. “The covert method is hard to detect and cannot be detected on a block by block basis. It can show up as an increased number of empty blocks, strange ordering of transactions in blocks, or never-seen-before transactions showing up in blocks.” It is these “protocol interactions of the covert method,” Maxwell states, that would “block the implementation of virtuous improvements such as segregated witness.”

Meanwhile, using AsicBoost as intended, overtly, isn’t a problem that most developers are seeking to fix. “The overt method is trivial to detect, trivial to block, and not currently in use,” Maxwell claims. This is the version that “most people understand ASICBOOST to be-- which is part of the reason people hadn't been worrying about it.”

His BIP set out a plan to use a Soft Fork upgrade of Bitcoin, which implies backwards-compatibility and is strictly an opt-in upgrade. Once applied to a majority of bitcoin nodes, it would block the covert implementation of AsicBoost. The proposed code is a targeted attack that “interferes” with the covert method by eliminating the specific algorithmic advantages he’s detected, while not harming any other performance increases.

- Maxwell

While the company behind the chips has not been named, there are very few ASIC manufacturers. A very similar patent was filed on August 21, 2015, by Chinese Bitcoin manufacturer Bitmain. The company produces the leading ASIC product line on the global market, Antminers, and also runs the leading mining pool, Antpool. Their Chinese patent for a technology that is described in the same way as AsicBoost, although it predates the latter patent by several months. CEO Jihan Wu’s name is on the Chinese patent as a co-inventor.

The technology looks so similar that many people in the community have already made the connection and accused Wu of theft. BitTorrent creator and Bitcoin developer Bram Cohen declared that “Bitmain took out a chinese patent on asicboost with no credit to the actual inventors.” There has been no reply to the numerous questions asked of Wu on various platforms.

While the connections remain speculation, the price of Bitcoin rose sharply soon after the news broke, jumping $35. BitGo CTO Ben Davenport noticed the trend and said that the “market likes the ASICBOOST discovery... removal of uncertainty. Once you know the disease, you can find the cure.” Blockstream CEO Adam Back, who helped develop Proof of Work speculated that “Segwit would be activated today if not for one persons probably conflict of interest.”