|
2020-06-14, 13:43
|
#111 | |
"TF79LL86GIMPS96gpu17"
Mar 2017
US midwest
123628 Posts |
Quote:
What happens if you don't have topk in the file, and years from now want to transition to a different power or topk strategy? Seems simpler for a transition, and reliable before one, to have it explicitly contained in the file. The server or verified system can check that value and produce an error message if it doesn't match expectations, putting the server or verifier operator on notice there's a new case that needs handling, or some other issue. Last fiddled with by kriesel on 2020-06-14 at 14:21 |
|
|
|
|
2020-06-14, 13:57
|
#112 | |
|
Undefined
"The unspeakable one"
Jun 2006
My evil lair
2×19×163 Posts |
Quote:
What is it, 8 extra bytes or something? In a 120MB file. I don't think it makes a major difference to anything. It's like asking for the 1c change after you just paid $999,999.99 with your million dollar note. |
|
|
|
|
|
2020-06-14, 17:12
|
#113 | |||
|
P90 years forever!
Aug 2002
Yeehaw, FL
2×53×71 Posts |
Quote:
You could choose a different default power value if, for a particular exponent, there is no increase in tail iterations when power is increased. Quote:
Quote:
Last fiddled with by Prime95 on 2020-06-15 at 02:47 |
|||
|
|
|
2020-06-15, 02:47
|
#114 | ||
|
P90 years forever!
Aug 2002
Yeehaw, FL
1D6616 Posts |
Quote:
Quote:
A primer on potential cheating might be useful. For example, if we make h0 dependent on B, but make h1...hn known at startup, does that make cheating easy or just a little less difficult. If this were safe, I can get by with 3*power temporaries -- much better than 6GB at power==9. I also did not understand how increasing the bit-size of h0...hn makes the proof more secure. |
||
|
|
|
|
2020-06-15, 10:19
|
#115 | |
"Mihai Preda"
Apr 2015
3·457 Posts |
Quote:
The proof is like a chain of links. The whole chain is secure because each link is secure. The structure of a link is the classic "(A^h * M)^q==M^h * B". The assumption is that the link above verifies simultaneously the two indepenedent statements: A^q==M *and* M^q==B. Now of course there is more "liberty", or degrees of freedom, in the two statements vs. the compound one (probably in the "linear combinations" sense). The equivalence only holds if the first statement is verified for *multiple* values of h. Afterwards *multiple* is relaxed to "one random value of h", which is in turn relaxed to the hash in the Shamir heuristic setup. Let's see if we extremely limit the range of "h", let's say we always have h==1. Then the implication above obviously does not hold anymore: (A*M)^q==M*B does not imply (A^q==M && M^q==B) If h has values from a small set (i.e. fewer bits), then there is trouble at the step that equivalates "holds for multiple values of h" with "holds for one random value of h", because this equivalence fails at a rate of 1/#h. (thinking of it this way: the attacker can easily manufacture matching fake data for *one* specific value of h. His cheat is detected with a rate of 1/#h (where #h is the cardinality of the set(h)). Taking a step back, let's look at what would be a practical attack in our specific case. If I were an attacker, I would like to generate a valid proof for an incorrect final-B, any B would do. This is because "any" B would most likely indicate composite, and if I'm able to do this I can hide a prime. Now how much effort would it be reasonable for an attacker to put in this endeavor? how high should we set the effort bar for a successful cheat? Indeed I would also like to see an analysis of the cheat effort (which might allow us to lower the bits of h). Last fiddled with by preda on 2020-06-15 at 10:21 |
|
|
|
|
|
2020-06-15, 18:05
|
#116 |
|
P90 years forever!
Aug 2002
Yeehaw, FL
2×53×71 Posts |
The 6GB temp space requirement for a power==9 test is a problem for me. I use 32GB SSDs on a machine with 3 GPUs running 6 gpuowl instances. That's 36GB of temp space.
Or consider someone going after the 100M digit prize. We'd like to use a higher power (say 12) to reduce workload on verifier. That's 4096 40MB residues = 160GB. I can see a lot of users running out of disk space. In the power==12 example, if we make h0 dependent on B but h1...h11 are fixed we can reduce temp storage to about 150MB. How much have we weakened the proof? I think you are saying (please correct me if I've misunderstood) that a fixed h1 through h11 allows the bad guy to pick a fake B,M pair using roughly this method: Code:
h0 = hash(B) hh = h0*h1*h2*h3*h4*h5*h6*h7*h8*h9*h10*h11 Find M such that B = (A^hh)^q * M^(q-hh), where q=2^k and k=12 |
|
|
|
|
2020-06-15, 22:11
|
#117 | |
|
P90 years forever!
Aug 2002
Yeehaw, FL
1D6616 Posts |
Quote:
In case it is not obvious why pre-computing h values saves temp space for the proof author, an example. If I understand correctly, if power >= 5 one of the middle values in the proof is computed by combining 16 different intermediate residues: Code:
(((r0^h3 * r1)^h2 * r2^h3 * r3)^h1 * (r4^h3 * r5)^h2 * r6^h3 * r7)^h0 * ((r8^h3 * r9)^h2 * r10^h3 * r11)^h1 * (r12^h3 * r13)^h2 * r14^h3 * r15 |
|
|
|
|
|
2020-06-16, 08:40
|
#118 | |
|
"Mihai Preda"
Apr 2015
3·457 Posts |
Quote:
Or, the equivalent (I think) question: how hard is it to find *a* residue X that satisfies the modular equation: (A^h * X)^q == X^h * B given A, B, h and q (X, A, B are modular residues, q and h integers, given). ? (A genuine question for me, maybe a trivial question for the math people around here, thanks!) Last fiddled with by preda on 2020-06-16 at 08:43 |
|
|
|
|
|
2020-06-16, 09:07
|
#119 | |
|
"Mihai Preda"
Apr 2015
137110 Posts |
Quote:
We use the stored temporary residues only to save work ("faster") vs. the trivial way of computing the middle. But after a certain point, the trivial way becomes faster than using saved residues. Constructing the proof, at some step "i" we have the A[i] and B[i] and want to compute M[i] the middle between A[i] and B[i]. One way is to combine in the fancy way the saved residues, but of course we can also simply do a number of iterations ("half the distance between A[i] and B[i]") from A[i] and find M[i] that way. As "i" grows, using saved-residues becomes exponentially slower, while doing the iterations becomes exponentially faster. The reversal point, when the later becomes faster, is somewhere around 8. For example, by saving only 2^8 residues, when building a proof of power 9, we would work out the first 8 middles from residues, and the last one, the 9th, by doing E/512 iterations. When computing a proof of power 12, the same: save 256 residues only, and afterwards do E/512 + E/1024 + ... + E/4096 iterations. This way the temp storage is capped and smaller. (In parallel I also try to understand if the "fixed hashes" you proposed would work) |
|
|
|
|
|
2020-06-17, 08:55
|
#120 |
|
"Pavel Atnashev"
Mar 2020
22×11 Posts |
This is not efficient from the point of view of the whole system. You decrease verifier's computations at the expense of prover's computations AND increased bandwidth requirements.
|
|
|
|
|
2020-06-17, 13:55
|
#121 | |
|
6809 > 6502
"""""""""""""""""""
Aug 2003
101×103 Posts
100110001110002 Posts |
Quote:
|
|
|
|
|
 |
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| phi function | rula | Homework Help | 3 | 2017-01-18 01:41 |
| delay in crediting? | ixfd64 | PrimeNet | 7 | 2008-10-20 20:45 |
| Why delay between posts? | JHagerson | Forum Feedback | 1 | 2006-05-13 21:30 |
| Minimum delay between server connections | vaughan | ElevenSmooth | 5 | 2005-09-08 17:17 |
| Stats delay | ltd | Prime Sierpinski Project | 10 | 2005-08-08 13:38 |
