|
2020-07-17, 16:14
|
#221 | |
|
P90 years forever!
Aug 2002
Yeehaw, FL
165468 Posts |
Quote:
|
|
|
|
|
2020-07-30, 10:08
|
#222 | |
Oct 2018
48 Posts |
Use of res2048 value
Quote:
I think this an interesting thread, and very useful work for the project. I wanted to add something that occurred to me, although somewhat late in the discussion now. As noted, with topK above E the server generally can not cheaply verify the res64 or res2048 value. Although, after successfully verifying the certificate, the result of the PRP test is not in doubt. But if the PRP test indicates composite, and at later dates factor(s) are found, the residue could not be used, e.g. in the scheme R. Gerbicz showed here: https://www.mersenneforum.org/showthread.php?t=23462 to cheaply show (in some cases) that the cofactor is composite, since the stored res2048 value itself could be invalid. I'm not qualified nor very experienced in relevant fields, so there is a greater likelihood I've misunderstood. Or I might even have missed that this was considered and discounted as being out of scope (in which case I apologise in advance for not thoroughly enough reading around the topic!) |
|
|
|
|
|
2020-07-30, 17:20
|
#223 | |
|
P90 years forever!
Aug 2002
Yeehaw, FL
2·53·71 Posts |
Quote:
The res64 and res2048 will be correct, but it is not proven. What does that mean? Prime95 and gpuowl, grab the res64 value and, in prime95's case, the res2048 value on the way to TopK. Barring a program bug, or malicious user changing the available source code, these values will be correct. Proven means 3^TopK was performed correctly and the probably-prime/composite state of the Mersenne number is certain -- immune from program bugs and malicious users. |
|
|
|
|
|
2020-07-31, 00:42
|
#224 |
|
Undefined
"The unspeakable one"
Jun 2006
My evil lair
2·19·163 Posts |
Have you tested the VDF code in P95 with some of the known primes to check that the prime-found code works?
Last fiddled with by retina on 2020-07-31 at 00:42 |
|
|
|
2020-07-31, 02:47
|
#225 | |
|
P90 years forever!
Aug 2002
Yeehaw, FL
2·53·71 Posts |
Quote:
|
|
|
|
|
|
2020-07-31, 16:39
|
#226 | |
"TF79LL86GIMPS96gpu17"
Mar 2017
US midwest
14F216 Posts |
Quote:
|
|
|
|
|
|
2020-08-25, 15:14
|
#227 |
|
"Pavel Atnashev"
Mar 2020
4410 Posts |
Roots of unity Attack
It is possible to conceal a prime by tampering with the proof and forcing the result of PRP test to be different than 1. In the simplest circumstances an attacker has to perform just two multiplications by -1 to spoil the proof. I was able to do it with 30406^8192+1, and from what I understand it was as easy with GIMPS too. The attack uses my previous idea of injecting a root of unity into the proof. Ravi Fernando pointed out that it's still possible to contaminate both sides of the proof, with probability of a correct proof being inversely proportional to root's order. The attack happens entirely on client side, the server receives 100% valid proof. And it does not depend on hash hardening or the random exponent. Attacker can multiply the result and some products by a root of unity during construction of the proof. The root will be raised to unpredictable powers, but root^hash = root^(hash mod order) For cubic roots the probability that both products in the certificate will have the same power of the root is 1/3. In cases where no squarings of the result happen at server side, the attacker can use -1 if the first hash is odd. y_1 = -y*(-u1)^h0 = y*u1^h0 and -x_power will lose minus either with an even hash or when being validated x_power^distance. It is important to note that the attacker needs to have a valid proof in the first place. Pietrzak pays no attention to roots of unity because they have no effect on the performance of his verifiable delay function. The result of the computation is not important for a VDF, but since it's important for us, we need to implement additional measures to make sure the attack is not practical. The fix is simple: raise the result of PRP test to all small divisors of N-1, if you get 1 it's a cause for concern. For N=k*b^n+c, it's very easy to do so for c=1, but requires some sieving for c=-1. The depth of sieving should be rather large, because the attacker has some time and unlimited number of attempts to construct a fake proof. In practice, the check against the attack is just an additional step performed by the server during generation of the certificate. All relevant software was updated to include such a step. |
|
|
|
|
2020-08-25, 15:52
|
#228 | |
|
If I May
"Chris Halsall"
Sep 2002
Barbados
2×5×7×139 Posts |
Quote:
Guys, this sounds like there's currently a viable attack vector. Comments? |
|
|
|
|
|
2020-08-25, 18:08
|
#229 | |
|
"TF79LL86GIMPS96gpu17"
Mar 2017
US midwest
2×7×383 Posts |
Quote:
Depending on what you mean by "small divisors" or "rather large" depth of sieving, that sounds to me like possibly a separate server-managed client-performed work assignment or multiple per GIMPS exponent. That much TF (and P-1?) and exponentiation may be too much for the PrimeNet server to take on. But your last line seems to indicate it's already in place on the server, so manageable load. Why someone would want to conceal a Mersenne prime baffles me. Last fiddled with by kriesel on 2020-08-25 at 18:11 |
|
|
|
|
|
2020-08-25, 22:09
|
#230 | ||
|
P90 years forever!
Aug 2002
Yeehaw, FL
752610 Posts |
Quote:
Quote:
Prior to the fix, it would allow an attacker to find a Mersenne prime and then with some effort create a proof file that showed it was not a Mersenne prime. Why one would want to do this is beyond me. The attack involves multiplying the final Fermat PRP result (for a prime this is one) by a root-of-unity. Minus one is one such possible root. Prior to the fix, the server would have seen the final PRP result of minus one and concluded "not a PRP". But now, we square the final result and turn the attacker's minus one back into one -- thwarting our madman's evil intent. There are other possible roots - like the modular cube root of one. We thwart this by also raising the final result to the third power. Pavel showed what the possible small roots of unity are so we could guard against all of them. |
||
|
|
|
|
2020-08-25, 22:15
|
#231 | ||
|
If I May
"Chris Halsall"
Sep 2002
Barbados
260216 Posts |
Quote:
But the mere fact the vector was viable would mean you couldn't say *for sure* an MP hadn't been missed. Quote:
|
||
|
|
|
 |
| Thread Tools | |
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| phi function | rula | Homework Help | 3 | 2017-01-18 01:41 |
| delay in crediting? | ixfd64 | PrimeNet | 7 | 2008-10-20 20:45 |
| Why delay between posts? | JHagerson | Forum Feedback | 1 | 2006-05-13 21:30 |
| Minimum delay between server connections | vaughan | ElevenSmooth | 5 | 2005-09-08 17:17 |
| Stats delay | ltd | Prime Sierpinski Project | 10 | 2005-08-08 13:38 |
