The Blocksize War – Chapter 14 – ASICBoost
On Wednesday April 5, 2017, another bombshell was set off, this time by the small blockers. It was in the form of an email to the Bitcoin developer mailing list from Gregory Maxwell. We won’t go too much into the details here, as it’s highly technical. The main thrust behind Gregory’s allegation was that Bitmain and Jihan’s stated reasons for opposing SegWit were, in fact, lies. Bitmain supposedly had a secret agenda: the company had discovered a secret mining optimisation, a proof-of-work shortcut, that would not work if blocks contained SegWit transactions. The reason for the opposition to SegWit was therefore financial, to protect Bitmain’s profitability, rather than the stated reasons of complexity or to retain leverage to get a hardfork. If it was true that Bitmain had been dishonest to this extent, it could be argued that Bitmain were malicious actors when it came to the Bitcoin protocol.
Gregory’s email is provided below.
A month ago I was explaining the attack on Bitcoin’s SHA2 hashcash which is exploited by ASICBOOST and the various steps which could be used to block it in the network if it became a problem.
While most discussion of ASICBOOST has focused on the overt method of implementing it, there also exists a covert method for using it.
As I explained one of the approaches to inhibit covert ASICBOOST I realized that my words were pretty much also describing the SegWit commitment structure.
The authors of the SegWit proposal made a specific effort to not be incompatible with any mining system and, in particular, changed the design at one point to accommodate mining chips with forced payout addresses.
Had there been awareness of exploitation of this attack an effort would have been made to avoid incompatibility — simply to separate concerns. But the best methods of implementing the covert attack are significantly incompatible with virtually any method of extending Bitcoin’s transaction capabilities; with the notable exception of extension blocks (which have their own problems).
An incompatibility would go a long way to explain some of the more inexplicable behavior from some parties in the mining ecosystem so I began looking for supporting evidence.
Reverse engineering of a particular mining chip has demonstrated conclusively that ASICBOOST has been implemented in hardware.
On that basis, I offer the following BIP draft for discussion. This proposal does not prevent the attack in general, but only inhibits covert forms of it which are incompatible with improvements to the Bitcoin protocol.
I hope that even those of us who would strongly prefer that ASICBOOST be blocked completely can come together to support a protective measure that separates concerns by inhibiting the covert use of it that potentially blocks protocol improvements.
ASICBoost is a way to reduce the amount of work a miner is required to do when making a hashing attempt for Bitcoin’s proof of work (PoW). SHA256, which is the hashing algorithm used for Bitcoin’s PoW, splits the block header into 64-byte chunks before the computations occur. The Bitcoin block header is 80 bytes in size and therefore it is split between two chunks — chunk 1 and chunk 2. ASICBoost keeps the value of one of the chunks the same over multiple hashing attempts. Therefore, the miner is required to do only partial work for this chunk, for multiple hashing attempts, resulting in significant efficiency gains of perhaps around 20 percent. A paper describing this system was first published in March 2016 by Timo Hanke.
There were two ways of achieving this: overtly, by tinkering with the version bits area in the Bitcoin block header in chunk 1 to create entropy as chunk 2 remained static for multiple hashing attempts; or covertly. Covert ASICBoost is far more complex, and involves tinkering with Bitcoin transactions, to find a collision in the last four bytes in the Merkle root of the transactions. The Merkle root is split across both chunks, with the last four bytes in chunk 2. Therefore this covert method also keeps chunk 2 static for multiple hashing attempts. This covert manipulation can occur by tinkering with the order of the transactions in the block. The SegWit upgrade requires miners to commit to the transaction structure elsewhere in the block, making this type of manipulation almost impossible. SegWit therefore inadvertently prevents covert ASICBoost.
There was still considerable uncertainty with respect to Gregory’s claim that “reverse engineering of a particular mining chip has demonstrated conclusively that ASICBoost has been implemented in hardware”. While most small blockers appeared to believe the allegation, it was not clear to me that there was enough evidence to support the allegation. Perhaps small blockers were so convinced that SegWit was a good idea, and that there was no good reasons for Bitmain to oppose it, that they had inappropriately concluded that Bitmain’s intentions must therefore be nefarious. This allegation fit very well into that narrative, explaining Bitmain’s behaviour, and for that reason most small blockers seemed to believe it. Of course, an alternative explanation for Jihan’s behaviour, which also seems quite possible, was that he was an extreme large blocker, exposed to the narrative of the large blocker side. This was also a valid explanation for his opposition to SegWit.
Two days after the allegation was made, Bitmain put out a long and rambling denial:
Bitmain has tested ASICBOOST on the Testnet but has never used ASICBOOST on the mainnet as implied in Gregory Maxwell’s proposal. We ask conclusive proof from whoever claims this to be false because such baseless claims are toxic for the Bitcoin space.
Bitmain holds the ASICBOOST patent in China. We can legally use it in our own mining farms in China to profit from it and sell the cloud mining contracts to the public.
Bitcoin mining equipment depreciates rapidly. Bitmain has constantly been introducing newer more efficient miner models for all. As such the statement that the deployment of ASICBOOST, which can lead to a 20% difference in power efficiency, is some kind of negative development for Bitmain’s business model is false.
SegWit is not running in production because the conditions made clear in the Hong Kong agreement have not been met
Gregory Maxwell’s recent proposal suggests changing 2^32 collision to 2^64 collision to make ASICBOOST more difficult. The result of this would be a loss for the patent owners and the Bitcoin protocol. The patent owners will get nothing and Bitcoin protocol will become more complicated.
The Bitcoin community suffered a grave misfortune when Maxwell lead (sic) the coup against Gavin Andresen and removed his Github commit access. It is now incumbent upon us as a community to figure out how to find a new core developer group that does not busy itself with attacking one of Bitcoin’s largest investors (Ver), one of its largest exchanges (Coinbase), and its largest mining equipment provider (Bitmain).
The first thing to note is that, despite the denial, Bitmain did appear to admit to using what was presumably covert ASICBoost on the testnet and therefore it was probably implemented in their hardware. Prior to this denial, I was unsure of the accuracy of the allegations. Ironically, in my mind, the nature of the denial greatly increased the probability that the allegation was true. Bitmain even went on to claim that they owned the ASICBoost patent in China and could legally use it if they wanted to, before going on to defend the technology as a legitimate mining optimisation. A far more effective communication policy would have been a simple, clear denial, rather than defending ASICBoost in the hypothetical scenario that Bitmain was using it. The denial therefore weakened Bitmain’s position and was cited by small blockers as evidence of the nefarious behavior. Even if Bitmain was not currently using covert ASICBoost, they potentially intended to and therefore the spirit of Gregory’s accusation appeared somewhat accurate: Bitmain were dishonest in their opposition to SegWit. It may have been all about the money.
However, a simpler explanation is also possible. Perhaps Bitmain were just bad at communicating in English, and this could be why the denial was so weak. There is also a combative culture of arguing every point in this war. Maybe Bitmain’s point was that they were not doing covert ASICBoost, but even if they were, so what? It is not impossible that Bitmain wanted to make this point, even if the company wasn’t conducting ASICBoost. The denial also went on to restate Bitmain’s position in the blocksize war, that they would not run SegWit as the conditions of the Hong Kong agreement had not been met. Of course, to the small blockers, it was never intended to be a quid pro quo.
Remarkably, Gavin even went on to defend Bitmain, based on the assumption that the company was conducting covert ASICBoost, arguing that it was a legitimate mining optimisation using the Bitcoin software.
It’s not ok for Ethereum to change their rules to undo a theft, but it is ok for Bitcoin to change the rules to prevent an optimization?
However, Gavin seemed to be missing the point. The issue was not that covert ASICBoost was illegitimate, but that Bitmain’s opposition to SegWit was based on dishonesty and that, in the blocksize war, one of the main parties was motivated by dishonest intentions. Had Bitmain come clean and openly opposed SegWit for this reason, it would have been a different story.
Around the same time as the ASICBoost scandal, several large blockers had been proposing extension blocks as an alternative idea to SegWit; a way to increase the blocksize limit via a softfork. This proposal was made by Andrew Lee on the Purse.io blog, a company associated with the large block camp. This plan was even supported by Roger Ver, and Bitmain also appeared to support the idea. Extension blocks were originally proposed by SegWit co-author Johnson Lau in 2013, however the idea was largely abandoned as the experience of sending coins from the extension block to the main chain was not seamless. In contrast, with SegWit, where this process was straightforward.
What was remarkable here was that the large blockers appeared to agree on a proposal that had many of the supposed shortcomings of SegWit, in that it was highly complex and not a simple blocksize limit increase. However, what appeared to be important to them was that this idea was not developed by Bitcoin Core. At this point, developing their own ideas and feeling free from Bitcoin Core appeared to be the most significant issue to the larger blockers, not a blocksize limit increase itself.
Extension blocks were a way to get a softfork blocksize limit increase and retain the ability to conduct covert ASICBoost. To the small blockers, this proposal was therefore further evidence of Bitmain’s guilt. Small blockers also accused Bitmain of financing this recent extension blocks push, again evidence of Bitmain’s guilt over ASICBoost. Just like the larger blockers didn’t want to adopt anything implemented by Bitcoin Core, the smaller blockers appeared to have a similar bias, and the fact that this extension block proposal was promoted and financed by Bitmain, ensured that they opposed it.
The ASICBoost patent was considered a significant threat to Bitcoin. It is possible one mining entity could acquire the patent, claim exclusive rights to use the technology and then dominate the mining industry due to the advantage the technology could provide. To help alleviate this concern, several Bitcoiners are said to have purchased the patent for quite a high price and then, in March 2018, placed the patent into a defensive patent pool, such that the patent could never be used except to defend against other patents. From around April 2018, blocks on the Bitcoin blockchain started indicating the use of overt ASICboost. Overt ASICBoost is far simpler and more efficient than the covert format and also avoids the issue of being incompatible with SegWit. In November 2018, Bitmain adopted overt ASICBoost in its firmware and, as of today, more than 70 percent of Bitcoin blocks are mined using overt ASICBoost. As for the patent, it was never clear exactly who purchased the patent, nor could one easily trace the ownership from the inventor to whomever supposedly put the patent into the defensive patent pledge. Therefore, what actually occurred here was a bit murky.
Even today, I am genuinely unsure of whether Bitmain was using covert ASICBoost on the mainnet or not. Opinion on this issue is mixed among the experts. I think the odds are somewhere around 50:50.
The ASICBoost accusation appeared to have a very little impact in the larger blocker community. In general, they did not understand the accusation and dismissed it as more Bitcoin Core propaganda and lies. The accusation also had very little impact on persuading more people to join the small block camp, largely due to the complexity of the allegation. However, it certainly did have a very significant impact in hardening the views of many of the small blockers, who now considered the situation as far more urgent. Here, the ASICBoost controversy played a significant and monumental role in the conflict. The small blockers now seemed determined to take action.