[Hardware] Notes... The case for an open client

Dan Oetting dan_oetting at uswest.net
Sun Aug 15 21:48:05 EDT 2004

On Aug 15, 2004, at 3:40 PM, Elektron wrote:

>> Ah ... trust, strategies and game theory :)
>> As for sabotaging the entire project, it seems pretty difficult for a
>> single player to do so if some of Dan suggestions like requiring 
>> partial
>> match keys to be posted as proof of searching the space, as it becomes
>> computationally trival to verify those keys as minimim to accept the
>> blocks before including them in the database.
>> Sure, DoS problems could be created ... but d.net faces similar risks.
> Find one partial match. Post the block. Don't bother searching the 
> rest.

There is a collection of parts that work together to secure the whole.

1. Partial match keys are used as counters for work performed.
2. Residual checks on blocks to detect failures
3. Client ID's for tracking work performed by individual users/machines.

You cannot get credit for your work without finding the partial match 
keys. Over the long run it takes a fixed amount of effort to find each 
key regardless of how you search. If a client stops processing a work 
unit after finding the first partial match key it will have a 
significant undercount in found keys. If it tried to cover up the 
undercount by not reporting empty work units it will have a high lost 
work rate and still have a skewed count for multiple partial key units. 
The only way to keep a clients results statistically normal so it 
doesn't stand out is to do all the work. Then it might as well join the 
existing project or form it's own.

I can't come up with any way to justify spending the effort to crack 
RC5-72. To spend the same effort only to have a slim possibility of 
stopping someone else from cracking it is just unfathomable.

>>> Nobody needs the source. It was probably /dev/srandom or so, anyway.
>> Security thru obscurity?
> No, security through impossible-to-recover device timings. Have you 
> asked RSA how the keys were generated? Did they tell you they can't 
> tell, because that might compromise the contest? Or are you just 
> assuming that the keys were generated by someone typing random 
> hexadecimal digits, or MD5ing a text string, or (ick!) rand()?

When I was just a kid during engineering days at college someone was 
running a craps program on an HP 9830 desk calculator. I waited until 
they restarted the program and wrote down a few results went upstairs 
and wrote my own simulator. Sure enough, they were using the built in 
rand() and not even initializing it (I told you these were engineers). 
After jotting down several sequences I went back downstairs and cleaned 
them out. Too bad they weren't playing for money.

More information about the Hardware mailing list