Analyze cost to attack truncated SHA256

[ValarDragon]

There is concern that 80 bits of security with truncated 20 byte sha256 is insufficient. We need to do a cost analysis of the cost to break truncated levels of sha256 (i.e. cost per asic + electricity) and figure out exactly what margin between 20 byte and 32 byte hashes we want to use. (As the space savings are worth considering) Its important to note that you can't reuse bitcoin asics, since we have domain seperators on the hashes.

Ideally at the end of it, we should create an ADR for this.

[ValarDragon]

TL;DR I think we should go with 27 bytes instead of 20.

The Antminer S9 costs $615, computes at 13 TH/s, and takes about 1.2KW. Recall that bitcoins hash function is sha256d, so this is really 26 TH/s (26 * 10^12) for our use case.

For purposes of this analysis, lets presume both the energy cost, cost per unit is halved due to technological improvements, and that the hash rate is about doubled. So a $300 base fee, at 50 TH/s, and .5KW. Lets also assume our attacker is magical, who can achieve the vast quantities of energy needed at 10$/ MWH, without transmission loss, and suffers 0 cost for doing things at scale. (e.g. no cooling bills or operational expenses). This is a model that is nowhere near possible to instantiate imo.

The birthday bound tells us that 20 byte truncated sha2, takes 1.17 * 2**80 hashes for a 50% chance of collision. (Lets round this to 2**80) Lets optimize for what the lowest cost on the miner would be, and see what that cost is.

Cost(security parameter, num_miners) = base_cost_per_miner * num_miners + num_miners * time_ran * electricity_rate * electricity_cost

time_ran = (2^(security parameter / 2)) / (num_miners * hash_rate_per_miner)

Note that substituting the time_ran term into the cost equation cancels out the num_miners term, therefore the electricity costs are independent of the number of miners. (As we already opted to ignore all the operational expenses / issues with scaling) This indicates that we can just measure cost in terms of the electricity cost, and presume the attacker had any number of miners. (the dictating term is now electricity_rate_per_miner / hash_rate_per_miner)

Cost_due_to_time = electricity_rate_per_miner * electricity_cost * (2^(security parameter / 2)) /  (hash_rate_per_miner) 
= (.5KJ per second) * $10/MWH * (2**80 hashes) / (50 * 10**12 hashes per second)
= 1 KJ per second * $36/ ( 10^6 KJ) * 20148763660
= $435,213

So clearly in this idealistic model with 80 bits of security, cost due to electricity is insufficient.

Consider what happens if we raise the security to 25 bytes, or 100 bits of security. Then the cost would increase by a factor of 2**20, and therefore, it would cost 456 billion dollars to pay for the electricity to attack this system. When you want to have enough miners, that this could be computed in the human lifespan (~80 years), the number of miners needed is:

num_miners_needed = (2^(bits of security)) / (time_to_run * hash_rate_per_miner)
= 2^100 hashes / ((80 * 365 * 24 * 3600 seconds) * 50TH/s) 
= 10,049,233 miners

At the cost cited here, building these miners would cost about a billion. Also with 10 million miners, the rate of electricity usage would likely drive up the operational costs that are being ignored here. I also doubt any adversary wants to wait 80 years though. Lets say they want to find a collision within one year, simply raise the number of miners needed by a factor of 80.

In case there is fear that the described model is not idealistic enough, (e.g. we find a way to compute more sha2 hashes with less electricity, or cold fusion is significantly more cost effective) I propose using 27 bytes, or 108 bits of security. In this model, that puts the energy cost to 116 trillion dollars, and the number of miners needed to break the system in 80 years to 2.5 billion miners. I think things like paying for cooling, or handling transferring power, are going to drive the real world price well past what has been estimated here.

I am certain that for the foreseeable future, 116 trillion is fine. (The US governments yearly revenue atm is < 7 Trillion AFAICT) As I've now mentioned many times, I think the true cost will be much higher, and with that much money you can certainly buy 1/3rd of the atom supply imo. We can also switch hash functions, thats not out of the picture, if there is significant improvement in ASIC technology, or electricity. Because of this I'm actually fine with 25 bits as well.

Recall that this only would enable you to double spend (e.g. find a random collision), you couldn't steal someone elses money.

I'll write this up into a spreadsheet, so one can play with the numbers more easily.

[ValarDragon]

Actually I think we should just use full Sha2. While we do get space improvements per the above analysis, I imagine many people will want to fork and use a faster hash, e.g. blake2. The security trade-off for faster hashes is much different if ASICS for them develop, and therefore the above analysis is invalidated. (e.g. by virtue of blake2b being faster, an ASIC will be able to do more hashes per unit time, so you'd need more bytes)

To avoid the concern of having to deal with communicating not only the hash, but what size the output is (And if its truncation, or an adaptation to the algorithm itself as in blake2), I think we should just use full 32 bytes.

[ValarDragon]

Talked to @jaekwon, he said 32 bytes seemed fine for launch. We should keep the code in such a way that it is easy to update the size (so keeping the tmhash and tmhash.Size concepts). He suggested that #postlaunch we benchmark impacts changing the hash size will have on IAVL and proofs, and reconsider lowering it then.

Jae also had an interesting idea to keep the address hash as 20 bytes. (\end Jae quotations)

This makes alot of sense to me, since attacking an address would be a pre-image attack. For a single user, the difficulty at 17 bytes should be roughly equivalent to the difficulty of finding a 32 byte sha2 collision. We have to be careful here, and be sure to account for batch attacks properly. Math for number of bits of security for a batch pre-image attack being equivalent in difficulty to finding a random collision in sha2 from a number of hashes perspective: (The random collision has the added difficulty of memory storage, and collision checking)

Finding a random collision in sha2 takes sqrt(pi/2) * sqrt(2^(256)) ~= 1.25 * 2^128 .
Finding a pre-image of one of n hashes of length b bits takes 2^(b-1)/n hashes. Setting these equal,
b = log_2(1.25 * n * 2^129). Thus if we assume there are 2**40 = 1 trillion accounts, security is equivalent if b = 169.3 bits, or 22 bytes. (We actually get security up to 70 trillion with 22 bytes) If we go to 23 bytes for account size, we get equivalent security up to 18 quadrillion accounts.

Not sure what number of accounts we want to make the trade-off for (or if its even worth the mental complexity), though I feel like both 22 bytes and 23 bytes are safe.

Recall that world population is 7 billion.

[xla]

@ValarDragon From your last comment this sounds like a post-launch concern, unless the findings from the benchmarking will result in actionable changes. Should we move this issue?

[ValarDragon]

Changing the tmhash to 32 bytes is prelaunch, and I think was agreed on? (We can then reduce it postlaunch) I think we also want the address size to be constant post launch, so we need to decide the actual size parameter there. So right now we should probably make a second addrhash, and switch usage in Tendermint/SDK accordingly, along with resizing tmhash.

[ebuchman]

Should we adopt multihash?

[ValarDragon]

I think multihash formats should only be used to communicate the state-tree hash in an initial ibc level handshake, and not in the actual merkle tree, address hashes or intra-signature hashes. The latter is going to be insanely hard to do. There isn't really a need for this extra data in the address hash, since you should know the chain its coming from. Within the merkle tree, it would increase proof size, and break rfc compatibility.

[ebuchman]

Isn't the RFC generic w.r.t the hash function chosen? Effectively multihash defines a single hash function, so I would think it could fit into the RFC format fine.

With multihash, we could upgrade the hash function again in the future without breaking everything.