Equihash

Last updated November 16, 2024

Equihash is a memory-hard Proof-of-work algorithm introduced by the University of Luxembourg's Interdisciplinary Centre for Security, Reliability and Trust (SnT) at the 2016 Network and Distributed System Security Symposium. The algorithm is based on a generalization of the Birthday problem which finds colliding hash values. It has severe time-space trade-offs but concedes vulnerability to unforeseen parallel optimizations.^[1] It was designed such that parallel implementations are bottle-necked by memory bandwidth in an attempt to worsen the cost-performance trade-offs of designing custom ASIC implementations. ASIC resistance in Equihash is based on the assumption that commercially-sold hardware already has quite high memory bandwidth, so improvements made by custom hardware may not be worth the development cost.^{[ citation needed ]}

General

Equihash was proposed by Alex Biryukov and Dmitry Khovratovich as part of the University of Luxembourg research group CryptoLUX. It was introduced at the Network and Distributed System Security Symposium 2016 in San Diego. Notable blockchain-based projects such as ZCash, BitcoinZ, Horizen, Aion, Hush, and Pirate Chain have integrated Equihash for reasons such as security, privacy, and ASIC miner resistance.^{[ citation needed ]}

The manufacturer Bitmain has succeeded in optimizing the processing of Zcash's Equihash-200,9 with an ASIC.^[2]

Specification

Equihash has three parameters – $n$ , $k$ , and $d$ – which determine the algorithm's time and memory requirements. The time complexity is proportional to $2^{{\frac {n}{k+1}}+d}$ while the memory complexity is proportional to $2^{k+{\frac {n}{k+1}}}$ . The algorithm is often implemented with $d=0$ (using an alternative method of controlling the effective difficulty).^[1]

The problem in Equihash is to find distinct, $n$ -bit values $i_{1},i_{2},...,i_{2^{k}}$ to satisfy $H(i_{1})\oplus H(i_{2})\,\oplus \,...\,\oplus \,H(i_{2^{k}})=0$ such that $H(i_{1}\parallel i_{2}\parallel \,...\,\parallel i_{2^{k}})$ has $d$ leading zeros, where $H$ is a chosen hash function.^[1] In addition, there are "algorithm binding conditions" which are intended to reduce the risk of other algorithms developed to solve the underlying birthday problem being applicable. A memory-less verification requires $2^{k}$ hashes and XORs.^[1]

Memory-hardness and time-space tradeoffs

It is proposed that the puzzle in Equihash be solved by a variation of Wagner's algorithm for the generalized birthday problem. (Note that the underlying problem is not exactly the Generalized Birthday Problem as defined by Wagner, since it uses a single list rather than multiple lists.) The proposed algorithm makes $k$ iterations over a large list.^[1]^[3] For every factor of ${\frac {1}{q}}$ fewer entries per list, computational complexity of the algorithm scales proportional to $q^{\frac {k}{2}}$ for memory-efficient implementations. Alcock and Ren^[4] refute Equihash’s security claims, concluding that no tradeoff-resistance bound is in fact known for Equihash.

Usage

The cryptocurrency Zcash implements Equihash with $n=200$ and $k=9$ .

The cryptocurrency BitcoinGold implements Equihash with $n=144$ and $k=5$ .

Related Research Articles

<span class="mw-page-title-main">HMAC</span> Computer communications authentication algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.

In probability theory, the birthday problem asks for the probability that, in a set of $n$ randomly chosen people, at least two will share a birthday. The birthday paradox refers to the counterintuitive fact that only 23 people are needed for that probability to exceed 50%.

In mathematics, and in particular linear algebra, the Moore–Penrose inverse⁠ $⁠$ of a matrix ⁠ $⁠$ , often called the pseudoinverse, is the most widely known generalization of the inverse matrix. It was independently described by E. H. Moore in 1920, Arne Bjerhammar in 1951, and Roger Penrose in 1955. Earlier, Erik Ivar Fredholm had introduced the concept of a pseudoinverse of integral operators in 1903. The terms pseudoinverse and generalized inverse are sometimes used as synonyms for the Moore–Penrose inverse of a matrix, but sometimes applied to other elements of algebraic structures which share some but not all properties expected for an inverse element.

The Deutsch–Jozsa algorithm is a deterministic quantum algorithm proposed by David Deutsch and Richard Jozsa in 1992 with improvements by Richard Cleve, Artur Ekert, Chiara Macchiavello, and Michele Mosca in 1998. Although of little practical use, it is one of the first examples of a quantum algorithm that is exponentially faster than any possible deterministic classical algorithm.

KCDSA is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over $, but an elliptic curve variant (EC-KCDSA) is also specified.$

The GOST hash function, defined in the standards GOST R 34.11-94 and GOST 34.311-95 is a 256-bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.11-94 Information Technology – Cryptographic Information Security – Hash Function. The equivalent standard used by other member-states of the CIS is GOST 34.311-95.

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In computer science, the prefix sum, cumulative sum, inclusive scan, or simply scan of a sequence of numbers $x 0, x 1, x 2, ...$ is a second sequence of numbers $y 0, y 1, y 2, ...$ , the sums of prefixes of the input sequence:

In computer science, locality-sensitive hashing (LSH) is a fuzzy hashing technique that hashes similar input items into the same "buckets" with high probability. Since similar items end up in the same buckets, this technique can be used for data clustering and nearest neighbor search. It differs from conventional hashing techniques in that hash collisions are maximized, not minimized. Alternatively, the technique can be seen as a way to reduce the dimensionality of high-dimensional data; high-dimensional input items can be reduced to low-dimensional versions while preserving relative distances between items.

Threefish is a symmetric-key tweakable block cipher designed as part of the Skein hash function, an entry in the NIST hash function competition. Threefish uses no S-boxes or other table lookups in order to avoid cache timing attacks; its nonlinearity comes from alternating additions with exclusive ORs. In that respect, it is similar to Salsa20, TEA, and the SHA-3 candidates CubeHash and BLAKE.

In computer science, streaming algorithms are algorithms for processing data streams in which the input is presented as a sequence of items and can be examined in only a few passes, typically just one. These algorithms are designed to operate with limited memory, generally logarithmic in the size of the stream and/or in the maximum value in the stream, and may also have limited processing time per item.

The elliptic curve only hash (ECOH) algorithm was submitted as a candidate for SHA-3 in the NIST hash function competition. However, it was rejected in the beginning of the competition since a second pre-image attack was found.

In cryptography, an accumulator is a one way membership hash function. It allows users to certify that potential candidates are a member of a certain set without revealing the individual members of the set. This concept was formally introduced by Josh Benaloh and Michael de Mare in 1993.

Zerocoin is a privacy protocol proposed in 2013 by Johns Hopkins University professor Matthew D. Green and his graduate students, Ian Miers and Christina Garman. It was designed as an extension to the Bitcoin protocol that would improve Bitcoin transactions' anonymity by having coin-mixing capabilities natively built into the protocol. Zerocoin is not currently compatible with Bitcoin.

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public-domain software.

The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an identity-based encryption (IBE) system proposed by Ryuichi Sakai and Masao Kasahara in 2003. Alongside the Boneh–Franklin scheme, this is one of a small number of commercially implemented identity-based encryption schemes. It is an application of pairings over elliptic curves and finite fields. A security proof for the algorithm was produced in 2005 by Chen and Cheng. SAKKE is described in Internet Engineering Task Force (IETF) RFC 6508.

Bitcoin Gold (BTG) is a cryptocurrency which was created as a hard fork of bitcoin.

Dmitry Khovratovich is a Russian cryptographer, currently a Lead Cryptographer for the Dusk Network, researcher for the Ethereum Foundation, and member of the International Association for Cryptologic Research.

In computer science, a parallel external memory (PEM) model is a cache-aware, external-memory abstract machine. It is the parallel-computing analogy to the single-processor external memory (EM) model. In a similar way, it is the cache-aware analogy to the parallel random-access machine (PRAM). The PEM model consists of a number of processors, together with their respective private caches and a shared main memory.

The Bernstein–Vazirani algorithm, which solves the Bernstein–Vazirani problem, is a quantum algorithm invented by Ethan Bernstein and Umesh Vazirani in 1997. It is a restricted version of the Deutsch–Jozsa algorithm where instead of distinguishing between two different classes of functions, it tries to learn a string encoded in a function. The Bernstein–Vazirani algorithm was designed to prove an oracle separation between complexity classes BQP and BPP.

References

1 2 3 4 5 Biryukov, Alex; Khovratovich, Dmitry (2017). "Equihash: Asymmetric Proof-of-Work Based on the Generalized Birthday Problem: Open Review". Ledger. 2. doi: 10.5195/ledger.2017.48 . Archived from the original on 13 October 2018. Retrieved 7 October 2018.
↑ Dölle, Mirko (June 26, 2018). "End of the graphics card era: 8000 ASIC Miners for Zcash, Bitcoin Gold & Co". Heise (in German). Archived from the original on 6 September 2018. Retrieved 6 Oct 2018.
↑ Wagner, David (2002), "A Generalized Birthday Problem", Advances in Cryptology — CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, Springer Berlin Heidelberg, pp. 288–304, CiteSeerX 10.1.1.5.5851 , doi:10.1007/3-540-45708-9_19, ISBN 9783540440505
↑ Alcock, Leo; Ren, Ling (November 3, 2017). "A Note on the Security of Equihash". CCSW '17. Proceedings of the 2017 Cloud Computing Security Workshop. 2017 ACM SIGSAC Conference on Computer and Communications Security. Dallas, TX, USA: ACM. doi:10.1145/3140649.3140652. Archived from the original on July 22, 2020. Retrieved July 21, 2020.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Biryukov_2017-1] 1 2 3 4 5 Biryukov, Alex; Khovratovich, Dmitry (2017). "Equihash: Asymmetric Proof-of-Work Based on the Generalized Birthday Problem: Open Review". Ledger. 2. doi: 10.5195/ledger.2017.48 . Archived from the original on 13 October 2018. Retrieved 7 October 2018.

[2] Dölle, Mirko (June 26, 2018). "End of the graphics card era: 8000 ASIC Miners for Zcash, Bitcoin Gold & Co". Heise (in German). Archived from the original on 6 September 2018. Retrieved 6 Oct 2018.

[3] Wagner, David (2002), "A Generalized Birthday Problem", Advances in Cryptology — CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, Springer Berlin Heidelberg, pp. 288–304, CiteSeerX 10.1.1.5.5851 , doi:10.1007/3-540-45708-9_19, ISBN 9783540440505

[Alcock_2017-4] Alcock, Leo; Ren, Ling (November 3, 2017). "A Note on the Security of Equihash". CCSW '17. Proceedings of the 2017 Cloud Computing Security Workshop. 2017 ACM SIGSAC Conference on Computer and Communications Security. Dallas, TX, USA: ACM. doi:10.1145/3140649.3140652. Archived from the original on July 22, 2020. Retrieved July 21, 2020.

[1]

[2]

[3]

[4]