
SAT solving – An alternative to brute force Bitcoin mining (2013) - scscsc
https://jheusser.github.io/2013/02/03/satcoin.html
======
optimiz3
SAT solving SHA256 is a dead end - I was researching this for the purpose of
Bitcoin mining (before this article came out), along with many others, for
profit.

SAT solving typically relies on reducing a function down to boolean
expressions where clauses are minimally connected with AND operations (a.k.a.
Conjunctive Normal Form).

The math basis for this is that in GF2 (Galois Field 2 - a number system with
only 2 values):

    
    
      AND is equivalent to Multiply (1 * 1 = 1; 1 * 0 = 0, etc.)
    
      XOR is equivalent to Addition (1 + 1 = 0; 0 + 1 = 1, etc.)
    

This is useful because we can re-express a boolean function as multiplication
and addition for complexity analysis.

The difficulty comes when you mix AND and XORs; take the Ch function within
SHA256 -

    
    
      Ch(E, F, G) == (E & F) | (~E & G)
    

Which can be rewritten as:

    
    
      Ch(E, F, G) == (((F ^ G) & E) ^ F)
    

Rewritten in GF2 it is equivalent to:

    
    
      Ch(E, F, G) == ((F + G) * E) + F
    

Because of distributive laws, we know there is zero way to simplify this
further.

Its trivial to see that to work backwards, you have to "consider" way more
input combinations for every known output. Even if the output is 0 (which you
want when Bitcoin mining), you have this problem where there are 4 possible
input combinations.

Now unroll the entire SHA256d function Bitcoin uses and you realize the effort
to work backwards is far more than the effort to brute-force the input
keyspace. This explosion in complexity comes from the fact that the whole
function feeds forward, so there is little that can be done to "resolve out"
intermediate values as there are no cyclic value dependencies.

SHA256d is effectively a giant rat's nest of multiplies and adds, all stacked
on top of each other, that cannot be reduced, due to distributive laws.

~~~
a-dub
I recently (naively) dug into it to try and understand where it's magic comes
from. I was under the impression that it also gets strength by flipping back
and forth between F2 and Z+. Where AND and XOR are linear in F2, they're
nonsense in Z+, where addition in Z+ is nonsense in F2 (not to forget the
whole mod 2^32 part).

Is that actually true or did I just bs myself?

~~~
optimiz3
Yes, we don't have good ways to unify the flipping between GF32 and GF2 beyond
down-converting to GF2 (which yields a massive increase in clause-complexity).

GF32 addition in GF2 basically looks like a giant ripple-carry-adder.

~~~
zvrba
> GF32 addition in GF2 basically looks like a giant ripple-carry-adder.

I tried to implement addition in GF32 through Kogge-Stone adder because the
dependency chain has length 5 instead of 32. No success. The intermediate
variables got so complex that the BDD library I used at the time couldn't even
synthesize the expression for a 32-bit adder.

------
billylindeman
This is an old article. This one is also very interesting by the same author:
[https://jheusser.github.io/2013/12/30/satcoin-
code.html](https://jheusser.github.io/2013/12/30/satcoin-code.html)

Proof of concept of the SAT solving idea.

~~~
scscsc
Yes it's from 2013 it seems but I just bumped into it and it seemed cool and
interesting. I think this community will appreciate the idea.

I was curios if anyone here is mining bitcoins and if it's worth their time.

~~~
flatline
I bought a couple of the cheaper USB miners earlier this year just to play
around with...have spent quite a bit of time since then mining alts. Bitcoin
mining is absolutely a fool's game at this point. The hardware vendors have a
terrible track record (cf. the recent FTC raid on BFL), and there is a slim
margin wherein a few people somehow manage to earn more than they spent on the
devices -- the rest of the time a purchase results in a substantial loss due
to hardware obsolescence and exponentially increasing difficulty. At some
point I figure the technology will stabilize and the prices will make mining a
reasonable option again, but for the moment you are far better off just buying
some coins.

~~~
aftbit
Things were much nicer when GPU mining was the market leader. Bitcoin mining
was usually profitable for a few weeks during/after a major price jump, and
your main cost was power. Once the profitability window ended, just turn off
your mining hardware.

Now that we have ASICs and scammy companies with months of lead time making
them, things are way more volatile. Power is cheap, but the hardware is
thousands of dollars, and the preorder/crowdfunding scheme is pretty
reprehensible.

Would scrypt with harder parameters make a better ASIC-resistant hash?

------
nickodell
>Initial tests showed that block 218430 with considerably higher difficulty is
solved more efficiently than the genesis block 0 for a given nonce range.

This is very misleading. 99.99999999% of the work of finding a valid block is
finding the right block header to mine on. You have 2^32 possible nonces, and
your odds of finding a block are 1 in 2^67.

By giving his program the block in advance, he's taking a shortcut.

An algorithm that could quickly decide whether a block header contained a
valid solution would be very valuable indeed.

------
viraptor
The part I find most interesting is that (if I understand it correctly),
bruteforce gets harder as SAT solving gets easier. That is - the more zeros
are required, the fewer variables are in the SAT problem. The less zeros are
required, the higher chance of bruteforcing a correct result.

(edit: actually not fewer variables, but... I'm not sure what the correct term
is, but the tree of operations gets smaller, because more results have to be
fixed)

~~~
scscsc
Actually I'm not sure that claim is accurate (they state it as an intuition).
The fact that there are more constraints (that was the word you're looking
for) does not necessarily mean that SAT will be easier. It could be that the
constraints make finding a solution _more_ difficult.

~~~
ITwitchToo
It is true in an absolute, mathematical sense that the search space gets
smaller when you fix a variable to a particular value.

However, by fixing a variable (and effectively removing it), you are also
removing potential solutions from that search space.

In a sense, you could view the difficulty of a SAT problem as the fraction of
valid solutions in the whole search space. By fixing a variable, you are
decreasing both the number of valid solutions and the size of the total search
space. But the fraction could end up being either greater or smaller,
depending on the variable and the value you set it to.

------
pbsd
While SAT, and their cousin SMT, solvers are useful in the analysis of
symmetric cryptographic primitives, they quickly become useless once the
complexity of the problem hits a certain threshold. They are best employed to
analyze contained parts of the primitive.

It can be wise to use a SAT solver to find a preimage of, e.g., SHA-256
reduced to 10 rounds. But it will be hopeless on the full function, unless it
is severely broken.

~~~
scscsc
I think you misread the article. They are not claiming to break SHA, they are
claiming they can get better than bruteforce performance on mining bitcoins.

~~~
pbsd
I understand that. The author himself does not claim this approach is faster
than bruteforce. Indeed, consider the converse: for mining using a SAT solver
to be faster than bruteforce implies that the SAT solver is able to exploit
some structure in the hash function which plain bruteforce has no access to.
The point of a good hash function is to have no such structure.

If you additionally consider how SAT solving algorithms work, they are less
amenable to modern CPUs than plain bruteforce, which can take full advantage
of SIMD and instruction parallelism. If you look at password hash breakers,
you will see them using extra tricks, like early abort, to speed things up
even further.

~~~
im3w1l
>The point of a good hash function is to have no such structure.

Our hash functions are not perfect with respect to this.

------
xnull2guest
In general, if one could find preimages using SAT it wIn general, if one could
find preimages using SAT it would be done for cryptanalytic purposes would be
done for cryptanalytic purposes. SAT is also not likely to admit a hardware
(ASIC, etc) solution, so it would be much more difficult to massively
parallelize and to keep cost per hash low.

