← Back to context

Comment by tromp

5 days ago

Does the gridbach server trust all submitted results to be correct, or can it somehow verify them (much faster than the outsourced computation) ? I managed to contribute 2B verifications in a few minutes.

28 comments

tromp

Reply
oefrha  5 days ago

I had a brief look at the network traffic and code. The network communication is very simple:

To request a new batch:

  POST https://jqarehgzwnyelidzmhrn.supabase.co/rest/v1/rpc/get_job
  apikey: ...
  authorization: Bearer ...

  {"_client_hash":"..."}

returns something like

  {
    "jobId": 755344,
    "message": "get_job() succeeded, got jobId: 755344 as a new one"
  }

which means the client should check 4000075534400000000-4000075534500000000.

Once done:

  POST https://jqarehgzwnyelidzmhrn.supabase.co/rest/v1/rpc/put_job
  apiKey: ...
  authorization: Bearer ...

  {"_client_hash": "...","_job_id": 755344,"_status": 1,"_elapsed_time": 19.54,"_p": 3463,"_q": "4000075534448687929"}

Here, _client_hash is generated by wasmHash(`{"method":"Hash"}`) in /js/worker.js (yes, the payload is a fixed string), and while I didn't try to disassemble the wasm, one can pause execution and repeatedly call wasmHash() to observe it's basically a TOTP that changes every 10s, so it doesn't carry any mathematical information.

Therefore, all the info that can be used for verification on the server is a single pair of _p and _q adding up to one number in the entire range. That's the extent of the verification.

One can of course patch the code to check a single number before reporting that the entire range has been checked. Pretty sure it's impossible for the server to detect that.

Correct me if I made a mistake somewhere.

Edit: On second thought, maybe the specific number reported back is deterministically chosen in a way that relies on finishing all the checks in the range, and thus can be compared with other reported results for the same range?

Even in that case, the server can't verify the work without repeating it. mersenne.org hands out a double checking job about 8 years later presumably to thwart determined attackers.[1]

[1] https://www.mersenne.org/various/math.php

  • looofooo0  5 days ago

    Yeah, I mean what OP doing is statistically searching for counterexample at worst, but without verification about the completeness of the range. Only if we assign jobs randomly and multiple times, we may believe in the truth about the whole range, at least under the assumption, that there is enough people and no big enough attacker.

  • jay_gridbach  5 days ago

    [flagged]

    • MauranKilom  5 days ago

      But you posted this to a site that is literally called Hacker News... To be clear, I am not supporting any attempt at undermining your project, but people are pointing out to you that your results will be called into question if your only defence against "hacking" is "I hope people don't figure out how to do that".

      1 reply →

    • tgv  5 days ago

      That is understandable, but counterproductive. Tou can’t walk away from this by pretending it doesn’t exist. It only takes one troll to ruin the achievement.

      1 reply →

    • oefrha  5 days ago

      Note: The parent comment accused me of giving clues to hack the application, but that part was later edited out, making my response a bit strange.

      ---

      This is basically a free security audit, even though I only spent like five minutes. If your application can be "hacked" so easily, it's very irresponsible to say you're "verifying" the conjecture. Removing the comment doesn't make your application any more secure.

      Btw, I even helpfully pointed to prior art which you can learn from. A butthurt response is pretty sad.

      1 reply →

    • gpvos  5 days ago

      The most foolproof way to verify the results would be to have the client return all the 100 million values back to the server. This may be a bit much though, so alternatively, after submission, send a random selection of numbers in the range back to the client, which will have to return the prime summands* for those. Possibly with a time limit to prevent it from doing the calculation for only those numbers. So it probably also needs to be a fairly large selection.

      *I had to look up that word

    • fragmede  5 days ago

      Respectfully, you have put in an amazing amount of work. Unfortunately life is not so kind in other parts of the world, and people are just not nice on the Internet, and they will try and break your project just for the fun of it. It is very sad, but that is the reality of the Internet today.

      5 replies →

jay_gridbach  5 days ago

Thanks for giving it a try. The Gridbach server only accepts computed result sent from my component.

  • Gehinnn  5 days ago

    But how do you make sure the user actually runs your component without any modification?

    • jay_gridbach  5 days ago

      All I can tell here is that I do certain level of valication on server side. As one of the goals of this project is to popularize the fun of mathematics among the general public, I think I would need to avoid a open network configuration to strictly conduct academic verification. The algorithm itself is publicly opened, so anyone can verify the computation step is correct or not. https://github.com/nakatahr/gridbach-core

      8 replies →