Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: aliashraf on April 09, 2018, 10:20:39 AM



Title: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 09, 2018, 10:20:39 AM
Hi all,
In this series of articles, I'm going to share my technical analysis of Bitmain's latest attack on Ethash along with my own counterattack proposal. I have not started coding my algorithm tweak proposal yet but will do it in the next few days.

It was the bitcoin community's fault in the first place not to recognize ASICs as a crack and not to take proper action against them by upgrading to an ASIC resistant PoW, imo. The endless scalability debate (faked/escalated by Bitmain?  :-\ ) was just a distraction for the community to sit and watch what was happening to the most unique, unprecedented feature of bitcoin, decentralization powered by PoW, being put in danger by an old-fashioned way of cracking: the Application Specific Integrated Circuit, ASIC.

As a direct consequence of this passivity, Jihan earned billions of dollars and became powerful enough to attack other coins by investing more in ASIC design and production (besides taking malicious positions in the bitcoin ecosystem). Scrypt, X11, Blake, ... were cracked one after another in a short period of time. Each time an ASIC miner with a crazy efficiency advantage over GPU mining was introduced by Bitmain after it had mined enough of each coin before the disclosure.

Now the monster has become so rich and self-confident that it attacks the second largest cryptocurrency and one of the most promising ones, Ethereum and its Ethash PoW, by introducing the E3. It isn't an ASIC attack, as I'll argue throughout this topic, but it deserves to be classified as an attack, possibly a new class of attack that can be accomplished only by such a resourceful monster, and again its purpose is hardware monopolization.

Monero and its Sergio reacted almost instantly; they have already forked the chain and are very committed to their ASIC resistance strategy, but the Ethereum Foundation and Buterin, on the contrary, are showing no interest. They have not responded yet; instead, Buterin recently has coldly proposed to take advantage of this threat and boost Ethereum's migration to PoS, using his new toy, Casper.

PoW is not a toy to be replaced childishly, and I'm sure the Ethereum Foundation will have a lot of trouble managing such a destructive hard fork (personally I'll fully support any resistance against their agenda), so I will deliberately eliminate Casper and PoS as a solution, firstly because I don't recognize a coin based on PoS as Ethereum (Posethereum? Maybe :)) ) and secondly because I think it is more about Ethash. PoS may save or destroy Ethereum but it has nothing to do with Ethash.

Actually it is more about PoW rather than Ethash; improving bitcoin's SHA256 PoW is not so unlikely that it should be supposed totally off the table forever (even after the failed BTG experiment). I think Bitmain is increasingly getting stronger and more dangerous and will take more aggressive positions against the community, and one solution for the crisis would be enhancing PoW to get rid of Bitmain. This is why I have labeled this topic as a resurrection attempt toward PoW rather than Ethash; the latter is just an interesting case chosen to be studied more precisely.

The upcoming debate in bitcoin over this issue and its result won't be as radical as what Buterin and his mates feel free to do with Ethereum. Bitcoin is three times bigger (in terms of market cap) and, unlike the way Buterin and the Ethereum Foundation (inappropriately) treat their coin, it is not an experimental project; there will never be a PoS or proof-of-anything migration debate in bitcoin, but a PoW tweak to become more resistant to Bitmain attacks? Who knows? :-\

So I see stakes here for the bitcoin community to get involved in the ASIC resistance debate actively, and it is not that surprising:
Cryptocurrencies have a lot of technology and experience to share and PoW issues are at the top of the list.

After all PoW has gone through, there is disappointment in the air and many give-up proposals on the table. Some people argue that because 'ASIC resistant' is not equal to 'ASIC proof' (?), the failure of the Scrypt, Cryptonight, X11, ... algorithms (and supposedly Ethash now) is enough evidence for us to be convinced that PoW is inherently vulnerable and will lead to hardware centralization. Some use this to suggest approaches other than PoW for securing the blockchain (the 'proof of something' discourse and the trending PoS variant) while others recommend coping with the claimed flaw and praying for other ASIC manufacturers to come onto the scene and compete, or claim that there is no centralization threat at all (honestly, aren't they paid by Bitmain?  :-\).

I'm strongly against these arguments and believe that ASIC resistance is the same as ASIC proof (practically), and if some algorithms have failed their promise it does not imply anything other than that they have to upgrade and fix their vulnerabilities.

Plus I think a more general hardware centralization threat should be addressed (including but not limited to ASICs); it is substantially because of my perception of the latest Bitmain E3 that I have come to the conclusion that it is not an ASIC but is nevertheless a serious hardware centralization threat.

Bitmain's E3 seems to be a new type of attack on PoW based blockchains. It is not an Application Specific Integrated Circuit (ASIC) because it lacks the required signature of ASICs, an orders-of-magnitude enhancement in efficiency. From what Bitmain has officially announced, the E3 is not more efficient than a 6x570 based GPU rig (it consumes 800 watts to produce 180 Mh/s of Ethash mining power); definitely it is not what you expect from an ASIC.

But if Bitmain has not achieved more efficiency, how is it possible to categorize its E3 as an attack? The trivial answer is cost efficiency.

In a sophisticated marketing maneuver, Bitmain is selling its miner for a price far (more than 3 times) below what an ordinary GPU miner can manage to assemble a comparable mining rig for. It pushes ordinary miners out of the market, is a hardware centralization threat and deserves to be classified as an attack. I'll show here that it is a special-purpose machine built for taking advantage of a specific vulnerability of a modern PoW algorithm like Ethash. It is nothing less than an attack and for convenience I'll call it an Application Specific Architectured Computer, ASAC.

Bitmain, obviously, has not disclosed anything worth mentioning about the E3 other than a picture (of an ugly mini case) plus 800 watts power consumption, 180 Mh/s Ethash power and an $800 price, besides a 3 month pre-order requirement for the buyers. If it were not Bitmain, it would look just like a scam, but it IS Bitmain and something is wrong here.

Just like any other technology, the most important secret, which is disclosed as soon as it has been introduced, is always its feasibility. When you announce a product, you have already compromised the most important secret about it: its existence!

My assumption here is that Bitmain has managed to reduce costs dramatically, and in the very few days after the announcement I have been busy finding out how.

Obviously, I had to review Ethash again, this time in the light of the E3 disclosure and being 100% convinced that there exists a vulnerability and that Bitmain has taken advantage of it to manage the attack.

I have found a possible answer and a proper solution, both not very hard to guess: I think it is a shared memory attack (not the old Dagger vulnerability though) and mitigation is possible by enforcing dedicated memory requirements, which I'll share in the next few days, but before proceeding any further I would like to hear from other forum members about this issue.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: trgnn on April 10, 2018, 04:02:30 PM
POS


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: SpinningTruth on April 10, 2018, 05:05:11 PM
Thanks for the thoughtful article.  I'm working in a similar area and thought I'd add my own perspective on how to deal with the centralization-as-an-attack cryptocurrency problem.

We seem to agree on the idea that the best defense against ASICs (and other approaches that fill the same functional and economic niche) is an economic defense.   For example, my approach to POW is to leverage PCs in a way that is uneconomic to duplicate in a fixed-purpose device.  Since many people already own PCs, their machines don't have to be counted as part of the cost of decentralized POW.

On the other hand, someone building a dedicated mining farm would have to outlay *extra* money to compete with something that the decentralized community already has in abundance.   

This approach failed for bitcoin because the POW algo was too trivial; it required only a few instructions of the CPU and a tiny amount of memory.  A $1000 PC was making use of only a tiny fraction of its cost for mining.  This left a huge window for exploitation by ASICs (and GPUs).

A better approach would have been to use more instructions and more complex instructions as well as far more memory in the POW algo, obviously.  Further, as you point out above, the memory should be dynamically used rather than static to reduce the possibility of shortcuts.  Ideally, the algo would make use of as many capabilities of the (common) PC as possible.  Successfully implemented, this approach would not make ASIC and GPU mining 'impossible', merely impractical.

But, as you say, ASIC resistance, as defined economically, *is* ASIC proof. 

My algo is pretty basic in that it mostly makes use of lots of memory and memory bandwidth for each thread, but that alone addresses a significant subset of the 'ideal' requirements of my approach.  A GPU would be able to run a few threads, for example, but its performance should pale in comparison to a CPU.  It might be worth the electricity at the low usage level -- but the ROI would not be worth the capital outlay of building a GPU rig.

An ASIC (or ASAC) could still be made to be more efficient than a PC, but should not be drastically so.  As long as the pay-off period for a piece of special-purpose equipment is measured in multiple years, the risk would be too great for a prudent investment -- especially in the fast-moving space of cryptocurrencies.  And, more importantly, it would not provide the economic foundation for a few companies to quickly rise to dominate the space.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: ABCbits on April 10, 2018, 05:31:14 PM
I've made a thread about a similar problem at Do you think Bitcoin need to change it's PoW algorithm? (https://bitcointalk.org/index.php?topic=2971204). But changing/tweaking/modifying the PoW algorithm is difficult once ASICs are available to the public, the hashrate is dominated by ASICs or the algorithm isn't designed to combat ASICs (such as SHA-256).

For Monero, tweaking the CryptoNight algorithm isn't difficult since mining with CPU/GPU is still profitable (which means ASICs haven't taken over the network/hashrate), tweaking CryptoNight doesn't change the hash speed of CPU/GPU and, most importantly, the majority of the community agrees with their Core team's decision.

For Bitcoin, it's a hard task because:
1. ASICs completely dominate Bitcoin mining.
2. Changing the algorithm to an ASIC resistant one is difficult since the network hashrate would be very low, which makes block generation very slow and makes the Bitcoin network vulnerable during the transition, since a 51% attack on the bitcoin network will be far easier. Even when considering there are ways to "tweak" SHA-256 just to break ASICs.
3. Getting community approval over a tweak/change which requires a hard-fork is difficult, especially from ASIC miners.

I think tweaking the Ethash algorithm at this point is a good idea since the ASIC isn't available to the public yet, but without Ethereum Foundation or majority community approval, your idea won't happen (at least not without a chain-split).
But I think enforcing dedicated memory requirements won't do much since ASIC/FPGA manufacturers can simply add more memory, unless your solution is similar to CryptoNight, which forces high-speed/low-latency memory for efficient mining such as L2/L3 cache, which is expensive in big capacity. CMIIW.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 10, 2018, 05:33:21 PM
POS
thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi-billion-dollar incentivized attacks and secondly because Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 10, 2018, 06:04:53 PM
I've made a thread about a similar problem at Do you think Bitcoin need to change it's PoW algorithm? (https://bitcointalk.org/index.php?topic=2971204). But changing/tweaking/modifying the PoW algorithm is difficult once ASICs are available to the public, the hashrate is dominated by ASICs or the algorithm isn't designed to combat ASICs (such as SHA-256).

For Monero, tweaking the CryptoNight algorithm isn't difficult since mining with CPU/GPU is still profitable (which means ASICs haven't taken over the network/hashrate), tweaking CryptoNight doesn't change the hash speed of CPU/GPU and, most importantly, the majority of the community agrees with their Core team's decision.

For Bitcoin, it's a hard task because:
1. ASICs completely dominate Bitcoin mining.
2. Changing the algorithm to an ASIC resistant one is difficult since the network hashrate would be very low, which makes block generation very slow and makes the Bitcoin network vulnerable during the transition, since a 51% attack on the bitcoin network will be far easier. Even when considering there are ways to "tweak" SHA-256 just to break ASICs.
3. Getting community approval over a tweak/change which requires a hard-fork is difficult, especially from ASIC miners.

I think tweaking the Ethash algorithm at this point is a good idea since the ASIC isn't available to the public yet, but without Ethereum Foundation or majority community approval, your idea won't happen (at least not without a chain-split).
For bitcoin, as I see it and have mentioned above somehow, this option (tweaking PoW to resist ASICs) is both an open possibility and an unavoidable destiny in the middle term. For the latter my argument is based on Bitmain's situation as an over-bloated center that happens to reside in China. The bitcoin community eventually will be united; no choice.

For Ethereum it is an inevitable, almost urgent agenda. I'll do it and I don't care about a foundation and its crypto idol who have gone too far this time by breaking their contract and taking a position against the majority of the users and miners. They will pay for their strategic mistake on this issue.

Back to your arguments about the hashrate drop problem after the fork:
I know you are an expert in your own right, but I have to make it clear that two different PoW algorithms are not comparable; all that matters is security and it is directly related to the costs of attacks like sybil or 50%+1 attacks.

After the hypothetical fork, if it is supported by enough users (wallets) and a significant amount of mining power, Bitmain has no choice other than sticking with the old chain and trying to manipulate the price of the upgraded bitcoin, desperately. This can be easily mitigated by a smart and well organized campaign, imo.



Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: SpinningTruth on April 10, 2018, 06:25:40 PM
...ASIC/FPGA manufacturers can simply add more memory...

Assume I start with 128MB/thread.  How many threads are ASICs running to achieve their impressive hashrate/$ ratio?  Unless they can maintain their performance with a PC-like low thread count, their costs will quickly spiral out of control.  Of course, if I guess to the low side on memory footprint and an ASIC emerges for my hypothetical cryptocoin, I can double my memory requirements with a parameter change and recompile, rendering existing hardware devices obsolete.

Note that this is not a technical solution but an economic one.  Who would do the R&D, manufacture a production run of ASICs, and ship them to customers when the target algo is designed from the outset to trivially increase its memory requirements with one parameter change?  Also, who would buy it?
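The parameterised memory footprint described in the post above, as an added illustration that is not SpinningTruth's algorithm and not code from any project named in this thread: a toy memory-hard proof-of-work in Python whose per-thread scratchpad size is a single constant, so doubling that constant changes every hash and invalidates solutions (and hardware sized for them) computed with the old value. All function names, the parameter values and the sample block header are hypothetical or constructed.

```python
import hashlib
import struct

# Added illustration of a memory-hard PoW whose per-thread memory footprint is one
# parameter. Hypothetical toy design, not SpinningTruth's algorithm or any real coin's.

WORD_SIZE = 32                      # each scratchpad word is one SHA-256 digest
SCRATCHPAD_BYTES = 64 * 1024        # the "one parameter change": double this to obsolete old hardware
ROUNDS = 256                        # data-dependent read/modify/write passes over the scratchpad


def n_words(scratchpad_bytes=SCRATCHPAD_BYTES):
    """Scratchpad size expressed in 32-byte words."""
    return scratchpad_bytes // WORD_SIZE


def fill_scratchpad(seed, words):
    """Sequential fill: word[i] = SHA256(word[i-1] || i). The chain forces the fill to be
    computed in order, so a miner must hold the whole pad (or recompute it) before mixing."""
    pad = []
    prev = hashlib.sha256(seed).digest()
    for i in range(words):
        prev = hashlib.sha256(prev + struct.pack("<I", i)).digest()
        pad.append(prev)
    return pad


def memory_hard_hash(header, nonce, scratchpad_bytes=SCRATCHPAD_BYTES, rounds=ROUNDS):
    """Hash a (header, nonce) pair through a scratchpad of scratchpad_bytes bytes."""
    words = n_words(scratchpad_bytes)
    seed = header + struct.pack("<Q", nonce)
    pad = fill_scratchpad(seed, words)
    acc = hashlib.sha256(seed).digest()
    for _ in range(rounds):
        # The index depends on the running accumulator, so the access pattern cannot be
        # predicted (or prefetched) ahead of time.
        idx = struct.unpack("<I", acc[:4])[0] % words
        acc = hashlib.sha256(acc + pad[idx]).digest()
        # Write back: later reads depend on earlier rounds, so the pad is used dynamically
        # rather than being a static table that could be shared or precomputed.
        pad[idx] = acc
    return hashlib.sha256(acc).digest()


def meets_target(digest, difficulty_bits):
    """True if the digest has at least difficulty_bits leading zero bits."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def mine(header, difficulty_bits, max_nonce, scratchpad_bytes=SCRATCHPAD_BYTES, rounds=ROUNDS):
    """Brute-force a nonce; returns (nonce, digest) or None if none is found within max_nonce."""
    for nonce in range(max_nonce):
        digest = memory_hard_hash(header, nonce, scratchpad_bytes, rounds)
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


def verify(header, nonce, difficulty_bits, scratchpad_bytes=SCRATCHPAD_BYTES, rounds=ROUNDS):
    """A verifier needs the same parameters as the miner: a solution produced for a smaller
    scratchpad (e.g. by hardware sized for the old parameter) will not verify."""
    return meets_target(memory_hard_hash(header, nonce, scratchpad_bytes, rounds), difficulty_bits)


if __name__ == "__main__":
    header = b"constructed-block-header"          # constructed sample input, not a real block
    found = mine(header, difficulty_bits=8, max_nonce=100000, scratchpad_bytes=8192, rounds=64)
    if found is None:
        print("no solution within max_nonce")
    else:
        nonce, digest = found
        print("nonce", nonce, "digest", digest.hex())
        print("verifies with same parameters:", verify(header, nonce, 8, 8192, 64))
        print("verifies after doubling memory:", verify(header, nonce, 8, 16384, 64))
```

Running the file mines a low-difficulty nonce with an 8 KB scratchpad and then shows that the same nonce no longer verifies once the scratchpad is doubled. Two caveats a practitioner should keep in mind: the sequential fill lets a low-memory implementation trade time for memory by recomputing scratchpad words from the seed, so this toy has no analysed time-memory trade-off bound (production designs such as Argon2 or Ethash's DAG are engineered with that analysis in mind), and a parameter change of this kind is a consensus rule change, which means a coordinated upgrade of every verifier, not just of the miners.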


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Slava79 on April 10, 2018, 07:03:40 PM
POS
thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi-billion-dollar incentivized attacks and secondly because Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.

Interesting,

In the first part you say "PoS is out of context" because "it is a naive and immature idea", but provide no support for this statement. Could you please explain why it is naive and immature, especially in the light that some of the multimillion-dollar cryptocurrencies are running on it?

Secondly, you mention Posethereum and state that, as it is not Ethereum, PoS won't work.

I often see there is not much love for PoS in some circles; I'm genuinely interested why.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Xynerise on April 10, 2018, 09:00:05 PM

I often see there is not much love for PoS in some circles; I'm genuinely interested why.
There are a lot of reasons why some people do not like proof-of-stake:
There's nothing extrinsic to the network at stake, unlike in proof of work where electricity costs and computing power are used to secure the network.
In POS systems, whatever you're staking is already present in the network, so you're not really adding anything of value. You can make a case for the value of bitcoin being the electricity costs used to mine a block.

It's not as battle tested as proof of work.

Rewards on staking are usually proportional to the amount of the currency a user holds so the rich get richer. I suppose a similar argument could be made for mining.

Also there's the "nothing at stake" problem where forgers can vote for multiple blockchain histories.
There's no definite mitigation to the problem so far, current attempts only rescale the problem, and others just use a POW + POS hybrid.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Anti-Cen on April 10, 2018, 10:04:52 PM
Also there's the "nothing at stake" problem where forgers can vote for multiple blockchain histories.
There's no definite mitigation to the problem so far, current attempts only rescale the problem, and others just use a POW + POS hybrid.

I find myself having to agree with you, well presented argument, but "proof of a-b-c" is just a basis for "Trust" and this runs
against the mantra here about a "Trustless" network.

PoW is not so bad if it's useful work and not just 20,000 nodes clogging up the CPU and network, but that's not what's happening with Bitcoin;
what is happening is that CPU-Wars have been created and that only keeps Intel rich and the miners competing against each other.

What might have been acceptable if we only had the 1000 miners we needed to maintain the network does
not work when you have 20,000 or more of them, and let's leave aside the non-debate about the 51% attack.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 11, 2018, 10:36:23 AM
POS
thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi-billion-dollar incentivized attacks and secondly because Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.

Interesting,

In the first part you say "PoS is out of context" because "it is a naive and immature idea", but provide no support for this statement. Could you please explain why it is naive and immature, especially in the light that some of the multimillion-dollar cryptocurrencies are running on it?

Secondly, you mention Posethereum and state that, as it is not Ethereum, PoS won't work.

I often see there is not much love for PoS in some circles; I'm genuinely interested why.


I'm not here to argue about PoS and I think it is off topic. If they want to go PoS, let them go, and why in the hell haven't they done this already? You know why? Because there is no straight and simple model, no mathematical proof for PoS to be a reliable approach to securing a distributed system, and all its proponents have to say is something like 'this or that kind of attack never happens in the real world' ... the most worthless argument ever.

To understand what is wrong about PoS, one should understand the importance of Satoshi's PoW innovation. We had reputation based proposals for decentralized distributed systems, none capable of solving the problem. That was before Satoshi Nakamoto and his brilliant PoW proposal.

PoS is a descendant of those naive reputation based proposals (your stakes are an index of your reputation); it shares the same 'subjectivity' property in its pure form. Once a participant is staking her coins, she is risking a subjective, virtual asset (her coins/reputation); it is nothing-at-stake, nothing objective. In practice it leads to the infamous nothing-at-stake attack, for which Ethereum's idol, Vitalik Buterin, has proposed a ridiculous algorithm called 'slasher', just like an undereducated technician who tries to file a patent for his invention of an ideal machine that violates the second law of thermodynamics  ;D

PoS proponents optimistically embrace such junior programmer's tricks and try to convince us that they have not wasted their lives on a subjective, impractical approach to decentralized systems and that they can compete using 'light' versions of subjectivity (Vitalik's words).

There is no 'light subjectivity', imo; a subjective algorithm is poisoned as much as it is subjective. Hybrids fail because of their inherent weak genes, ultimately and in the long term. If it were legitimate and feasible to produce money from air, central banks would be the most legitimate bodies for this job.

Instead, PoW is an objective solution to decentralization: one should consume 'real' resources (computing power, electricity, ...) and there is a cost for every single action in the network and a reward for well formed, protocol compliant behaviors. This is why PoW is rigid and a masterpiece; it is objective. btc, eth, ltc, ... are gaining their values not from a compromise between members of a community (it is not fiat money) but because resources are consumed to generate them.

The Slasher algorithm (Vitalik's masterpiece  ;D) or other proposed algorithms for the nothing-at-stake attack in PoS based systems can do nothing about this weakness. Specifically, I'm telling you, a childish punishment algorithm (for preventing stakeholders from playing in multiple forks) has nothing to do with the fact that these 'stakes' are nothing, have come from nowhere with no cost.

Current criticism around PoW is worthless, imo. Satoshi's legacy is far too important to be criticized that trivially.

Talking about environmental issues is irrelevant in the first place. It is an industry; you love the planet? Go find me some clean and price effective electricity to consume. As a miner, I consume energy to produce a valuable asset that can be used for resisting corrupted banking and financial systems, the most important use case in modern history!

Accusing PoW of being vulnerable to ASICs and their hardware centralization consequences is not acceptable either. I'll do this fork and show the way; the accuser has the same obligation or has to follow me (take the lead or just follow). ASIC vulnerability is not an inherent property, despite some claims; an ASIC proof algorithm is achievable (one may call his general purpose processor an ASIC, but it is not).

Naggers like Vitalik, who constantly complain about scalability and performance, are the worst people ever. There are a handful of approaches (sharding, off-chain solutions, ... ) ready to be implemented; if bitcoiners fail to converge and have a governance crisis to overcome, the Ethereum community has this idiot idol in charge, hasn't it? Instead of wasting time and resources on a 'light version' of subjectivism (believe it? What an idiot  ;D ), wouldn't it have been way better to improve the protocol and produce complementary components to prevent the network from being congested by something like 'cryptokitties'?



Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Slava79 on April 11, 2018, 11:04:09 AM
PoS proponents optimistically embrace such junior programmer's tricks and try to convince us that they have not wasted their lives on a subjective, impractical approach to decentralized systems and that they can compete with 'light' versions of subjectivity (Vitalik's words).

I agree with your criticism of Slasher and how it's presented to be the "breaking through" idea.

Quote
There is no 'light subjectivity', imo, a subjective algorithm is poisoned as much as it is subjective.

"Weak subjectivity" is the term aimed at hiding the fact that the long-range attack is not solved in PoS. So, if you selected the "wrong nodes" when joining the network, you are screwed.

But won't you have the same set of problems in Bitcoin if you download the wrong client (broken or hacked), someone hacks Bitcoin's main site and patches the wallet, or someone hacks the DNS service and changes the list of bootstrap nodes? In other words, there is also some kind of subjectivity - not in the consensus algorithm, but in other areas.

One can argue that PoS cryptocurrencies are also not immune to these things, but I think what makes them stand out is that they can deliver real decentralization, unlike a PoW coin, the mining of which is concentrated in the hands of 9-10 organizations.

Quote
Instead of wasting time and resources on a 'light version' of subjectivism (believe it? What an idiot  ;D ), wouldn't it have been way better to improve the protocol and produce complementary components to prevent the network from being congested by something like 'cryptokitties'?

Right, but will the Lightning Network and SegWit help to scale Bitcoin to the level that it is possible to run an app store full of "cryptokitties", which is what mass adoption means?



Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 11, 2018, 01:04:51 PM
PoS proponents optimistically embrace such junior programmer's tricks and try to convince us that they have not wasted their lives on a subjective, impractical approach to decentralized systems and that they can compete with 'light' versions of subjectivity (Vitalik's words).

I agree with your criticism of Slasher and how it's presented to be the "breaking through" idea.
Thank you! It's just ridiculous, isn't it? Covering the mess with TV style ads.
Quote
Quote
There is no 'light subjectivity', imo, a subjective algorithm is poisoned as much as it is subjective.

"Weak subjectivity" is the term aimed at hiding the fact that the long-range attack is not solved in PoS. So, if you selected the "wrong nodes" when joining the network, you are screwed.

But won't you have the same set of problems in Bitcoin if you download the wrong client (broken or hacked), someone hacks Bitcoin's main site and patches the wallet, or someone hacks the DNS service and changes the list of bootstrap nodes? In other words, there is also some kind of subjectivity - not in the consensus algorithm, but in other areas.

One can argue that PoS cryptocurrencies are also not immune to these things, but I think what makes them stand out is that they can deliver real decentralization, unlike a PoW coin, the mining of which is concentrated in the hands of 9-10 organizations.

PoS eventually will lead to a very limited number of 'banks' taking deposits from users, using them as stakes, ... leading to way worse scenarios than what PoW coins are experiencing with pools.
I agree that 'resource sharing' is a problem for both paradigms, but PoS suffers more and implies more threats because of so-called 'mitigation' proposals like Slasher and others which require long term deposit contracts that lead to less flexibility to switch between centres (in PoW you can simply point your miners to whichever pool you choose).

Plus, running a pool service requires much less investment compared to what a 'bank' needs, just like a traditional bank does.

As for hacked DNS services and the like, if pools have any bad thing to do with PoW, they are good in this respect, and generally speaking a 'bootstrap poisoning' attack on a solo miner or any full node in PoW is very unlikely to succeed, while PoS is inherently vulnerable to this attack in its core consensus algorithm, the only mitigation being programming tricks like Slasher that put the network in even more serious centralization danger because of what I have reminded above.


Quote
Quote

Instead of wasting time and resources on a 'light version' of subjectivism (believe it? What an idiot  ;D ), wouldn't it have been way better to improve the protocol and produce complementary components to prevent the network from being congested by something like 'cryptokitties'?

Right, but will the Lightning Network and SegWit help to scale Bitcoin to the level that it is possible to run an app store full of "cryptokitties", which is what mass adoption means?
Sidechains are the more favorable solution for me and sharding is second, while I have very little sympathy for Segwit and don't take lightning seriously enough to list it as an ultimate solution.

I think scalability is a major problem and it needs step by step solutions and improvements to be tackled until the ultimate solution (which I believe is of a sidechain class) is operational. We are in no rush, right now.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: DooMAD on April 12, 2018, 06:04:25 PM
It was the bitcoin community's fault in the first place not to recognize ASICs as a crack and not to take proper action against them by upgrading to an ASIC resistant PoW, imo.

"ASIC resistant algorithm" is somewhat of a misnomer, since it's only "resistant" up to the point where someone designs a new ASIC for it.  Most altcoins that claim to be ASIC resistant can get away with making that claim simply because their coin isn't valuable enough for anyone to bother designing a custom chip for it.  Resistance through obscurity, in effect.  The problem Bitcoin has is that it obviously is quite valuable, so the moment you change the algo, all the big manufacturers will start work on a new ASIC designed to work with that algo.  There's simply too great an incentive for it.

It doesn't matter what algorithm you pick; it's always going to be inherently less resistant to ASICs by mere virtue of the fact that it's Bitcoin and ASICs are what all the miners will naturally want to have, so there will always be an overwhelming demand for someone to manufacture one.  Sooner or later, it's inevitable we'll have ASICs once again.  It's only ever going to be a temporary reprieve and will likely involve a hardfork every time it needs changing again.  You might have noticed, but hardforks tend to be somewhat controversial round these parts.

While I don't really keep up with Monero, I read that it somehow managed to split into 4 distinct chains because no one could agree on how their attempt at blocking ASICs should work.  We don't really want a repeat of that omnishambles in Bitcoin.

My take is that we just need a wider variety of manufacturers involved.  Other hardware companies need to step up their game and challenge Bitmain's current stranglehold.  Bricking hardware would likely escalate tensions and could even provoke some pools or perhaps Bitmain themselves into some form of retaliation.  That might sound silly, but it's worth pointing out there's a tremendous amount of money involved and when people with lots of money see a threat to their financial future, offence is often seen as the best form of defence.  It may even have other potential consequences like needing to include emergency difficulty adjustments due to a sudden plummet in hashrate, which could potentially unbalance the release schedule of newly minted coins into circulation.  One of Bitcoin's primary strengths is its predictable supply, so not something we should jeopardise lightly.

Caution is strongly advised.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 13, 2018, 05:57:34 PM
It was bitcoin community's fault from the first place not to recognize ASIC as a crack and not to take a proper action against it by upgrading to an ASIC resistant PoW, imo.

"ASIC resistant algorithm" is somewhat of a misnomer, since it's only "resistant" up to the point where someone designs a new ASIC for it.  Most altcoins who claim to be ASIC resistant can get away with making that claim, simply because their coin isn't valuable enough for anyone to bother designing a custom chip for it.  Resistance through obscurity, in effect.  The problem Bitcoin has is that it obviously is quite valuable, so the moment you change the algo, all the big manufacturers will start work on a new ASIC designed to work with that algo.  There's simply too great an incentive for it.
The "ASIC resistant, not ASIC proof" theory has one important implication that we should beware of: it questions whether Nakamoto's PoW innovation is instrumental for securing decentralized, permissionless systems like bitcoin, Ethereum and the like. Actually, proposing such a duality is no less than saying something like:

"The rise of proprietary, closed systems, under the control of corporates that outperform commodity cpu/gpu based computers and monopolize the network, is an inevitable destiny for any network that is secured by a consensus protocol based on a PoW algorithm; it is just a matter of incentive, of how big the coin's market cap is and whether it is worth it."


It is nothing less than burying PoW; not a surprise that people like Vitalik Buterin and other PoS enthusiasts never get tired of repeating such claims, and they are not alone: we have Jihan Wu and his paid journalism that escalate and propagate this theory just like a proven mathematical theorem.

If anybody is willing to do so, burying PoW, I'm no enthusiast, just asking for paperwork.

Although it is on the claimant to prove the claim, apparently with all these advertisements we have no choice but to prove that such duality is ridiculous:
Once you have a good ASIC resistant algorithm (unlike bitcoin's SHA2) you have a 'practical' ASIC proof algorithm in hand. And the practical adjective here is not a weakening factor, because this field, public blockchain, is a practical context and every single technology or protocol discussed here yields a practical assumption.

Claiming that with enough incentive, resourceful attackers can crack every PoW algorithm by making an ASIC is just saying that PoW can not achieve practical security per se, as long as it is PoW.
I'm here to show the falsehood of such a prediction. But I think I have done half of the job by revealing the importance and destructive nature of such a claim.

I'm deliberately avoiding criticizing the 'ASIC is not that bad' discourse for now; first things first.

Quote
While I don't really keep up with Monero, I read that it somehow managed to split into 4 distinct chains because no one could agree on how their attempt at blocking ASICs should work.  We don't really want a repeat of that omnishambles in Bitcoin.

There is no split in Monero and it doesn't make sense to call it a split. Monero users are happy and their balances are safe, miners are happier and their profits are becoming interesting. Forks happen; I can fork bitcoin overnight and nobody gets hurt (other than myself, I suppose, because of wasting my resources).

It is all about the community and the devs reaching a consensus; the rest is a piece of cake (at least compared to reaching a consensus).

Quote
My take is that we just need a wider variety of manufacturers involved.  Other hardware companies need to step up their game and challenge Bitmain's current stranglehold.  Bricking hardware would likely escalate tensions and could even provoke some pools or perhaps Bitmain themselves into some form of retaliation.  That might sound silly, but it's worth pointing out there's a tremendous amount of money involved and when people with lots of money see a threat to their financial future, offence is often seen as the best form of defence.  It may even have other potential consequences like needing to include emergency difficulty adjustments due to a sudden plummet in hashrate, which could potentially unbalance the release schedule of newly minted coins into circulation.  One of Bitcoin's primary strengths is its predictable supply, so not something we should jeopardise lightly.

Caution is strongly advised.

Monopoly is not the only or even the biggest threat when it comes to ASICs.

Other facts, like that manufacturers are always one or two steps ahead of the community, or that they know the exact mission of the device they are building and selling, which gives them options to plant everything they wish in the firmware, and ... are of critical importance, too.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: DooMAD on April 13, 2018, 06:58:17 PM
The "ASIC resistant, not ASIC proof" theory has one important implication that we should beware of: it questions whether Nakamoto's PoW innovation is instrumental for securing decentralized, permissionless systems like bitcoin, Ethereum and the like. Actually, proposing such a duality is no less than saying something like:

"The rise of proprietary, closed systems, under the control of corporates that outperform commodity cpu/gpu based computers and monopolize the network, is an inevitable destiny for any network that is secured by a consensus protocol based on a PoW algorithm; it is just a matter of incentive, of how big the coin's market cap is and whether it is worth it."


It is nothing less than burying PoW

I don't think that's the case at all.  The existence of ASICs neither undermines the innovation of PoW, nor ensures its demise.  It merely encapsulates the most efficient means of performing the work currently.  Rather than trying to fight against the natural incentive to utilise the most efficient means, it's healthier to make ASICs more attainable for a wider number of both mining participants and hardware manufacturers to level each respective playing field.


Monopoly is not the only or even the biggest threat when it comes to ASICs.

Other facts, like that manufacturers are always one or two steps ahead of the community, or that they know the exact mission of the device they are building and selling, which gives them options to plant everything they wish in the firmware, and ... are of critical importance, too.

How certain are we that CPUs and GPUs are immune to malicious code in the firmware?  Mining is always going to rely on hardware in some form and we'll have to trust someone to make that hardware.  Declaring war on ASICs doesn't absolve this.  At least monopoly can be somewhat negated.  We may as well focus on the things we can actually fix.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 13, 2018, 10:15:24 PM
The "ASIC resistant, not ASIC proof" theory has one important implication that we should beware of: it questions whether Nakamoto's PoW innovation is instrumental for securing decentralized, permissionless systems like bitcoin, Ethereum and the like. Actually, proposing such a duality is no less than saying something like:

"The rise of proprietary, closed systems, under the control of corporates that outperform commodity cpu/gpu based computers and monopolize the network, is an inevitable destiny for any network that is secured by a consensus protocol based on a PoW algorithm; it is just a matter of incentive, of how big the coin's market cap is and whether it is worth it."


It is nothing less than burying PoW

I don't think that's the case at all.  The existence of ASICs neither undermines the innovation of PoW, nor ensures its demise.  It merely encapsulates the most efficient means of performing the work currently.  Rather than trying to fight against the natural incentive to utilise the most efficient means, it's healthier to make ASICs more attainable for a wider number of both mining participants and hardware manufacturers to level each respective playing field.
Both historically and theoretically, the sole purpose of Satoshi's PoW is perceivable as a practical solution to the Byzantine Generals problem, which any distributed, permissionless, decentralized system that is open to untrusted players (like bitcoin) should consider as its canonical challenge.

Care should be taken that in the context of Byzantine Generals Problem, the participants are supposed to be human beings and not machines, because machines have no incentive to take part in any conspiracy, or remain loyal to an agenda. They are simply, tools and devices used by their owners.

PoW is not a protocol to solve machine's malicious behavior, mainly it is about the owner's.

For unfaithful owners, reaching the critical majorities (50%+ and 2/3+) needed to break/take over a well formed consensus protocol (like a blockchain) is much harder when their cardinality is higher and they are more divergent in terms of power, interests, geographical location etc.

If a PoW based system could not guarantee a minimum level of diversity between miners (human beings behind the miners not the machines) it should not be considered safe and needs immediate upgrades.

If it is a normal consequence of PoW and it is a matter of time for any PoW based system to become unsafe, then PoW should not be considered a solution for the Byzantine Generals problem at all! Not good news for Satoshi fans.

The threats involved in introduction of ASICs to a PoW based system are more than obvious:

1- Regarding its technological leverage, the manufacturer uses its advantage to mine far more efficiently; this yields a situation in which the ordinary miners disappear gradually and the manufacturer becomes more powerful, with almost unlimited access to the resources required for accelerating the process even more, reducing the cardinality and diversity of the participants to a dangerous level.

2- The very first company that manages to crack the algorithm and produce a specialized machine,  will save its position almost forever because of the gains. There will be no room left for competition and leveling the situation and delaying the disaster a bit to buy some time.

3- Such a system no longer could be classified as permissionless because practically you should get permission (buy the hardware) from the manufacturer to participate, i.e. you can not use your general purpose device to take part/leave  whenever you wish without undergoing significant cost.

In bitcoin we are already in the process of experiencing all the above mentioned challenges.

Of course Bitmain plays a sophisticated strategy that keeps everything in a fragile balance, but it is Bitmain's incentives that are summarized to a determinant. This is not how decentralization is defined and understood.
Quote

Monopoly is not the only or even the biggest threat when it comes to ASICs.

Other facts, like that manufacturers are always one or two steps ahead of the community, or that they know the exact mission of the device they are building and selling, which gives them options to plant everything they wish in the firmware, and ... are of critical importance, too.

How certain are we that CPUs and GPUs are immune to malicious code in the firmware?  Mining is always going to rely on hardware in some form and we'll have to trust someone to make that hardware.  Declaring war on ASICs doesn't absolve this.  At least monopoly can be somewhat negated.  We may as well focus on the things we can actually fix.
Although I'm a critic of all closed systems it is important to mention that there is a huge difference between CPU/GPU reliability problems and ASICs.

Once you go to the market and buy a general purpose AMD GPU, for instance, neither AMD nor the shopkeeper has a clue about what you are going to do with their product. Mining Ethereum with that gpu is your decision. It is impractical for them (or very unlikely) to take ownership of your system to act maliciously in the Ethash protocol. You choose to participate without their permission; you can leave and use the gpu to play games or render 3D images, whatever. You are free and safe, well, almost.

Obviously purchasing and running a specialized device like an S9 is totally different and vulnerable to trojan attack schemas that can take ownership of the device and participate in the protocol maliciously, because they know exactly how you will use it; you are just following their instructions.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Qoheleth on April 23, 2018, 10:18:11 PM
Any real solution that makes a cryptocurrency's Sybil resistance closer to democratic (1 person ≈ 1 vote) rather than plutocratic ($1 ≈ 1 vote) is fine by me.

That said, I still have doubts that a good solution exists within traditional PoW.

(this paragraph edited after the fact; I reread and got a better idea of what you were talking about)
The first reason is that, even if specialized hardware doesn't make sense for a pure mining operation, it will always make sense for an entity trying to execute a double-spend. Such an entity isn't bound by the traditional mining payoff chart; provided they have the start-up capital, all they need to do is reverse some high-profile transactions (or extort "insurance payments" from those trying to transact) to make their money back. For them, only the fixed cost of the hardware - and not the marginal cost of electricity - matters, because they only need to mine when they have someone's kneecaps to break.

But for the sake of argument, let's say you figure it out. Let's say you actually come up with a proof of work scheme that can't benefit meaningfully from custom hardware.

In this situation, the attacker's optimal strategy just shifts from "build a huge fuck server farm" to "build a huge fuck botnet". This is something organized crime groups do today anyway, to great success and populations in the millions (https://themerkle.com/top-4-largest-botnets-to-date/). How many Bitcoin full nodes are there today? Something like 10,000? (https://bitnodes.earn.com/) They would be drowned out like a sprinkler in a hurricane. Even if you assume that most BTC users, in a world where they could mine, were to install their own full node, that's maybe 30 million users (https://www.bitcoinmarketjournal.com/how-many-people-use-bitcoin/) if you make optimistic assumptions - Bredolab could still have outvoted them, or credibly threatened to do so.

What's your plan for mitigating such a strategy?


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Anti-Cen on April 24, 2018, 05:05:49 PM
How certain are we that CPUs and GPUs are immune to malicious code in the firmware?  Mining is always going to rely on hardware in some form and we'll have to trust someone to make that hardware.  Declaring war on ASICs doesn't absolve this.  At least monopoly can be somewhat negated.

Well said. "They" try to cover all bases, and Intel chip firmware was exposed by a Russian company; best blame Putin like they always do.

Wow, the Ministry of Bitcoin Propaganda (MBTCP) took seconds to delete my last comment, must be using bots now, or I am keeping our nazi moderator awake.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 27, 2018, 04:56:48 PM
{...} even if specialized hardware doesn't make sense for a pure mining operation, it will always make sense for an entity trying to execute a double-spend. Such an entity isn't bound by the traditional mining payoff chart; provided they have the start-up capital, all they need to do is reverse some high-profile transactions (or extort "insurance payments" from those trying to transact) to make their money back. For them, only the fixed cost of the hardware - and not the marginal cost of electricity - matters, because they only need to mine when they have someone's kneecaps to break.

But for the sake of argument, let's say you figure it out. Let's say you actually come up with a proof of work scheme that can't benefit meaningfully from custom hardware.

In this situation, the attacker's optimal strategy just shifts from "build a huge fuck server farm" to "build a huge fuck botnet". {...}

What's your plan for mitigating such a strategy?

Overtaking a PoW network can't be accomplished by a temporary virus/bot infection; the owners will eventually figure out the attack and do a fresh bootstrap. In other words, a long range attack against the network using botnets isn't feasible. The current Ethereum network is worth $70+ billion, and we have no evidence of such an attack while more than enough incentives exist.

The scenario you suggest, according to which the attacker can benefit from a short range attack for the sake of double spending on a specific transaction, is unlikely because typically, large volume transactions take place in a more cautious way by participants and the attacker has to rewrite more blocks, with the same long range attack problems. It is worth mentioning that such attack attempts are always discouraged by the weapon disclosure risk. The attacker(s) should lie in ambush for a multi-million dollar trade (with a foolhardy partner who will release the valuable assets after a few confirmations) worth the disclosure risk.

Plus, I can't see such a hypothetical botnet being sophisticated enough to participate in a PoW protocol effectively.
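The double-spend scenario Qoheleth raises above and the "attacker has to rewrite more blocks" point in this reply both come down to the same question: with fraction q of the hashrate, how likely is an attacker to overtake a chain that is z blocks ahead of their private branch? The block below is an added worked example, not code from any poster in this thread; it implements the attacker-success calculation from section 11 of Nakamoto's whitepaper and the "confirmations needed for less than 0.1% risk" search that the paper tabulates. The q values it feeds in are constructed inputs.

```python
import math


def attacker_success_probability(q, z):
    """Probability that an attacker holding fraction q of the total hashrate
    eventually overtakes the honest chain once the victim's transaction is
    z blocks deep (Nakamoto 2008, section 11).  The attacker is assumed to
    start a private branch when the transaction is sent and never give up.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be >= 0")
    if q >= 0.5:
        # Half or more of the hashrate: the gambler's-ruin argument gives
        # certainty, and the series below is only valid for q < p.
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)              # expected attacker blocks while honest miners find z
    success = 1.0
    poisson = math.exp(-lam)       # P(attacker found 0 blocks); updated iteratively
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k     # P(attacker found exactly k blocks)
        # Having found k blocks, the attacker still trails by z - k and must
        # catch up from there; the probability of that is (q/p)^(z-k).
        success -= poisson * (1.0 - (q / p) ** (z - k))
    return success


def confirmations_needed(q, max_risk=0.001, max_z=10000):
    """Smallest confirmation depth z at which the attacker's success
    probability drops below max_risk, or None if it never does (q >= 0.5)."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed inputs: the same q values Nakamoto tabulated.
    for q in (0.1, 0.3, 0.45):
        print("q=%.2f  confirmations for <0.1%% risk: %s" % (q, confirmations_needed(q)))
```

The shape of the result is what matters for the "short range attack" argument: at 10% of the hashrate the risk falls below 0.1% after 5 blocks, at 30% it takes 24, and at 45% it takes 340, so the depth a cautious counterparty waits for grows very steeply with the attacker's share, and at 50% or more no number of confirmations helps.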




Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: DooMAD on April 29, 2018, 11:09:53 PM
Plus, I can't see such a hypothetical botnet being sophisticated enough to participate in a PoW protocol effectively.

It's not like the threat is imaginary.  Mining botnets do exist (https://www.coindesk.com/botnet-infects-half-million-servers-mine-thousands-monero/), it's just that they aren't particularly profitable for any of the coins with a high enough difficulty.  As such, ASICs make it considerably less tempting for anyone to bother trying to create one for Bitcoin.  I'd say the fact people aren't aware of the issues with botnets is a pretty good indicator that we're on the right path, being that people are usually only aware of things like that once they actually become an issue for them.  When it's not a problem for us, we turn a blind eye, even though it might affect others.


Overtaking a PoW network can't be accomplished by a temporary virus/bot infection; the owners will eventually figure out the attack and do a fresh bootstrap. In other words, a long range attack against the network using botnets isn't feasible.

Overtaking the network doesn't have to be the end goal for it to be an issue.  It still places a large number of coins into the hands of people who are more likely to be bad actors than those who mine using legitimately purchased hardware.  It's probably better if people writing malware designed to infect users' machines aren't rewarded for their efforts solely because we mistakenly decided to declare war on the miners by bricking their ASICs.  When you create a power vacuum, it will often be filled by people who aren't exactly noble in their motives. 


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on April 30, 2018, 07:24:57 PM
Plus, I can't see such a hypothetical botnet being sophisticated enough to participate in a PoW protocol effectively.

It's not like the threat is imaginary.  Mining botnets do exist (https://www.coindesk.com/botnet-infects-half-million-servers-mine-thousands-monero/), it's just that they aren't particularly profitable for any of the coins with a high enough difficulty.  As such, ASICs make it considerably less tempting for anyone to bother trying to create one for Bitcoin.  I'd say the fact people aren't aware of the issues with botnets is a pretty good indicator that we're on the right path, being that people are usually only aware of things like that once they actually become an issue for them.  When it's not a problem for us, we turn a blind eye, even though it might affect others.


Botnets are real, of course, and they can mine, yes. But the scenario proposed by @Qoheleth, which I was trying to reject, is more complicated than just mining; it is about a short range attack on PoW chains and double spending coins. It needs synchronization between the bots to lie in ambush, as I have mentioned. By the sentence you quoted, I'm implying that it just doesn't look that easy to write a malware to participate both maliciously and effectively in the protocol. It is why we have not experienced such an attack. It was my fault not formulating my argument properly, perhaps.

Botnets should be categorized as a general computing problem rather than a cryptocurrency one. Typically miners are much more careful about their hash power being stolen when it comes to gpu mining, but even for Cryptonight and cpu mineable algorithms, in which botnets are more effective, it is not about anything other than stealing a very small fraction of block rewards, with no general impact on the blockchain.

Quote
Overtaking a PoW network can't be accomplished by a temporary virus/bot infection; the owners will eventually figure out the attack and do a fresh bootstrap. In other words, a long range attack against the network using botnets isn't feasible.

Overtaking the network doesn't have to be the end goal for it to be an issue.  It still places a large number of coins into the hands of people who are more likely to be bad actors than those who mine using legitimately purchased hardware.  It's probably better if people writing malware designed to infect users' machines aren't rewarded for their efforts solely because we mistakenly decided to declare war on the miners by bricking their ASICs.  When you create a power vacuum, it will often be filled by people who aren't exactly noble in their motives.  

No, it is not about 'a large number' of coins. It is just about stealing a small fraction of cpu power from people, which is bad generally for cryptocurrency and any other computing technology, but not an ultimate threat. Attackers can target cpu mineable coins for a fraction of their fresh block rewards; they can't put any crucial characteristic of the blockchain in danger.

Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: DooMAD on April 30, 2018, 09:53:56 PM
Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!

It would be a weak argument if I was asking to put everything in the hands of Jihan Wu, but that's not the case.  You might want to consider the possibility that changing the algorithm could even be advantageous to Wu, since his company would almost certainly react fastest to any newly announced algorithm.  It would effectively kill any opportunity for another manufacturer to catch up.  You might end up handing them monopoly on a plate through your desire to beat them.  I'd say at least wait to see how quickly another Monero ASIC is designed before you dismiss this notion.  I don't think it'll take that long.  Let them be the guinea pig before we start meddling with things that are largely theoretical at this stage.

As you stated yourself:
2- The very first company that manages to crack the algorithm and produce a specialized machine,  will save its position almost forever because of the gains.
So it makes sense that the company that cracks it first will keep cracking it each time you change it.  Therefore, it's actually more sensible to allow other manufacturers the opportunity to catch up.

Plus, as stated in other threads, botnets aren't the only issue with changing the algorithm:

Quote
First you need for the almost entire community to agree that fork needs to happen.
the moment ASIC resistance returns, hundreds or thousands of researchers, scientists and programmers set to work breaking it. the rewards are too high not to try it. bitcoin could spend the rest of its days skipping from algorithm to algorithm which would be an endless cycle of ruin and disruption for little gain.
And even with new algo the mining might still be centralized, because if it would be very profitable, miners would buy GPU's in bulk while hobbyists won't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems
Simply changing Bitcoin's PoW algo won't keep ASICs at bay forever, but would come with a lot of challenges -- both technologically and community-wise. Not only evaluating and selecting a new PoW algo will be challenging -- even how the selection for a new PoW algo takes place would likely result in a lot of drama and hidden agendas. Some parties may secretly benefit from one algo over another.
Bitcoin currently attracts both the largest accumulated proof of work and the largest economic majority.  All the myriad forks we've witnessed so far haven't been able to keep pace with the proof of work Bitcoin has accumulated, but that wouldn't be the case if those who disagreed with the new algorithm continued to support using ASICs.  The new algo would almost inevitably be the minority chain in terms of hashpower, so supporters of the new algo would have to fall back on purely the "economic majority" argument and would also have to be pretty damn sure they'd win that argument.  Quite the gamble.
It would also unfairly punish a lot of good actors in the space in an attempt to punish Bitmain.
Also note that requiring ASICs to mine BTC makes it less susceptible to hashrate fluctuations caused by rising alt coins. We got a glimpse of the possible impact of such competition during the early days of BCH. Most alts that share BTC's PoW scheme are irrelevant today, but if BTC were CPU / GPU mineable again this could have serious implications regarding the stability and security of the network. Back then BTC was the only game in town, but nowadays sudden alt price surges could result in network slowdown and thus congestion.

And those are just the things that foresight permits us to see.  Consider the pain when hindsight bites us in the ass with all the repercussions we didn't anticipate.  You keep talking about this like it's a simple change that magically fixes everything with no consequences.  It just isn't going to pan out that way.  And with this many unknown variables, the first example becomes the most poignant.  You need to get almost everyone to agree.  How can we do that if we can't even tell what all the problems are going to be?


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 01, 2018, 04:23:18 PM
Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!

It would be a weak argument if I was asking to put everything in the hands of Jihan Wu, but that's not the case.  You might want to consider the possibility that changing the algorithm could even be advantageous to Wu, since his company would almost certainly react fastest to any newly announced algorithm.  It would effectively kill any opportunity for another manufacturer to catch up.  You might end up handing them monopoly on a plate through your desire to beat them.  I'd say at least wait to see how quickly another Monero ASIC is designed before you dismiss this notion.  I don't think it'll take that long.  Let them be the guinea pig before we start meddling with things that are largely theoretical at this stage.

As you stated yourself:
2- The very first company that manages to crack the algorithm and produce a specialized machine,  will save its position almost forever because of the gains.
So it makes sense that the company that cracks it first will keep cracking it each time you change it.  Therefore, it's actually more sensible to allow other manufacturers the opportunity to catch up.
I'm completely against the hypothesis that states every PoW algorithm is vulnerable and will be cracked sooner or later by ASICs or other special purpose systems. There is no basis for this assumption other than a false induction or a kind of tautological manipulation of the terms involved.  A cautiously designed algorithm, being practically ASIC proof is definitively possible.

Plus, regular algorithm upgrades, as long as they don't alter the basics and enjoy a semi-autonomous consensus mechanism (like some proposed signaling schemas), won't be that costly. From a programmer's perspective, I see no serious challenge here. I don't think it will be the case, but having this as a doomsday strategy will de-incentivize further attempts to break the algorithm.

As for your guinea pig, Cryptonight V7, I'm absolutely sure about the outcome: there will be no more crack attempts on the algorithm. The costs involved in the upgrade were negligible and the results were awesome, and Sergio is threatening to repeat the procedure every 6 months. The experiment is over and the results are more than encouraging.
 
Quote
Plus, as stated in other threads, botnets aren't the only issue with changing the algorithm:
Quote
First you need for the almost entire community to agree that fork needs to happen.
No we don't! I'm so suspicious about this term 'community' when it is used as a concrete concept.

In the Ethereum 'community' we have Vitalik Buterin, who shines like a pop star at the same time as he is ruining the entire ecosystem with his immature proposal about 'weak subjectivity' and Casper. Buterin is famous for his disbelief in PoW and enthusiasm about the PoS miracle that is promised to scale up blockchains magically! I don't care about Buterin and his fans; I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans.

As for bitcoin, things are so different here; I think once Bitmain starts to play its cards in a dirtier game, we will have fewer problems getting the community united. For now I'm just insisting on theoretical development and discussions about the possible ASIC mitigation improvements to SHA256 and the PoW of bitcoin.

Some of your points in this post were important too; I'll discuss them separately. Cheers for now :)


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: f3tus on May 01, 2018, 06:32:20 PM
I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans.
Stick with ETC then.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 01, 2018, 07:08:17 PM
{....}

I'd disagree since there are many algorithm which says ASIC-resistance, but in the end all of these algorithm have their own ASIC. As long as the there's cryptocurrency with big market cap which that use ASIC-resistance algorithm, i'm sure people can manufacture ASIC even though it will be big challenge, costly and time-consuming.

As I have argued before, induction is not a proof. You say ASIC-resistance is deemed to fail, BECAUSE 'there are many algorithms' that claim it and 'at the end' they have failed. It is a false and weak induction, not a solid reasoning.

Bitcoin and its SHA256 cracked by Bitmain because Satoshi Nakamoto was not a god to foresee everything. It was bitcoin community's mission to react but it failed to do so.

Failure of X11, Scrypt and CryptoNight is just good news for designers to find better and more resistant approaches.

The details of the latest Bitmain attack against Ethash (E3) have not been publicly disclosed yet, but I strongly believe it is not an ASIC attack (yet I think it should be neutralized). Ethash is a memory hard algorithm: for every single hash the processor (being ASIC or not) has to access random parts of the RAM bank multiple times. This way the performance will be bound to memory access; it is practically useless to implement this algorithm in ASIC.

Bitmain's E3 has been announced to have almost the same j/h efficiency as a mid-range gpu; it is not what one expects from ASICs, which typically have tens to hundreds of times better efficiency compared to general purpose systems.

Instead, I believe, Bitmain has managed for an architectural attack i.e. making special purpose systems instead of ICs. I'm proposing a theory based on a possible shared memory attack to describe E3 and I have designed a counter attack but my point is a practically ASIC-proof algorithm is absolutely feasible to design and implement and the latest bad news about failing algorithms is just good news for people like me who are committed to the purpose and have a minimum level of expertise needed for the job.

Quote
But i think the real problem is FPGA which still can be used after algorithm-tweak to kill/prevent ASIC with small tweak.


FPGA is expensive and power hungry. Don't count on it as a serious threat to gpu mining.
Quote
Also, hard-fork which change the algorithm where ASIC already have domination would be difficult. Monero/Cryptonight V7 works well because the ASICs haven't dominated the hashrate and the community has good faith in the developer.
I'm sure Monero approach won't work well on other Cryptocurrency such as Bitcoin and Ethereum, at least without community-split and chain-split.

FACTS:
- Ethereum is not attacked by E3s yet (at least significantly)
- Monero was almost dominated by ASIC. After the tweak, network hashrate dropped to less than a half!
- We have practically no gpu miner in bitcoin. It is all about ASICs here.

So, Monero's experiment can be repeated even more successfully in Ethereum while for bitcoin it is complicated and needs a thorough analysis and planning.
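To make the memory-bound argument in the post above concrete, here is a toy Ethash-style hash added as an illustration. It is not Ethash and not code from any post in this thread: the dataset size, row size and the 64 random row reads per hash are constructed parameters (Ethash itself works over a multi-gigabyte dataset). The property it demonstrates is that the address of each read depends on the result of the previous one, so a chip cannot prefetch or batch the reads and its throughput is bounded by memory latency rather than by hashing logic.

```python
"""Toy memory-hard proof of work (added example, not Ethash, not from the thread).

Every hash walks ACCESSES pseudo-random rows of a dataset that all miners must
hold in full; each row index is derived from the running mix, so the reads are
serially dependent and cannot be scheduled ahead of time.
"""
import hashlib

DATASET_ROWS = 4096   # constructed toy size; a real DAG is gigabytes
ROW_BYTES = 64        # sha512 digest width
ACCESSES = 64         # constructed: random row reads per hash


def build_dataset(seed: bytes, rows: int = DATASET_ROWS):
    """Pseudo-random dataset derived from a public seed (the part every miner must store)."""
    return [hashlib.sha512(seed + i.to_bytes(4, "little")).digest() for i in range(rows)]


def memory_hard_hash(header: bytes, nonce: int, dataset) -> bytes:
    """Mix the header/nonce with ACCESSES dataset rows chosen by the evolving mix."""
    mix = hashlib.sha512(header + nonce.to_bytes(8, "little")).digest()
    rows = len(dataset)
    for _ in range(ACCESSES):
        # The next row index is only known once the current mix exists:
        # this serial dependency is what makes the algorithm memory bound.
        idx = int.from_bytes(mix[:4], "little") % rows
        row = dataset[idx]
        mix = bytes(a ^ b for a, b in zip(mix, row))
        mix = hashlib.sha512(mix).digest()
    return hashlib.sha256(mix).digest()


def meets_target(digest: bytes, leading_zero_bits: int) -> bool:
    """True when the 256-bit digest starts with at least leading_zero_bits zero bits."""
    return int.from_bytes(digest, "big") >> (256 - leading_zero_bits) == 0


def mine(header: bytes, dataset, leading_zero_bits: int = 8, max_nonce: int = 50000):
    """Search nonces until the hash meets the target; returns (nonce, digest) or None."""
    for nonce in range(max_nonce):
        digest = memory_hard_hash(header, nonce, dataset)
        if meets_target(digest, leading_zero_bits):
            return nonce, digest
    return None


if __name__ == "__main__":
    # Constructed inputs: a seed standing in for the epoch seed and a dummy header.
    dataset = build_dataset(b"constructed epoch seed")
    result = mine(b"constructed block header", dataset)
    print("nonce, digest:", result[0], result[1].hex())
```

A fixed-function chip for this design still has to keep the whole dataset in memory it can address randomly, and it gets one row per memory round trip, which is the efficiency ceiling the post is pointing at.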



Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 01, 2018, 07:16:17 PM
I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans.
Stick with ETC then.

Quite an option, given ETC people are ready for the hard fork against E3.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: starskylarkm9 on May 01, 2018, 08:23:43 PM
Bitmain, obviously, has not disclosed anything worth mentioning about E3 other than a picture (of an ugly mini case) plus 800 watts power consumption, 180 Mh/s Ethash power and 800$ price besides a 3 month pre-order requirement for the buyers. If it was not Bitmain, it would look just like a scam, but it IS Bitmain and something is wrong here.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 02, 2018, 08:30:34 AM
Bitcoin currently attracts both the largest accumulated proof of work and the largest economic majority.  All the myriad forks we've witnessed so far haven't been able to keep pace with the proof of work Bitcoin has accumulated, but that wouldn't be the case if those who disagreed with the new algorithm continued to support using ASICs.  The new algo would almost inevitably be the minority chain in terms of hashpower, so supporters of the new algo would have to fall back on purely the "economic majority" argument and would also have to be pretty damn sure they'd win that argument.  Quite the gamble.
{I've quoted from this topic (https://bitcointalk.org/index.php?topic=3351075) }
It would also unfairly punish a lot of good actors in the space in an attempt to punish Bitmain.
{from this topic (https://bitcointalk.org/index.php?topic=2971204) }

For Bitcoin, I've come to a solution for implementing ASIC resistance with minimum side effects and risks. I'll discuss it in more details in a dedicated thread but for now I just use the core idea to show how wide is the range of possibilities:

Suppose we got a gpu mineable practically ASIC-proof algorithm implemented and tested properly and ready to launch, let's call it MemHash.

1- We would choose a blockheight N as the fork point to be mined a couple of months later. Miners, wallets, ... would have a reasonable time to upgrade.

2- We will use a multi algorithm protocol in which 2 difficulties are independently and more dynamically (revised in shortest periods) adjusted to guarantee a fair distribution of blocks between SHA256 and MemHash.

3- By fairness we refer to a constant, name it RATIO. It is set to 8/1 in favor of SHA256 for the beginning but improves over time (say, every 6 months) to become 1/8 ultimately within the first two years and approaches zero within the next period.

Many things to discuss more, I know, but my point is clear: There exist so many possibilities and any challenge has a proper solution.



Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: starskylarkm9 on May 02, 2018, 11:48:36 AM
In a sophisticated marketing maneuver, Bitmain is selling its miner for a price far (more than 3 times) below what an ordinary gpu miner can manage to assemble a comparable mining rig. It pushes ordinary miners out of the market and is a hardware centralization threat and deserves to be classified as an attack. I'll show here that it is a special purpose machine built for taking advantage of a specific vulnerability of a modern PoW algorithm like Ethash. It is nothing less than an attack and for the convenience I'll call it Application Specific Architectured Computer, ASAC.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: HeRetiK on May 02, 2018, 12:39:45 PM
For Bitcoin, I've come to a solution for implementing ASIC resistance with minimum side effects and risks. I'll discuss it in more details in a dedicated thread but for now I just use the core idea to show how wide is the range of possibilities:

[...]

Like many others in this thread I also highly doubt that a hashing algorithm can be found that will remain ASIC proof for the foreseeable future (say, 10 years from deployment), especially given the size of the market and the profits to be made.

I also see a lot of practical problems with your approach -- organizing non-partisan and sound reviews of MemHash, getting the community on board, difficulty / hashrate fluctuations during the transition period for example.

That being said, I'm looking forward to read a fleshed out version of your proposal.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 02, 2018, 09:04:39 PM
{...}
For Bitcoin, I've come to a solution for implementing ASIC resistance with minimum side effects and risks. I'll discuss it in more details in a dedicated thread but for now I just use the core idea to show how wide is the range of possibilities:

Suppose we got a gpu mineable practically ASIC-proof algorithm implemented and tested properly and ready to launch, let's call it MemHash.

1- We would choose a blockheight N as the fork point to be mined a couple of months later. Miners, wallets, ... would have a reasonable time to upgrade.

2- We will use a multi algorithm protocol in which 2 difficulties are independently and more dynamically (revised in shortest periods) adjusted to guarantee a fair distribution of blocks between SHA256 and MemHash.

3- By fairness we refer to a constant, name it RATIO. It is set to 8/1 in favor of SHA256 for the beginning but improves over time (say, every 6 months) to become 1/8 ultimately within the first two years and approaches zero within the next period.

Many things to discuss more, I know, but my point is clear: There exist so many possibilities and any challenge has a proper solution.



That's an interesting solution. But there are a few technical difficulties, such as:
1. Making sure the algorithm is reviewed/audited by professionals and that it is at least extremely difficult to make an ASIC for that algorithm.
2. Managing MemHash hashrate and its block reward during the transition.
3. Ensuring Bitcoin's production rate isn't affected.

Also, getting majority community approval is extremely difficult even if you/the developers manage to fix all technical difficulties.
Thanks for the advice  :)

As of the third point, bitcoin production rate, it is already taken care of by the proposed protocol. With two (or more?) difficulties, being independently calculated, based on a 0 <= m/n < 1 ratio, legacy bitcoin sha2 miners (ASICs) can produce an average of m/n blocks every 10 minutes and the remaining (n-m)/n blocks will be produced by MemHash miners, which yields exactly 1 block every 10 minutes on average.
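The three-step proposal quoted above and the m/n explanation that closes this post can be checked numerically. The following model is an added example, not code from the proposal's author: it derives each algorithm's difficulty from its own hashrate and its block share, then races the two miner populations to confirm that SHA256 wins m/n of the blocks while the combined chain still averages one block per 10 minutes. The RATIO schedule between the stated 8/1 start and 1/8 after two years (and the value used for "approaches zero") is an assumption, as are the hashrates used in the demo.

```python
"""Two-difficulty block-share model for the SHA256 + MemHash proposal.

Added example. The post fixes RATIO = 8/1 at the fork and 1/8 within two years;
the intermediate steps, the post-two-year value and the hashrates below are
constructed assumptions. Everything else follows the m/n description.
"""
from fractions import Fraction
import random

TARGET_BLOCK_TIME = 600  # seconds: one block per 10 minutes on average

# Assumed schedule of RATIO = (SHA256 blocks) : (MemHash blocks), keyed by
# months after the fork. Stepped down every 6 months, reaching 1/8 at month
# 18; "approaches zero" afterwards is modelled as 1/64 from month 24 on.
RATIO_SCHEDULE = [
    (0, Fraction(8, 1)),
    (6, Fraction(2, 1)),
    (12, Fraction(1, 2)),
    (18, Fraction(1, 8)),
    (24, Fraction(1, 64)),
]


def ratio_at(month):
    """RATIO in force at a given month (step function over RATIO_SCHEDULE)."""
    ratio = RATIO_SCHEDULE[0][1]
    for start, r in RATIO_SCHEDULE:
        if month >= start:
            ratio = r
    return ratio


def block_shares(ratio):
    """Turn RATIO = m:(n-m) into the post's m/n and (n-m)/n block fractions."""
    sha_share = ratio / (1 + ratio)
    return sha_share, 1 - sha_share


def difficulties(ratio, sha_hashrate, mem_hashrate):
    """Per-algorithm difficulty (expected hashes per block).

    Each population, at its current hashrate and on its own, then produces
    exactly its share of blocks per TARGET_BLOCK_TIME. The two values are
    retargeted independently from their own hashrates, as the post requires.
    """
    sha_share, mem_share = block_shares(ratio)
    return (sha_hashrate * TARGET_BLOCK_TIME / float(sha_share),
            mem_hashrate * TARGET_BLOCK_TIME / float(mem_share))


def simulate(ratio, sha_hashrate, mem_hashrate, blocks=20000, seed=1):
    """Race the two populations block by block.

    Each algorithm's time to its next block is exponential with mean
    difficulty/hashrate; the faster one wins the height. Returns
    (fraction of blocks won by SHA256, mean block interval in seconds).
    """
    rng = random.Random(seed)
    d_sha, d_mem = difficulties(ratio, sha_hashrate, mem_hashrate)
    sha_wins = 0
    elapsed = 0.0
    for _ in range(blocks):
        t_sha = rng.expovariate(sha_hashrate / d_sha)
        t_mem = rng.expovariate(mem_hashrate / d_mem)
        if t_sha < t_mem:
            sha_wins += 1
            elapsed += t_sha
        else:
            elapsed += t_mem
    return sha_wins / blocks, elapsed / blocks


if __name__ == "__main__":
    # Constructed hashrates: 1 EH/s of SHA256 ASICs against 1 PH/s of MemHash GPUs.
    for month in (0, 6, 12, 18, 24):
        r = ratio_at(month)
        share, interval = simulate(r, 1e18, 1e15)
        print(f"month {month:2d}  RATIO {str(r):5}  SHA256 share {share:.3f}  "
              f"mean interval {interval:.0f}s")
```

Because the minimum of two independent exponential waiting times is itself exponential with the summed rate, the combined block rate is m/n + (n-m)/n per 600 seconds regardless of how lopsided the two hashrates are; what the independent retargeting cannot do is hide a sudden hashrate drop on one side inside a single adjustment window, which is the fluctuation concern raised elsewhere in the thread.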


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: ir.hn on May 06, 2018, 06:46:00 AM
Thanks for the thoughtful article.  I'm working in a similar area and thought I'd add my own perspective on how to deal with the centralization-as-an-attack cryptocurrency problem.

We seem to agree on the idea that the best defense against ASICs (and other approaches that fill the same functional and economic niche) is an economic defense.   For example, my approach to POW is to leverage PCs in a way that is uneconomic to duplicate in a fixed-purpose device.  Since many people already own PCs, their machines don't have to be counted as part of the cost of decentralized POW.

On the other hand, someone building a dedicated mining farm would have to outlay *extra* money to compete with something that the decentralized community already has in abundance.  

This approach failed for bitcoin because the POW algo was too trivial; it required only a few instructions of the CPU and a tiny amount of memory.  A $1000 PC was making use of only a tiny fraction of its cost for mining.  This left a huge window for exploitation by ASICs (and GPUs).

A better approach would have been to use more instructions and more complex instructions as well as far more memory in the POW algo, obviously.  Further, as you point out above, the memory should be dynamically used rather than static to reduce the possibility of shortcuts.  Ideally, the algo would make use of as many capabilities of the (common) PC as possible.  Successfully implemented, this approach would not make ASIC and GPU mining 'impossible', merely impractical.

But, as you say, ASIC resistance, as defined economically, *is* ASIC proof.  

My algo is pretty basic in that it mostly makes use of lots of memory and memory bandwidth for each thread, but that alone addresses a significant subset of the 'ideal' requirements of my approach.  A GPU would be able to run a few threads, for example, but its performance should pale in comparison to a CPU.  It might be worth the electricity at the low usage level -- but the ROI would not be worth the capital outlay of building a GPU rig.

An ASIC (or ASAC) could still be made to be more efficient than a PC, but should not be drastically so.  As long as the pay-off period for a piece of special-purpose equipment is measured in multiple years, the risk would be too great for a prudent investment -- especially in the fast-moving space of cryptocurrencies.  And, more importantly, it would not provide the economic foundation for a few companies to quickly rise to dominate the space.

Love your name spinning truth but what is this algo you speak of that uses every part of the cpu?  Surely you mean my proposed algo which is finding a specific length factor of a large number (over 100-120 digits)?


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: ir.hn on May 06, 2018, 07:09:54 AM
Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!

It would be a weak argument if I was asking to put everything in the hands of Jihan Wu, but that's not the case.  You might want to consider the possibility that changing the algorithm could even be advantageous to Wu, since his company would almost certainly react fastest to any newly announced algorithm.  It would effectively kill any opportunity for another manufacturer to catch up.  You might end up handing them monopoly on a plate through your desire to beat them.  I'd say at least wait to see how quickly it is before another Monero ASIC is designed before you dismiss this notion.  I don't think it'll take that long.  Let them be the guinea pig before we start meddling with things that are largely theoretical at this stage.

As you stated yourself:
2- The very first company that manages to crack the algorithm and produce a specialized machine,  will save its position almost forever because of the gains.
So it makes sense that the company that cracks it first will keep cracking it each time you change it.  Therefore, it's actually more sensible to allow other manufacturers the opportunity to catch up.
I'm completely against the hypothesis that states every PoW algorithm is vulnerable and will be cracked sooner or later by ASICs or other special purpose systems. There is no basis for this assumption other than a false induction or a kind of tautological manipulation of the terms involved.  A cautiously designed algorithm, being practically ASIC proof is definitively possible.

Plus, regular algorithm upgrades, as long as they don't alter the basics and enjoy a semi-autonomous consensus mechanism (like some proposed signaling schemas) won't be that costly. From a programmer's perspective, I see no serious challenge here. I don't think it will be the case but having this as a doom day strategy will de-incentivize further attempts to break the algorithm.

As of your guinea pig, Cryptonight V7, I'm absolutely sure about the outcome: There will be no more crack attempts on the algorithm. The costs involved in the upgrade were negligible and the results were awesome and Sergio is threatening to repeat the procedure every 6 months. The experiment is over and the results are more than encouraging.
 
Quote
Plus, as stated in other threads, botnets aren't the only issue with changing the algorithm:
Quote
First you need for the almost entire community to agree that fork needs to happen.
No we don't! I'm so suspicious about this term 'community' when it is used as a concrete concept.

In Ethereum 'community' we have Vitalik Buterin who shines like a pop star at the same time he is ruining the entire ecosystem with his immature proposal about 'weak subjectivity' and Casper. Buterin is famous for his disbelief in PoW and enthusiasm about PoS miracle that is promised to scale up blockchains magically! I don't care about Buterin and his fans, I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans.

As of bitcoin, things are so different here, I think once Bitmain started to play his cards in a more dirty game, we have less problems to have the community united. For now I'm just insisting on theoretical development and discussions about the possible ASIC mitigation improvements to SHA256 and the PoW of bitcoin.

Some of your points in this post was important too, I'll discuss them separately. Cheers for now :)


I fully agree a long term asic resistant coin is possible but don't you see that trusting a central group to keep the algorithm "updated" is causing centralization of the network?  Luckily the PoW I invented which requires finding a certain length factor for a very large number is an algorithm that can't be changed in any significant way after implemented but should stay asic resistant forever because if something can carry out a general number field sieve then it is good enough to function as a personal computer.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Sam San on May 06, 2018, 02:09:41 PM
It was bitcoin community's fault from the first place not to recognize ASIC as a crack and not to take a proper action against it by upgrading to an ASIC resistant PoW, imo.

"ASIC resistant algorithm" is somewhat of a misnomer, since it's only "resistant" up to the point where someone designs a new ASIC for it.  Most altcoins who claim to be ASIC resistant can get away with making that claim, simply because their coin isn't valuable enough for anyone to bother designing a custom chip for it.  Resistance through obscurity, in effect.  The problem Bitcoin has is that it obviously is quite valuable, so the moment you change the algo, all the big manufacturers will start work on a new ASIC designed to work with that algo.  There's simply too great an incentive for it.

It doesn't matter what algorithm you pick, it's always going to be inherently less resistant to ASICs by mere virtue of the fact that it's Bitcoin and ASICs are what all the miners will naturally want to have, so there will always be an overwhelming demand for someone to manufacture one.  Sooner or later, it's inevitable we'll have ASICs once again.  It's only ever going to be a temporary reprieve and will likely involve a hardfork every time it needs changing again.  You might have noticed, but hardforks tend to be somewhat controversial round these parts.  

While I don't really keep up with Monero, I read that it somehow managed to split into 4 distinct chains because no one could agree on how their attempt at blocking ASICs should work.  We don't really want a repeat of that omnishambles in Bitcoin.

My take is that we just need a wider variety of manufacturers involved.  Other hardware companies need to step up their game and challenge Bitmain's current stranglehold.  Bricking hardware would likely escalate tensions and could even provoke some pools or perhaps Bitmain themselves into some form of retaliation.  That might sound silly, but it's worth pointing out there's a tremendous amount of money involved and when people with lots of money see a threat to their financial future, offence is often seen as the best form of defence.  It may even have other potential consequences like needing to include emergency difficulty adjustments due to a sudden plummet in hashrate, which could potentially unbalance the release schedule of newly minted coins into circulation.  One of Bitcoin's primary strengths is its predictable supply, so not something we should jeopardise lightly.

Caution is strongly advised.
Work is underway to produce new ASIC, but not all companies advertise their work. Perhaps soon we will see a surge of new developments of ASIC from different countries.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: cellard on May 06, 2018, 06:41:43 PM
If Bitmain attempted something stupid, this would translate in losses as the price of Bitcoin would go down, so I'm not really worried about that.

There's also PoH, Proof of Hitman, which could be put in practice. There are $billionaires in Bitcoin, and I'm sure they will not sit back and relax as Jihan Wu screws around ruining Bitcoin for some reason. Not a good idea to piss off people with enough unconfiscable funds to get to you and end your stupidity. If I was Jihan, I certainly wouldn't risk it. What's the point of all that money and power when you are buried?

So we will all just cooperate, for the sake of Bitcoin, in other words, for the sake of all of us. There are no winners in a war within Bitcoin.. only uncertainty and therefore a crashing price.

The multi algo thing looks good, but still, no realistic way to get it into the system without ending up with an altcoin (Bitcoin, and Bitcoin-multiAlgo). We have to avoid such mess. Also a lot of research would need to be done to test it and guarantee we don't end up in the same scenario, even with multiple algos.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: SpinningTruth on May 14, 2018, 01:53:22 PM
@ir.hn:

My algo is derived from a block cipher I built some years ago.  The most significant feature of that cipher is an arbitrary block size, typically a few megabytes.  It only provides one of the requirements that I think the 'ideal' asic-resistant algo should have, a very high memory-to-thread ratio.  

The ideal algo would also take advantage of other, expensive to duplicate, features of the common PC.

My project will be a proof-of-concept level effort only in that it will focus on only two of the performance characteristics that are hard to duplicate without spending nearly as much money as the core of a modern PC.  Specifically, I will limit my project to 1) Large memory-per-core, and 2) efficiently utilize the large caches in a PC.  As such, it will not attempt to be the ultimate 'asic-proof' finished product.

Therefore, it would still leave a significant cost gap that a purpose-built device could take advantage of -- but would eliminate the huge margins that current asics enjoy over PCs and GPUs.  By greatly reducing that gap, PCs would be competitive.  In fact, since PCs are already deployed with their costs justified in totally different ways, they are essentially free for the purposes of this algo.

Current asics are economically viable only because PCs are so astoundingly inefficient at mining most algos.  An algo designed to require, for example, huge memory-per-thread, a non-trivial portion of the more complex parts of the instruction set, and large and very fast caches, would make an asic much more expensive to produce -- and it would *not* have an outsized performance margin above the PC.  Yet, they would still have to be designed and built from scratch to compete in only the one area.

Thanks for the thoughtful article.  I'm working in a similar area and thought I'd add my own perspective on how to deal with the centralization-as-an-attack cryptocurrency problem.

We seem to agree on the idea that the best defense against ASICs (and other approaches that fill the same functional and economic niche) is an economic defense.   For example, my approach to POW is to leverage PCs in a way that is uneconomic to duplicate in a fixed-purpose device.  Since many people already own PCs, their machines don't have to be counted as part of the cost of decentralized POW.

On the other hand, someone building a dedicated mining farm would have to outlay *extra* money to compete with something that the decentralized community already has in abundance.  

This approach failed for bitcoin because the POW algo was too trivial; it required only a few instructions of the CPU and a tiny amount of memory.  A $1000 PC was making use of only a tiny fraction of its cost for mining.  This left a huge window for exploitation by ASICs (and GPUs).

A better approach would have been to use more instructions and more complex instructions as well as far more memory in the POW algo, obviously.  Further, as you point out above, the memory should be dynamically used rather than static to reduce the possibility of shortcuts.  Ideally, the algo would make use of as many capabilities of the (common) PC as possible.  Successfully implemented, this approach would not make ASIC and GPU mining 'impossible', merely impractical.

But, as you say, ASIC resistance, as defined economically, *is* ASIC proof.  

My algo is pretty basic in that it mostly makes use of lots of memory and memory bandwidth for each thread, but that alone addresses a significant subset of the 'ideal' requirements of my approach.  A GPU would be able to run a few threads, for example, but its performance should pale in comparison to a CPU.  It might be worth the electricity at the low usage level -- but the ROI would not be worth the capital outlay of building a GPU rig.

An ASIC (or ASAC) could still be made to be more efficient than a PC, but should not be drastically so.  As long as the pay-off period for a piece of special-purpose equipment is measured in multiple years, the risk would be too great for a prudent investment -- especially in the fast-moving space of cryptocurrencies.  And, more importantly, it would not provide the economic foundation for a few companies to quickly rise to dominate the space.

Love your name spinning truth but what is this algo you speak of that uses every part of the cpu?  Surely you mean my proposed algo which is finding a specific length factor of a large number (over 100-120 digits)?


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: 2112 on May 14, 2018, 03:29:38 PM
a non-trivial portion of the more complex parts of the instruction set
Yeah, that is the key.

At the moment I don't have time to write a longer discussion, so for now I'll repost what I wrote in another thread. We'll see which of those new threads will get most intelligent discussion.

As a miner, this frightens me because when this era of "flexible ASICs" arrive, GPU miners will definitely be obsolete. Add this to the threat of Ethereum going POS, it seems like the odds are stacked against us regular home-based miners. This might be a signal that now is a good time to liquidate mining rig assets and just directly invest in coins.
The thing is that it is relatively easy to write hash functions that are very ASIC-proof or FPGA-proof.

Bytom folks are a good example. Their goal was not to be general-ASIC-proof but to make sure that the ASIC that is fast at implementing their hash is their ASIC. So they wrote a hash function that uses lots of floating point calculations exactly in the way that their AI-oriented ASIC does. The hard part of understanding Bytom's "Tensority" algorithm is finding exact information about the actual ASIC chips that are efficient at doing those calculations.

But the general idea is very simple: if you don't want your XYZ devices to become, play to their strengths in designing the hash function.

For XYZ==GPU start with GPUs' strengths. I haven't studied the recent GPU universal shader architecture, but the main idea was to optimize particular floating point computation used in 3D graphics using homogeneous coordinates, like AX=Y, where A is a 4*4 matrix and X is a 4*1 vector <x,y,z,w> where w==1. So include lots of those in your hash function. In particular GPUs are especially fast when using FP16, a half-precision floating point.

For XYZ==CPU made by Intel/AMD using x86 architecture, again start with their strengths. They have unique FPU unit with unique 10-byte floating point format and unique 8-byte BCD decimal integer format. Additionally they have dedicated hardware to compute various transcendental functions. So use a lot of those doing chaotic irreducible calculations like https://en.wikipedia.org/wiki/Logistic_map or https://en.wikipedia.org/wiki/Lorenz_system . Of course one could write an emulation of those formats using quad-precision floating point (pairs of double-precision floats), but it will take many months.

During those months you have additional time to research more strengths of your GPUs or CPUs. Use them in a hard-fork to assure that the preferred vendor of your mining hardware continues to be Intel/AMD/Nvidia.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: Carlton Banks on May 14, 2018, 09:30:38 PM
a non-trivial portion of the more complex parts of the instruction set
Yeah, that is the key.

At the moment I don't have time to write a longer discussion, so for now I'll repost what I wrote in another thread. We'll see which of those new threads will get most intelligent discussion.

As a miner, this frightens me because when this era of "flexible ASICs" arrive, GPU miners will definitely be obsolete. Add this to the threat of Ethereum going POS, it seems like the odds are stacked against us regular home-based miners. This might be a signal that now is a good time to liquidate mining rig assets and just directly invest in coins.

But the general idea is very simple: if you don't want your XYZ devices to become, play to their strengths in designing the hash function.

Would it be worth pursuing the obverse strategy also, i.e. try to target the weaknesses of ASICs when designing the hash algorithm?


An idea I've been fond of in the past is using a series of hash algos drawn randomly from a set, with the series also changing size randomly within a range, and a random interval between changes in the composition and size of the series (credit to Meni Rosenfeld for that idea).

But could there be other techniques to use the same strategy? Could a hash be written such that the potential for physical flaws in an attempted ASIC chip die would undermine the manufacturing yield, e.g. force chip designers to make individual chips that would need to be >30 cm2?
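The idea floated in this post, a series of hash algorithms drawn from a set, with the series length and the interval between re-draws also chosen from a range, can be made concrete with a small schedule-and-chain toy. This is an added example, not code from any post in this thread and not any altcoin's actual algorithm; the pool of functions, the length range 4..16 and the epoch range 10..50 blocks are constructed assumptions, and the block hashes it walks are generated inline.

```python
"""Toy 'random series of hashes' proof of work (added example, constructed).

A public block hash seeds both the series in force and how many blocks it stays
in force, so the schedule is fully determined by chain data that every
participant, hardware designers included, can compute in advance.
"""
import hashlib

# Constructed pool; a nibble of the anchor hash selects a member by index.
HASH_POOL = [
    hashlib.sha256, hashlib.sha512, hashlib.sha3_256, hashlib.sha3_512,
    hashlib.blake2b, hashlib.blake2s, hashlib.sha224, hashlib.sha384,
]
MIN_LEN, MAX_LEN = 4, 16        # series length drawn from this range (assumption)
MIN_EPOCH, MAX_EPOCH = 10, 50   # blocks between re-draws, drawn likewise (assumption)


def series_from_hash(anchor: bytes):
    """Series length from the first byte, then one pool member per following nibble."""
    length = MIN_LEN + anchor[0] % (MAX_LEN - MIN_LEN + 1)
    nibbles = [n for b in anchor[1:] for n in (b >> 4, b & 0xF)]
    return [HASH_POOL[n % len(HASH_POOL)] for n in nibbles[:length]]


def epoch_length_from_hash(anchor: bytes) -> int:
    """How many blocks the series derived from `anchor` stays in force."""
    return MIN_EPOCH + anchor[-1] % (MAX_EPOCH - MIN_EPOCH + 1)


def chain_digest(data: bytes, series) -> bytes:
    """Apply the series in order, feeding each digest into the next function."""
    for fn in series:
        data = fn(data).digest()
    return data


def pow_hash(header: bytes, nonce: int, series) -> bytes:
    """Fixed-width PoW output: the chained digest, then SHA-256 to normalise width."""
    payload = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(chain_digest(payload, series)).digest()


def schedule(block_hashes):
    """Return, per height, the series in force; a new series and epoch length are
    drawn from the hash of the block that closes the previous epoch."""
    plan = []
    anchor = block_hashes[0]
    series = series_from_hash(anchor)
    change_at = epoch_length_from_hash(anchor)
    for height, h in enumerate(block_hashes):
        if height == change_at:
            series = series_from_hash(h)
            change_at = height + epoch_length_from_hash(h)
        plan.append(series)
    return plan


def mine(header: bytes, series, leading_zero_bits: int = 8, max_nonce: int = 200000):
    """Search nonces until the PoW hash has the required leading zero bits."""
    limit = 1 << (256 - leading_zero_bits)
    for nonce in range(max_nonce):
        if int.from_bytes(pow_hash(header, nonce, series), "big") < limit:
            return nonce
    return None


if __name__ == "__main__":
    # Constructed chain: block hashes are just sha256 of the height.
    hashes = [chain_digest(i.to_bytes(4, "little"), [hashlib.sha256]) for i in range(60)]
    for height, series in enumerate(schedule(hashes)):
        if height == 0 or series is not schedule(hashes)[height - 1]:
            print(height, [fn.__name__ for fn in series])
    print("nonce:", mine(b"constructed header", series_from_hash(hashes[0])))
```

Reading the schedule function is the quickest way to see the objection raised in the next reply: the re-draw is a pure function of a hash that has already been published, so nothing about the sequence is secret from whoever is configuring a reconfigurable chip.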


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: 2112 on May 14, 2018, 10:41:49 PM
Would it be worth pursuing the obverse strategy also, i.e. try to target the weaknesses of ASICs when designing the hash algorithm?
That approach in reality becomes: play to the weaknesses of the education of the cryptocoin developers. The sad reality is that nowadays most of the computer science graduates have no idea about logic design and architecture beyond the ubiquitous https://en.wikipedia.org/wiki/Von_Neumann_architecture from 1945. Moreover, after learning what the typical fixed-program ASIC does they are still mentally stuck in the next decade: https://en.wikipedia.org/wiki/Mealy_machine (1955) https://en.wikipedia.org/wiki/Moore_machine (1956).

You really should read the other referenced threads, e.g. "ASICs mining game"

https://bitcointalk.org/index.php?topic=3788591.0

and the referenced external post https://blog.sia.tech/the-state-of-cryptocurrency-mining-538004a37f9b :

Quote from: David Vorrick
The vast majority of ASIC-resistant algorithms were designed by software engineers making assumptions about the limitations of custom hardware. These assumptions tend to be incorrect.
An idea I've been fond of in the past is using a series of hash algos drawn randomly from a set, with the series also changing size randomly within a range, and a random interval between changes in the composition and size of the series (credit to Meni Rosenfeld for that idea).
If Meni really proposed this then this is just a proof that he would have flunked the basic logic design course using an FPGA as a teaching aid. It is now being actively demolished in the other thread https://bitcointalk.org/index.php?topic=3459858.0 , profitable even when paying outrageous charges for the Amazon's EC2 F1 instances ($1.65 $0.495 per Hour) . That idea is now implemented by altcoins using x16r, x16s and similar algorithms.
But could there be other techniques to use the same strategy? Could a hash be written such that the potential for physical flaws in an attempted ASIC chip die would undermine the manufacturing yield, e.g. force chip designers to make individual chips that would need to be >30 cm2?
You were educated in the humanities, weren't you? Try finding the essay from Bruce Schneier where he explains why, in order to design a strong cipher, one does need experience in cipher-breaking. It is not enough to simply pile on the complexity. In my experience his argumentation was convincing to people with an education in the humanities.

Edit: corrected the Amazon's pricing point for F1.
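The "series of hash algos drawn from a set" scheme quoted above, as an added example that is not code from the thread, from Meni Rosenfeld, or from any x16r coin: a toy in which the order of 16 hash stages is read off the last 16 nibbles of the previous block hash, the way x16r chooses its order. The 16-function set (built from hashlib for portability), the final SHA-256 normalisation and the header/nonce byte layout are assumptions. The point the post makes is visible in `schedule()`: the whole pipeline order is public before mining starts and fixed for the block, so a miner sees a per-block configuration rather than a moving target.

```python
"""Toy 'hash chain selected by the previous block hash' proof-of-work.

Added example in the style of x16r; it is not code from the thread, from
Meni Rosenfeld, or from any coin.  Assumptions: the 16-function set below
(built from hashlib for portability), the final SHA-256 normalisation, and
the header/nonce byte layout.
"""
import hashlib
import struct


def _named(name):
    # A stage built from one of hashlib's guaranteed algorithms.
    return lambda data: hashlib.new(name, data).digest()


def _keyed(key):
    # Extra stages: keyed BLAKE2b variants, so that 16 distinct stages exist.
    return lambda data: hashlib.blake2b(data, key=key, digest_size=32).digest()


# Constructed 16-entry set of stage functions, indexed by a hex nibble 0..15.
ALGOS = [_named(n) for n in (
    "sha224", "sha256", "sha384", "sha512",
    "sha3_224", "sha3_256", "sha3_384", "sha3_512",
    "blake2b", "blake2s",
)] + [_keyed(bytes([k])) for k in range(6)]


def schedule(prev_hash: bytes) -> list:
    """Stage order for the next block: the last 16 nibbles of the previous
    block hash, one nibble per stage.  Public and fixed before mining starts."""
    return [int(c, 16) for c in prev_hash.hex()[-16:]]


def chained_hash(prev_hash: bytes, header: bytes, nonce: int) -> bytes:
    """Run header||nonce through the 16 stages chosen by schedule()."""
    data = header + struct.pack("<Q", nonce)
    for idx in schedule(prev_hash):
        data = ALGOS[idx](data)           # output of one stage feeds the next
    return hashlib.sha256(data).digest()  # normalise to 32 bytes (assumption)


def meets_target(digest: bytes, bits: int) -> bool:
    """True when the digest has at least `bits` leading zero bits."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mine(prev_hash: bytes, header: bytes, bits: int, max_nonce: int = 1 << 20):
    """Search nonces until a digest meets the target; None if none is found."""
    for nonce in range(max_nonce):
        digest = chained_hash(prev_hash, header, nonce)
        if meets_target(digest, bits):
            return nonce, digest
    return None


if __name__ == "__main__":
    # Constructed previous block hash whose tail spells out stages 0..15 in order.
    prev = bytes.fromhex("00" * 24 + "0123456789abcdef")
    print("stage order:", schedule(prev))
    print("found:", mine(prev, b"constructed-header", bits=8))
```

Because every stage function is known and the order is decided by public chain data, the only per-block unknown is the nonce; nothing in the construction forces general-purpose hardware to be used for any stage.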


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: DooMAD on May 15, 2018, 11:21:19 AM
and the referenced external post https://blog.sia.tech/the-state-of-cryptocurrency-mining-538004a37f9b

Fascinating read.  Seems there's even more nuance and intrigue than most people realise.  The takeaway is that if general purpose hardware can do it, custom hardware can do it faster.  So adding more complexity or a larger number of randomly drawn algorithms isn't going to help:

Quote from: David Vorrick
At the end of the day, you will always be able to create custom hardware that can outperform general purpose hardware. I can’t stress enough that everyone I’ve talked to in favor of ASIC resistance has consistently and substantially underestimated the flexibility that hardware engineers have to design around specific problems, even under a constrained budget. For any algorithm, there will always be a path that custom hardware engineers can take to beat out general purpose hardware. It’s a fundamental limitation of general purpose hardware.

So, in effect, we should take the opposite approach and lower the bar, not raise it.  If ASICs are inevitable, they should be as widely available as possible.  Make it easier for a greater number of manufacturers to create ASICs, not harder. 

That's the argument most Libertarians take when it comes to firearms, isn't it?  Everyone should have one so that no one can take advantage?  It's not an argument I agree with when it comes to guns, but I think it fits nicely here.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: 2112 on May 16, 2018, 09:15:20 PM
So, in effect, we should take the opposite approach and lower the bar, not raise it.  If ASICs are inevitable, they should be as widely available as possible.
That is the general idea. Some have already been arguing that common CPUs and GPUs are ASICs, where the Specific Application that they are optimized for is the well known von Neumann architecture or the 3D visualization pipeline. So the ball is on the software engineers' side and they need to find how to fully utilize the strength of the devices that everyone and their dog already have.
Make it easier for a greater number of manufacturers to create ASICs, not harder. 
I would reword it to the effect that we don't really need many manufacturers, we need many alternative uses and prospective users for the hardware used for mining.

The software engineers designing PoW algorithms are mostly too focused on how to spoil others' game instead of on how to improve their own game.

Anyway, Bitmain responded to the above article:

https://blog.bitmain.com/en/bitmain-sia-state-cryptocurrency-mining/

which will definitely interest the readers.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 18, 2018, 04:23:47 PM
Would it be worth pursuing the obverse strategy also, i.e. try to target the weaknesses of ASICs when designing the hash algorithm?
That approach in reality becomes: play to the weaknesses of the education of the cryptocoin developers. The sad reality is that nowadays most computer science graduates have no idea about logic design and architecture beyond the ubiquitous https://en.wikipedia.org/wiki/Von_Neumann_architecture from 1945. Moreover, after learning what the typical fixed-program ASIC does, they are still mentally stuck in the next decade: https://en.wikipedia.org/wiki/Mealy_machine (1955) https://en.wikipedia.org/wiki/Moore_machine (1956).

You really should read the other referenced threads, e.g. "ASICs mining game"

https://bitcointalk.org/index.php?topic=3788591.0

and the referenced external post https://blog.sia.tech/the-state-of-cryptocurrency-mining-538004a37f9b :

Sia dev, David Vorick, seems to me just like an ordinary hypocrite, a person who attempted a crack against his own algo, and got bribed to do so, probably. The referenced article is part of his mission and of Bitmain's canonical propaganda these months, discouraging ASIC resistance attempts in the PoW domain.

Monero did it and there is nothing Bitmain can do about it with all the resources and talents accumulated in their corporate. And yet cryptonight 7 was just a minor tweak to the algo made in a rush.

There is no flexible ASIC, it is cheap journalism, there is no bar sliding from 0% flexible ASICs to 100% flexible ones(!), it is just a pile of hype and propaganda invented by Bitmain to sustain its dominance in btc mining and expand it to other coins.

Ethash is a solid ASIC resistant algorithm, as Vorick has admitted in his embarrassing article, and I don't believe Bitmain has been able to do much about it; E3 is an architectural attack that enjoys the chaos in the ram and gpu market nowadays. It is completely possible to have a practically ASIC proof PoW algorithm. Some ideas have been discussed here and there is a lot more to discuss.

Saying that a cpu is an ASIC optimized for the Von-Neumann range of problems, or a gpu for 3D algebra, does not change anything, not even a bit!

Intel, AMD, Nvidia, ... chips are optimized for a very wide range of calculations, wide enough to make them usable for almost any application. An attacker can do whatever s/he wants with a specific application, but when it comes to a complex enough problem, an ASIC resistant PoW algorithm, nobody can go further than a state of the art gpu unless s/he manages to become a competitor (and a winner) in the gpu market as well.



Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: DooMAD on May 18, 2018, 05:40:38 PM
but when it comes to a complex enough problem, an ASIC resistant PoW algorithm, nobody can go further than a state of the art gpu unless s/he manages to become a competitor (and a winner) in gpu market as well.

Nope.  The whole idea is precisely that it won't need to perform in the same way a GPU does, so they don't have to worry about the "very wide range of calculations" a GPU would have to deal with.  That means they can engineer around the problem and focus solely on the calculations they need to worry about to do the "work".  That's why ASICs are faster to mine with than state of the art GPUs.  They are dedicated to one singular purpose.

That's what Vorrick means when he says:
Quote from: David Vorrick
For any algorithm, there will always be a path that custom hardware engineers can take to beat out general purpose hardware. It’s a fundamental limitation of general purpose hardware.

It's like the difference between a high performance, yet road-legal, sports car versus a Formula One / NASCAR / Le Mans car.  The latter ones are generally going to be faster because they're purpose built for racing and never have to worry about traffic calming speed bumps like a normal sports car has to cope with.  However, you can bet that if Formula One / NASCAR / Le Mans changed the rules to say the race courses could have speed bumps, the engineers would immediately plow untold sums of money into developing a car that would still be fast over speed bumps.  Hence, why making PoW more complicated isn't going to slow them down for long.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: cellard on May 18, 2018, 06:03:30 PM
As widely discussed before, it is only a matter of time: ASICs (or just specialized hardware in general) will always arise no matter where you go with the PoW configuration. Just pick any algorithm, and I don't see how these fast as hell machines will not start appearing eventually again, so it's more kicking the can down the road.

I still see the "random PoW change lottery" approach as the only way to sort of spread around the advantage, so in some cases, some people will have more hashrate, in other cases, others will.

I'm not sure how viable this is and if this would help decentralization in practice. What if someone has a massive advantage in a certain hashing algorithm and we are stuck with someone clearly dominating for a while? They could use that time to perform an attack... one would need to make some sort of simulation model before venturing into such a thing.


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 18, 2018, 09:50:36 PM
but when it comes to a complex enough problem, an ASIC resistant PoW algorithm, nobody can go further than a state of the art gpu unless s/he manages to become a competitor (and a winner) in gpu market as well.

Nope.  The whole idea is precisely that it won't need to perform in the same way a GPU does, so they don't have to worry about the "very wide range of calculations" a GPU would have to deal with.  That means they can engineer around the problem and focus solely on the calculations they need to worry about to do the "work".  That's why ASICs are faster to mine with than state of the art GPUs.  They are dedicated to one singular purpose.

That's what Vorrick means when he says:
Quote from: David Vorrick
For any algorithm, there will always be a path that custom hardware engineers can take to beat out general purpose hardware. It’s a fundamental limitation of general purpose hardware.


Combinational logic design is no magic. For instance, a floating point multiplication operation cannot be optimized by means of a magical specialized circuit better than what a modern cpu/gpu is already optimized for; all that can be cracked by ASICs is the control unit, the ALU is already optimized in cpu/gpu technology.

For the control unit, a memory hard algorithm like Dagger-Hashimoto (Ethash) will force fetch operations to become the bottleneck, and no optimization will help the hypothetical ASIC design go beyond what a modern gpu is capable of.

David Vorick is doing his job as a trojan to convince people about the inevitability of ASICs by naive claims about 'fundamental limitation of general purpose hardware'. I don't take it as a serious technical assertion; instead, imo, it is a weak and ridiculous claim for winning a multi-billion dollar war.

Quote

It's like the difference between a high performance, yet road-legal, sports car versus a Formula One / NASCAR / Le Mans car.  The latter ones are generally going to be faster because they're purpose built for racing and never have to worry about traffic calming speed bumps like a normal sports car has to cope with.  However, you can bet that if Formula One / NASCAR / Le Mans changed the rules to say the race courses could have speed bumps, the engineers would immediately plow untold sums of money into developing a car that would still be fast over speed bumps.  Hence, why making PoW more complicated isn't going to slow them down for long.

Sorry, but you are performing worse than Vorick: using analogy (the worst reasoning technique ever) and playing with common sense (the worst playground ever), you are trying to convince people that PoW is doomed to be cracked by some magicians overseas.
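A toy of the memory-hard loop the post describes, added here as an example that is neither Ethash's code nor the thread author's: a seeded dataset is read at addresses that depend on the result of the previous read, in the Hashimoto style, with cheap FNV-style mixing between reads so that, as the post argues, the dataset fetches rather than the arithmetic dominate the cost. Dataset size (512 KiB), 64 accesses per hash and the FNV constant are assumptions; real Ethash uses a multi-gigabyte DAG regenerated every epoch and different parameters.

```python
"""Toy memory-hard proof-of-work loop in the spirit of Dagger-Hashimoto.

Added example; this is neither Ethash's code nor the thread author's.
Assumptions: a 512 KiB constructed dataset, 64 dependent reads per hash,
FNV-style mixing between reads.  Real Ethash uses a multi-gigabyte DAG
regenerated every epoch and different mixing parameters.
"""
import hashlib
import struct

N_ITEMS = 1 << 14          # 16384 items x 32 bytes = 512 KiB (assumption)
ACCESSES = 64              # dependent reads per hash evaluation (assumption)
FNV_PRIME = 0x01000193


def fnv(a: int, b: int) -> int:
    """Cheap 32-bit FNV-style mix: the ALU work between memory reads."""
    return ((a * FNV_PRIME) ^ b) & 0xFFFFFFFF


def build_dataset(seed: bytes, n_items: int = N_ITEMS) -> list:
    """Pseudo-random dataset that every miner and verifier derives from a public seed."""
    return [hashlib.sha256(seed + struct.pack("<I", i)).digest()
            for i in range(n_items)]


def hashimoto(dataset: list, header: bytes, nonce: int, accesses: int = ACCESSES):
    """Return (digest, trace): the PoW digest and the list of dataset indices read.

    Each index is derived from the running mix, which already incorporates the
    previous read, so the reads are sequentially dependent: the next address is
    unknown until the current fetch completes.  That is what makes memory
    latency and bandwidth, not arithmetic, the bottleneck.
    """
    n = len(dataset)
    seed = hashlib.sha256(header + struct.pack("<Q", nonce)).digest()
    mix = list(struct.unpack("<8I", seed))       # 8 x 32-bit words of state
    trace = []
    for i in range(accesses):
        idx = fnv(i ^ mix[0], mix[i % 8]) % n     # address depends on state
        trace.append(idx)
        item = struct.unpack("<8I", dataset[idx])
        mix = [fnv(m, w) for m, w in zip(mix, item)]
    return hashlib.sha256(struct.pack("<8I", *mix)).digest(), trace


def verify(dataset: list, header: bytes, nonce: int, expected: bytes) -> bool:
    """A verifier needs the same dataset: recompute the digest and compare."""
    digest, _ = hashimoto(dataset, header, nonce)
    return digest == expected


if __name__ == "__main__":
    ds = build_dataset(b"constructed-epoch-seed")
    digest, trace = hashimoto(ds, b"constructed-header", nonce=7)
    print("digest:", digest.hex())
    print("distinct addresses touched:", len(set(trace)), "of", len(trace))
```

The `trace` returned alongside the digest shows the property the post relies on: the addresses are scattered across the whole dataset and each one is only computable after the previous read has returned, so a pipeline cannot issue them in parallel or prefetch them.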


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 18, 2018, 10:06:48 PM
As widely discussed before, it is only a matter of time: ASICs (or just specialized hardware in general) will always arise no matter where you go with the PoW configuration. Just pick any algorithm, and I don't see how these fast as hell machines will not start appearing eventually again, so it's more kicking the can down the road.

{bolded by me}

It is not "only a matter of time" but also a matter of flaw. A well designed algorithm, being significantly memory hard while mostly utilizing the ALU and vectorized calculations, would resist ASIC attacks permanently.

"I don't see" how it is possible to see real machines that can perform extensive multidimensional parallel calculations with a multi gigabyte memory footprint that are cheaper and more efficient than a modern gpu. I have to emphasize, a real machine and not a magical chip made in China!


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 18, 2018, 10:07:46 PM
As widely discussed before, it is only a matter of time: ASICs (or just specialized hardware in general) will always arise no matter where you go with the PoW configuration. Just pick any algorithm, and I don't see how these fast as hell machines will not start appearing eventually again, so it's more kicking the can down the road.

{bolded by me}
It is not "only a matter of time" but also a matter of flaw. A well designed algorithm, being significantly memory hard while mostly utilizing the ALU and vectorized calculations, would resist ASIC attacks permanently.

Just like you, but on the contrary side, "I don't see" how it is possible to see real machines that can perform extensive multidimensional parallel calculations with a multi gigabyte memory footprint that are cheaper and more efficient than a modern gpu. I have to emphasize, a real machine and not a magical chip made in China!


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: DooMAD on May 18, 2018, 10:10:17 PM
Sorry, but you are performing worse than Vorick: using analogy (the worst reasoning technique ever) and playing with common sense (the worst playground ever), you are trying to convince people that PoW is doomed to be cracked by some magicians overseas.

I don't need to convince them of anything.  They can see it happening with their own eyes.  All the reasoning in the world isn't going to change the fact that multiple algorithms now have ASICs designed to mine them.  I'll change my mind when, or if, an algorithm is proven to be uncrackable.  

I also don't understand why you're fixating on the geographical locale.  Would hardware that isn't manufactured overseas be more comforting to you somehow?


For instance, a floating point multiplication operation cannot be optimized by means of a magical specialized circuit better than what a modern cpu/gpu is already optimized for; all that can be cracked by ASICs is the control unit, the ALU is already optimized in cpu/gpu technology.

Cool, so should I expect to see your algorithm being used in loads of major coins soon, then?  Clearly you've got it all figured out.  An entire multi-billion dollar industry is about to be disrupted by your revelatory interpretation.

Y'know, that, or your idea won't amount to anything.  It's bound to be one or the other.   ::)


Title: Re: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant
Post by: aliashraf on May 19, 2018, 05:31:28 AM
Sorry, but you are performing worse than Vorick: using analogy (the worst reasoning technique ever) and playing with common sense (the worst playground ever), you are trying to convince people that PoW is doomed to be cracked by some magicians overseas.

I don't need to convince them of anything.  They can see it happening with their own eyes.  All the reasoning in the world isn't going to change the fact that multiple algorithms now have ASICs designed to mine them.  I'll change my mind when, or if, an algorithm is proven to be uncrackable.  

I also don't understand why you're fixating on the geographical locale.  Would hardware that isn't manufactured overseas be more comforting to you somehow?
Now you are using another worthless technique: induction. It will happen because it has happened before!

First of all, it has not happened yet; actually, after years of investment, the most important gpu mining algorithm, Ethash, has not been cracked by ASIC (Bitmain's E3 is not an ASIC, as I have mentioned earlier) and Monero has managed to mitigate the attack in a few days. We will see how easily Z9s will become obsolete similarly.

Quote

For instance, a floating point multiplication operation cannot be optimized by means of a magical specialized circuit better than what a modern cpu/gpu is already optimized for; all that can be cracked by ASICs is the control unit, the ALU is already optimized in cpu/gpu technology.

Cool, so should I expect to see your algorithm being used in loads of major coins soon, then?  Clearly you've got it all figured out.  An entire multi-billion dollar industry is about to be disrupted by your revelatory interpretation.

Y'know, that, or your idea won't amount to anything.  It's bound to be one or the other.   ::)

Of course I have good proposals for this problem and I will announce them whenever I find it useful, and yes, I'm 'nothing' compared to Jihan and his army of engineers and propaganda agents ;), but guess what? I'm winning this war because the gpu mining industry is far bigger than Jihan's Bitmain and they will support me and guys like me eventually.