(erroneously posted to Marketplace yesterday)

Since mid-2014,
  https://github.com/tromp/cuckoo
has offered bounties for disproving that Cuckoo Cycle,
myProof-of-Work that spends most time on memory latency,
- has an optimal reference miner
- has no feasible memory-time trade-off
- offers no advantage for GPUs

These bounties are set to expire at the end of this year,
so get coding for a modest Xmas bonus!

Since mid-2014,
  https://github.com/tromp/cuckoo
has offered bounties for disproving that Cuckoo Cycle,
my Proof-of-Work that spends most time on memory latency,
- has an optimal reference miner
- has no feasible memory-time trade-off
- offers no advantage for GPUs

These bounties are set to expire at the end of this year,
so get coding for a modest Xmas bonus!

This is about the graph theoretic proof-of-work algorithm that I originally proposed in January and which is still not in use in any crypto-currency. Please see

https://bitcointalk.org/index.php?topic=707879.0

for an introduction to Cuckoo Cycle and the bounties I am offering to support its claims of optimality, memory-hardness, and GPU resistance.

[Speedup Bounty]

Cuckoo Cycle is the first graph-theoretic proof-of-work.

Proofs take the form of a length 42-cycle in a bipartite graph
with N nodes and N/2 edges, with N scalable from millions to billions and beyond.
This makes verification trivial: compute the 42*2 edge endpoints
with one initialising sha256 and 84 siphash24 computations, check that
each endpoint occurs twice, and that you come back to the
starting point only after traversing 42 edges.
A final sha256 can check whether the 42-cycle meets a difficulty target.

With siphash24 being a very lightweight hash function, this makes for
practically instant verification.

This is implemented in just 157 lines of C code (files cuckoo.h and cuckoo.c) at
https://github.com/tromp/cuckoo, where you can also find a whitepaper.

From this point of view, Cuckoo Cycle is a rather simple PoW.

Finding a 42-cycle, on the other hand, is far from trivial,
requiring considerable resources, and some luck
(for a given header, the odds of its graph having a 42-cycle are about 2.5%).

The algorithm implemented in cuckoo_miner.h runs in time linear in N.
(Note that running in sub-linear time is out of the question, as you could
only compute a fraction of all edges, and the odds of all 42 edges of a cycle
occurring in this fraction are astronomically small).
Memory-wise, it uses N/2 bits to maintain a subset of all edges (potential cycle edges)
and N additional bits (or N/2^k bits with corresponding slowdown)
to trim the subset in a series of edge trimming rounds.
Once the subset is small enough, an algorithm inspired by Cuckoo Hashing
is used to recognise all cycles, and recover those of the right length.

I'd like to claim that this implementation is a reasonably optimal Cuckoo miner,
and that trading off memory for running time, as implemented in tomato_miner.h,
incurs at least one order of magnitude extra slowdown.
I'd further like to claim that GPUs cannot achieve speed parity with server CPUs.

To that end, I offer the following bounties:

Speedup Bounty:

$500 for an open source implementation that finds 42-cycles twice as fast (disregarding memory use).

Linear Time-Memory Trade-Off Bounty:

$500 for an open source implementation that uses at most N/k bits while running up to 15*k times slower, for any k>=2.

Both of these bounties require N ranging over {2^28,2^30,2^32} and #threads ranging over {1,2,4,8},
and further assume a high-end Intel Core i7 or Xeon and recent gcc compiler with regular flags as in my Makefile.

GPU Speed Parity Bounty:

$1000 for an open source implementation for an AMD R9 280X or nVidia GeForce GTX 770 (or similar high-end GPU)
that is as fast as a high-end Intel Xeon running 16 threads. Again with N ranging over {2^28,2^30,2^32}.

Note that there is already a cuda_miner.cu, my attempted port of the edge trimming part
of cuckoo_miner.c to CUDA, but while it seems to run ok for medium graph sizes,
it crashes my computer at larger sizes, and I haven't had the chance to debug the issue yet
(I prefer to let my computer work on solving 8x8 connect-4:-)
Anyway, this could make a good starting point.

These bounties are to expire at the end of this year. They are admittedly modest in size, but then
claiming them might only require one or two insightful tweaks to my existing implementations.

I invite anyone who'd like to see my claims refuted to extend any of these bounties
with amounts of your crypto-currency of choice.

(I don't have any crypto-currencies to offer myself, but if need be, I might be able to convert
a bounty through a trusted 3rd party)

Happy bounty hunting!

-John

Please have a look!

I'd like to start a little experiment with a blockchain of posts, embedded right into this forum.

Each successive post must start by quoting the last line of the previous post, and end with a proof of work based off that post.
Specifically, it must be a cuckoo32 proof for a header consisting of the quote tag followed by the author name, followed by any nonce.
To generate the last line of this post, I ran

Code:

> git clone git://github.com/tromp/cuckoo.git
> make cuckoo32
> HEADER="[quote author=tromp link=topic=405483.msg4392708#msg4392708 date=1389205766]"
> for i in {0..99}; do ./cuckoo32 -t 4 -h "$HEADER tromp $i"; done

and waited for a 42-cycle to be found. Since the probability of a 42-cycle is about 2.2%, it should take on average 45 runs to find one.

Curiously, I found one after *exactly* 45 tries, as you can see in the transcript at the bottom, which ends this post with the required proof.
As there was no previous post in this thread, I instead quoted my original announcement of Cuckoo Cycle from Jan 8.

cuckoo32 requires 768MB of memory. You can reduce this to 512MB by running cuckoo32.1 which will take about 50% longer,
or to 384MB by running cuckoo32.2, which is much slower still. The load shows how densely loaded the hash table datastructure
will be that's used in the final phase to actually find the cycles.
This has to drop below 100% for the hash table to work (it actually requires load <90%).

The proof can be verified with

Code:

> make verify32
> ./verify32 -h "[quote author=tromp link=topic=405483.msg4392708#msg4392708 date=1389205766] tromp 45"

and feeding the solution line on standard input. This should output:

Code:

Verifying size 42 proof for cuckoo32("[quote author=tromp link=topic=405483.msg4392708#msg4392708 date=1389205766] tromp 45") with 50% edges
Solution 91353d 7044ed7 eab3c18 11cc7bd5 11dbab29 155aeb72 171fafe9 18423605 1d18e11b 1f498480 209c0518 242e865a 2dda66a3 312e6228 31dbee8c 3585254e 35dc6d39 3f2eaa8b 40a25d6c 43d2b2ab 464b2c17 48ea7ef3 4bce1ea9 4dc4d7e6 546b3e05 55f4daa3 5937c994 66961386 675c49a8 67933a95 6b4fd632 72da1d3b 74b57814 76032cbd 774cacdd 79eb4cf1 7b20cfa7 7b8f8a15 7de1f1f1 7f6b78ef 7f7cc3ef 7fbd9ecb
Verified with cyclehash 13d4d71265d1bd8f6a75c90e5ae3759086ee3d742dd9405aac9b4519fee56db1

This post will serve as the genesis "block". Non-conforming posts risk being deleted.

Happy mining!

(I'm afraid there's no reward for "mining" new posts, just bragging right for being in a post blockchain)





...
Looking for 42-cycle on cuckoo32("[ quote author=tromp link=topic=405483.msg4392708#msg4392708 date=1389205766] tromp 45") with 50% edges, 8 trims, 3 threads
Using 256MB edge and 512MB node memory.
initial load 3200%
1 trims: load 947%
2 trims: load 373%
3 trims: load 201%
4 trims: load 126%
5 trims: load 87%
6 trims: load 63%
7 trims: load 48%
8 trims: load 38%
  16-cycle found at 2:99%
 218-cycle found at 0:99%
 452-cycle found at 1:99%
  42-cycle found at 0:99%
  80-cycle found at 1:99%
 3094-cycle found at 0:99%
Solution 91353d 7044ed7 eab3c18 11cc7bd5 11dbab29 155aeb72 171fafe9 18423605 1d18e11b 1f498480 209c0518 242e865a 2dda66a3 312e6228 31dbee8c 3585254e 35dc6d39 3f2eaa8b 40a25d6c 43d2b2ab 464b2c17 48ea7ef3 4bce1ea9 4dc4d7e6 546b3e05 55f4daa3 5937c994 66961386 675c49a8 67933a95 6b4fd632 72da1d3b 74b57814 76032cbd 774cacdd 79eb4cf1 7b20cfa7 7b8f8a15 7de1f1f1 7f6b78ef 7f7cc3ef 7fbd9ecb

http://www.computerworld.com.au/article/542273/asic_examines_pause_tackle_hft_report/

Sorry, I couldn't resist :-)

Or in other words, how to make botnet operators vastly prefer other coins over yours?
I can think of 4 ways.

1) make your coin worthless.
    duh!

2) make your pow so highly parallelizable that an average CPU is 100x slower than a GPU

3) make your pow require so much memory that it typically won't fit in memory
    (in other words, limit it to high-end desktops, servers and "big" GPUs)

4) make your pow so hard that solving a single instance on an average CPU
    takes more time than the block interval.
    (limit it to many-core CPUs and GPUs, but unlike in 2) they need only be 10x faster)

Feel free to add to the list if I missed some...

The beefiest GPU card only has 6GB of memory.
Your typical botnet computer has less than 4GB of free memory.

A proof-of-work that requires more than 6GB of memory is
automatically gpu-proof and botnet-resistant.

Strangely, no coin has adopted such a proof-of-work...

I'm trying to determine how parallelizable my Cuckoo Cycle proof-of-work is. See this thread for details if you have access to a computer with more than 32 threads:

https://bitcointalk.org/index.php?topic=485170.0

As developer of the Cuckoo Cycle proof of work, I'm trying to determine the maximum number of threads that can effectively work together on a single problem instance.

The largest machine I have access to has 32 threads (dual 8 core hyperthreaded) which yield a speedup of 16.7 over single-threaded runs. I'm very curious to know how many threads it takes to saturate the memory IO, so that additional threads bring no benefit.

The Makefile provided at https://github.com/tromp/cuckoo contains a basic speedup test
  make speedup.25
that only goes up to 8 threads, using 128MB instances (size 25).

If anyone has access to a Linux machine with more than 32 threads, could you please run a variation of that test with instances of size 28 (using 1GB) and as many threads as your system supports, and post a summary of your results?

For instance, if your system supports up to 60 threads, and you only want to try a subset of thread counts, you could do

for i in 1 2 8 16 32 48 52 56 60; do echo $i; cc -o cuckoo.spd -DNTHREADS=$i -DSIZEMULT=1 -DSIZESHIFT=28 cuckoo.c -O3 -std=c99 -Wall -Wno-deprecated-declarations -pthread -l crypto; time for j in {0..9}; do ./cuckoo.spd $j; done; done

Each single threaded run at size 28 takes about half a minute, so the entire test above should take under 15 minutes.

Any help is appreciated!

Mining is generally considered to be inherently power hungry but it need not be.
It’s a consequence of making the proof of work computationally intensive.
If computation is minimized in favor of random access to gigabytes of memory
(incurring long latencies), then mining will require large investments in RAM
but relatively little power.

Bitcoin mining is all computation and no memory.

Litecoin mining requires 128KB of memory per scrypt instance but only 1024
random accesses, with negligable latency.

Primecoin mining has a sieving and a modular exponentiation component, the latter of
which is pure computation, while the former requires a few megabytes of memory
(with non-random access).

Protoshares mining with Momentum requires 512MB but performs at least one complex SHA512
computation for each memory access, with a choice of algorithms some of which avoid random access.

The memory requirements above are not absolute but allow a trade-off between time and memory.

Guess which proof-of-work system achieves the following:

1) it performs only one very cheap hash computation for several random accesses to memory,

2) its memory requirement can be set arbitrarily and doesn't allow for any time-memory trade-off.

3) verification of the proof of work is instant

Runtime is completely dominated by memory latency. It promotes the use
of commodity general-purpose hardware over custom designed single-purpose hardware,
making mining more sustainable.

(re-announcing since paper has been substantially improved, and the implementation changed hash function)

Cuckoo Cycle is the first proof of work that does little computation but lots of random accesses to RAM,
making it both CPU and power friendly.

Proofs, of size 42*4=168 byes, are trivially verifiable, using only 1/3 KB.

It can be made to require any desired amount of RAM, e.g. 4GB, which is 32x more than what fits on an ASIC,
and which will send nearly all botnet computers into swap-hell, alerting their owners.

A whitepaper and implementation is available at https://github.com/tromp/cuckoo

I finished designing and implementing a new memory-hard proof-of-work system
based on Cuckoo Hashtables.

A preliminary version of the whitepaper is available online at
https://github.com/tromp/cuckoo/blob/master/cuckoo.pdf

Please have a look!

I'm interested in alternatives to bitcoin's ASIC-friendly proof-of-work (pow).

A memory-hard pow offers two main advantages:
1) reduce energy waste
2) shift the mining balance back from ASIC-farms to desktops,
    allowing many more people fair odds in the mining lottery

scrypt was developed with memory-hardness in mind, but turned out only
very mildly successful in that regard.

More recently, Invictus Innovations proposed the Momentum pow
with the exact same goals in mind, but that turns out to allow a memory-time trade-off
as well; see the discussion at
https://bitsharestalk.org/index.php?PHPSESSID=8cf66a1c5dbb5822f255c4a37bb0e8f4&topic=22.60

The ideal pow function would require a certain amount of memory (several GB) with no
reasonable memory-time trade-off; in other words it should become grossly inefficient
with, say, only half that minimum amount of memory.

Has there been any other research done in this area?
Have any other pow schemes been proposed with memory-hardness in mind?

I have some ideas that I'm considering putting in a whitepaper,
but I'd like to make sure I'm aware of all previously published efforts.

regards,
-John