defending ahead the p2p nature of bitcoin - blending hashcash & scrypt

[adam3us]

I presume most share the view that "me too" forks of bitcoin that
tweak parameters are a bad thing and should be ignored.  However I
think litecoin is the exception, because even though I am the inventor
of hashcash (the bitcoin mining function - yes I contributed to the
40MW and growing environmental crime;) - even with that personal
interest/attachment I think the scrypto mining function used by litecoin
has advantages and should be partially merged, and I'll tell you how
why I think this, and how I think it would best be done.

The reason is litecoin is ASIC unfriendly, so that moore's law chasing
generic CPUs and GPUs will track closer to what is achievable with
custom ASICs because of the intentional memory footprint.  Ok everyone
know how litecoin works, my point is meta, coming next: when the ASIC
wall hits (if butterfly ever ships) its probably going to put the GPU
miners out of business.

I think that is a bad thing for a few reasons: GPU mining is fun, it
adds the visceral gold-like aspect for users, and its inclusive, and
p2p friendly.  ASIC mining is exclusive, not in principle - nice ASIC
PCI cards and USB boxes could be built in $100, $200, $500, $1000
increments etc - but in practice because anyone with skills to make
cards has an obvious incentive to mine them themselves rather than
sell them.

(I just placed my own butterfly order + a two 5GH baby ones for my
teenage sons, one of who is enjoying GPU mining

Now the concern is longer term.  Imagine its 3-5 years down the road.
Rows of data center racks lined with blades chock full of 14nm
hashcash mining cores.  A danger I see is that manufacturers have an
interest to hoard as long as bitcoin price supports a high profit with
next gen hardware compared to what is available to others.  So the big
boys (and I mean financial houses, venture capitalists, kind of level)
will be best placed to be able to buy their way into the line at TMSC,
front millions in design, pre-order fees, circuit board design.  The
risk is p2p miners arent going to be able to get access to equipment
that can financially compete with this equipment.  Butterfly seems like
a small player - maybe they'll ship.  But what can be done with the
above scale could eclipse their power and efficiency, probably in the
same way ASIC outclasses GPUs and I can see market reasons why
you or I wont be able to buy them.

Now some people might think so what - all's fair in a moore's law arms
race - thats part of the design.  And to some extent thats right.
Bitcoin could do fine like that, but it wont be a p2p currency any
more, not really.  That's because if all the peers are big stock market
listed companies, with corporate lawyers, very statically and easily
identifiable, they will do whatever governments tell them to do.  And
governments will tell them to convert the network into swift 2.0
including government feeds for analysis (yes bitcoin is public anyway,
but not to your legally required truename etc), and legal requests to
block this and that payment entity change the protocol by fiat etc. to
roll back transactions because of some fraud or dispute unrelated to
bitcoin, to freeze and confiscate bitcoins - we'll be back to square one.

At that point also they'd just as soon stop mining and write contracts
to each other and save the hashcash GWs.  Big companies are largely
scared enough of misbehaving or having their banking or wire transfer
revoked that they're not going to hack a block chain fork or such
tricks.


Now I think one reason you might want to listen to me, some random
crypto-hacker, is I think I've been here before.  I predicted
something similar about CAs a decade or more ago.  I said one should
not trust CAs (I can probably find the post), one should not build
ecosystems that rely on them implicitly - governments will simply get
them to issue fake certs and intercept or manipulate user traffic.
Roll forward 10 years and it eventually slips out that we have CAs on
the down-low selling rogue CA certs, and some pretty questionable
governments operate some CAs.  Mozilla is debating removing another
CA right now for some malfeasance.  (And Iranians and Syrians etc
critical of their government etc are being identified, rounded up tortured
and murdered with using the info).  Well and western companies with
government blessing or turning a blind eye are making and selling
them the equipment to do it with, and doing backroom deals with
the same dictators in the name of strategic influence


Anyway hopefully you see my point - you do want bitcoin to remain p2p
or there is a risk if too large entities evolve, of that destroying
the p2p nature, and essentially removing the need for or value of
distributed time-stamping using hashcash.

Secondly the p2p miners and users "own" and are the network.  We
should protect their interests.  Keep them interested in bitcoin via
the fun of mining.  Maybe you could do that via easy access to
competitive ASIC and above hardware built with kickstarter or open
source hardware or small companies like butterfly.  But I'm not
confident.  Or if I had influence I'd encourage implementing a backup
plan ready to roll out.


I suspect the network difficulty might even drop facing a wall of
ASICs over the next year or so if GPU mining goes the way of CPU
mining.  I say that because even though the ASICs might get 100x more
MH, they may drive out 1000 GPUs each, and then the ASICs get to
profit even more (they own a bigger than anticipated slice if
difficulty falls).  Doesnt affect bitcoin price necessarily, but
different people will be getting the mining rewards.


So if you buy any of the above here's how I think it should be done
technically.  Clearly you dont want sudden changes, or it affects
confidence in the definition of bitcoins.  Maybe there are counter
arguments or other approaches.  I understand people are atttached to
the satoshi quo - as it should be sudden changes are bad.  You guys
are now in a EU troika like position you have to be careful what you
do because it can have consequences in the confidence in the BTC.  
Maybe soon even what you say!  So I do respect the no sudden or
unconsidered moves concept.

Well my idea is this aim to get to 50:50 hashcash scrypt (or perhaps
even 66:33 so the hashcash which is potentially more vulnerable to
centralization cant control in the 50% sense of forks
if the corporates decide to fork the chain following a government edict)
hashcash and scrypt are accepted as both equally valid whoever
finds the collision of the required difficulty wins the 10min block.

Phase in, maybe be ready to phase in, but dont even do it until
trouble looms.  Start with 2% scrypt and grow every 2 weeks (same cylce
as difficulty adjustment).  But this is the trick: give hashcash and scrypt
independently calculated difficulties, the market will figure out the
fair value between them.  The custom ASIC filled rackmount corporte
guys at the high end may focus on the ASICs they hve 50% to play with.
Maybe they can help make things fast and reliable with nice servers
and bandwidth.  And everyone else can compete on a level field with
scrypt.  Now the corporate guys can get into scrypt also, but the harware
they buy is the same basic class as you or I can buy - Intel CPUs,
GPUs etc with the same power efficiency.

(A more detailed comment one may want to allow the scrypt size
parameter to be network dynamic like difficulty because if a CPU
starts to be common (or is developed custom for mining) with L3
cache larger than the avarage systems minimum assumable main
memory you have a big problem as memory bound computational puzzles like
Moderately Hard Memory Bound functions 2003 (of which scrypt
is an improved derivative)
http://research.microsoft.com/pubs/54395/memory-longer-acm.pdf
are sensitive to too much ultra fast ram.  On the plus side the argument
is in general that variation in ram speed is less than variation in core
speed between mid and top range.)

You could consider it a BTC/LTC alloy so I guess I am arguing for a
gold-silver alloy coin.  (Or the BTC shiny coin logo always seem to
be 2 tone anyway already?)  A negative version of that could be call
of currency dilution, however I argue its not because it doesnt create
any new coins, just levels the playing field to lower hardware while
no one gets any particular advantage.

(Midly disgruntled after just having escaped the ignominy of being in
the newbie trap:).  But dont be gentle - bring on he nay saying - Ive
been through USENET flame wars of the early 90s - bring it on.

(My ignominy post towards my 5 to get out of newbie trap!
https://bitcointalk.org/index.php?topic=15672.msg1873483#msg1873483 )

Adam

ps Its kind of ironic - I got emails from Satoshi in 2008/2009 about
hashcash & inviting comments on his paper, and to try the alpha
software; the irony that I invented the hashcash function all the
CPU/GPU and ASIC miners are burning 40MW on and yet I dont own (nor
ever have) a single bitcoin.  What a foolish person Surely I
should've tried it out mining at the beginning like Hal Finney did.
Well I'm going to fix that via mtgox & an asic miner but there's no
way I'm going to get to Satoshi's $100m genesis hoard level as a late
late player

[1713440859]

1713440859

[1713440859]

1713440859

[1713440859]

1713440859

[gollum]

if all the peers are big stock market
listed companies, with corporate lawyers, very statically and easily
identifiable, they will do whatever governments tell them to do.  And
governments will tell them to convert the network into swift 2.0

That would kill the whole idea of bitcoin if a few corporations would own all mining. Do you think scrypt is a long term solution or only a temporary defence in the never ending battle against moores law & specialized hardware?

[amincd]

ASIC mining is exclusive, not in principle - nice ASIC
PCI cards and USB boxes could be built in $100, $200, $500, $1000
increments etc - but in practice because anyone with skills to make
cards has an obvious incentive to mine them themselves rather than
sell them.

First of all, welcome to bitcointalk.org!

Are we sure that there won't be any ASIC manufacturers that will sell them? All it takes is one volume manufacturer to make ASICs available to the masses.

Also, won't sCrypt eventually be dominated by specialized mining rigs any way? There are already FPGAs being developed for it, and if hashing sCrypt continues growing as a business, I think it's only a matter of time before specialized hardware is designed for it and GPU mining becomes out of reach.

[gmaxwell]

I think that is a bad thing for a few reasons: GPU mining is fun, it
adds the visceral gold-like aspect for users, and its inclusive, and
p2p friendly.

I wish this were true, but the feedback I've seen constantly is that many people are insulted and angered by the small amounts they get from a single small mining setup, even some who were told what to expect going into it... even when the amounts they get will actually become non-trivial when accumulated over weeks of 24/7 mining.

There are people who find it fun, but it's certainly not everyone.

Humans are a funny breed. They seem to be demotivated by the fact that someone else is making 100x more even when that person has >100x more operating costs!

ASIC mining is exclusive, not in principle - nice ASIC
PCI cards and USB boxes could be built in $100, $200, $500, $1000
increments etc - but in practice because anyone with skills to make
cards has an obvious incentive to mine them themselves rather than
sell them.

I'm now not aware of anyone making devices without selling them. (The one party I was aware of was convinced to change their practices— consider, if they don't sell devices their consolidations may threaten the decentralized security assumptions of Bitcoin— even if this doesn't immediacy debase the coins they produce the community may change the PoW and make their hardware worthless, there are some subtle reasons why changing the PoW is more viable than you might guess).

Small devices should be available soon in a number of forms.  The fact that the first major wave of deployments will be large devices also gives some advantage to smaller participants in the long run, since they won't be saddled with big investments in 110nm infrastructure. (Not to mention, that 110nm infrastructure will probably eventually resold to people who can use the waste heat for low prices)

It's my personal hope that the somewhat reduced access to the relevant equipment will be offset from decreased competition by people who are stealing resources to mine and as a result be at least a wash in terms of equality of access.

destroying
the p2p nature, and essentially removing the need for or value of
distributed time-stamping using hashcash.

I am continually very concerned by this, but I don't think the deployment of ASIC is by far the biggest threat to the distributed nature of Bitcoin.  I think the far bigger threats are that almost all mining is done through a few centralized "pools" and that fewer and fewer users run actual network nodes that independently validate the rules of the system— instead using hosted wallets and various kinds of thin clients.   If your highly casual GPU miners are just blindly selling their computing power to a pool, it doesn't contribute much to the distributed nature of the system. (It does make the economy more distributed, but they can do that by buying coins).

I suspect the network difficulty might even drop facing a wall of
ASICs over the next year or so if GPU mining goes the way of CPU
mining

The sales from one hardware vendor alone (avalon) are right now somewhat over 1500 68GH/s units as I understand it, this is enough hash to replace the entire hashrate we had from GPUs and FPGAs in January five times over. The belief is that BFL has sold many more than this.

Well my idea is this aim to get to 50:50 hashcash scrypt

I would expect this to lower costs for an attacker to reorganize the chain to conflict transactions by giving him choice of hardware.

one may want to allow the scrypt size
parameter to be network dynamic like difficulty

This would make _validation_ expensive too. A shame, as the tiny scrypt size in LTC doesn't really achieve memory hardness... and I'd bet that dedicated hardware would get a _larger_ speedup then we get for sha256 because of this.  An interesting question is: how do you create a function which is strongly memory-hard to search but not (/less) memory-hard to validate?

There are other interesting ideas in the space of memory-hardness.  For example, you could define a POW function which is an operation over the spendable transaction index which then proves that miners have high capacity for validating transactions— perhaps better aligning the operating motivates... and eliminating the miners that just blindly sell computing power without having any interest or capacity to participate in the actual validation.   (Using data in a globally known merkle tree is potentially one way to make a asymmetrically memory-hard function)

What a foolish person

Hah. You and a lot of other people, actually. I spent time talking about cryptocurrency things with Hal due to his RPOW system before Bitcoin existed, and "used" bitcoin early on (well, as much as you can use it when almost no one else does!) but didn't bother keeping my wallet. But whatever, Bitcoin is interesting and important regardless of what value people assign the coins and how much you "could have had" but don't.

[adam3us]

Are we sure that there won't be any ASIC manufacturers that will sell them? All it takes is one volume manufacturer to make ASICs available to the masses.

Well my (A-level economics grade;) economics argument is market price is set by supply and demand, the supply and competition is limited and the barrier to entry large, so its a sellers market and so the sellers will either not-sell and mine, or sell at a small margin below utility value so the buyer takes the market risk and the seller takes most of the projected profit.  Ie they'll charge a massive margin, which yes invites competition, but unlike a normal market there is a floor to how much they'll be undercut - the mining value.  The next manufacturer will do the same thing, as they also leverage their barrier overcoming investment, so I dont think the market can fix this.

Maybe bitcoin price volatility helps somewhat while it lasts - big hardware manufacturers maybe dont want penny-stock odds - thats more VC profile - established owners of fabrication plants, chip design houses etc have a business to run, and want to reduce their projected sales volatility.  However I could see bitcoin price volatility reducing as the market matures and derivatives contracts availability appears - and that would elevate the above problem.

So I am (and was from the beginning) concerned there was a risk hashcash could end up stacked in favor of big players because they can pay for the development and contracts etc and mine their own equipment.  And with hardware - hardware hackers can get somewhere, but no where near AMD gpus and Intel cpus - the analog of that level of manufacture and design.  And the AMD & Intels investment level is huge.  I think it comes down to what the price/performance/power graph looks like between generic hardware (GPU), close to current moores' hw limit big funding hardware (VC or existing big co), small biz hardware (butterfly), and hackerspace level hardware hackers can do.  If there is a big discontinuity between hackerspace or kickstarter, the p2p nature of bitcoin may erode in a few years

Maybe bitcoin ought to community use some of that $1bil market cap to do something mega-kickstart.  Maybe there is even a self-interest in that.  If bitcoin loses its p2p nature I expect the currency value to drop.

If I was a hardware guy with like ex-intel chip designer experience - I would go for this right now.  But I know close to zip about ASIC & CPU/GPU design at layout compiler etc level.  A detailed and airtight kickstarter contract could bootstrap availability of close enough to moore's law edge to defend the p2p nature for scalable investments and profitability down to $100 level.  But on the receiving end with those kickstarter projects they look like make-money-fast schemes for the operators of unknown technical skills and execution ability.  Like butterfly but much worse.  You need hardware design credibility, execution ability history, openness and a contract that on independent legal review guarantees community access without the kickstarted employees walking off with 99% of the profit or miners.

(I figured this out the hashcash big player hw design issue in 1997 and had some other candidate cost function ideas re anti-spam - note bitcoin has pushed hashcash harder than spam might have because there is more money and motive involved so the answer may change - for hashcash anti-spam / anti-DoS for anonymous remailers and other anti-DoS applications I took the risk because my estimate was the extreme simplicity, ultra fast and simple and human readable mechanism and 100% distributed and 100% scalability prototcol was just too cool to pass up and the spamming profitability business model has ultra slim margins so even with near universal scale deployment it would be safe from mega investments .  Its not many things that can accurately claim to be 100% distributed and 100% scalable.  Not a coincidence I  was at the time a distributed systems PhD student and crypto fan - distributed systems field studies scalability limits and distributed algorithms.)

Maybe thats what Satoshi's moving on plan is - protect the p2p nature with a hw manufacturing stealth project funded with discretely siphoned post anonymity bug genesis bitcoin hoard.

If there was a way to bootstrap and keep p2p levels of market availability and profitability, you can see the advantages of keeping to the hashcash gold-standard.  It stood 16 years test of time so far cryptographically, and thats worth something, quite a lot of bitcoin's viability is based on that stability.  It also keeps the satoshi-quo, which I like.

Also, won't sCrypt eventually be dominated by specialized mining rigs any way? There are already FPGAs being developed for it, and if hashing sCrypt continues growing as a business, I think it's only a matter of time before specialized hardware is designed for it and GPU mining becomes out of reach.

I agree.  Without being a concrete design, and very much wild-discussion material - maybe a fair cryptographic p2p lottery elected function each epoch chosen at random from a massive function family. 

But its hard to design  a function family where all functions have enough variability to reduce the GPU/ASIC gap, and with hashcash-like properties (fast verification, compact storage, no shortcut).

Btw it would also be desirable to have something generic enough that as the hardware that gets built would if configurable enough (if the function family heads towards general program) it has dual uses.  Ie it IS a next gen GPGPU and that in itself could help accessibility as there is lots of market demand for such things from the scientific community.


Or a 6month design competition with review for security (no hidden trap-doors), fast verification, and then a replacement chosen via fair lottery.  I figure 6months ought to break the ASIC or higher end design cycle for a new function up a bit.


Ps I presume everyone heard of Jakobsson & Juels "Bread Pudding" protocol
http://www.rsa.com/rsalabs/node.asp?id=2049

Trying to get the miners to do useful work.

However absent an efficiently publicly auditable proof-of-work that is fairly tied to the computations of a homomorphic encryption scheme, their proposal as far as I can see not possible to scale with decentralized trust.  (Email me if you understood the import of that last sentence   And I dont like non-decentralized things.

Juels was also the same author that reinvented something hashcash-like but online (Client Puzzles).  (Offline is better as its more private, and publicly auditable, client puzzles are not).  Juels was not aware of hashcash at the time.  I have a link to that one and others on:

http://hashcash.org/papers/

Adam

[passerby]

Well, if you don't mind, I will provide a few comments without specific quotes:

1) I do not think that companies producing good ASICs would be incentivized to mine themselves on a reliable basis.
There is a large number of operational costs (and risks) that are specific to the miner but not to the party producing the specialized equipment, so depending on legal, economic, and geographical circumstances it may - and often does - make business sense to produce the boards without actually using them.

This is true for a wide array of specialized equipment manufacture - and I don't think there are enough reasons to believe it won't be true for bitcoin.

2) Empirical evidence suggests that current (GPU and a bit FPGA) mining of Bitcoin is not decentralized.

While there are indeed a cute "gold rush" and "side-business" aspects to "amateur" GPU mining, nowadays a number of circumstances have forced the supermajority of individual miners into "pools" (as correctly noted above), a few of which are accountable for the absolute majority of hashrate in both BTC and LTC nets.

When you account for pooled mining, ASICS become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

It thus appears to me that, if empirical evidence is to be trusted, ASIC resistance (or lack thereof) will have little to no effect on "decentralization", primarily due to very strong centralization arising  from "pool" infrastructure.

P.S.:
My limited understanding of concepts involved suggests that "poolproof" design is possible, but my limited understanding of miner behavior suggests that it would be woefully unpopular.

P.P.S.:
As far as alt-coins go, I would prefer ppcoin and namecoin over litecoin.

Of course, I have my disagreements with ppcoin design, and namecoin is pretty much dead in the water, but at least those two are trying to significantly innovate, as opposed to doing some very meager PoW-algo jockeying and calling it a day.

[adam3us]

Or a 6month design competition with review for security (no hidden trap-doors), fast verification, and then a replacement chosen via fair lottery.  I figure 6months ought to break the ASIC or higher end design cycle for a new function up a bit.

If it wasnt clear that wild 1997-era hashcash design alternative idea was I meant this design competition would be on ongoing and a candidate picked via fair crypto lottery at each 6month epoch.  ASIC miners have to get fast off the mark or they wont recoup their investment.

A risk you run is its a bit like obfuscated malware C contest but in crypto - if someone manages to slip a backdoored design past the crypto reviewers (which could include the cryptographic community) maybe the designer of a picked design gets a small bitcoin bounty, and more importantly the breaker of a design after the submission cut off gets a bounty also to bring in the best cryptoanalytic minds from the community.

You dont really want any human intervention allowed after the lottery or its arguably destabilizing.

btw a way to think clearly about the economics of $100m+ ASIC investments - say it becomes possible to build economic machines to do alchemy (convert lead or other worthless stuff into gold).  It is actually possible presently and has been demonstrated in particle accelerators and what-not but the cost is phenomenal and they yield low.  Anyway say its possible to build one for $100m, with a yield 1000x what can be done for a $1m investment, and practical but almost zero yield machines are possible to build in your garage or buy - chance do you think you have buying one of those digital alchemy boards?  I didnt think so.

btw2 I like the argument put forward by a presenter in a Matonis + some economist guy discussion that come some unspecified pre-singularity events eg like self-replicated nano-bot gold miners, or genetically engineered algae to filter sea water for gold and dump it in locateable clumps.  Again thats going to be  government research lab or monsanto event not a garage event, and you can bet they will try to hoard the mechanism if the barrier to entry is high and not easily garage reproducible.  And anyway if they're not careful either way the bottom is going to fall out of the physical gold market   At that point its all bits an bitcoin is better than physical gold.  Singularity timeline projections: this century.  Some pre-singluarity events clearly earlier this century than later.

Adam

[/quote]

[passerby]

Well, I don't disagree with the argument that major ASIC-mining players, in all likelihood, will be organizations, not individuals ( I do not necessarily agree that the mining organization and the ASIC manufacturer will be the same person, as such an argument would require one to make prediction regarding future state of a highly unstable market) .

However

a) I think that, even if some "hypothetical situation magic" were to make bitcoin strictly GPU-minable, matters would eventually evolve towards organizations and "mining moguls" hogging majority of raw hash power

b) all organizations and individuals doing mining would  flock into pools irrespective of whether we're talking corp-owned ASIC farms or GPU farms or little Joe's garage mining device.

As long as pools are in the picture, the argument regarding "mining decentralization" will remain rather hollow and pedantic, IMHO.

[CIYAM]

Very nice to see you here (although perhaps you meant 2008-2009 wrt emails from Satoshi) - just as an offside (being someone who has implemented hashcash into a webmail app as a tip of the hat to the invention itself rather than anything I expect people to use) can you shed light on why it (hashcash) never actually took off wrt fighting spam (was it due to the emergence of smart phones that would have forced the difficulty to be too easy or the success of baysian equation algos or perhaps some other reasons)?

[TierNolan]

When you account for pooled mining, ASICS become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

I think distributed verification is key with a "falseblock" message that be broadcast which proves a block is invalid.  The main difficulty is that it you can't prove data is missing from a distributed hash table.

If someone proves a key is valid then they could broadcast a missing value warning.  It isn't clear how to prevent it being spammed though.

[passerby]

Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

In the end, though, all is better than it could be - we could have had just 3 pools, and we have more. We have ASIC first-mover who is very much into decentralizing mining. I'd say all turns out fairly luckily for BTC.


_______
* as a friend once said about such folks, "mah vidja-cart is shitten teh dollerz". No offense intended to for-profit miners

[Gavin Andresen]

Howdy Adam!

I'm going to quote myself, this is from an email I wrote yesterday to somebody else concerned about chip/mining centralization:

I think it will go through waves of centralization/decentralization. I can imagine bitcoin-mining electric hot water heaters installed in homes all across the world, installed by thousands of private companies that split the profits with homeowners. And thousands of die-hard do-it-youself-ers who buy the hardware and cut out the middleman.

In the very long run, mining will be dominated by your cost of electricity and your ability to put the excess heat generated to good use.

I don't think it will matter what algorithm is used or even if the algorithm was changed every six months; if a general-purpose CPU was the only thing you could use for mining, you might see general-purpose CPUs designed to operate at thousands of degrees celsius being designed so that aluminum smelting plants can also mine bitcoins with all that electricity they use turning bauxite into aluminum.

In the short run... I think there is zero chance that "we" will decide to change the hashing algorithm.

[TierNolan]

Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

I don't think they are necessarily insurmountable, but yeah, missing data is hard to handle.

If a transaction 20k blocks before the end of chain goes missing, does that invalidate the chain?

[kjj]

I'm going to take the pro-SHA/pro-ASIC stance.

Having a single simple hashing algorithm is better than having a difficult one, or having a pool of them chosen randomly.  The reason is that it keeps the barrier to entry lowish for new ASIC producers.

You simply cannot make an algorithm that is, in general, resistant to ASICs.  If a general purpose CPU can do it, then a purpose-built CPU can do it faster.  The best you can do is make it expensive for someone to develop an effective ASIC.  Also, time is money, so if you use a random pool of algorithms, then the only people that will have ASICs are those that can afford to develop them quickly.

Building an ASIC for SHA-256 is pretty simple.  At least 3 different groups have already done it, on shoestring budgets and somewhat quickly.  Increase that to maybe dozens if you include the not-suitable-for-bitcoin streaming hasher chips that are commercially available.  If (heh) they abuse their position as first movers, the barrier to their competition is very, very low, on the order of tens of thousands of dollars and several months to get started.

Making ASIC development more difficult will keep out the people that we want to include, and do nothing whatsoever to exclude the people that some would like excluded.

[passerby]

Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

I don't think they are necessarily insurmountable, but yeah, missing data is hard to handle.

Personally, I think adoption / social issues may turn out to be worse than technical ones (though the latter have not been surmounted yet, either).

Your typical pool, and your typical for-profit miners don't give a single rat's ass about decentralization or whatever. They're in it for the money, which isn't necessarily a bad thing, but could easily lead to a kind of "tragedy of the commons" scenario.

If a transaction 20k blocks before the end of chain goes missing, does that invalidate the chain?

I'm not really the To Go Guy in this regards, but it seems to me that for various "distributed work generation" systems to work, pool's clients must be kept aware about all the transactions that need to go into the block OR ELSE.

You simply cannot make an algorithm that is, in general, resistant to ASICs.  If a general purpose CPU can do it, then a purpose-built CPU can do it faster.   

While probably true in general sense and almost certainly true in the "efficiency" ("performance/J") sense, I am not convinced that the difference between ASIC and CPU can not be made to be rather unimpressive by clever algo design. There's clearly not enough work in this are, however.

Also, if you, at the very least, can drive ASIC development and manufacture costs high enough (which isn't impossible), you can render any ASIC operation economically unsound.

P.S.:

If we're talking an economically irrational opponent with virtually unlimited funds, then ASIC resistance, theoretical or otherwise, becomes irrelevant.

Such an opponent would buy up whatever equipment he needs to dominate your chain, be it CPU rigs, ASICs, or goddamn Blue Gene.

[TierNolan]

I'm not really the To Go Guy in this regards, but it seems to me that for various "distributed work generation" systems to work, pool's clients must be kept aware about all the transactions that need to go into the block OR ELSE.

There are 2 separate issues.  Distributed verification of the block chain can be slow.  A 1 hour delay before an error is detected is not that big a deal, only the latest transactions are affected.

However, if miners know that any illegal transaction in the block chain will be reversed within an hour, then they will make sure their blocks are ok.

Producing new blocks in a distributed way is harder.  You have to produce and verify the block within a very short period of time.

[gglon]

In the very long run, mining will be dominated by your cost of electricity and your ability to put the excess heat generated to good use.

In 2011 in Germany less than 25% power¹ from renewable energy sources was actually used due to the volatility of sources (something we are used to:). This number might improve much when the big network of clean energy will be build in EU. But still there will be lot time when unused power will be basically for free. And mining, unlike other activities, can be perfectly adjusted for those periods. Worldwise there will always be places where there is excess of power, so the hashrate will be somewhat stable.

I don't think electricity is the best source of heat. Especially from asics, which must operate at quite low temperatures to be efficient. And with the development of new technologies, the logic elements are smaller and smaller, which will require lower temperatures to operate properly (otherwise quantum tunneling will cause errors). So actually availability of cooling material will be important (imagine a farm on Antarctica).

¹http://www.erneuerbare-energien.de/fileadmin/ee-import/files/pdfs/allgemein/application/pdf/ee_zeitreihe.pdf

[adam3us]

In the very long run, mining will be dominated by your cost of electricity and your ability to put the excess heat generated to good use.

[...]

In the short run... I think there is zero chance that "we" will decide to change the hashing algorithm.

Go the satoshi-quo -- I am not displeased -- you're using my mining function (with pretty much no wikipedia attribution anywhere btw other than Satoshi's paper *), and I am also attached to it, and frankly I did guess that would be the likely, and with some justification, community response.  And indeed as I said in another post I appreciate the Satoshi-quo quite strongly for concept stability that may affect investors confidence.  And I'm game to see how that turns out.  It'll be an interesting ride.

It remains to be seen whether ASICs become available to the user-level participants in enough volume to mean that the network remains > 50% controlled by users.  The economics dynamic is too hard to tell.  I do very much hope it works out that way to strongly enough to keep the network well in excess of 50% p2p controlled.

What the community can do is try to bootstrap garage, kickstart, small co mining manufacturing enterprises to help retain the p2p power balance.  Unfortunately I dont have the direct skills to help with that much because I am not a hardware hacker.

If the corporate controlled entities amassed enough of a majority of network hash power (eg > 90%) for a year or so period they may feel confident enough to fork the protocol.  Dont forget they may be forced to, as advised by conservative corp lawyers, even if it may likely destroy the p2p aspects of the bitcoin network, and indirectly perhaps their own profit.  (Which they may or may not see coming).  If that happens I would be worried for the longevity of bitcoins distinguishing features (other than virtual hashcash gold based paypal like concept with the usual seizure, blocking, payment roll back etc issues).

And I suppose there is an implicit backup plan if bitcoin devolves into non-p2p, corporate controlled, stripped of most useful p2p era functions, but still working in a paypal like way (balance seizures, account blocks, transaction rollbacks included) system, then a replacement more agile mining process or other innovation crypto-currency may rise up from the ashes or be adapted by the p2p community as a continuation of the p2p bitcoin ethos.

if a general-purpose CPU was the only thing you could use for mining, you might see general-purpose CPUs designed to operate at thousands of degrees celsius being designed so that aluminum smelting plants can also mine bitcoins with all that electricity they use turning bauxite into aluminum.

Well actually that would be of general utility as a (faster at all costs) next gen CPU, and so it would more tend to have universal availability - the market for CPUs is much larger than miners - and scientific computing would love to use it.  Its also an inherently useful innovation force (in a bread pudding protocol like way) whereas ASIC hashcash miners are laser focused and of little non-bitcoin use.

There is an estimate that there is (massive) computing physical limit - that does involve very high temperatures.  I forgot the number of groups of 000s on the operations per second the physicist's paper i read had estimated, but it would make a unbelievably ferocious miner indeed if humanity could ever get that close to the physics computing limit.  (That physical limit model assumes no quantum computing).


But I've said my piece, and maybe it'll inspire people to poke at various alternatives (though please no gratuitous no-innovation bitcoin forks!).  Got the bitcoin equivalent of my 1990s "CAs are going to be abused by governments to issue rogue certs" warning in.

And I'm just warming up on the crypto suggestions...

Adam

(*) I added the hashcash ref on bitcoin wiki, or it also didnt reference as I recall, and I had a go at adding something on wikipedia but the editors/moderators didnt seem inclined and I didnt have the energy to argue with them.

[adam3us]

Well, if you don't mind, I will provide a few comments without specific quotes:

When you account for pooled mining, ASICS become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

It thus appears to me that, if empirical evidence is to be trusted, ASIC resistance (or lack thereof) will have little to no effect on "decentralization", primarily due to very strong centralization arising  from "pool" infrastructure.

Well I dont think thats as dangerous a problem as corporate control by a long way.  A pool cant misbehave much.  If it does the users will realize and pull out and it'll go under.

P.S.:
My limited understanding of concepts involved suggests that "poolproof" design is possible, but my limited understanding of miner behavior suggests that it would be woefully unpopular.

Surely thats just a question of mining in much smaller parts, so that rewards are meaured in the Satoshis range instead of 25 whole coins.  I think the harder but probably solveable problem if it was desired would be p2p traffic efficiency.  I do think poolproof would be useful.

P.P.S.:
As far as alt-coins go, I would prefer ppcoin and namecoin over litecoin.

ppcoin seems interesting.  I think I reinvented it or something similar, had another post in draft form, though ppcoin seems complicated at least the way its explained on the wiki  (not sure I fully understood it from quick skim of wiki).  Will post my similar idea next.

Adam

[adam3us]

Very nice to see you here (although perhaps you meant 2008-2009 wrt emails from Satoshi)

I did - quite significant typo/braino there    I also dont know who Satoshi is and the first I heard of bitcoin was a 2008 email from him as I mentioned.  (Or one of the crypto lists I cant remember which came first or which I saw first).

just as an offside (being someone who has implemented hashcash into a webmail app as a tip of the hat to the invention itself rather than anything I expect people to use) can you shed light on why it (hashcash) never actually took off wrt fighting spam (was it due to the emergence of smart phones that would have forced the difficulty to be too easy or the success of baysian equation algos or perhaps some other reasons)?

Not clear.  Maybe failed to achieve enough momentum on the network effect.

Its use is clearly small, but it maybe like SMIME, it may have many more clients deployed who would act on it if anyone would bother sending them some hashcash (mainly server located hashcash capable spamassassin) relative to the small the number of stamps.

There was also a nay-sayer article about the economics of it all claiming it would be insufficient to deter spammers.  "Proof of Work proves not to work" (I put it on http://hashcash.org/papers/ also.)

Also you may or may not know microsoft did their own hashcash fork (chosing it over their own R&D labs memory bound functions (first version of the concept scrypt is based on).  They deployed it I think into exchange, outlook maybe hotmail.  I didnt follow it too closely.  They released on an open spec, and one could even implement the changes into the open source hashcash.  Was on my to do list for a while, still languishing.  But who can work on spams when there are bitcoins for enciphering minds to think about

Kind of lame that I didnt put that microsoft hashcash fork link on the hashcash site that I can see now.

btw it also occurred to me recently that you could recycle low bitcount bitcoin failed hash attempts for hashcash, just stuff the email in a bitcoin ignored field.  Sure the format is binary and different, and big but maybe it could be tweaked somehow to include hash( bitcoin stuff ) to be ignored by hashcash email other than as a randomization or ignored field, in a way that still makes sense to bitcoin.  Combined anti-spam with bitcoin as a freebie   Or something the ASIC miners could do as a sideline is spam like crazy   Ok for the GPU users though.

However I do worry about the privacy implications of that.  If you mined a 25 blocker and have to disclose a recipient thats not ideal.  You could probably fix that eg though a separate field that is encrypted, before hashing, and the encryption key sent with the hashcash for the recipient to verify, but kept private from the bitcoin network.  Maybe they'd even have an indirect satoshi level value for email postage uses.  Though they are not transferable as hashcash is fully decentralized and scalable.  ie the miner has to be the mail sender generally, because the stamp includes the email recipient in the hash.  (Though the encrypt the recipient address before hash trick, would allow moderately privately outsourcing the work.  I say moderately because the miner can still correlate the stamp issued to the email if it got logged.  Dont forget these things were also meant to cope with anonymous remailers.  even for regular email it just not smart to scatter around electronic breadcrumbs in the name of outsourcing a few seconds of CPU without some cryptographic unlinkable blinding, which seems doable but I didnt explore)

Adam