[ANN] Bitcoin PoW Upgrade Initiative

[muyuu]

Any chance of coming up with something that has benefits outside Bitcoin as well?  Similar to GridCoin or CureCoin?

No, because that would be braindead unless someone comes with a breakthrough that makes an arbitrary/useful PoW rock-solid and didn't need a massive amount of extra gossiping in the network.

Sadly this doesn't exist AFAIK and these two are completely broken.

[1714735511]

1714735511

[CascadiaCC]

It's profoundly unreasonable to pass off unbacked assertions as any form of reason


I've provided sound reasoning already, refute it.

I would if I could find it, but from what I see you've taken some facts, made up a story around them, and then because your story fits the facts you say it must be true. But of course your story fits the fact, you used them to make it up.

Yes, it reads as conspiracy theory mixed with confirmation bias.

[CascadiaCC]

Why would it be too late after an attack to HF? A few txs get stolen or blocked?

For a similar reason you're giving not to pre-empt it: building support for the new idea. It's possible that too many people will be psychologically impacted by the success of the attack, and consequently do what you're suggesting is wrong with my approach (despite the fact I've made no emotional arguements at all): allow emotions to dictate their decision instead of reason.

If we engage people to support pre-emptive action, a determined mindset would replace a fatalistic reaction. It's about harnessing a positive psychological feedback loop instead of a negative psychological feedback loop.

By my estimates 95% won't preemptively fork the PoW algo ... do you really think you can convince them all to preemptively HF?

Including Bitmain's current hashrate %? Clearly not. A PoW fork only needs to get the support of the miners who don't want to be ruled by a malign majority, although I'm seeing an obvious problem; how to measure that. Setting a block height activation would invite counter measures. Not sure how it could be achieved.

Sounds like the "Coalition of the Willing" and "Weapons of Mass Destruction" argument which lead to the disaster that was the Iraq pre-emptive strike/invasion and war.

[CascadiaCC]

If you're serious about a Proof-of-Work switch I would humbly point you to what Nexus (http://nexusearth.com/features.html) is doing with ASIC and quantum computer resistant Pure SHA-3 (Using Skein-1024 and Keccak-1600) CPU pool/GPU solo mining.

Here's their thread: https://bitcointalk.org/index.php?topic=657601.0

[CascadiaCC]

If you change PoW to only remove asic mining capability, that won't stop someone throwing up racks and racks of computers in a datacenter in China again.

Racks of computers in datacenters is a given, but why only in China? Thanks to the universal availability of DRAM, those racks can now go up all over the world. That's the key difference.

China has very inexpensive power, so they can run more systems less expensively than elsewhere. However, I get your point, while it's not the silver bullet it would certainly help level the playing field again, at least for a little while.

FYI: Electricity in parts of Washington State, USA is as cheap or even cheaper than China due to the hydroelectic PUDs. That's why McAffee/Bitmain are building their facility there.

[awds1th]

changing pow would be a temporary method of opposing the chinese miners. it should be a tool used alongside a UASF if there is going to be one.

[mmgen-py]

changing pow would be a temporary method of opposing the chinese miners. it should be a tool used alongside a UASF if there is going to be one.

Introducing a very moderate (say 5% of the block reward) PoWA as a soft fork would allow the miners to stay in business while putting them on notice that if they misbehave in the future we can up that percentage with a new soft fork. This would be a permanent rather than temporary measure that would create a new class of DRAM miners.

[muyuu]

If you're serious about a Proof-of-Work switch I would humbly point you to what Nexus (http://nexusearth.com/features.html) is doing with ASIC and quantum computer resistant Pure SHA-3 (Using Skein-1024 and Keccak-1600) CPU pool/GPU solo mining.

Here's their thread: https://bitcointalk.org/index.php?topic=657601.0

Why? We're talking about Bitcoin. Unless you mean to one of their concrete PoWs for some reason. I didn't see much documentation on their PoWs there.

[CascadiaCC]

If you're serious about a Proof-of-Work switch I would humbly point you to what Nexus (http://nexusearth.com/features.html) is doing with ASIC and quantum computer resistant Pure SHA-3 (Using Skein-1024 and Keccak-1600) CPU pool/GPU solo mining.

Here's their thread: https://bitcointalk.org/index.php?topic=657601.0

Why? We're talking about Bitcoin. Unless you mean to one of their concrete PoWs for some reason. I didn't see much documentation on their PoWs there.

Yes. Specifically, we're talking about changing Bitcoin's Proof-of-Work.

OK try this then:
https://en.wikipedia.org/wiki/SHA-3

I referenced Nexus as a real-world example because of their use of a combination of Skein-1024 and Keccak-1600 algorithms which leads to an ASIC and quantum computer Proof-Of-Work which is what this thread was about.

I propose if you're going to change Bitcoin's proof-of-work to something other than the current SHA-2(56) to something else then you might as well go all in on SHA-3 to make it even more secure against near-future quantum computing technology (which governments may already have).

SHA-3 does that.

For reference here are the lifespans of various cryptographic hash functions including our beloved SHA-2(56)
http://valerieaurora.org/hash.html

As you can see SHA-3 (Keccak) is the most secure and it has been brought up earlier in this thread.

[tromp]

I propose if you're going to change Bitcoin's proof-of-work to something other than the current SHA-2(56) to something else then you might as well go all in on SHA-3 to make it even more secure against near-future quantum computing technology (which governments may already have).

SHA-3 does that.

All SHA-3 candidates are rather ASIC-friendly, and Hashcash with such a hash function is highly
vulnerable to quantum speedup with Grover's algorithm.

[zooko]

Whenever any cites that Val Aurora article, please follow-up and link to this newer, better, article:

https://z.cash/technology/history-of-hash-function-attacks.html

blog post about this article when we posted it:

https://z.cash/blog/hash-functions.html

Sincerely,

Zooko

testing image: https://z.cash/images/hash-functions-chronology.png

testing image: https://i.imgur.com/rAxg7qP.png

[muyuu]

If you're serious about a Proof-of-Work switch I would humbly point you to what Nexus (http://nexusearth.com/features.html) is doing with ASIC and quantum computer resistant Pure SHA-3 (Using Skein-1024 and Keccak-1600) CPU pool/GPU solo mining.

Here's their thread: https://bitcointalk.org/index.php?topic=657601.0

Why? We're talking about Bitcoin. Unless you mean to one of their concrete PoWs for some reason. I didn't see much documentation on their PoWs there.

Yes. Specifically, we're talking about changing Bitcoin's Proof-of-Work.

OK try this then:
https://en.wikipedia.org/wiki/SHA-3

I referenced Nexus as a real-world example because of their use of a combination of Skein-1024 and Keccak-1600 algorithms which leads to an ASIC and quantum computer Proof-Of-Work which is what this thread was about.

I propose if you're going to change Bitcoin's proof-of-work to something other than the current SHA-2(56) to something else then you might as well go all in on SHA-3 to make it even more secure against near-future quantum computing technology (which governments may already have).

SHA-3 does that.

For reference here are the lifespans of various cryptographic hash functions including our beloved SHA-2(56)
http://valerieaurora.org/hash.html

As you can see SHA-3 (Keccak) is the most secure and it has been brought up earlier in this thread.

Well, if you have been paying attention, Luke already coded a Keccak PoW change last year. It would literally take just changing the activation block if that was the change.

But thanks for your input.

I'm very familiar with it. I have coded a Keccak lib myself and a BLAKE as well.

We're looking mostly at GPU friendly (possibly memory-hard, depending on the algo) PoW that will provide a good compromise against generic botnets and ASICs to gain time.

[mmgen-py]

We're looking mostly at GPU friendly (possibly memory-hard, depending on the algo) PoW that will provide a good compromise against generic botnets and ASICs to gain time.

Here's my proposal: Implement the new PoW as a PoWA (proof-of-work additions) soft fork. New PoW is memory-hard Cuckoo Cycle (whose creator has joined the discussion here), or possibly Equihash.

Give 5% of the block reward to the new PoW. This is enough to create a new DRAM-based mining community + hardware/software infrastructure without alienating/bankrupting existing SHA2 miners.

If SHA2 miners continue misbehaving (blocking Segwit, threatening to use other implementations), we increase the new PoW's reward with another soft fork. Hopefully this option won't have to be used: the threat will be enough to keep them compliant.

Conservative approach allows us to use relatively untested PoW algorithm safely, as blockchain continues to be 95% secured by old SHA2 hashing power. Getting the larger community behind a conservative solution will also be easier. Pro-Core miners will support it, since it's a far better option for them than the current standoff and possible network fork.

[Carlton Banks]

Give 5% of the block reward to the new PoW. This is enough to create a new DRAM-based mining community + hardware/software infrastructure without alienating/bankrupting existing SHA2 miners.

If SHA2 miners continue misbehaving (blocking Segwit, threatening to use other implementations), we increase the new PoW's reward with another soft fork. Hopefully this option won't have to be used: the threat will be enough to keep them compliant.

I like the sound of that implementation. It squashes a significant argument against a PoW change, avoids a hard fork, and would keep the markets far calmer.

[muyuu]

We're looking mostly at GPU friendly (possibly memory-hard, depending on the algo) PoW that will provide a good compromise against generic botnets and ASICs to gain time.

Here's my proposal: Implement the new PoW as a PoWA (proof-of-work additions) soft fork. New PoW is memory-hard Cuckoo Cycle (whose creator has joined the discussion here), or possibly Equihash.

Give 5% of the block reward to the new PoW. This is enough to create a new DRAM-based mining community + hardware/software infrastructure without alienating/bankrupting existing SHA2 miners.

If SHA2 miners continue misbehaving (blocking Segwit, threatening to use other implementations), we increase the new PoW's reward with another soft fork. Hopefully this option won't have to be used: the threat will be enough to keep them compliant.

Conservative approach allows us to use relatively untested PoW algorithm safely, as blockchain continues to be 95% secured by old SHA2 hashing power. Getting the larger community behind a conservative solution will also be easier. Pro-Core miners will support it, since it's a far better option for them than the current standoff and possible network fork.

I think it's worth considering but I believe this would take a long time to review and test. The possible dynamics are extremely complex and we have to make sure we done introduce new attacks or vulnerabilities.

I believe we virtually have one already (Keccak) in case we needed a very quick and sudden change, and we can try to improve upon as time allows. We don't know how much time do we have but mixed systems will have to be simplified as much as possible or it will take months or years to have reasonable confidence in them.

[Mashuri]

We're looking mostly at GPU friendly (possibly memory-hard, depending on the algo) PoW that will provide a good compromise against generic botnets and ASICs to gain time.

Here's my proposal: Implement the new PoW as a PoWA (proof-of-work additions) soft fork. New PoW is memory-hard Cuckoo Cycle (whose creator has joined the discussion here), or possibly Equihash.

Give 5% of the block reward to the new PoW. This is enough to create a new DRAM-based mining community + hardware/software infrastructure without alienating/bankrupting existing SHA2 miners.

If SHA2 miners continue misbehaving (blocking Segwit, threatening to use other implementations), we increase the new PoW's reward with another soft fork. Hopefully this option won't have to be used: the threat will be enough to keep them compliant.

Conservative approach allows us to use relatively untested PoW algorithm safely, as blockchain continues to be 95% secured by old SHA2 hashing power. Getting the larger community behind a conservative solution will also be easier. Pro-Core miners will support it, since it's a far better option for them than the current standoff and possible network fork.

I think it's worth considering but I believe this would take a long time to review and test. The possible dynamics are extremely complex and we have to make sure we done introduce new attacks or vulnerabilities.

I believe we virtually have one already (Keccak) in case we needed a very quick and sudden change, and we can try to improve upon as time allows. We don't know how much time do we have but mixed systems will have to be simplified as much as possible or it will take months or years to have reasonable confidence in them.

It's worth exploring since it is a more palatable "non-emergency" solution. As for the current fork, be it HF or SF, I like the idea of a memory intensive POW. It would indeed remove China's hardware monopoly -- and subsidized electricity can be found in many countries.

[muyuu]

It's worth exploring since it is a more palatable "non-emergency" solution. As for the current fork, be it HF or SF, I like the idea of a memory intensive POW. It would indeed remove China's hardware monopoly -- and subsidized electricity can be found in many countries.

One that simply transitions progressively from SHA256 to a single cryptohash, I don't think it would be very complicated. I guess it depends on how the transition is coded concretely.

[mmgen-py]

One that simply transitions progressively from SHA256 to a single cryptohash, I don't think it would be very complicated. I guess it depends on how the transition is coded concretely.

To keep things simple, there doesn't have to be any transition at all, just a flat 5% payout to the new miners. That percentage would be increased in a new SF only in the event of miner misbehavior. On the other hand, if we do decide to go with a gradual transition, I don't see any great technical complexity with that either. Only it would have to be very gradual, otherwise we can't expect any support from the existing mining community.

This is how the system might work:

DRAM miner solves the block with no Coinbase TX but with his payout address appended. DRAM miner broadcasts block, solution and payout address to SHA2 miners. SHA2 miner adds DRAM miner's proof to the Coinbase and a 0.625 BTC output to DRAM miner's payout address in the Coinbase TX. SHA2 miner then solves block as usual. Block is now secured by two PoWs.

Some additional protocol (or messages to existing P2P protocol) will be required for DRAM miners to relay their data to the SHA2 miners, but other than this they don't need to coordinate in any way.

The only additional work required for verifying nodes is to check that payout address and amount are correct and verify DRAM miner's proof.

Not quite sure how we'd handle the matter of difficulty retargeting for the new PoW. This seems to be the trickiest problem.

Would be nice to get some feedback on all this from one of the devs.

[Carlton Banks]

What will prevent the SHA256 miners orphaning the new hashing algo blocks? Would it not be better to start at 51% share to the new hash algo to prevent that, or would an exponential rise in blocks built on using the the new hash algo as it approaches 51% of the hashrate be acceptable?

[mmgen-py]

What will prevent the SHA256 miners orphaning the new hashing algo blocks? Would it not be better to start at 51% share to the new hash algo to prevent that, or would an exponential rise in blocks built on using the the new hash algo as it approaches 51% of the hashrate be acceptable?

I doubt that any of the existing miners would agree to a proposal that immediately slashes their block reward in half, while many might agree to a 5% haircut. Especially since the miners that choose to join us will get a nice windfall at first as the difficulty adjusts downwards.

Uncooperative miners will end up on a different chain in any case—there's nothing we can do about that. We just count on the economic majority being upgraded and ignoring their chain. They can continue mining their chain at a loss or rejoin Bitcoin—the choice is theirs.