[ANN] Bitcoin PoW Upgrade Initiative

[BitUsher]

If you're looking for a new Proof-of-Work, I can recommend the Equihash Proof-of-Work that we selected for Zcash.

Thank you for the suggestion.
I like how both Ethereum's Dagger-Hashimoto ethash and Equihash have both been relatively well tested in the wild. The concern I have with it is that there is already a FPGA developed with Equihash, and we dont want future ASICs/FPGA's from alts attacking bitcoin, but than again perhaps there could be a benefit to merge mining with either ETC or Zcash for better security .

Something to consider, definitely.

No need to be fancy, just triple SHA256 would be enough to change the current dynamic and not deviate too much from Satoshi's plan.

Hmm... but either way , this introduces the same costs and risks as Keccak and at least we can delay ASICs a bit more with Keccack

[1713574038]

1713574038

[1713574038]

1713574038

[sturle]

I think a hardfork change is too drastic, and will certainly end in a contentious hard fork.  A POW change light can be implemented as a soft fork by a requirement for an extra proof of work of a different type in the coinbase transaction or in another special transaction.  This will encourage cooperation between miners having lots of specialized SHA256 hardware and users mining the extra proof of work on their CPUs.

Good thoughts but miners will never approve this proposal with BIP 9 and I doubt even 51% so would need to be a UASF , whicj will likely end up as a HF only . This proposal is more of a HF in reaction to a 51% attack from miners which would not be as controversial.

The current miners will still have a huge advantage with the extra-POW soft-fork model, since SHA256 hashing power as well is required to find blocks, so I think a large enough economic majority will make the current miners come along in a UASF.  The miners have no interest in mining worthless coins after all.  They will have to share their power and some of their income with CPU miners, since none of them can operate alone, but will likely still have most of the payout.  It is easier to recruit another CPU miner for peanuts, than getting enough ASIC hashing power to compete at the current difficulty.  The most challenging task here is to find the right balance between first and second POW difficulty, and how to adjust this autonomously in a way compatible with the current difficulty adjustment scheme.

[shier7]

Since most of you obviously haven't read it, let me direct your attention to Section 6 of the Bitcoin white paper:

The incentive may help encourage nodes to stay honest.
If a greedy attacker is able to assemble more CPU power than all the honest nodes,
he would have to choose between using it to defraud people by stealing back his payments,
or using it to generate new coins.

He ought to find it more profitable to play by the rules,
such rules that favour him with more new coins than everyone else combined,
than to undermine the system and the validity of his own wealth.

Satoshi wasn't accounting for extrinsic economic motivations or shortcomings in miners' ability to assess what is in their own best interest.

[BitUsher]

Since most of you obviously haven't read it, let me direct your attention to Section 6 of the Bitcoin white paper:

The incentive may help encourage nodes to stay honest.
If a greedy attacker is able to assemble more CPU power than all the honest nodes,
he would have to choose between using it to defraud people by stealing back his payments,
or using it to generate new coins.

He ought to find it more profitable to play by the rules,
such rules that favour him with more new coins than everyone else combined,
than to undermine the system and the validity of his own wealth.

Satoshi isn't infallible or god ... wise , yes, but made plenty of mistakes along the way ...

here is a list of the flaws from the whitepaper-
https://gist.github.com/harding/dabea3d83c695e6b937bf090eddf2bb3
https://github.com/bitcoin-dot-org/bitcoin.org/issues/1325

[minimalB]

Is this for real or is this a joke?

[BitUsher]

Is this for real or is this a joke?

Dead serious. Should have been done years ago as we knew this moment may come.

"Speak softly, but carry a big stick"

We should welcome the miners back in a coin vote and forgive them for their miscalculation, but Jihan is threatening to attack the minority chain and steal funds from users on cores slack and twitter. He made multiple threats, may be bluffing , but we have to treat this seriously for him or any other attacker in the future. 

[shier7]

Although I never really took the coin seriously due to their spammy and scammy sounding marketing, I think it's interesting how Myriad Coin attempts to introduce a plethora of POW algorithms... Something like this... an integrated feature whereby it is trivial for nodes to introduce new POWs, which all maintain their own difficulty is interesting in this context:

It appears to be the case that any one choice of POW will lead to eventual hardware specialization, and the way to fight this is to add hooks to make investment in any one hardware specialization scheme ineffective. Dynamic POW may achieve this.

I'm no expert on the hardware implementation of ASIC SHA, and have read earlier in this thread that simply switching to 3xSHA2 would be enough to break current hardware optimizations... what if the dynamic POW affected the depth of SHA required to find a hash?

To summarize, a few ways forward include:

1)  Nodes choose POW dynamically... some single algorithm... valid for some number of blocks... before switching to a different one. Nodes communicate, perhaps with POS backing... which POW they currently accept?

2)  Difficulty is assessed in both nonce as well as hash depth... though it would seem to me that it would be possible to develop specialized hardware which can perform sequential SHA calculations... (now that I think about it... why isn't this possible with current SHA2 chips?)

3)  We just do this a few times... pick some new hash function with a HF... re-decentralize mining-- until it becomes clear that in general, it is not profitable to develop specialized mining hardware... so maybe we have to do it less in the future. maybe eventually never.

[BitUsher]

I think it's interesting how Myriad Coin attempts to introduce a plethora of POW algorithms

We want 1 secure algo , not many as that would make bitcoin more insecure

  We just do this a few times... pick some new hash function with a HF... re-decentralize mining-- until it becomes clear that in general, it is not profitable to develop specialized mining hardware... so maybe we have to do it less in the future. maybe eventually never.

Asics will happen regardless, and we do not want to have developers forcing HF changes on the community because this opens up an attack surface. A pow HF must individually be decided upon by economic users, and preferably as a reaction after an attack occurs.

[greenlion]

Interesting altcoin proposal, when can I mine it?

Any idea when Poloniex will list it?

[shier7]

I think it's interesting how Myriad Coin attempts to introduce a plethora of POW algorithms

We want 1 secure algo , not many as that would make bitcoin more insecure

  We just do this a few times... pick some new hash function with a HF... re-decentralize mining-- until it becomes clear that in general, it is not profitable to develop specialized mining hardware... so maybe we have to do it less in the future. maybe eventually never.

Asics will happen regardless, and we do not want to have developers forcing HF changes on the community because this opens up an attack surface. A pow HF must individually be decided upon by economic users, and preferably as a reaction after an attack occurs.

Agreed-- I'm not suggesting developers lobby for the POW changes. Obviously, this has to be a grassroots economic stakeholder driven process. I proposed a few mechanisms whereby the POW is somewhat dynamic to avoid the normalization of HFs in the context of, perhaps unavoidable, hardware optimization. In a perfect world, we wouldn't even have the need for this dialogue today.

Though, today, it is becoming clear that high percentage miners can hold the network ransom and make all kinds of DOS threats, so I'm not sure exactly what constitutes an attack from your perspective.

[Cryptorials]

Have you guys looked at Cuckoo cycle?

It has very strong ASIC-resistance and even a phone can mine without orders of magnitude loss in efficiency:

"The most cost effective Cuckoo Cycle mining hardware should consist of a relatively cheap and tiny many core memory controller that needs to be paired with commodity DRAM chips, where the latter dominate both the hardware and energy cost (about 1 Watt per DRAM chip)"

https://github.com/tromp/cuckoo

[BitUsher]

Interesting altcoin proposal, when can I mine it?

Any idea when Poloniex will list it?

It will not be able to be mined for profit , and not listings on exchanges. If the testnet coins for this testnet start to find value for some odd reason we will reset it just like in bitcoins main testnet.

IF we are forced to carry out this HF , than yes, there will be 3 coins / chains ... with 2 new alts created, this , BTU , and the original chain. All three groups will likely fight over the "bitcoin" brand

Have you guys looked at Cuckoo cycle?

It has very strong ASIC-resistance and even a phone can mine without orders of magnitude loss in efficiency:

"The most cost effective Cuckoo Cycle mining hardware should consist of a relatively cheap and tiny many core memory controller that needs to be paired with commodity DRAM chips, where the latter dominate both the hardware and energy cost (about 1 Watt per DRAM chip)"

https://github.com/tromp/cuckoo

Another good candidate.

[zooko]

The concern I have with it is that there is already a FPGA developed with Equihash, and we dont want future ASICs/FPGA's from alts attacking bitcoin,

I doubt that this is true. Can you point me to where you heard that?

You should probably think carefully and make up your mind whether decentralization or 51%-attack-resistance are more important to you:

https://bitcoinmagazine.com/articles/zcash-creator-on-the-upcoming-zcash-launch-privacy-and-the-unfinished-internet-revolution-1472568389/

(Search in text for "fundamental trade-off".)

[BitUsher]

I doubt that this is true. Can you point me to where you heard that?

Still more of a rumor, but I would not be surprised ... FPGA and ASIC development will be much quicker in the future, if anything the only thing keeping ASICs away from ETHhash is Vitalk's threat to switch to PoS

https://twitter.com/ZcashMiner/status/815512912546541568

You should probably think carefully and make up your mind whether decentralization or 51%-attack-resistance are more important to you:

https://bitcoinmagazine.com/articles/zcash-creator-on-the-upcoming-zcash-launch-privacy-and-the-unfinished-internet-revolution-1472568389/

(Search in text for "fundamental trade-off".)

yes, I agree... something to think about

[zooko]

Have you guys looked at Cuckoo cycle?

FWIW we evaluated Cuckoo as well for Zcash, and it was a strong second-place contender. There wasn't really anything wrong with it — it just didn't seem to have quite as much of a rigorous scientific analysis as Equihash. However, that is a very subjective thing for me to say. You could argue (and Cuckoo's author, John Tromp, does argue persuasively) that Cuckoo's history of analysis and refinement is better than Equihash's.

[Cryptorials]

Have you guys looked at Cuckoo cycle?

FWIW we evaluated Cuckoo as well for Zcash, and it was a strong second-place contender. There wasn't really anything wrong with it — it just didn't seem to have quite as much of a rigorous scientific analysis as Equihash. However, that is a very subjective thing for me to say. You could argue (and Cuckoo's author, John Tromp, does argue persuasively) that Cuckoo's history of analysis and refinement is better than Equihash's.

Interesting to hear that, thanks for sharing.

If anyone's interested Aeternity has a testnet running using Cuckoo Cycle https://github.com/aeternity/testnet

[NewLiberty]

The concern I have with it is that there is already a FPGA developed with Equihash, and we dont want future ASICs/FPGA's from alts attacking bitcoin,

I doubt that this is true. Can you point me to where you heard that?

You should probably think carefully and make up your mind whether decentralization or 51%-attack-resistance are more important to you:

https://bitcoinmagazine.com/articles/zcash-creator-on-the-upcoming-zcash-launch-privacy-and-the-unfinished-internet-revolution-1472568389/

(Search in text for "fundamental trade-off".)

Zooko has a point here.  There are trade-offs, but these are only some of the concerns.
Take Monero for example.  It is CPU/GPU but the CPUs do better for the money invested.
The issue with it is that it is highly mined by botnet.

If Bitcoin goes the CPU route with its economic heft, it will encourage botnet mining to a significantly greater extent.  This could have consequences for public relations, legality, VC investment appetite and other problematic results.

If the goal is to 'forever end the specter of miner influence on development direction', CPU PoW change might not be radical enough of a change, Bitcoin might have to go one of the more tested PoS methods, or find another solution to the Byzantine General problem.

If PoS is chosen, the longest successful, tried and tested PoS chain is probably Bitshares, which was refined again for Steem.

If a CPU PoS is chosen, may the governments of the world have mercy upon Bitcoin.

[maximian]

Thank you for taking the initiative on this.

[jaybny]

Alternative that doesn't screw over the all the miners.

https://bitcointalk.org/index.php?topic=1833046.0

[shier7]

Alternative that doesn't screw over the all the miners.

https://bitcointalk.org/index.php?topic=1833046.0

....yeah... I don't think that works... For reasons others commented in the thread.

Keep working on it though-- the mutually assured destruction angle seems interesting. It may be possible to salvage the concept. I might even give it a few cycles.