DooMAD
Legendary
Offline
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
April 29, 2018, 11:09:53 PM
Plus, I have no idea of such a hypothetical botnet to be sophisticated enough to participate in a PoW protocol effectively.
It's not like the threat is imaginary. Mining botnets do exist, it's just that they aren't particularly profitable for any of the coins with a high enough difficulty. As such, ASICs make it considerably less tempting for anyone to bother trying to create one for Bitcoin. I'd say the fact people aren't aware of the issues with botnets is a pretty good indicator that we're on the right path, being that people are usually only aware of things like that once they actually become an issue for them. When it's not a problem for us, we turn a blind eye, even though it might affect others.
Overtaking a PoW network can't be accomplished by a temporary virus/bot infection, the owners will eventually figure out the attack and do a fresh bootstrap. In other words, a long range attack against the network using botnets isn't feasible.
Overtaking the network doesn't have to be the end goal for it to be an issue. It still places a large number of coins into the hands of people who are more likely to be bad actors than those who mine using legitimately purchased hardware. It's probably better if people writing malware designed to infect users' machines aren't rewarded for their efforts solely because we mistakenly decided to declare war on the miners by bricking their ASICs. When you create a power vacuum, it will often be filled by people who aren't exactly noble in their motives.
aliashraf (OP)
Legendary
Offline
Activity: 1456
Merit: 1176
Always remember the cause!
April 30, 2018, 07:24:57 PM Last edit: April 30, 2018, 07:57:16 PM by aliashraf
Plus, I have no idea of such a hypothetical botnet to be sophisticated enough to participate in a PoW protocol effectively.
It's not like the threat is imaginary. Mining botnets do exist, it's just that they aren't particularly profitable for any of the coins with a high enough difficulty. As such, ASICs make it considerably less tempting for anyone to bother trying to create one for Bitcoin. I'd say the fact people aren't aware of the issues with botnets is a pretty good indicator that we're on the right path, being that people are usually only aware of things like that once they actually become an issue for them. When it's not a problem for us, we turn a blind eye, even though it might affect others.
Botnets are real, of course, and they can mine, yes. But the scenario proposed by @quoheleth, which I was trying to reject, is more complicated than just mining; it is about a short range attack on PoW chains and double spending coins. It needs synchronization between the bots to lie in ambush, as I have mentioned. By the sentence you quoted, I'm implying that it just doesn't look that easy to write malware that participates both maliciously and effectively in the protocol. It is why we have not experienced such an attack. It was my fault not formulating my argument properly, perhaps. Botnets should be categorized as a general computing problem rather than a cryptocurrency one. Typically miners are much more careful about their hash power being stolen when it comes to GPU mining, but even for Cryptonight and CPU mineable algorithms, in which botnets are more effective, it is not about anything other than stealing a very small fraction of block rewards, with no general impact on the blockchain.
Overtaking a PoW network can't be accomplished by a temporary virus/bot infection, the owners will eventually figure out the attack and do a fresh bootstrap. In other words, a long range attack against the network using botnets isn't feasible.
Overtaking the network doesn't have to be the end goal for it to be an issue. It still places a large number of coins into the hands of people who are more likely to be bad actors than those who mine using legitimately purchased hardware. It's probably better if people writing malware designed to infect users' machines aren't rewarded for their efforts solely because we mistakenly decided to declare war on the miners by bricking their ASICs. When you create a power vacuum, it will often be filled by people who aren't exactly noble in their motives.
No, it is not about 'a large number' of coins. It is just about stealing a small fraction of CPU power from people, which is bad generally for cryptocurrency and any other computing technology, but not an ultimate threat. Attackers can target CPU mineable coins for a fraction of their fresh block rewards; they can't put any crucial characteristic of the blockchain in danger. Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!
DooMAD
Legendary
Offline
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
April 30, 2018, 09:53:56 PM Last edit: April 30, 2018, 10:29:52 PM by DooMAD
Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!
It would be a weak argument if I was asking to put everything in the hands of Jihan Wu, but that's not the case. You might want to consider the possibility that changing the algorithm could even be advantageous to Wu, since his company would almost certainly react fastest to any newly announced algorithm. It would effectively kill any opportunity for another manufacturer to catch up. You might end up handing them a monopoly on a plate through your desire to beat them. I'd say at least wait to see how quickly another Monero ASIC is designed before you dismiss this notion. I don't think it'll take that long. Let them be the guinea pig before we start meddling with things that are largely theoretical at this stage. As you stated yourself:
2- The very first company that manages to crack the algorithm and produce a specialized machine will save its position almost forever because of the gains.
So it makes sense that the company that cracks it first will keep cracking it each time you change it. Therefore, it's actually more sensible to allow other manufacturers the opportunity to catch up. Plus, as stated in other threads, botnets aren't the only issue with changing the algorithm:
First you need almost the entire community to agree that a fork needs to happen.
The moment ASIC resistance returns, hundreds or thousands of researchers, scientists and programmers will set to work breaking it. The rewards are too high not to try it. Bitcoin could spend the rest of its days skipping from algorithm to algorithm, which would be an endless cycle of ruin and disruption for little gain.
And even with a new algo the mining might still be centralized, because if it were very profitable, miners would buy GPUs in bulk while hobbyists wouldn't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems.
Simply changing Bitcoin's PoW algo won't keep ASICs at bay forever, but would come with a lot of challenges -- both technologically and community-wise. Not only will evaluating and selecting a new PoW algo be challenging -- even how the selection of a new PoW algo takes place would likely result in a lot of drama and hidden agendas. Some parties may secretly benefit from one algo over another.
Bitcoin currently attracts both the largest accumulated proof of work and the largest economic majority. All the myriad forks we've witnessed so far haven't been able to keep pace with the proof of work Bitcoin has accumulated, but that wouldn't be the case if those who disagreed with the new algorithm continued to support using ASICs. The new algo would almost inevitably be the minority chain in terms of hashpower, so supporters of the new algo would have to fall back on purely the "economic majority" argument and would also have to be pretty damn sure they'd win that argument. Quite the gamble.
It would also unfairly punish a lot of good actors in the space in an attempt to punish Bitmain.
Also note that requiring ASICs to mine BTC makes it less susceptible to hashrate fluctuations caused by rising alt coins. We got a glimpse of the possible impact of such competition during the early days of BCH. Most alts that share BTC's PoW scheme are irrelevant today, but if BTC were CPU / GPU mineable again this could have serious implications regarding the stability and security of the network. Back then BTC was the only game in town, but nowadays sudden alt price surges could result in network slowdown and thus congestion.
And those are just the things that foresight permits us to see. Consider the pain when hindsight bites us in the ass with all the repercussions we didn't anticipate. You keep talking about this like it's a simple change that magically fixes everything with no consequences. It just isn't going to pan out that way. And with this many unknown variables, the first example becomes the most poignant. You need to get almost everyone to agree. How can we do that if we can't even tell what all the problems are going to be?
aliashraf (OP)
Legendary
Offline
Activity: 1456
Merit: 1176
Always remember the cause!
May 01, 2018, 04:23:18 PM
Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!
It would be a weak argument if I was asking to put everything in the hands of Jihan Wu, but that's not the case. You might want to consider the possibility that changing the algorithm could even be advantageous to Wu, since his company would almost certainly react fastest to any newly announced algorithm. It would effectively kill any opportunity for another manufacturer to catch up. You might end up handing them a monopoly on a plate through your desire to beat them. I'd say at least wait to see how quickly another Monero ASIC is designed before you dismiss this notion. I don't think it'll take that long. Let them be the guinea pig before we start meddling with things that are largely theoretical at this stage. As you stated yourself:
2- The very first company that manages to crack the algorithm and produce a specialized machine will save its position almost forever because of the gains.
So it makes sense that the company that cracks it first will keep cracking it each time you change it. Therefore, it's actually more sensible to allow other manufacturers the opportunity to catch up.
I'm completely against the hypothesis that states every PoW algorithm is vulnerable and will be cracked sooner or later by ASICs or other special purpose systems. There is no basis for this assumption other than a false induction or a kind of tautological manipulation of the terms involved. A cautiously designed algorithm, being practically ASIC proof, is definitively possible. Plus, regular algorithm upgrades, as long as they don't alter the basics and enjoy a semi-autonomous consensus mechanism (like some proposed signaling schemas), won't be that costly. From a programmer's perspective, I see no serious challenge here. I don't think it will be the case, but having this as a doomsday strategy will de-incentivize further attempts to break the algorithm. As for your guinea pig, Cryptonight V7, I'm absolutely sure about the outcome: there will be no more crack attempts on the algorithm. The costs involved in the upgrade were negligible and the results were awesome, and Sergio is threatening to repeat the procedure every 6 months. The experiment is over and the results are more than encouraging.
Plus, as stated in other threads, botnets aren't the only issue with changing the algorithm: First you need almost the entire community to agree that a fork needs to happen.
No we don't! I'm so suspicious about this term 'community' when it is used as a concrete concept. In the Ethereum 'community' we have Vitalik Buterin, who shines like a pop star while at the same time he is ruining the entire ecosystem with his immature proposal about 'weak subjectivity' and Casper. Buterin is famous for his disbelief in PoW and enthusiasm about the PoS miracle that is promised to scale up blockchains magically! I don't care about Buterin and his fans; I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans. As for bitcoin, things are so different here; I think once Bitmain starts to play its cards in a dirtier game, we will have fewer problems getting the community united. For now I'm just insisting on theoretical development and discussions about the possible ASIC mitigation improvements to SHA256 and the PoW of bitcoin. Some of your points in this post were important too; I'll discuss them separately. Cheers for now.
f3tus
May 01, 2018, 06:32:20 PM
I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans.
Stick with ETC then.
aliashraf (OP)
Legendary
Offline
Activity: 1456
Merit: 1176
Always remember the cause!
May 01, 2018, 07:08:17 PM Last edit: May 02, 2018, 07:25:37 AM by aliashraf
{....}
I'd disagree, since there are many algorithms which claim ASIC-resistance, but in the end all of these algorithms have their own ASIC. As long as there's a cryptocurrency with a big market cap that uses an ASIC-resistant algorithm, I'm sure people can manufacture an ASIC even though it will be a big challenge, costly and time-consuming.
As I have argued before, induction is not a proof. You say ASIC-resistance is doomed to fail BECAUSE 'there are many algorithms' that claim it and 'at the end' they have failed. It is a false and weak induction, not solid reasoning. Bitcoin and its SHA256 were cracked by Bitmain because Satoshi Nakamoto was not a god who could foresee everything. It was the bitcoin community's mission to react, but it failed to do so. The failure of X11, Scrypt and CryptoNight is just good news for designers to find better and more resistant approaches. The details of the latest Bitmain attack against Ethash (E3) have not been publicly disclosed yet, but I strongly believe it is not an ASIC attack (yet I think it should be neutralized). Ethash is a memory hard algorithm: for every single hash the processor (being ASIC or not) has to access random parts of the RAM bank multiple times. This way the performance will be bound by memory access; it is practically useless to implement this algorithm in an ASIC. Bitmain's E3 has been announced to have almost the same J/H efficiency as a mid-range GPU, which is not what one expects from ASICs; they typically have tens to hundreds of times better efficiency compared to general purpose systems. Instead, I believe, Bitmain has managed an architectural attack, i.e. making special purpose systems instead of ICs.
I'm proposing a theory based on a possible shared memory attack to describe E3 and I have designed a counter attack, but my point is that a practically ASIC-proof algorithm is absolutely feasible to design and implement, and the latest bad news about failing algorithms is just good news for people like me who are committed to the purpose and have the minimum level of expertise needed for the job.
But I think the real problem is FPGA, which still can be used after an algorithm tweak to kill/prevent ASIC with a small tweak.
FPGA is expensive and power hungry. Don't count on it as a serious threat to GPU mining.
Also, a hard fork which changes the algorithm where ASICs already have domination would be difficult. Monero/Cryptonight V7 works well because the ASICs hadn't dominated the hashrate and the community has good faith in the developers. I'm sure the Monero approach won't work well on other cryptocurrencies such as Bitcoin and Ethereum, at least without a community split and chain split.
FACTS:
- Ethereum is not attacked by E3s yet (at least significantly).
- Monero was almost dominated by ASICs. After the tweak, network hashrate dropped to less than a half!
- We have practically no GPU miners in bitcoin. It is all about ASICs here.
So, Monero's experiment can be repeated even more successfully in Ethereum, while for bitcoin it is complicated and needs thorough analysis and planning.
aliashraf (OP)
Legendary
Offline
Activity: 1456
Merit: 1176
Always remember the cause!
May 01, 2018, 07:16:17 PM
I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans.
Stick with ETC then.
Quite an option, given ETC people are ready for the hard fork against E3.
starskylarkm9
Newbie
Offline
Activity: 9
Merit: 1
May 01, 2018, 08:23:43 PM
Bitmain, obviously, has not disclosed anything worth mentioning about E3 other than a picture (of an ugly mini case) plus 800 watts power consumption, 180 Mh/s Ethash power and an $800 price, besides a 3 month pre-order requirement for the buyers. If it were not Bitmain, it would look just like a scam, but it IS Bitmain and something is wrong here.
aliashraf (OP)
Legendary
Offline
Activity: 1456
Merit: 1176
Always remember the cause!
May 02, 2018, 08:30:34 AM Last edit: May 04, 2018, 02:18:40 PM by aliashraf
Bitcoin currently attracts both the largest accumulated proof of work and the largest economic majority. All the myriad forks we've witnessed so far haven't been able to keep pace with the proof of work Bitcoin has accumulated, but that wouldn't be the case if those who disagreed with the new algorithm continued to support using ASICs. The new algo would almost inevitably be the minority chain in terms of hashpower, so supporters of the new algo would have to fall back on purely the "economic majority" argument and would also have to be pretty damn sure they'd win that argument. Quite the gamble.
{I've quoted from this topic }
It would also unfairly punish a lot of good actors in the space in an attempt to punish Bitmain.
{from this topic }
For Bitcoin, I've come to a solution for implementing ASIC resistance with minimum side effects and risks. I'll discuss it in more detail in a dedicated thread, but for now I just use the core idea to show how wide the range of possibilities is: Suppose we got a GPU mineable, practically ASIC-proof algorithm implemented and tested properly and ready to launch; let's call it MemHash.
1- We would choose a blockheight N as the fork point, to be mined a couple of months later. Miners, wallets, ... would have a reasonable time to upgrade.
2- We will use a multi algorithm protocol in which 2 difficulties are independently and more dynamically (revised in shorter periods) adjusted to guarantee a fair distribution of blocks between SHA256 and MemHash.
3- By fairness we refer to a constant, name it RATIO. It is set to 8/1 in favor of SHA256 at the beginning but improves over time (say, every 6 months) to become 1/8 ultimately within the first two years and approaches zero within the next period.
Many things to discuss more, I know, but my point is clear: there exist so many possibilities and any challenge has a proper solution.
starskylarkm9
Newbie
Offline
Activity: 9
Merit: 1
May 02, 2018, 11:48:36 AM
In a sophisticated marketing maneuver, Bitmain is selling its miner for a price far (more than 3 times) below what an ordinary GPU miner can manage to assemble a comparable mining rig for. It pushes ordinary miners out of the market, is a hardware centralization threat and deserves to be classified as an attack. I'll show here that it is a special purpose machine built for taking advantage of a specific vulnerability of a modern PoW algorithm like Ethash. It is nothing less than an attack, and for convenience I'll call it an Application Specific Architectured Computer, ASAC.
HeRetiK
Legendary
Offline
Activity: 3150
Merit: 2184
Playgram - The Telegram Casino
May 02, 2018, 12:39:45 PM
For Bitcoin, I've come to a solution for implementing ASIC resistance with minimum side effects and risks. I'll discuss it in more details in a dedicated thread but for now I just use the core idea to show how wide is the range of possibilities:
[...]
Like many others in this thread I also highly doubt that a hashing algorithm can be found that will remain ASIC proof for the foreseeable future (say, 10 years from deployment), especially given the size of the market and the profits to be made. I also see a lot of practical problems with your approach -- organizing non-partisan and sound reviews of MemHash, getting the community on board, difficulty / hashrate fluctuations during the transition period, for example. That being said, I'm looking forward to reading a fleshed out version of your proposal.
aliashraf (OP)
Legendary
Offline
Activity: 1456
Merit: 1176
Always remember the cause!
May 02, 2018, 09:04:39 PM
{...} For Bitcoin, I've come to a solution for implementing ASIC resistance with minimum side effects and risks. I'll discuss it in more details in a dedicated thread but for now I just use the core idea to show how wide is the range of possibilities:
Suppose we got a gpu mineable practically ASIC-proof algorithm implemented and tested properly and ready to launch, let's call it MemHash.
1- We would choose a blockheight N as the fork point, to be mined a couple of months later. Miners, wallets, ... would have a reasonable time to upgrade.
2- We will use a multi algorithm protocol in which 2 difficulties are independently and more dynamically (revised in shorter periods) adjusted to guarantee a fair distribution of blocks between SHA256 and MemHash.
3- By fairness we refer to a constant, name it RATIO. It is set to 8/1 in favor of SHA256 at the beginning but improves over time (say, every 6 months) to become 1/8 ultimately within the first two years and approaches zero within the next period.
Many things to discuss more, I know, but my point is clear: there exist so many possibilities and any challenge has a proper solution.
That's an interesting solution. But there are a few technical difficulties, such as:
1. Make sure the algorithm is reviewed/audited by professionals and is at least extremely difficult to make an ASIC for.
2. Manage MemHash hashrate and its block reward during the transition.
3. Ensure the Bitcoin production rate isn't affected.
Also, getting majority community approval is extremely difficult even if you/the developers manage to fix all technical difficulties.
Thanks for the advice. As for the third point, the bitcoin production rate, it is already taken care of by the proposed protocol. With two (or more?) difficulties, being independently calculated based on a 0 <= m/n < 1 ratio, legacy bitcoin SHA2 miners (ASICs) can produce an average of m/n blocks every 10 minutes and the remaining (n-m)/n blocks will be produced by MemHash miners, which yields exactly 1 block every 10 minutes on average.
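The two-difficulty protocol sketched in the quoted plan (steps 1-3) and in the reply about the m/n ratio above, as an added simulation that is not code from this thread or from any Bitcoin or Monero implementation: each algorithm keeps its own difficulty and retargets it from its own blocks only, so a drop in SHA256 hashrate only slows SHA256 until its next retarget while the combined rate stays near one block per 10 minutes. The 32-block retarget window, the 4x clamp, the hashrate figures and the exponential solve-time model are my assumptions.

```python
import random

TARGET_SPACING = 600.0   # seconds: one block per 10 minutes across both algorithms combined
RETARGET_WINDOW = 32     # blocks of ONE algorithm between revisions of ITS difficulty (assumed value)
MAX_ADJUST = 4.0         # per-retarget clamp on the difficulty change, as Bitcoin applies (assumed here)


def per_algo_spacing(m, n):
    """Target inter-block time for each algorithm when SHA256 should mine m/n of all blocks.

    SHA256 alone must then produce a block every 600 * n/m seconds and MemHash one
    every 600 * n/(n-m) seconds; together that is one block per 600 seconds.
    m == 0 is the end state (SHA256 retired), so its spacing is infinite.
    """
    if not (0 <= m < n):
        raise ValueError("ratio must satisfy 0 <= m/n < 1")
    sha_spacing = float("inf") if m == 0 else TARGET_SPACING * n / m
    mem_spacing = TARGET_SPACING * n / (n - m)
    return sha_spacing, mem_spacing


class AlgoChain:
    """Difficulty state of one algorithm; it retargets from its own blocks only."""

    def __init__(self, name, target_spacing, hashrate, rng):
        self.name = name
        self.target = target_spacing
        self.hashrate = hashrate                     # abstract hashes per second
        self.rng = rng
        self.difficulty = hashrate * target_spacing  # start at equilibrium
        self.now = 0.0
        self.window_start = 0.0
        self.window_blocks = 0

    def next_block(self):
        # Expected solve time is difficulty / hashrate; exponential noise is the
        # usual Poisson model of block arrival.
        mean = self.difficulty / self.hashrate
        self.now += self.rng.expovariate(1.0 / mean)
        self.window_blocks += 1
        if self.window_blocks == RETARGET_WINDOW:
            actual = (self.now - self.window_start) / RETARGET_WINDOW
            factor = min(MAX_ADJUST, max(1.0 / MAX_ADJUST, self.target / actual))
            self.difficulty *= factor
            self.window_start = self.now
            self.window_blocks = 0
        return self.now


def simulate(m, n, sha_hashrate, mem_hashrate, blocks=4000, sha_shock=None, seed=1):
    """Mine both algorithms side by side for roughly `blocks` * 10 minutes.

    sha_shock = (time_seconds, multiplier) scales the SHA256 hashrate once, to show
    that only the SHA256 difficulty reacts. Statistics are taken over the second
    half of the run, after the retargets have settled.
    """
    horizon = blocks * TARGET_SPACING
    rng = random.Random(seed)
    sha_spacing, mem_spacing = per_algo_spacing(m, n)
    chains = [AlgoChain("MemHash", mem_spacing, mem_hashrate, rng)]
    if sha_spacing != float("inf"):
        chains.append(AlgoChain("SHA256", sha_spacing, sha_hashrate, rng))

    merged = []
    for chain in chains:
        shocked = False
        while chain.now < horizon:
            if (chain.name == "SHA256" and sha_shock is not None
                    and not shocked and chain.now >= sha_shock[0]):
                chain.hashrate *= sha_shock[1]
                shocked = True
            merged.append((chain.next_block(), chain.name))
    merged.sort()

    second_half = [name for t, name in merged if horizon / 2 <= t < horizon]
    sha_blocks = sum(1 for name in second_half if name == "SHA256")
    return {
        "blocks_per_600s": len(second_half) / (horizon / 2 / TARGET_SPACING),
        "sha_share": sha_blocks / len(second_half) if second_half else 0.0,
        "final_difficulty": {c.name: c.difficulty for c in chains},
    }


if __name__ == "__main__":
    # 8:1 in favour of SHA256 (m/n = 8/9); the SHA256 hashrate halves a few days in.
    stats = simulate(8, 9, sha_hashrate=2.0e18, mem_hashrate=5.0e9,
                     sha_shock=(300_000.0, 0.5))
    print(stats)
```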
ir.hn
Member
Offline
Activity: 322
Merit: 54
Consensus is Constitution
May 06, 2018, 06:46:00 AM
Thanks for the thoughtful article. I'm working in a similar area and thought I'd add my own perspective on how to deal with the centralization-as-an-attack cryptocurrency problem.
We seem to agree on the idea that the best defense against ASIC's (and other approaches that fill the same functional and economic niche) is an economic defense. For example, my approach to POW is to leverage PC's in a way that is uneconomic to duplicate in a fixed-purpose device. Since many people already own PC's their machines don't have to be counted as part of the cost of decentralized POW.
On the other hand, someone building a dedicated mining farm would have to outlay *extra* money to compete with something that the decentralized community already has in abundance.
This approach failed for bitcoin because the POW algo was too trivial; it required only a few instructions of the CPU and a tiny amount of memory. A $1000 PC was making use of only a tiny fraction of its cost for mining. This left a huge window for exploitation by ASIC's (and GPU's).
A better approach would have been to use more instructions and more complex instructions as well as far more memory in the POW algo, obviously. Further, as you point out above, the memory should be dynamically used rather than static to reduce the possibility of shortcuts. Ideally, the algo would make use of as many capabilities of the (common) PC as possible. Successfully implemented, this approach would not make ASIC and GPU mining 'impossible', merely impractical.
But, as you say, ASIC resistance, as defined economically, *is* ASIC proof.
My algo is pretty basic in that it mostly makes use of lots of memory and memory bandwidth for each thread, but that alone addresses a significant subset of the 'ideal' requirements of my approach. A GPU would be able to run a few threads, for example, but its performance should pale in comparison to a CPU. It might be worth the electricity at the low usage level -- but the ROI would not be worth the capital outlay of building a GPU rig.
An ASIC (or ASAC) could still be made to be more efficient than a PC, but should not be drastically so. As long as the pay-off period for a piece of special-purpose equipment is measured in multiple years, the risk would be too great for a prudent investment -- especially in the fast-moving space of cryptocurrencies. And, more importantly, it would not provide the economic foundation for a few companies to quickly rise to dominate the space.
Love your name SpinningTruth, but what is this algo you speak of that uses every part of the CPU? Surely you mean my proposed algo, which is finding a specific length factor of a large number (over 100-120 digits)?
ir.hn
Member
Offline
Activity: 322
Merit: 54
Consensus is Constitution
May 06, 2018, 07:09:54 AM
Using this as an excuse for saying welcome to an obvious attack like cracking the algorithm by ASIC (it is a crack, both historically and analytically) is the weakest argument ever. It looks to me just insane, putting everything in the hands of Jihan Wu and praying for him to keep us safe against botnets!
It would be a weak argument if I was asking to put everything in the hands of Jihan Wu, but that's not the case. You might want to consider the possibility that changing the algorithm could even be advantageous to Wu, since his company would almost certainly react fastest to any newly announced algorithm. It would effectively kill any opportunity for another manufacturer to catch up. You might end up handing them a monopoly on a plate through your desire to beat them. I'd say at least wait to see how quickly another Monero ASIC is designed before you dismiss this notion. I don't think it'll take that long. Let them be the guinea pig before we start meddling with things that are largely theoretical at this stage. As you stated yourself:
2- The very first company that manages to crack the algorithm and produce a specialized machine will save its position almost forever because of the gains.
So it makes sense that the company that cracks it first will keep cracking it each time you change it. Therefore, it's actually more sensible to allow other manufacturers the opportunity to catch up.
I'm completely against the hypothesis that states every PoW algorithm is vulnerable and will be cracked sooner or later by ASICs or other special purpose systems. There is no basis for this assumption other than a false induction or a kind of tautological manipulation of the terms involved. A cautiously designed algorithm, being practically ASIC proof, is definitively possible. Plus, regular algorithm upgrades, as long as they don't alter the basics and enjoy a semi-autonomous consensus mechanism (like some proposed signaling schemas), won't be that costly. From a programmer's perspective, I see no serious challenge here. I don't think it will be the case, but having this as a doomsday strategy will de-incentivize further attempts to break the algorithm. As for your guinea pig, Cryptonight V7, I'm absolutely sure about the outcome: there will be no more crack attempts on the algorithm. The costs involved in the upgrade were negligible and the results were awesome, and Sergio is threatening to repeat the procedure every 6 months. The experiment is over and the results are more than encouraging.
Plus, as stated in other threads, botnets aren't the only issue with changing the algorithm: First you need almost the entire community to agree that a fork needs to happen.
No we don't! I'm so suspicious about this term 'community' when it is used as a concrete concept. In the Ethereum 'community' we have Vitalik Buterin, who shines like a pop star while at the same time he is ruining the entire ecosystem with his immature proposal about 'weak subjectivity' and Casper. Buterin is famous for his disbelief in PoW and enthusiasm about the PoS miracle that is promised to scale up blockchains magically! I don't care about Buterin and his fans; I will unite decent gpu miners and fork not only against Bitmain but also from Buterin and his fans. As for bitcoin, things are so different here; I think once Bitmain starts to play its cards in a dirtier game, we will have fewer problems getting the community united. For now I'm just insisting on theoretical development and discussions about the possible ASIC mitigation improvements to SHA256 and the PoW of bitcoin. Some of your points in this post were important too; I'll discuss them separately. Cheers for now.
I fully agree a long term ASIC resistant coin is possible, but don't you see that trusting a central group to keep the algorithm "updated" is causing centralization of the network? Luckily the PoW I invented, which requires finding a certain length factor for a very large number, is an algorithm that can't be changed in any significant way after it is implemented but should stay ASIC resistant forever, because if something can carry out a general number field sieve then it is good enough to function as a personal computer.
Sam San
May 06, 2018, 02:09:41 PM
It was bitcoin community's fault from the first place not to recognize ASIC as a crack and not to take a proper action against it by upgrading to an ASIC resistant PoW, imo.
"ASIC resistant algorithm" is somewhat of a misnomer, since it's only "resistant" up to the point where someone designs a new ASIC for it. Most altcoins who claim to be ASIC resistant can get away with making that claim simply because their coin isn't valuable enough for anyone to bother designing a custom chip for it. Resistance through obscurity, in effect. The problem Bitcoin has is that it obviously is quite valuable, so the moment you change the algo, all the big manufacturers will start work on a new ASIC designed to work with that algo. There's simply too great an incentive for it. It doesn't matter what algorithm you pick, it's always going to be inherently less resistant to ASICs by mere virtue of the fact that it's Bitcoin and ASICs are what all the miners will naturally want to have, so there will always be an overwhelming demand for someone to manufacture one. Sooner or later, it's inevitable we'll have ASICs once again. It's only ever going to be a temporary reprieve and will likely involve a hardfork every time it needs changing again. You might have noticed, but hardforks tend to be somewhat controversial round these parts. While I don't really keep up with Monero, I read that it somehow managed to split into 4 distinct chains because no one could agree on how their attempt at blocking ASICs should work. We don't really want a repeat of that omnishambles in Bitcoin. My take is that we just need a wider variety of manufacturers involved. Other hardware companies need to step up their game and challenge Bitmain's current stranglehold. Bricking hardware would likely escalate tensions and could even provoke some pools or perhaps Bitmain themselves into some form of retaliation. That might sound silly, but it's worth pointing out there's a tremendous amount of money involved and when people with lots of money see a threat to their financial future, offence is often seen as the best form of defence.
It may even have other potential consequences like needing to include emergency difficulty adjustments due to a sudden plummet in hashrate, which could potentially unbalance the release schedule of newly minted coins into circulation. One of Bitcoin's primary strengths is its predictable supply, so not something we should jeopardise lightly. Caution is strongly advised.

Work is underway to produce new ASICs, but not all companies advertise their work. Perhaps soon we will see a surge of new ASIC developments from different countries.
cellard
Legendary
Offline
Activity: 1372
Merit: 1252
May 06, 2018, 06:41:43 PM
If Bitmain attempted something stupid, this would translate into losses as the price of Bitcoin would go down, so I'm not really worried about that.
There's also PoH, Proof of Hitman, which could be put in practice. There are $billionaires in Bitcoin, and I'm sure they will not sit back and relax as Jihan Wu screws around ruining Bitcoin for some reason. Not a good idea to piss off people with enough unconfiscable funds to get to you and end your stupidity. If I was Jihan, I certainly wouldn't risk it. What's the point of all that money and power when you are buried?
So we will all just cooperate, for the sake of Bitcoin, in other words, for the sake of all of us. There are no winners in a war within Bitcoin... only uncertainty and therefore a crashing price.
The multi-algo thing looks good, but still, there's no realistic way to get it into the system without ending up with an altcoin (Bitcoin and Bitcoin-multiAlgo). We have to avoid such a mess. Also a lot of research would need to be done to test it and guarantee we don't end up in the same scenario, even with multiple algos.
SpinningTruth
Jr. Member
Offline
Activity: 44
Merit: 1
May 14, 2018, 01:53:22 PM Last edit: May 14, 2018, 02:09:45 PM by SpinningTruth
@ir.hn: My algo is derived from a block cipher I built some years ago. The most significant feature of that cipher is an arbitrary block size, typically a few megabytes. It only provides one of the requirements that I think the 'ideal' ASIC-resistant algo should have, a very high memory-to-thread ratio. The ideal algo would also take advantage of other, expensive to duplicate, features of the common PC. My project will be a proof-of-concept level effort only in that it will focus on only two of the performance characteristics that are hard to duplicate without spending nearly as much money as the core of a modern PC. Specifically, I will limit my project to 1) large memory-per-core, and 2) efficiently utilizing the large caches in a PC. As such, it will not attempt to be the ultimate 'ASIC-proof' finished product. Therefore, it would still leave a significant cost gap that a purpose-built device could take advantage of -- but would eliminate the huge margins that current ASICs enjoy over PCs and GPUs. By greatly reducing that gap, PCs would be competitive. In fact, since PCs are already deployed with their costs justified in totally different ways, they are essentially free for the purposes of this algo. Current ASICs are economically viable only because PCs are so astoundingly inefficient at mining most algos. An algo designed to require, for example, huge memory-per-thread, a non-trivial portion of the more complex parts of the instruction set, and large and very fast caches, would make an ASIC much more expensive to produce -- and it would *not* have an outsized performance margin above the PC. Yet, they would still have to be designed and built from scratch to compete in only the one area.

Thanks for the thoughtful article. I'm working in a similar area and thought I'd add my own perspective on how to deal with the centralization-as-an-attack cryptocurrency problem.
We seem to agree on the idea that the best defense against ASICs (and other approaches that fill the same functional and economic niche) is an economic defense. For example, my approach to POW is to leverage PCs in a way that is uneconomic to duplicate in a fixed-purpose device. Since many people already own PCs, their machines don't have to be counted as part of the cost of decentralized POW.
On the other hand, someone building a dedicated mining farm would have to outlay *extra* money to compete with something that the decentralized community already has in abundance.
This approach failed for bitcoin because the POW algo was too trivial; it required only a few instructions of the CPU and a tiny amount of memory. A $1000 PC was making use of only a tiny fraction of its cost for mining. This left a huge window for exploitation by ASICs (and GPUs).
A better approach would have been to use more instructions and more complex instructions as well as far more memory in the POW algo, obviously. Further, as you point out above, the memory should be dynamically used rather than static to reduce the possibility of shortcuts. Ideally, the algo would make use of as many capabilities of the (common) PC as possible. Successfully implemented, this approach would not make ASIC and GPU mining 'impossible', merely impractical.
But, as you say, ASIC resistance, as defined economically, *is* ASIC-proof.
My algo is pretty basic in that it mostly makes use of lots of memory and memory bandwidth for each thread, but that alone addresses a significant subset of the 'ideal' requirements of my approach. A GPU would be able to run a few threads, for example, but its performance should pale in comparison to a CPU's. It might be worth the electricity at the low usage level -- but the ROI would not be worth the capital outlay of building a GPU rig.
An ASIC (or ASAC) could still be made to be more efficient than a PC, but should not be drastically so. As long as the pay-off period for a piece of special-purpose equipment is measured in multiple years, the risk would be too great for a prudent investment -- especially in the fast-moving space of cryptocurrencies. And, more importantly, it would not provide the economic foundation for a few companies to quickly rise to dominate the space.
Love your name SpinningTruth, but what is this algo you speak of that uses every part of the CPU? Surely you mean my proposed algo, which is finding a specific length factor of a large number (over 100-120 digits)?
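An added example, not SpinningTruth's code and not the cipher-derived algo he describes, of what a "large memory-per-thread, data-dependent access" PoW kernel looks like in C: fill a per-thread buffer from the block header and nonce, then walk it with addresses taken from the running state, overwriting as you go, so a device that does not hold the whole buffer has to recompute the fill chain for each lookup. The 4 MiB buffer, the 2^18 round count, the splitmix64-style mixer and the `mine` search loop are all assumptions chosen for illustration; the mixer is not a cryptographic hash, and the target is a plain 64-bit compare rather than a real difficulty encoding.

```c
/* Added example (not from the thread): toy memory-hard PoW kernel.
 * Assumptions: 4 MiB per thread, 2^18 data-dependent rounds, a splitmix64
 * finaliser standing in for a real hash. Build: cc -O2 memhard.c */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define MEM_WORDS (1u << 19)   /* 2^19 x 8 bytes = 4 MiB per thread (assumed) */
#define ROUNDS    (1u << 18)   /* random-access passes over that buffer (assumed) */

/* splitmix64 finaliser: fast and well mixed, NOT a cryptographic hash. */
static uint64_t mix64(uint64_t x) {
    x += 0x9E3779B97F4A7C15ull;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ull;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBull;
    return x ^ (x >> 31);
}

/* memhard_hash: absorb header+nonce, fill the buffer sequentially (each word
 * depends on the previous one), then walk it with state-dependent addresses
 * and overwrite what was read. The whole buffer must be resident to keep up. */
uint64_t memhard_hash(const uint8_t *header, size_t len, uint64_t nonce,
                      uint64_t *buf) {
    uint64_t s = mix64(nonce);
    for (size_t i = 0; i < len; i++) s = mix64(s ^ header[i]);

    for (uint32_t i = 0; i < MEM_WORDS; i++) { s = mix64(s); buf[i] = s; }

    uint64_t acc = s;
    for (uint32_t r = 0; r < ROUNDS; r++) {
        uint32_t idx = (uint32_t)(acc & (MEM_WORDS - 1)); /* address depends on state */
        acc = mix64(acc ^ buf[idx] ^ r);
        buf[idx] = acc;                                    /* mutate: no static shortcut */
    }
    return acc;
}

/* memhard_hash_alloc: wrapper that owns its buffer; returns 0 if malloc fails. */
uint64_t memhard_hash_alloc(const uint8_t *header, size_t len, uint64_t nonce) {
    uint64_t *buf = malloc(MEM_WORDS * sizeof *buf);
    if (!buf) return 0;
    uint64_t h = memhard_hash(header, len, nonce, buf);
    free(buf);
    return h;
}

/* mine: try nonces 0..max_tries-1 until the hash is below target (a plain
 * 64-bit compare standing in for a real difficulty encoding). Returns the
 * nonce, or UINT64_MAX if none was found in the budget. */
uint64_t mine(const uint8_t *header, size_t len, uint64_t target, uint64_t max_tries) {
    uint64_t *buf = malloc(MEM_WORDS * sizeof *buf);
    if (!buf) return UINT64_MAX;
    uint64_t found = UINT64_MAX;
    for (uint64_t n = 0; n < max_tries; n++) {
        if (memhard_hash(header, len, n, buf) < target) { found = n; break; }
    }
    free(buf);
    return found;
}

int main(void) {
    static const uint8_t header[] = "constructed block header";  /* sample input, constructed */
    uint64_t target = 1ull << 60;                                 /* roughly 1 in 16 hashes pass */
    uint64_t n = mine(header, sizeof header - 1, target, 1u << 16);
    printf("nonce %llu hash %016llx\n", (unsigned long long)n,
           (unsigned long long)memhard_hash_alloc(header, sizeof header - 1, n));
    return 0;
}
```

Each hash touches the full 4 MiB with unpredictable addresses, so per-thread cost is dominated by memory, not by the mixer; that is the cost gap the post above is trying to close, and it is also why a GPU with many cores but little memory per core gains less here than on a pure compute loop.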
2112
Legendary
Offline
Activity: 2128
Merit: 1073
May 14, 2018, 03:29:38 PM
a non-trivial portion of the more complex parts of the instruction set
Yeah, that is the key. At the moment I don't have time to write a longer discussion, so for now I'll repost what I wrote in another thread. We'll see which of those new threads will get the most intelligent discussion.

As a miner, this frightens me because when this era of "flexible ASICs" arrives, GPU miners will definitely be obsolete. Add this to the threat of Ethereum going PoS, and it seems like the odds are stacked against us regular home-based miners. This might be a signal that now is a good time to liquidate mining rig assets and just directly invest in coins.
The thing is that it is relatively easy to write hash functions that are very ASIC-proof or FPGA-proof. Bytom folks are a good example. Their goal was not to be general-ASIC-proof but to make sure that the ASIC that is fast at implementing their hash is their ASIC. So they wrote a hash function that uses lots of floating point calculations exactly in the way that their AI-oriented ASIC does. The hard part of understanding Bytom's "Tensority" algorithm is finding exact information about the actual ASIC chips that are efficient at doing those calculations.

But the general idea is very simple: if you don't want your XYZ devices to become obsolete, play to their strengths in designing the hash function.

For XYZ==GPU start with GPUs' strengths. I haven't studied the recent GPU universal shader architecture, but the main idea was to optimize particular floating point computations used in 3D graphics using homogeneous coordinates, like AX=Y, where A is a 4*4 matrix and X is a 4*1 vector <x,y,z,w> where w==1. So include lots of those in your hash function. In particular GPUs are especially fast when using FP16, a half-precision floating point.

For XYZ==CPU made by Intel/AMD using the x86 architecture, again start with their strengths. They have a unique FPU unit with a unique 10-byte floating point format and a unique 8-byte BCD decimal integer format. Additionally they have dedicated hardware to compute various transcendental functions. So use a lot of those doing chaotic irreducible calculations like https://en.wikipedia.org/wiki/Logistic_map or https://en.wikipedia.org/wiki/Lorenz_system .

Of course one could write an emulation of those formats using quad-precision floating point (pairs of double-precision floats), but it will take many months. During those months you have additional time to research more strengths of your GPUs or CPUs. Use them in a hard-fork to assure that the preferred vendor of your mining hardware continues to be Intel/AMD/Nvidia.
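As an added example (not 2112's code, and not Bytom's Tensority), here is what "chaotic irreducible calculation in the CPU's widest native float format" can look like in C: the logistic map x -> 4x(1-x) iterated in `long double`, with the integer state folded back in each round so the orbit cannot park on a fixed point. The round count, the integer mixer and the way mantissa bits are extracted are assumptions. The `long_double_bits` helper is there for the caveat a practitioner needs before putting anything like this in a consensus rule: `long double` is the 80-bit x87 format on x86 Linux, a plain double under MSVC, and IEEE quad on some other targets, so two differently built nodes will not agree on the output.

```c
/* Added example (not from the thread): FPU-heavy mixing step built on the
 * logistic map in long double. Assumptions: 4096 rounds, xorshift-multiply
 * integer mixer, 53 mantissa bits folded in per round. Build: cc -O2 chaos.c */
#include <stdint.h>
#include <stddef.h>
#include <float.h>
#include <stdio.h>

#define CHAOS_ROUNDS 4096

/* imix: cheap integer mixer used to absorb input and fold FPU output. */
static uint64_t imix(uint64_t x) {
    x ^= x >> 32; x *= 0xD6E8FEB86659FD93ull; x ^= x >> 32;
    return x;
}

/* chaos_hash: seed x0 in (0,1) from the message, iterate the logistic map
 * with r=4 (the fully chaotic regime), and fold the top 53 mantissa bits into
 * an integer accumulator each round. The accumulator is fed back into x so
 * the orbit cannot settle on 0 or 3/4 and stay there. */
uint64_t chaos_hash(const uint8_t *msg, size_t len) {
    uint64_t acc = 0x243F6A8885A308D3ull;
    for (size_t i = 0; i < len; i++) acc = imix(acc ^ msg[i]);

    /* ((acc >> 12) | 1) < 2^52, so x0 lies strictly inside (0, 0.5) */
    long double x = (long double)((acc >> 12) | 1ull) / (long double)(1ull << 53);

    for (int r = 0; r < CHAOS_ROUNDS; r++) {
        x = 4.0L * x * (1.0L - x);                            /* stays within [0,1] */
        uint64_t bits = (uint64_t)(x * 9007199254740992.0L);  /* x * 2^53 */
        acc = imix(acc ^ bits ^ (uint64_t)r);
        x = 0.5L * x + 0.5L * (long double)(acc & 0xFFFF) / 65536.0L; /* back into [0,1) */
    }
    return acc;
}

/* long_double_bits: mantissa width the platform's long double really has.
 * 64 on x86 with x87 extended precision, 53 where long double is a double,
 * 113 where it is IEEE quad. Nodes that disagree here disagree on chaos_hash. */
int long_double_bits(void) { return LDBL_MANT_DIG; }

int main(void) {
    static const uint8_t msg[] = "constructed sample input";  /* constructed */
    printf("long double mantissa bits: %d\n", long_double_bits());
    printf("chaos_hash: %016llx\n", (unsigned long long)chaos_hash(msg, sizeof msg - 1));
    return 0;
}
```

The design point is that every round is a dependent chain of floating point multiplies, which is what the FPU is built for and what a fixed-function integer datapath would have to emulate; the portability point is that the same property makes the result hardware-dependent, which a consensus rule cannot tolerate unless every participant is pinned to one format.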
Carlton Banks
Legendary
Offline
Activity: 3430
Merit: 3080
May 14, 2018, 09:30:38 PM
a non-trivial portion of the more complex parts of the instruction set
Yeah, that is the key. At the moment I don't have time to write a longer discussion, so for now I'll repost what I wrote in another thread. We'll see which of those new threads will get the most intelligent discussion.

As a miner, this frightens me because when this era of "flexible ASICs" arrives, GPU miners will definitely be obsolete. Add this to the threat of Ethereum going PoS, and it seems like the odds are stacked against us regular home-based miners. This might be a signal that now is a good time to liquidate mining rig assets and just directly invest in coins.
But the general idea is very simple: if you don't want your XYZ devices to become obsolete, play to their strengths in designing the hash function.

Would it be worth pursuing the obverse strategy also, i.e. trying to target the weaknesses of ASICs when designing the hash algorithm? An idea I've been fond of in the past is using a series of hash algos drawn randomly from a set, with the series also changing size randomly within a range, and a random interval between changes in the composition and size of the series (credit to Meni Rosenfeld for that idea). But could there be other techniques to use the same strategy? Could a hash be written such that the potential for physical flaws in an attempted ASIC chip die would undermine the manufacturing yield, e.g. force chip designers to make individual chips that would need to be >30 cm²?
Vires in numeris
2112
Legendary
Offline
Activity: 2128
Merit: 1073
May 14, 2018, 10:41:49 PM Last edit: May 14, 2018, 11:53:21 PM by 2112
Would it be worth pursuing the obverse strategy also, i.e. trying to target the weaknesses of ASICs when designing the hash algorithm?
That approach in reality becomes: play to the weaknesses of the education of the cryptocoin developers. The sad reality is that nowadays most computer science graduates have no idea about logic design and architecture beyond the ubiquitous https://en.wikipedia.org/wiki/Von_Neumann_architecture from 1945. Moreover, after learning what the typical fixed-program ASIC does they are still mentally stuck in the next decade: https://en.wikipedia.org/wiki/Mealy_machine (1955), https://en.wikipedia.org/wiki/Moore_machine (1956).

You really should read the other referenced threads, e.g. "ASICs mining game" https://bitcointalk.org/index.php?topic=3788591.0 and the referenced external post https://blog.sia.tech/the-state-of-cryptocurrency-mining-538004a37f9b :

The vast majority of ASIC-resistant algorithms were designed by software engineers making assumptions about the limitations of custom hardware. These assumptions tend to be incorrect.
An idea I've been fond of in the past is using a series of hash algos drawn randomly from a set, with the series also changing size randomly within a range, and a random interval between changes in the composition and size of the series (credit to Meni Rosenfeld for that idea).
If Meni really proposed this then this is just proof that he would have flunked the basic logic design course using an FPGA as a teaching aid. It is now being actively demolished in the other thread https://bitcointalk.org/index.php?topic=3459858.0 , profitable even when paying outrageous charges for Amazon's EC2 F1 instances ($0.495 per hour, corrected from $1.65). That idea is now implemented by altcoins using x16r, x16s and similar algorithms.

But could there be other techniques to use the same strategy? Could a hash be written such that the potential for physical flaws in an attempted ASIC chip die would undermine the manufacturing yield, e.g. force chip designers to make individual chips that would need to be >30 cm²?
You were educated in the humanities, weren't you? Try finding the essay by Bruce Schneier where he explains why, in order to design a strong cipher, one does need experience in cipher-breaking. It is not enough to simply pile on the complexity. In my experience his argumentation was convincing to people with an education in the humanities.

Edit: corrected Amazon's pricing for F1.
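An added example, not Meni Rosenfeld's, Carlton Banks's or 2112's code and not x16r itself, of the "series of hash algos drawn from a set" scheme discussed in the two posts above, written in C so the shape of the idea is concrete: the series length, the step order and the number of blocks the series stays in force are all derived from a seed, so miner and verifier agree without any out-of-band coordination. Four toy 64-bit mixers stand in for real hash functions (x16r uses sixteen), the length and interval bounds are assumptions, and the epoch seed chain is derived arithmetically here where a real chain would take the hash of the block that closed the previous epoch.

```c
/* Added example (not from the thread): seed-derived schedule of hash steps,
 * with series length and epoch length also drawn from the seed.
 * Assumptions: 4 toy mixers, series of 4..8 steps, epochs of 1..16 blocks,
 * next epoch seed derived from the previous one instead of a block hash. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_ALGOS    4
#define MIN_LEN      4
#define MAX_LEN      8
#define MAX_INTERVAL 16

typedef uint64_t (*step_fn)(uint64_t);

/* Four distinct toy mixing steps; real deployments would use real hashes. */
static uint64_t rotl64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }
static uint64_t step_a(uint64_t x) { x ^= rotl64(x, 13); x *= 0x9E3779B97F4A7C15ull; return x ^ (x >> 29); }
static uint64_t step_b(uint64_t x) { x = (x ^ 0xA5A5A5A5A5A5A5A5ull) * 0x100000001B3ull; return rotl64(x, 31) ^ x; }
static uint64_t step_c(uint64_t x) { x += 0x7F4A7C15ull; x ^= x >> 33; x *= 0xFF51AFD7ED558CCDull; return x ^ (x >> 33); }
static uint64_t step_d(uint64_t x) { return rotl64(x * 0xC2B2AE3D27D4EB4Full, 41) ^ (x >> 7); }
static const step_fn ALGOS[NUM_ALGOS] = { step_a, step_b, step_c, step_d };

typedef struct {
    unsigned len;             /* number of steps in the series */
    unsigned interval;        /* blocks this series stays in force */
    uint8_t  order[MAX_LEN];  /* index into ALGOS for each step */
} schedule_t;

/* derive_schedule: length, interval and step order all come from the seed,
 * so every node derives the same series from the same chain state. */
schedule_t derive_schedule(uint64_t seed) {
    schedule_t s;
    uint64_t r = step_c(seed);
    s.len = MIN_LEN + (unsigned)(r % (MAX_LEN - MIN_LEN + 1));
    r = step_c(r);
    s.interval = 1 + (unsigned)(r % MAX_INTERVAL);
    for (unsigned i = 0; i < s.len; i++) { r = step_c(r); s.order[i] = (uint8_t)(r % NUM_ALGOS); }
    return s;
}

/* schedule_for_height: walk epochs forward from the genesis seed. Each epoch
 * lasts `interval` blocks; the next seed is derived from the previous one
 * (assumption standing in for the hash of the epoch's last block). */
schedule_t schedule_for_height(uint64_t genesis_seed, uint64_t height) {
    uint64_t seed = genesis_seed, start = 0;
    schedule_t s = derive_schedule(seed);
    while (start + s.interval <= height) {
        start += s.interval;
        seed = step_a(seed ^ start);
        s = derive_schedule(seed);
    }
    return s;
}

/* chained_hash: run the series in order, each step feeding the next. */
uint64_t chained_hash(const schedule_t *s, uint64_t input) {
    uint64_t x = input;
    for (unsigned i = 0; i < s->len; i++) x = ALGOS[s->order[i]](x);
    return x;
}

/* hash_at_height: what a miner or verifier computes for a block at `height`. */
uint64_t hash_at_height(uint64_t genesis_seed, uint64_t height, uint64_t input) {
    schedule_t s = schedule_for_height(genesis_seed, height);
    return chained_hash(&s, input);
}

int main(void) {
    for (uint64_t h = 0; h < 40; h += 8) {          /* sample heights, constructed */
        schedule_t s = schedule_for_height(0x1234, h);
        printf("height %2llu: len %u interval %2u order", (unsigned long long)h, s.len, s.interval);
        for (unsigned i = 0; i < s.len; i++) printf(" %c", 'a' + s.order[i]);
        printf("\n");
    }
    return 0;
}
```

Every input to `derive_schedule` is public chain state, so the series is exactly as predictable to a reconfigurable device as to a CPU miner; that is the substance of 2112's objection above. An FPGA or a "flexible ASIC" just loads the epoch's step order like every other node does, and the randomness buys nothing against it.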