Resurrecting the Champ: PoW to become Bitmain/Buterin resistant

[aliashraf]

Hi all,
In this series of articles, I'm going to share my technical analysis of Bitmain's latest attack on Ethash along with my own counterattack proposal. I have not started coding my algorithm tweak proposal yet but will do it in next few days.

It was bitcoin community's fault from the first place not to recognize ASIC as a crack and not to take a proper action against it by upgrading to an ASIC resistant PoW, imo. The endless scalability debate (faked/escalated by Bitmain?   ) was just a distraction for the community to seat and watch what was happening to the most unique, unprecedented feature of bitcoin, decentralization powered by PoW, being put in danger by an old fashioned way of crack: Application Specific Integrated Circuit, ASIC.

As a direct consequence of this passivitism, Jihan earned billions of dollars and became powerful enough to attack other coins  by investing more on ASIC design and production (besides taking malicious positions in bitcoin ecosystem) Scrypt, X11, Blake, ... cracked one after another in a short period of time. Each time an ASIC miner with crazy efficiency advantage over gpu mining was introduced by Bitmain after it has mined enough of each coin before the disclosure.

Now, the monster has become so reach and self confident to attack the second largest cryptocurrency and one of the most promising ones, Ethereum and its Ethash PoW, by introducing E3. It isn't an ASIC attack, as I'll argue through this topic, but deserves to be classified as an attack, possibly a new class of attack that can be accomplished only by such a resourceful monster and again its purpose is hardware monopolization.

Monero and its Sergio reacted almost instantly, they have already forked the chain and are very committed to their ASIC resistance strategy but Ethereum Foundation and Buterin on the contrary are showing no interest. They have not responded yet, instead, Buterin recently has coldly proposed to take advantage of this threat and boost Ethereum's migration to PoS, using his new toy, Casper.

PoW is not a toy to be replaced childishly, and I'm sure Ethereum Foundation will have a lot of trouble to manage for such a destructive hard fork,( personally I'll fully support any resistance against their agenda), so, I will deliberately eliminate Casper and PoS as a solution, firstly because I don't recognize a coin based on PoS as Ethereum( Posethereum? May be ) ) and secondly I think it is more about Ethash. Pos may save or destroy Ethereum but it has nothing to do with Ethash.

Actually it is more about PoW rather than Ethash, improving bitcoin's SHA256 PoW is not that unlikely to be supposed totally off the table forever (even after the  failed BTG experiment). I think Bitmain is increasingly getting stronger and more dangerous and will take more aggressive positions against the community and one solution for the crisis would be enhancing PoW to get rid of Bitmain. This is why I have labeled this topic as a resurrection attempt toward PoW rather than Ethash, the later is just an interesting case chosen to be studied more precisely.

The upcoming debate in bitcoin over this issue and its result won't be as radical as what Buterin and his mates feel free to do with Ethereum. Bitcoin is three times bigger (in terms of market cap) and unlike the way Buterin and Ethereum Foundation (inappropriately) treat their coin, it is not an experimental project, there will be no PoS or proof of anything migration debate ever in bitcoin but a PoW tweak to become more resistant to Bitmain attcks? Who knows?

So I see stakes here for bitcoin community to get involved in ASIC resistance debate actively, and it is not that surprising:
Cryptocurrencies have a lot of technology and experience to share and PoW issues are on the top of the list.

After all PoW has gone through, there is disappointment in the air and many give up proposals on the table. Some people argue that because 'ASIC resistant' is not equal to 'ASIC proof '(?) the failure of  Scrypt, Cryptonight, X11, ... algorithms (and supposedly Ethash now), are enough evidences for us to be convinced  that PoW is inherently vulnerable and will lead to hardware centralization. Some use this to suggest approaches other than PoW for securing blockchain ('proof of something' discourse and the trending PoS vaariant) while others recommend coping with the claimed flaw and pray for other ASIC manufacturers to come to the scene and compete, or claim that there is no centralization threat at all(honestly, aren't they payed by Bitmain?  ).

I'm strongly against this arguments and believe that ASIC resistance is the same as ASIC Proof (practically) and if some algorithms have failed their promise it does not imply anything other than they have to upgrade and fix their vulnerabilities.

Plus I think a more general hardware centralization threat should be addressed (including but not limited to ASIC), it is substantially because of my perception of the latest Bitmain E3 which I have come to the conclusion that it is not ASIC but yet a serious hardware centralization threat.

Bitmain's E3 seems to be a new type of attack on PoW based blockchains, It is not an Application Specific Integrated Circuit(ASIC) because it has not the required signature of ASICs being orders of magnitude enhancement in efficiency. From what Bitmain has officially announced, E3 is not more efficient than a 6x570 based gpu rig (it consumes 800 watts to produce 180 Mh/s Ethash mining power) definitely it is not what you expect from an ASIC.

But if Bitmain has not achieved more efficiency, how is it possible to categorize its E3 as an attack? The trivial answer is cost efficiency.

In a sophisticated marketing maneuver, Bitmain is selling its miner for a price far (more than 3 times) below what an ordinary gpu miner can manage to assemble a comparable mining rig. It pushes ordinary miners out of the market and is a hardware centralization threat and deserves to be classified as an attack. I'll show here that it is an special purpose machine built for taking advantage of a specific vulnerability of a modern PoW algorithm like Ethash. It is nothing less than an attack and for the convenience I'll call it Application Specific Architectured Computer, ASAC.

Bitmain, obviously, has not disclosed anything worth mentioning about E3 other than a picture (of an ugly mini case) plus 800 watts power consumption, 180 Mh/s Ethash power and 800$ price besides a 3 month pre-order requirement for the buyers, if it was not Bitmain, it would look  just like a scam, but it IS Bitmain and something is wrong here.

Just like any other technology, the most important secret that will be disclosed once it has been introduced, is always its feasibility. When you announce a product, you have already compromised the most important secret about it: its existence!

My assumption here is Bitmain has managed to reduce costs dramatically and the very few days  after the announcement, I have been busy finding how.

Obviously, I had to review Ethash again, this time, under the lights of E3 disclosure and being 100% convinced that there exists a vulnerability and Bitmain has taken advantage of it to manage for the attack.

I have found a possible answer and a proper solution both not very hard to guess: I think it is a shared memory attack (not the old Dagger vulnerability thou) and mitigation is possible by enforcing dedicated memory requirements, which I'll share in next few days,  but before proceeding anymore, I would like to hear from other forum members about this issue.

[1713489163]

1713489163

[1713489163]

1713489163

[trgnn]

POS

[SpinningTruth]

Thanks for the thoughtful article.  I'm working in a similar area and thought I'd add my own perspective on how to deal with the  centralization-as-an-attack  cryptocurrency problem.

We seem to agree on the idea that the best defense against ASIC's (and other approaches that fill the same functional and economic niche) is an economic defense.   For example, my approach to POW is to leverage PC's in a way that is uneconomic to duplicate in a fixed-purpose device.  Since many people already own PC's their machines don't have to be counted as part of the cost of decentralized POW. 

On the other hand, someone building a dedicated mining farm would have to outlay *extra* money to compete with something that the decentralized community already has in abundance.   

This approach failed for bitcoin because the POW algo was too trivial; it required only a few instructions of the CPU and a tiny amount of memory.  A $1000 PC was making use of only a tiny fraction of its cost for mining.  This left a huge window for exploitation by ASIC's (and GPU's).

A better approach would have been to use more instructions and more complex instructions as well as far more memory in the POW algo, obviously.  Further, as as you point out above, the memory should be dynamically used rather than static to reduce the possibility of shortcuts.  Ideally, the algo would make use of as many capabilities of the (common) PC as possible.  Successfully implemented, this approach would not make ASIC and GPU mining 'impossible', merely impractical.

But, as you say, ASIC resistance, as defined economically, *is* ASIC proof. 

My algo is pretty basic in that it mostly makes use of lots of memory and memory bandwidth for each thread, but that alone addresses a significant subset of the 'ideal' requirements of my approach.  A GPU would be able to run a few threads, for example, but its performance should pale in comparison to a CPU.  It might be worth the electricity at the low usage level -- but the ROI would not be worth the capital outlay of building a GPU rig.

An ASIC (or ASAC) could still be made to be more efficient than a PC, but should not be drastically so.  As long as the pay-off period for a piece of special-purpose equipment is measured in multiple years, the risk would be too great for a prudent investment -- especially in the fast-moving space of cryptocurrencies.  And, more importantly, it would not provide the economic foundation for a few companies to quickly rise to dominate the space.

[ABCbits]

I've made thread about similar problem at Do you think Bitcoin need to change it's PoW algorithm?. But changing/tweak/modify PoW algorithm is difficult once ASIC is available for public, hashrate dominated by ASIC or the algorithm isn't designed to combat ASIC (such as SHA-256).

For Monero, tweak CryptoNight algorithm isn't difficult since mining with CPU/GPU still profitable (which means ASIC haven't take over the network/hashrate), tweak CryptoNight don't change hash speed of CPU/GPU and most importantly majority community agree with their Core team decision.

For Bitcoin, it's hard task because :
1. ASIC completely dominate Bitcoin mining.
2. Changing algorithm to ASIC resistance is difficult since the network hashrate would be very low which makes block generation very slow and make Bitcoin network vulnerable during transaction since that means attacking bitcoin network 51% attack will be far easier. Even when considering there are ways to "tweak" SHA-256 just to break ASIC
3. Getting community approval over tweak/change which require hard-fork is difficult, especially from ASIC miners.

I think tweak Ethash algorithm at this point is good idea since the ASIC isn't available for public yet, but without Ethereum Foundation or majority community approval, your idea won't happen (at least without chain-split).
But i think enforcing dedicated memory requirements won't do much since ASIC/FPGA manufacture simply can add more memory, unless your solution is similar with CryptoNight which force high-speed/low-latency for efficient mining such as L2/L3 cache which is expensive in big capacity. CMIIW.

[aliashraf]

POS

thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi billion dollars incentivized attacks and secondly Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.

[aliashraf]

I've made thread about similar problem at Do you think Bitcoin need to change it's PoW algorithm?. But changing/tweak/modify PoW algorithm is difficult once ASIC is available for public, hashrate dominated by ASIC or the algorithm isn't designed to combat ASIC (such as SHA-256).

For Monero, tweak CryptoNight algorithm isn't difficult since mining with CPU/GPU still profitable (which means ASIC haven't take over the network/hashrate), tweak CryptoNight don't change hash speed of CPU/GPU and most importantly majority community agree with their Core team decision.

For Bitcoin, it's hard task because :
1. ASIC completely dominate Bitcoin mining.
2. Changing algorithm to ASIC resistance is difficult since the network hashrate would be very low which makes block generation very slow and make Bitcoin network vulnerable during transaction since that means attacking bitcoin network 51% attack will be far easier. Even when considering there are ways to "tweak" SHA-256 just to break ASIC
3. Getting community approval over tweak/change which require hard-fork is difficult, especially from ASIC miners.

I think tweak Ethash algorithm at this point is good idea since the ASIC isn't available for public yet, but without Ethereum Foundation or majority community approval, your idea won't happen (at least without chain-split).

For bitcoin, as I see it and have mentioned above somehow, this option (tweaking PoW to resist against ASICs) is both an open possibility and an unavoidable  destiny in the middle term. For the latter my argument is based on Bitmain situation as an over-bloated center that happens to reside in China. Bitcoin community eventually will be united, no choice.

For Ethereum it is an inevitable almost urgent agenda. I'll do it and I don't care about a foundation and its crypto idol who have gone too far this time by breaking their contract and taking position against the majority of the users and miners. They will pay for their strategic mistake on this issue.

Back to your arguments about hashrate drop problem after the fork:
I know you are an expert by your own, but I have to make it clear that two different PoW algorithms are not comparable, all that matters is security and it is directly related to the costs of attacks like sybil or 50%+1 attack.

After the hypothetical fork, if it is supported by enough users (wallets) and a significant amount of mining power, Bitmain have no choice other than sticking with old chain and trying to manipulate the price of the upgraded bitcoin, desperately. This can be easily mitigated by a smart and well organized campaign, imo.

[SpinningTruth]

...ASIC/FPGA manufacture simply can add more memory...

Assume I start with 128MB/thread.  How many threads are ASIC's running to achieve their impressive hashrate/$ ratio?  Unless they can maintain their performance with a PC-like low thread count, their costs will quickly spiral out of control.  Of course, if I guess to the low side on memory footprint and an ASIC emerges for my hypothetical cryptocoin, I can double my memory requirements with a parameter change and recompile, rendering existing hardware devices obsolete. 

Note that this is not a technical solution but an economic one.  Who would do the R&D, manufacture a production run of ASIC's, and ship them to customers when the target algo is designed from the outset to trivially increase its memory requirements with one parm change?  Also, who would buy it?

[Slava79]

POS

thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi billion dollars incentivized attacks and secondly Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.

Interesting,

In the first part you say "PoS is out of context" because  "it is a naive and immature idea", but provide not support for this statement. Could you please explain why is it naive and immature, especially in the light that some of the multimillion dollars cryptocurrencies are running on it?

Secondly, you mention Posethereum and state as it is not Ethereum, then PoS won't work.

I often see there is no much love for PoS in some circles, genuinely interested why?

[Xynerise]

I often see there is no much love for PoS in some circles, genuinely interested why?

There are a lot of reasons why some people do not like proof-of-stake:
There's nothing extrinsic to the network at stake unlike in proof of work where electricity costs and computing power, are used to secure the network.
In POS systems, whatever you're staking is already present in the network, so you're not really adding anything of value. You can make a case for the value of bitcoin being the electricity costs used to mine a block.

It's not as battle tested as proof of work.

Rewards on staking are usually proportional to the amount of the currency a user holds so the rich get richer. I suppose a similar argument could be made for mining.

Also there's the "nothing at stake" problem where forgers can vote for multiple blockchain histories.
There's no definite mitigation to the problem so far, current attempts only rescale the problem, and others just use a POW + POS hybrid.

[Anti-Cen]

Also there's the "nothing at stake" problem where forgers can vote for multiple blockchain histories.
There's no definite mitigation to the problem so far, current attempts only rescale the problem, and others just use a POW + POS hybrid.

I find myself having to agree with you, well presented argument but "proof a-b-c-" is just a basis for "Trust" and this runs
against the manter here about "Trustless" network.

PoW is not so bad if it's useful work and not just 20,000 nodes clogging up the CPU and network but that's not whats happening with Bitcoin
but what is happening is CPU-Wars have been created and that only keep Intel rich and the miners competing against each other.

What might had been acceptable if we only had the 1000 miners we needed to maintain the network does
not work when you have 20,000 of more or them and lets save the none debate about the 51% attack

[aliashraf]

POS

thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi billion dollars incentivized attacks and secondly Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.

Interesting,

In the first part you say "PoS is out of context" because  "it is a naive and immature idea", but provide not support for this statement. Could you please explain why is it naive and immature, especially in the light that some of the multimillion dollars cryptocurrencies are running on it?

Secondly, you mention Posethereum and state as it is not Ethereum, then PoS won't work.

I often see there is no much love for PoS in some circles, genuinely interested why?

I'm not here to argue about PoS and I think it is off topic. They want go PoS let them go and why in the hell they haven't do this already? You know why? Because there is no straight and simple model, no mathematical proof for PoS to be a reliable approach to secure a distributed system and all its proponents  have to say is something like 'this or that kind of attack never happens in real world' ... the most worthless argument ever.

To understand what is wrong about PoS, one should understand the importance of Satoshi's PoW innovation. We had reputation based proposals for decentralized distributed systems, no one capable of solving the problem. It was before Satoshi Nakamoto and his brilliant PoW proposal.

PoS is a descendent of those naive reputation based proposals (your stakes are an index of your reputation) it shares the same 'subjectivity' property in its pure form. Once a participant is staking her coins, she is risking a subjective, virtual asset (her coins/reputation) it is nothing-at-stake, nothing objective. In practice it leads to the infamous nothing-at-stake attack for which Ethereum's idol, Vitalik Buterin has proposed a ridiculous algorithm called 'slasher' just like a undereducated technician who tries to file a patent for his invention of an ideal machine that violates the second law of thermodynamics  

PoS proponents, optimistically embrace such junior programmer's tricks and try to convince us that they have not wasted their lives  on a subjective, impractical approach to decentralized systems and they can compete using 'light' versions of subjectivity (Vitalik words).

There is no 'light subjectivity', imo, a subjective algorithm is poisoned as much as it is subjective. Hybrids, fail because of their inherent weak genes, ultimately and in long term. If it was legitimate and feasible to produce money from air, central banks would be the most legitimate bodys for this job.

Instead, PoW is an objective solution to decentralization, one should consume 'real' resources (computing power, electricity, ...) and there is a cost for every single action in the network and a reward for the well formed protocol compliant behaviors. This is why PoW is rigid and a masterpiece, it is objective, btc, eth, ltc, ... are gaining their values not from a compromise between members of a community (it is not fiat money) but because they consume resources to generate them.

Slasher algorithm (Vitalik's masterpiece  ) or other proposed algorithms for nothing-at-stake attack in PoS based systems, can do nothing about this weakness, specifically, I'm telling you, a childish punishment algorithm (for preventing stakeholders from playing in multiple forks)  has nothing to do with the fact that these 'stakes' are nothing, have come from nowhere with no cost.

Current criticism around PoW is worthless, imo. Satoshi's legacy is far more important to be criticized that trivially.

Talking about environmental issues is irrelevant in the first place. It is an industry, you love planet? Go find me some clean and price effective electricity to consume, as a miner, I consume energy to produce a valuable asset that can be used for resisting corrupted banking and financial systems, the most important use case in modern history!

Accusing PoW to be vulnerable to ASIC and its hardware centralization consequences is not acceptable too. I'll do this fork and show the way, the accuser has the same obligation or has to follow me (take the lead or just follow). ASIC vulnerability is not an inherent property, despite some claims, an ASIC proof algorithm is achievable (one may call his general purpose processor ASIC, but it is not).

Naggers, like Vitalik who constantly complain about scalability and performance, are the worst people ever. There are a handful of approaches (sharding, off-chain solutions, ... ) ready to be implemented, if bitcoiners fail to converge and has a governance crisis to overcome, Ethereum community has this idiot idol in charge, hasn't it? Instead of wasting time and resources on a 'light version' of subjectivism (believe it? What an idiot   ) wasn't it ways better to improve the protocol and produce complementary components to prevent the network from being congested by something like 'cryptokitties' ?

[Slava79]

PoS proponents, optimistically embrace such junior programmer's tricks and try to convince us that they have not wasted their lives  on a subjective, impractical approach to decentralized systems and they can compete with 'light' versions of subjectivity (Vitalik words).

I agree with your criticism of Slasher and how it's presented to be the "breaking through" idea.

There is no 'light subjectivity', imo, a subjective algorithm is poisoned as much as it is subjective.

"Weak subjectivity" is the term aimed to hide the fact the long-range attack is not solved in PoS. So that, if you selected "wrong nodes" joining the network, you are screwed then.

But won't you have the same set of problems in Bitcoin if: you download wrong client (broken or hacked), someone hacked Bitcoin's main site and patched the wallet, someone hacked DNS service and changed the list of bootstrap nodes? In other words, there is also some kind of subjectivity - not in consensus algorithm, but in other areas.

One can argue that PoS cryptocurrencies are also not immune to these things, but I think what stands them out is that they can deliver real decentralization, not like a PoW coin, mining of which is concentrated in hands on 9-10 organizations.

Instead of wasting time and resources on a 'light version' of subjectivism (believe it? What an idiot   ) wasn't it ways better to improve the protocol and produce complementary components to prevent the network from being congested by something like 'cryptokitties' ?

Right, but will Lightning Network and SegWit help to scale Bitcoin to the level that it is possible to run an app store, full of "cryptokitties", which is what mass adoption means?

[aliashraf]

PoS proponents, optimistically embrace such junior programmer's tricks and try to convince us that they have not wasted their lives  on a subjective, impractical approach to decentralized systems and they can compete with 'light' versions of subjectivity (Vitalik words).

I agree with your criticism of Slasher and how it's presented to be the "breaking through" idea.

Thank you! It's just ridiculous, isn't it? covering the mess with tv style ads

There is no 'light subjectivity', imo, a subjective algorithm is poisoned as much as it is subjective.

"Weak subjectivity" is the term aimed to hide the fact the long-range attack is not solved in PoS. So that, if you selected "wrong nodes" joining the network, you are screwed then.

But won't you have the same set of problems in Bitcoin if: you download wrong client (broken or hacked), someone hacked Bitcoin's main site and patched the wallet, someone hacked DNS service and changed the list of bootstrap nodes? In other words, there is also some kind of subjectivity - not in consensus algorithm, but in other areas.

One can argue that PoS cryptocurrencies are also not immune to these things, but I think what stands them out is that they can deliver real decentralization, not like a PoW coin, mining of which is concentrated in hands on 9-10 organizations.

PoS eventually will lead to a very limited number of 'banks' taking deposits from users, using them as stakes ,  ... leading to ways worse scenarios than what PoW coins are experiencing with pools.
I agree that 'resource sharing' is a problem for both paradigms bot PoS suffers more and implies more threats because of so-called 'mitigation' proposals like Slasher and others which require long term deposit contracts that lead to less flexibility to switch between centres (in PoW you can simply point your miners to whichever pool of your choice).

Plus, running a pool service requires a much less investment compared to what a 'bank' needs, just like a traditional bank does.

As of hacked DNS service and alike, if pools have any bad thing to do with PoW, they are good in this respect and generally speaking a 'bootstrap poisoning' attack for a solo miner or any full node in PoW is very unlikely to succeed while PoS is inherently vulnerable to this attack in its core consensus algorithm, the only mitigation being programming tricks like Slasher that put the network in even more serious centralization dangers because of what I have reminded above.

Instead of wasting time and resources on a 'light version' of subjectivism (believe it? What an idiot   ) wasn't it ways better to improve the protocol and produce complementary components to prevent the network from being congested by something like 'cryptokitties' ?

Right, but will Lightning Network and SegWit help to scale Bitcoin to the level that it is possible to run an app store, full of "cryptokitties", which is what mass adoption means?

Sidechains are more favorable solutions for me and sharding is the second while I have very little sympathy to Segwit and don't take lightning serious enough to list it as an ultimate solution.

I think scalability is a major problem and it needs step by step solutions and improvements to be tackled until the ultimate solution (which I believe is of a sidechain class) is operational. We are in no rush, right now.

[DooMAD]

It was bitcoin community's fault from the first place not to recognize ASIC as a crack and not to take a proper action against it by upgrading to an ASIC resistant PoW, imo.

"ASIC resistant algorithm" is somewhat of a misnomer, since it's only "resistant" up to the point where someone designs a new ASIC for it.  Most altcoins who claim to be ASIC resistant can get away with making that claim, simply because their coin isn't valuable enough for anyone to bother designing a custom chip for it.  Resistance through obscurity, in effect.  The problem Bitcoin has is that it obviously is quite valuable, so the moment you change the algo, all the big manufacturers will start work an a new ASIC designed to work with that algo.  There's simply too great an incentive for it.  

It doesn't matter what algorithm you pick, it's always going to be inherently less resistant to ASICs by mere virtue of the fact that it's Bitcoin and ASICs are what all the miners will naturally want to have, so there will always be an overwhelming demand for someone to manufacture one.  Sooner or later, it's inevitable we'll have ASICs once again.  It's only ever going to be a temporary reprieve and will likely involve a hardfork every time it needs changing again.  You might have noticed, but hardforks tend to be somewhat controversial round these parts.  

While I don't really keep up with Monero, I read that it somehow managed to split into 4 distinct chains because no one could agree on how their attempt at blocking ASICs should work.  We don't really want a repeat of that omnishambles in Bitcoin.

My take is that we just need a wider variety of manufacturers involved.  Other hardware companies need to step up their game and challenge Bitmain's current stranglehold.  Bricking hardware would likely escalate tensions and could even provoke some pools or perhaps Bitmain themselves into some form of retaliation.  That might sound silly, but it's worth pointing out there's a tremendous amount of money involved and when people with lots of money see a threat to their financial future, offence is often seen as the best form of defence.  It may even have other potential consequences like needing to include emergency difficulty adjustments due to a sudden plummet in hashrate, which could potentially unbalance the release schedule of newly minted coins into circulation.  One of Bitcoin's primary strengths is its predictable supply, so not something we should jeopardise lightly.

Caution is strongly advised.

[aliashraf]

It was bitcoin community's fault from the first place not to recognize ASIC as a crack and not to take a proper action against it by upgrading to an ASIC resistant PoW, imo.

"ASIC resistant algorithm" is somewhat of a misnomer, since it's only "resistant" up to the point where someone designs a new ASIC for it.  Most altcoins who claim to be ASIC resistant can get away with making that claim, simply because their coin isn't valuable enough for anyone to bother designing a custom chip for it.  Resistance through obscurity, in effect.  The problem Bitcoin has is that it obviously is quite valuable, so the moment you change the algo, all the big manufacturers will start work an a new ASIC designed to work with that algo.  There's simply too great an incentive for it.  

The "ASIC resistant not ASIC proof" theory has one important implication that we should beware of: It question's Nakamoto's PoW innovation to be instrumental for securing decentralized, permissionless systems like bitcoin, Ethereum and alike. Actually proposing such a duality is not less than saying something like:

"The rise of proprietary, closed systems, under the control of corporates that outperform commodity cpu/gpu based computers and monopolize the network, is an inevitable destiny for any network that is secured by a consensus protocol, based on PoW algorithm, it is just a matter of incentive and how much the coin's market cap is and does it worth it?"


It is nothing less than  burying PoW, not a surprise that people like Vitalik Buterin and other PoS enthusiasts never get tired of repeating such claims and they are not alone, we have Jihan Wu and his paid journalism that escalate and propagate this theory just like a proven mathematical theorem.

If anybody is willing to do so, burying PoW, I'm no enthusiast, just asking for paperwork.

Although, It is on claimant to prove the claim, apparently with all these advertisements we have no choice to prove that such duality is ridiculous:
Once you have a good ASIC resistant algorithm (unlike bitcoin's SHA2) you have a 'practical' ASIC proof algorithm in hand. And the practical adjective here is not a weakening factor because this field, public blockchain is a practical context and every single technology or protocol discussed here yields a practical assumption.

Claiming that with enough incentive, resourceful attackers can crack every PoW algorithm by making an ASIC is just saying that PoW can not achieve a practical security et se, as long as it is PoW.
I'm here to show the falsehood of such a predict. But I think I have done half of the job by revealing the importance and destructive nature of such a claim.

I'm deliberately avoiding to criticize 'ASIC is not that bad' discourse for now, first things, first.

While I don't really keep up with Monero, I read that it somehow managed to split into 4 distinct chains because no one could agree on how their attempt at blocking ASICs should work.  We don't really want a repeat of that omnishambles in Bitcoin.

There is no split in monero and it doesn't make sense to call it split. Monero users are happy and their balances are safe, miners are happier and their profits are becoming interesting. Forks happen, I can fork bitcoin overnight and nobody gets hurt (other than myself, I suppose, because of wasting my resources).

It is all about the community and the devs to reach a consensus, the rest is a piece of cake (at least compared to reaching to a consensus).

My take is that we just need a wider variety of manufacturers involved.  Other hardware companies need to step up their game and challenge Bitmain's current stranglehold.  Bricking hardware would likely escalate tensions and could even provoke some pools or perhaps Bitmain themselves into some form of retaliation.  That might sound silly, but it's worth pointing out there's a tremendous amount of money involved and when people with lots of money see a threat to their financial future, offence is often seen as the best form of defence.  It may even have other potential consequences like needing to include emergency difficulty adjustments due to a sudden plummet in hashrate, which could potentially unbalance the release schedule of newly minted coins into circulation.  One of Bitcoin's primary strengths is its predictable supply, so not something we should jeopardise lightly.

Caution is strongly advised.

Monopoly is not the only or even the biggest threat when it comes to ASICs.

Other facts like that manufacturers are always one or two step ahead of the community or they know the exact mission of the device they are building and selling and this gives them options to plant everything they wish in the firmware and ... are of critical importance, too.

[DooMAD]

The "ASIC resistant not ASIC proof" theory has one important implication that we should beware of: It question's Nakamoto's PoW innovation to be instrumental for securing decentralized, permissionless systems like bitcoin, Ethereum and alike. Actually proposing such a duality is not less than saying something like:

"The rise of proprietary, closed systems, under the control of corporates that outperform commodity cpu/gpu based computers and monopolize the network, is an inevitable destiny for any network that is secured by a consensus protocol, based on PoW algorithm, it is just a matter of incentive and how much the coin's market cap is and does it worth it?"


It is nothing less than  burying PoW

I don't think that's the case at all.  The existence of ASICs neither undermines the innovation of PoW, nor ensues its demise.  It merely encapsulates the most efficient means of performing the work currently.  Rather than trying to fight against the natural incentive to utilise the most efficient means, it's healthier to make ASICs more attainable for a wider number of both mining participants and hardware manufacturers to level each respective playing field.

Monopoly is not the only or even the biggest threat when it comes to ASICs.

Other facts like that manufacturers are always one or two step ahead of the community or they know the exact mission of the device they are building and selling and this gives them options to plant everything they wish in the firmware and ... are of critical importance, too.

How certain are we that CPUs and GPUs are immune to malicious code in the firmware?  Mining is always going to rely on hardware in some form and we'll have to trust someone to make that hardware.  Declaring war on ASICs doesn't absolve this.  At least monopoly can be somewhat negated.  We may as well focus on the things we can actually fix.

[aliashraf]

The "ASIC resistant not ASIC proof" theory has one important implication that we should beware of: It question's Nakamoto's PoW innovation to be instrumental for securing decentralized, permissionless systems like bitcoin, Ethereum and alike. Actually proposing such a duality is not less than saying something like:

"The rise of proprietary, closed systems, under the control of corporates that outperform commodity cpu/gpu based computers and monopolize the network, is an inevitable destiny for any network that is secured by a consensus protocol, based on PoW algorithm, it is just a matter of incentive and how much the coin's market cap is and does it worth it?"


It is nothing less than  burying PoW

I don't think that's the case at all.  The existence of ASICs neither undermines the innovation of PoW, nor ensues its demise.  It merely encapsulates the most efficient means of performing the work currently.  Rather than trying to fight against the natural incentive to utilise the most efficient means, it's healthier to make ASICs more attainable for a wider number of both mining participants and hardware manufacturers to level each respective playing field.

Both historically and theoretically the sole purpose of Satoshi's PoW is perceivable as a practical solution to Byzantine Generals problem which any distributed permissionless decentralized system that is open to untrusted players (like bitcoin) should consider it as its canonical challenge.

Care should be taken that in the context of Byzantine Generals Problem, the participants are supposed to be human beings and not machines, because machines have no incentive to take part in any conspiracy, or remain loyal to an agenda. They are simply, tools and devices used by their owners.

PoW is not a protocol to solve machine's malicious behavior, mainly it is about the owner's.

For unfaithful owners reaching to critical majorities (50%+ and 2/3+) needed to break/takeover a well formed consensus protocol (like a blockchain) is much harder when their cardinality is higher and they are more divergent in terms of power, interests, geographical location etc.

If a PoW based system could not guarantee a minimum level of diversity between miners (human beings behind the miners not the machines) it should not be considered safe and needs immediate upgrades.

If it is a normal consequence of PoW and it is a matter of time for any PoW based system to become unsafe, then PoW should not be considered a solution for Byzantine Generals problem at all! Not a good news for Satoshi fans.

The threats involved in introduction of ASICs to a PoW based system are more than obvious:

1- Regarding its technological leverage, the manufacturer uses its advantage to mine far more efficiently it yields a situation in which the ordinary miners disappear gradually and the manufacturer becomes more powerful with almost an unlimited access to required resources for accelerating the process even more, reducing the cardinality and diversity of the participant to a dangerous level.

2- The very first company that manages to crack the algorithm and produce a specialized machine,  will save its position almost forever because of the gains. There will be no room left for competition and leveling the situation and delaying the disaster a bit to buy some time.

3- Such a system no longer could be classified as permissionless because practically you should get permission (buy the hardware) from the manufacturer to participate, i.e. you can not use your general purpose device to take part/leave  whenever you wish without undergoing significant cost.

In bitcoin we are already in the process of experiencing all the above mentioned challenges.

Of course Bitmain plays a sophisticated strategy that keeps everything in a fragile balance, but it is Bitmain's incentives that are summarized to  a determinant. This is not how decentralization is defined and understood.

Monopoly is not the only or even the biggest threat when it comes to ASICs.

Other facts like that manufacturers are always one or two step ahead of the community or they know the exact mission of the device they are building and selling and this gives them options to plant everything they wish in the firmware and ... are of critical importance, too.

How certain are we that CPUs and GPUs are immune to malicious code in the firmware?  Mining is always going to rely on hardware in some form and we'll have to trust someone to make that hardware.  Declaring war on ASICs doesn't absolve this.  At least monopoly can be somewhat negated.  We may as well focus on the things we can actually fix.

Although I'm a critic of all closed systems it is important to mention that there is a huge difference between CPU/GPU reliability problems and ASICs.

Once you go to the market and buy a general purpose AMD GPU for instance, neither AMD nor the shopkeeper have a clue about what you are going to do with their product. Mining Ethereum with that gpu is your decision. It is impractical for them (or very unlikely) to take ownership of your system to act maliciously in Ethash protocol. You choose to participate without their permission, you can leave and use the gpu to play game or render 3D images, whatever, you are free and safe, well almost.

Obviously purchasing and running a specialized device like a S9 is totally different and vulnerable to trojan attack schemas that can take ownership of the device and participate in the protocol maliciously, because they know exactly how you will use it, you are just following their instructions.

[Qoheleth]

Any real solution that makes a cryptocurrency's Sybil resistance closer to democratic (1 person ≈ 1 vote) rather than plutocratic ($1 ≈ 1 vote) is fine by me.

That said, I still have doubts that a good solution exists within traditional PoW.

(this paragraph edited after the fact; I reread and got a better idea of what you were talking about)
The first reason is that, even if specialized hardware doesn't make sense for a pure mining operation, it will always make sense for an entity trying to execute a double-spend. Such an entity isn't bound by the traditional mining payoff chart; provided they have the start-up capital, all they need to do is reverse some high-profile transactions (or extort "insurance payments" from those trying to transact) to make their money back. For them, only the fixed cost of the hardware - and not the marginal cost of electricity - matters, because they only need to mine when they have someone's kneecaps to break.

But for the sake of argument, let's say you figure it out. Let's say you actually come up with a proof of work scheme that can't benefit meaningfully from custom hardware.

In this situation, the attacker's optimal strategy just shifts from "build a huge fuck server farm" to "build a huge fuck botnet". This is something organized crime groups do today anyway, to great success and populations in the millions. How many Bitcoin full nodes are there today? Something like 10,000? They would be drowned out like a sprinkler in a hurricane. Even if you assume that most BTC users, in a world where they could mine, were to install their own full node, that's maybe 30 million users if you make optimistic assumptions - Bredolab could still have outvoted them, or credibly threatened to do so.

What's your plan for mitigating such a strategy?

[Anti-Cen]

How certain are we that CPUs and GPUs are immune to malicious code in the firmware?  Mining is always going to rely on hardware in some form and we'll have to trust someone to make that hardware.  Declaring war on ASICs doesn't absolve this.  At least monopoly can be somewhat negated.

Well said, "They" try to cover all bases and Intel chip firmware was exposed by a russian company, best blame Putin
like they always do.

Wow the Ministry of Bitcoin Propaganda (MBTCP) took seconds to deleted my last comment, must be using bot's now
or our I am keeping our nazi moderator awake.

[aliashraf]

{...} even if specialized hardware doesn't make sense for a pure mining operation, it will always make sense for an entity trying to execute a double-spend. Such an entity isn't bound by the traditional mining payoff chart; provided they have the start-up capital, all they need to do is reverse some high-profile transactions (or extort "insurance payments" from those trying to transact) to make their money back. For them, only the fixed cost of the hardware - and not the marginal cost of electricity - matters, because they only need to mine when they have someone's kneecaps to break.

But for the sake of argument, let's say you figure it out. Let's say you actually come up with a proof of work scheme that can't benefit meaningfully from custom hardware.

In this situation, the attacker's optimal strategy just shifts from "build a huge fuck server farm" to "build a huge fuck botnet". {...}

What's your plan for mitigating such a strategy?

Overtaking a PoW network can't be accomplished by a temporary virus/bot infection, the owners will eventually figure out the attack and do a fresh bootstrap. In other words, a long range attack against the network using botnets isn't feasible. Current Ethereum network worth 70+ $billions,  and we have no evidence of such an attack while more than enough incentives exist.

The scenario you suggest, according to which the attacker can benefit from a short range attack for the sake of double spending on a specific transaction  is unlikely because typically, large volume transactions take place in a more cautious way by participants and the attacker has to rewrite more blocks with the same long range attack problems. It is worth mentioning that such attack attempts are always discouraged by the weapon disclosure risk. The attacker(s) should lie in  ambush for a multi-million dollars trade (with a foolhardy partner who will release the valuable assets after few confirmations)  worth the disclosure risk.

Plus, I have no idea of such a hypothetical botnet to be sophisticated enough to participate in a PoW protocol effectively.