Author Topic: Why does Bitcoin keep using SHA256 in its POW?  (Read 827 times)
butka (OP)
Full Member
***
Offline Offline

Activity: 434
Merit: 246


View Profile
April 19, 2018, 11:23:41 AM
Merited by suchmoon (1), ABCbits (1)
 #1

This is a question I've had for some time. It has to do with the hashing algorithm of Bitcoin, namely:

Why Don't We Change the SHA256 in Bitcoin's proof of work?

This question is probably naive, asked many times before, but still I would appreciate your thoughts, especially regarding the current situation.

I get it that no one could've foreseen the appearance of specialized ASIC mining equipment when Bitcoin was in its early days.
If I understand it correctly, over time this has led to centralization, with the majority of computer power for hashing in Bitcoin's POW concentrated in the hands of a few entities.
Or, would this have happened regardless of the ASIC?

How about changing the algorithm? There are other memory intensive hashing functions, or even a combination thereof, which would result in ASIC resistance.

The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.
The obvious disadvantage is that implementing other POW algorithms that would be ASIC resistant would require a Hard Fork and we would lose backward compatibility.

Is this the only disadvantage? What else am I missing?

Also, in light of this, and given that Bitcoin is a decentralized system, who decides whether or not changes of this type could or should happen?
Austin Alexis
Newbie
*
Offline Offline

Activity: 50
Merit: 0


View Profile
April 19, 2018, 12:34:48 PM
 #2

That is a good question. Especially given AES256 is more secure (Advanced Encryption Standard), I think it's probably a case that SHA is still good enough to do the job.
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3073



View Profile
April 19, 2018, 12:37:02 PM
Merited by ebliever (3), ABCbits (2), suchmoon (1), adzino (1), butka (1), BenOnceAgain (1)
 #3

It's complicated.

To simplify, this has actually already happened: I think it was Bitcoin Gold (?) that hard-forked from Bitcoin a couple of months ago, on the basis of a more decentralised mining ecosystem by changing PoW to an algo that's difficult to produce an ASIC for. Needless to say, it didn't gain much popularity.


Until the mining cartel starts to affect everyday Bitcoin users in a way that forces them to act, I expect nothing will happen. Segwit2x almost forced this situation, but in the end it was averted.

In principle, I think it would be better if PoW was changed, but it needs A LOT of planning to make the change seamless; there must be a minimally disruptive way to transition to the alternative source of hashrate to ensure highest possible confidence in the change. Otherwise the BTC exchange rate could crash badly.

Exactly what that would look like... well, maybe a testnet could be running beforehand, with all the new-PoW miners testing that chain. Then a "hand-over" period of blocks could be specified to permit both SHA256 and new-PoW blocks, after which only new-PoW blocks are accepted when handover is complete. Maybe if the end of the hand-over period is specified by the percentage of blocks produced using new-PoW (say 90% or 95%), it could be a very smooth transition. There would almost certainly be people continuing to mine the SHA256 chain afterwards though, although it's unlikely to gain much traction if they're only doing 5% of the work of the main chain.

Choosing the algorithm to ensure the viability of out-hashing the SHA256 miners would be very important, but that would also be the key to success.

Vires in numeris
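Added example (not part of any post in this thread): a minimal Python sketch of the hand-over rule described in post #3, where both algorithms are valid during the transition and SHA256 blocks stop being accepted once new-PoW blocks reach 90% of a recent window. The start height, window size, labels and function names are assumptions chosen for illustration; per-algorithm difficulty is left out.

```python
"""Hand-over rule sketch: dual-PoW acceptance that retires SHA256 once
new-PoW blocks dominate a window of recent blocks."""

START_HEIGHT = 100   # assumed height at which new-PoW blocks become valid
WINDOW = 20          # assumed number of most recent blocks that are measured
THRESHOLD_PCT = 90   # share of new-PoW blocks that ends the hand-over

LEGACY, NEW = "sha256", "new-pow"


def allowed_algos(prefix):
    """Algorithms a node accepts for the block that extends `prefix`.

    `prefix` lists the PoW algorithm of every earlier block, indexed by
    height, so len(prefix) is the height of the block being validated.
    """
    height = len(prefix)
    if height < START_HEIGHT:
        return {LEGACY}
    if height >= START_HEIGHT + WINDOW:
        recent = prefix[-WINDOW:]
        # Integer arithmetic only: consensus code must not depend on
        # floating-point rounding.
        if recent.count(NEW) * 100 >= THRESHOLD_PCT * WINDOW:
            # Once this branch is taken, every later valid block is NEW,
            # so the share in the window can only rise: the switch is
            # permanent for any valid chain.
            return {NEW}
    return {LEGACY, NEW}


def first_invalid_height(chain):
    """Height of the first block whose algorithm is not allowed, else None."""
    for height, algo in enumerate(chain):
        if algo not in allowed_algos(chain[:height]):
            return height
    return None


def handover_complete_at(chain):
    """First height at which only new-PoW blocks are accepted, else None."""
    for height in range(len(chain) + 1):
        if allowed_algos(chain[:height]) == {NEW}:
            return height
    return None


# Constructed chain: 100 legacy blocks, 10 alternating blocks during the
# hand-over, then 18 consecutive new-PoW blocks.
SAMPLE_CHAIN = [LEGACY] * 100 + [NEW, LEGACY] * 5 + [NEW] * 18

if __name__ == "__main__":
    print("hand-over completes at height", handover_complete_at(SAMPLE_CHAIN))
    print("late SHA256 block rejected at height",
          first_invalid_height(SAMPLE_CHAIN + [LEGACY]))
```

Because every node derives the result from block history alone, no separate flag day is needed; the rule itself decides when SHA256 blocks stop being valid.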
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3073



View Profile
April 19, 2018, 12:38:23 PM
 #4

That is a good question. Especially given AES256 is more secure (Advanced Encryption Standard), I think it's probably a case that SHA is still good enough to do the job.

AES is an encryption algorithm, not a hashing algorithm.

Vires in numeris
teamzeropoint
Jr. Member
*
Offline Offline

Activity: 31
Merit: 1


View Profile
April 19, 2018, 12:44:05 PM
 #5

I think this is a question that brings up some interesting points. As the Bitcoin algorithm gets harder, and the ASIC dominated mining becomes more centralised and monopolised, it's what's needed to bring it back to the people.
aleksej996
Sr. Member
****
Offline Offline

Activity: 490
Merit: 389


Do not trust the government


View Profile
April 19, 2018, 12:44:09 PM
 #6

Is this the only disadvantage? What else am I missing?

It is the biggest one. That and the fact that SHA256 is very well tested and known to be secure.
Having ASICs mine is one thing, but having a hashing algorithm that is insecure is complete chaos.

ASICs happen for every algorithm, but there are currencies like Monero that hard fork every time they have a doubt that ASICs are developed.

Also, in light of this, and given that Bitcoin is a decentralized system, who decides whether or not changes of this type could or should happen?

This is exactly why it never forked and it won't for a very long time. First you need almost the entire community to agree that a fork needs to happen.
Then you need a vast majority of the community to agree on which algorithm we should change to.
And after all of that being discussed for years (probably decades, based on how much time we needed to simply increase a block size), we would already have some company create an ASIC for the new algorithm.

It is not a simple problem and it doesn't seem to be absolutely necessary.
ASICs do hurt decentralization, but it is not widely established how much they really hurt it.
Anyone can buy ASICs and multiple companies can develop them.
And we still have big mining centers and pools in other cryptocurrencies that don't have ASICs for their algorithms.
And we still have practically only two companies developing hardware used to mine these altcoins.
Centralization in mining is not just an ASIC problem, it is a bit more complicated than that.
Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3073



View Profile
April 19, 2018, 01:43:33 PM
 #7

SHA256 is very well tested and known to be secure.

SHA256 won't necessarily be secure forever though (although how long for is anyone's guess). PoW algorithm will have to be changed eventually.


This is exactly why it never forked and it won't for a very long time. First you need almost the entire community to agree that a fork needs to happen.
Then you need a vast majority of the community to agree on which algorithm we should change to.
And after all of that being discussed for years (probably decades, based on how much time we needed to simply increase a block size), we would already have some company create an ASIC for the new algorithm.

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.


And we still have practically only two companies developing hardware used to mine these altcoins.

There are only 3-4 manufacturers producing SHA256 ASICs for mining Bitcoin (and they appear to be price fixing)



The other alternative is some kind of very sophisticated 3D printing technology that can usurp traditional processor fabricators. But no such tech yet exists AFAIA (and certainly won't be able to compete with bleeding edge nm node processes at first anyway)

Vires in numeris
butka (OP)
Full Member
***
Offline Offline

Activity: 434
Merit: 246


View Profile
April 19, 2018, 01:57:10 PM
 #8

Then a "hand-over" period of blocks could be specified to permit both SHA256 and new-PoW blocks, after which only new-PoW blocks are accepted when handover is complete. Maybe if the end of the hand-over period is specified by the percentage of blocks produced using new-PoW (say 90% or 95%), it could be a very smooth transition.
This is really interesting and has never occurred to me as a possibility. It doesn't seem hard to implement. I guess, one would have to modify the difficulty separately for both hashing algorithms to have equal chances to find the solution.

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.
If I'm not mistaken, I think we have seen recent algos that employ that idea, like X16R, which switches between several algos to discourage the idea of hardware built specifically for the purpose of mining.
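Added example (not part of any post in this thread): a Python sketch of the "stack of hashing algorithms" idea from posts #7 and #8, in which the order of hash functions is derived from consensus data and changes every epoch without a further hard fork. The pool, chain length, epoch length, seed source and function names are assumptions; X16R itself uses a different set of sixteen algorithms.

```python
"""Rotating chained-hash PoW sketch: the series of hash functions is
re-derived from chain data once per epoch."""
import hashlib

# Assumed pool: functions available in Python's hashlib, not X16R's set.
POOL = ["sha256", "sha512", "sha3_256", "sha3_512", "blake2b", "blake2s"]
CHAIN_LEN = 4          # assumed number of hashes applied in series
EPOCH_BLOCKS = 12_960  # about 3 months at 144 blocks per day


def chain_for(height, epoch_seed):
    """Derive the hash order for the epoch that contains `height`.

    `epoch_seed` stands for data every node already has, such as the hash
    of the last block of the previous epoch. A block hash is influenced by
    its miner, so a real design needs a seed that is costly to bias.
    """
    epoch = height // EPOCH_BLOCKS
    stream = hashlib.sha256(epoch_seed + epoch.to_bytes(4, "little")).digest()
    # One byte per position; the small modulo bias is ignored in this sketch.
    return [POOL[b % len(POOL)] for b in stream[:CHAIN_LEN]]


def pow_hash(header, chain):
    """Apply the chained hashes, then SHA-256 to get a fixed 32-byte result."""
    data = header
    for name in chain:
        data = hashlib.new(name, data).digest()
    return hashlib.sha256(data).digest()


def meets_target(digest, target):
    """Standard PoW check: the digest, read as an integer, is below target."""
    return int.from_bytes(digest, "big") < target


def build_header(prev_hash, height, payload, nonce):
    return (prev_hash + height.to_bytes(4, "little") + payload
            + nonce.to_bytes(8, "little"))


def mine(prev_hash, height, payload, target, epoch_seed, max_nonce=1 << 20):
    """Search nonces until the chained hash meets the target."""
    chain = chain_for(height, epoch_seed)
    for nonce in range(max_nonce):
        header = build_header(prev_hash, height, payload, nonce)
        if meets_target(pow_hash(header, chain), target):
            return header
    raise RuntimeError("no nonce found below max_nonce")


def verify(header, height, target, epoch_seed):
    """A validating node recomputes the epoch's chain and checks the work."""
    return meets_target(pow_hash(header, chain_for(height, epoch_seed)), target)


if __name__ == "__main__":
    seed = bytes(32)     # constructed seed for the demonstration
    easy = 1 << 248      # constructed target: about 1 in 256 hashes succeeds
    print("epoch 0 chain:", chain_for(0, seed))
    print("epoch 1 chain:", chain_for(EPOCH_BLOCKS, seed))
    block = mine(bytes(32), 5, b"constructed payload", easy, seed)
    print("verifies:", verify(block, 5, easy, seed))
```

With a one-element chain of `sha256` this reduces to double SHA-256, so the rotation is a generalisation of the existing check rather than a different kind of proof.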
RedWojak
Jr. Member
*
Offline Offline

Activity: 32
Merit: 1


View Profile
April 19, 2018, 02:55:16 PM
 #9

Changing SHA256 on the live Bitcoin network is extremely complicated but not at all impossible. The above posters already described the process in detail, more than enough to satisfy one's curiosity. I would only like to add that the necessity of any improvement should always be taken into consideration. In the case of a hashing algorithm deeply rooted in Bitcoin's architecture, it would be very unwise to change or even plan changes unless it is absolutely critical to do so. It's like upgrading the perfectly good foundation of a skyscraper - it can be done, may even improve future performance, but is hardly worth the effort.
European Central Bank
Legendary
*
Offline Offline

Activity: 1288
Merit: 1087



View Profile
April 19, 2018, 03:21:26 PM
 #10

How about changing the algorithm? There are other memory intensive hashing functions, or even a combination thereof, which would result in ASIC resistance.

the moment ASIC resistance returns, hundreds or thousands of researchers, scientists and programmers set to work breaking it. the rewards are too high not to try it. bitcoin could spend the rest of its days skipping from algorithm to algorithm which would be an endless cycle of ruin and disruption for little gain.

if someone could come out with something forever unbreakable then great, but i don't think anything can be certain. and even if it returned to GPUs there's enough capital out there in a small number of hands to centralise that too.

the little guy is done in bitcoin mining no matter what. it's better to have more diverse machine manufacturers and as many deep pockets as possible competing to find coins. that's about as good as it's gonna get.
cellard
Legendary
*
Offline Offline

Activity: 1372
Merit: 1250


View Profile
April 19, 2018, 03:51:15 PM
 #11

Changing SHA256 on the live Bitcoin network is extremely complicated but not at all impossible. The above posters already described the process in detail, more than enough to satisfy one's curiosity. I would only like to add that the necessity of any improvement should always be taken into consideration. In the case of a hashing algorithm deeply rooted in Bitcoin's architecture, it would be very unwise to change or even plan changes unless it is absolutely critical to do so. It's like upgrading the perfectly good foundation of a skyscraper - it can be done, may even improve future performance, but is hardly worth the effort.

it is practically impossible, it's too late and anyone that thinks otherwise is most likely delusional. We are stuck with SHA256 until SHA256 is proven to be cracked somehow, which shouldn't happen in our lifetimes, but who knows.

So unless EVERYONE's money on Bitcoin is at risk, there will be no consensus to change, and even if there is a problem, I can see a lack of consensus on what algo to change to. I would like to see how that would be resolved.
butka (OP)
Full Member
***
Offline Offline

Activity: 434
Merit: 246


View Profile
April 19, 2018, 04:01:27 PM
 #12

the little guy is done in bitcoin mining no matter what. it's better to have more diverse machine manufacturers and as many deep pockets as possible competing to find coins. that's about as good as it's gonna get.
We are stuck with SHA256 until SHA256 is proven to be cracked somehow, which shouldn't happen in our lifetimes, but who knows.
If that's really the future of Bitcoin mining, another question comes to mind. What happens with all specialized hardware once the number of bitcoins in circulation comes close to 21 million? As the block reward is not there any more, the usual answer is that the miners will continue to mine just to collect the transaction fees, but that sounds a little bit too far fetched to me.
European Central Bank
Legendary
*
Offline Offline

Activity: 1288
Merit: 1087



View Profile
April 19, 2018, 04:28:56 PM
 #13

If that's really the future of Bitcoin mining, another question comes to mind. What happens with all specialized hardware once the number of bitcoins in circulation comes close to 21 million? As the block reward is not there any more, the usual answer is that the miners will continue to mine just to collect the transaction fees, but that sounds a little bit too far fetched to me.

most of us will be back in nappies before this is a real issue, but it is indeed an issue. personally i'll simply get on with my day and not sweat about it. that's the next generation or two's problem.

if bitcoin is still a thing and still important by then it's gonna get solved by brighter people than me.
DevilOper
Member
**
Offline Offline

Activity: 280
Merit: 26


View Profile
April 20, 2018, 12:15:11 PM
 #14

I get it that no one could've foreseen the appearance of specialized ASIC mining equipment when Bitcoin was in its early days.
...
How about changing the algorithm? There are other memory intensive hashing functions, or even a combination thereof, which would result in ASIC resistance.
What would be the point of doing so?
People move hashing from CPU to GPU, develop ASICs, etc. in order to gain more coins, to profit more from their "mining". Just remove the reward from "mining" - and nobody will care to throw tons of dollars into developing new HW for nothing.
Quote
The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.
Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.
butka (OP)
Full Member
***
Offline Offline

Activity: 434
Merit: 246


View Profile
April 20, 2018, 02:55:09 PM
 #15

Quote
The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.
Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.
Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.
pereira4
Legendary
*
Offline Offline

Activity: 1610
Merit: 1183


View Profile
April 20, 2018, 03:40:25 PM
 #16

Changing SHA256 on the live Bitcoin network is extremely complicated but not at all impossible. The above posters already described the process in detail, more than enough to satisfy one's curiosity. I would only like to add that the necessity of any improvement should always be taken into consideration. In the case of a hashing algorithm deeply rooted in Bitcoin's architecture, it would be very unwise to change or even plan changes unless it is absolutely critical to do so. It's like upgrading the perfectly good foundation of a skyscraper - it can be done, may even improve future performance, but is hardly worth the effort.

Theoretically, it's not impossible as you can think about game theoretical scenarios in which doubts about SHA256 would arise, such as the NSA-NIST conspiracy of a backdoor being somehow true, or somehow the curve gets simply cracked by quantum computing (how else could you crack it anyway?)

Both scenarios are sci-fi, if you think about it.

Therefore the ultimate fate of Bitcoin is being stuck with SHA256, which is not necessarily a bad thing, as long as we keep seeing improvements in competition in the mining game. DragonMint is a new hope in mining competition, for instance. Other than that, thinking there's going to be achievable consensus to change SHA256, is in my opinion a waste of time.

Quote
The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.
Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.
Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.

Looks like Satoshi didn't predict mining pools, which are the cause of centralization, not the actual specialized hardware.
butka (OP)
Full Member
***
Offline Offline

Activity: 434
Merit: 246


View Profile
April 20, 2018, 03:50:35 PM
 #17

Looks like Satoshi didn't predict mining pools, which are the cause of centralization, not the actual specialized hardware.
Good point there!
DevilOper
Member
**
Offline Offline

Activity: 280
Merit: 26


View Profile
April 20, 2018, 06:41:29 PM
 #18

Quote
The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.
Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.
Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.
What do you mean by "stability"? A big rock is more stable than a small stone. A read-only file is quite stable compared to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.
hatshepsut93
Legendary
*
Offline Offline

Activity: 2968
Merit: 2145



View Profile
April 21, 2018, 02:43:05 AM
 #19

ASIC resistance is a temporary thing, so far many algorithms that were claimed to be ASIC-resistant have lost this status - scrypt, X11 and now ethash ASICs were recently announced by Bitmain. If Bitcoin would do an emergency fork today to some existing algorithm, it would probably take around a year or less until new ASICs arrive, since there's very strong motivation to develop them.

And even with new algo the mining might still be centralized, because if it would be very profitable, miners would buy GPU's in bulk while hobbyists won't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets - imagine Microsoft or NSA sneaking mining malware into Windows update to attack Bitcoin's network with CPU hashpower of millions of users.

So, in conclusion, it's a very complex subject that needs to be discussed and tested for long time before making any moves. There's no immediate need to change algo today, we have plenty of time.

butka (OP)
Full Member
***
Offline Offline

Activity: 434
Merit: 246


View Profile
April 22, 2018, 09:11:16 PM
 #20

What do you mean by "stability"? A big rock is more stable than a small stone. A read-only file is quite stable compared to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.
I wouldn't discard the issue of stability so easily. To reply to your comment, there is an interesting Medium article. It nicely illustrates the concerns and danger of Bitcoin's centralization and having a lot of hash-power concentrated in the hands of several entities.
wilwxk
Sr. Member
****
Offline Offline

Activity: 476
Merit: 314


View Profile
April 22, 2018, 09:59:57 PM
 #21

The hard fork is the first problem as mentioned.
But if you really want to change SHA256 to something "better" like SHA3 or CryptoNight, you could only temporarily stop the problem with ASICs.
An ASIC is only a component specially designed to do something; current CPUs and GPUs were made to run different things at the same time, losing part of the efficiency. If you want to continue with proof of work, you will not stop the creation of ASICs; you can only slow down or make more expensive the production of ASICs, but this will be only a temporary solution.
A good case to learn from is the hard fork of Monero.
HeRetiK
Legendary
*
Offline Offline

Activity: 2926
Merit: 2091


Cashback 15%


View Profile
April 22, 2018, 10:53:26 PM
 #22

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.

I remember the concept of periodically switching PoW algorithms being discussed before, but I'm not sure if that discussion ever came to any meaningful conclusion. Are there any alts that have been attempting this approach?



And we still have practically only two companies developing hardware used to mine these altcoins.

There are only 3-4 manufacturers producing SHA256 ASICs for mining Bitcoin (and they appear to be price fixing)

There are also effectively 2 GPU and maybe 3-4 major CPU manufacturers. Lack of competition seems to be just a small part of the equation, with the main problem being that mining hardware manufacturers have a strong incentive to produce mining hardware for themselves rather than their customers.



Theoretically, it's not impossible as you can think about game theoretical scenarios in which doubts about SHA256 would arise, such as the NSA-NIST conspiracy of a backdoor being somehow true, or somehow the curve gets simply cracked by quantum computing (how else could you crack it anyway?)

SHA256 has nothing to do with curves, it's Bitcoin's private / public key algorithm -- ECDSA -- that is endangered. Which is unfortunately much worse. However it can luckily be mitigated by avoiding address re-use until a new private / public key algorithm has been deployed.



Looks like Satoshi didn't predict mining pools, which are the cause of centralization, not the actual specialized hardware.
Good point there!

He kinda did though:
https://bitcointalk.org/index.php?topic=532.msg6306#msg6306



What do you mean by "stability"? A big rock is more stable than a small stone. A read-only file is quite stable compared to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.

A blockchain rewrite caused by dominant hashing power is not a feature though. It's a weakness that is kept at bay by game theoretical incentives, ie. the assumption that no rational actor would waste that much money on an attack of questionable merit. Rewriting transactions is exactly what Bitcoin's consensus algorithm is trying to prevent.



ASIC resistance is a temporary thing, so far many algorithms that were claimed to be ASIC-resistant have lost this status - scrypt, X11 and now ethash ASICs were recently announced by Bitmain. If Bitcoin would do an emergency fork today to some existing algorithm, it would probably take around a year or less until new ASICs arrive, since there's very strong motivation to develop them.

And even with new algo the mining might still be centralized, because if it would be very profitable, miners would buy GPU's in bulk while hobbyists won't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets - imagine Microsoft or NSA sneaking mining malware into Windows update to attack Bitcoin's network with CPU hashpower of millions of users.

I think that's the heart of the issue -- Bitcoin's growth has turned mining into an industrial endeavour where economies of scale are key and money available to be put into R&D is plenty.

Simply changing Bitcoin's PoW algo won't keep ASICs at bay forever, but would come with a lot of challenges -- both technologically and community-wise. Not only evaluating and selecting a new PoW algo will be challenging -- even how the selection for a new PoW algo takes place would likely result in a lot of drama and hidden agendas. Some parties may secretly benefit from one algo over another.

In other words, I too think that the downsides of changing Bitcoin's PoW algo would outweigh its benefits -- for now. As much as I'd love to see a time of hobbyist GPU / CPU Bitcoin mining again, I'm afraid this train has left for good.

Anti-Cen
Member
**
Offline Offline

Activity: 210
Merit: 26

High fees = low BTC price


View Profile
April 22, 2018, 11:24:53 PM
 #23

Theoretically, it's not impossible as you can think about game theoretical scenarios in which doubts about SHA256 would arise, such as the NSA-NIST conspiracy of a backdoor being somehow true, or somehow the curve gets simply cracked by quantum computing (how else could you crack it anyway?)

I will not use any Microsoft black box software like AES on a Windows machine because I know myself that Windows copies, encrypts and uploads anything it can get its hands on, and this is impossible to stop without making the machine useless, and X-Boxes are even worse, not that I or anyone has managed to get inside one.

They are even using ultrasound now to activate apps from your TV on your mobile phones so they will stop at nothing to watch you.

Quantum computers are like hardware network switches, mega fast but very limited when it comes to programming, which is why it's all been talk for years with nothing really happening, but the long term danger does not come from men writing hacking code but more from A.I. developing its own computer language that we mere humans won't understand, and if you think this is science fiction then you are behind the times already.

Some of the self teaching software reconfigures itself and works better than anything the developers could write themselves and they don't even understand how the output works, it just does, and we are already seeing questions being asked about the rights of computers so we are going to be in for some interesting times methinks.

https://www.rt.com/op-ed/424709-sexbots-sex-dolls-rights/

Mining is CPU-wars and Intel, AMD like it nearly as much as big oil likes miners wasting electricity. Is this what mankind has come to?
butka (OP)
Full Member
***
Offline Offline

Activity: 434
Merit: 246


View Profile
April 23, 2018, 04:19:06 AM
 #24

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.

I remember the concept of periodically switching PoW algorithms being discussed before, but I'm not sure if that discussion ever came to any meaningful conclusion. Are there any alts that have been attempting this approach?
RavenCoin, RVN
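
A sketch of the rotating hash-series idea quoted in the post above, added here as an example and not taken from the thread or from any coin's code: the algorithm pool, the four-step series, the seeding rule and every function name are assumptions. The series order is derived from the hash of the last block of the previous (roughly three-month) epoch, so every node computes the same rotation from the consensus rules alone, with no hard fork per change.

```python
import hashlib

# Assumed pool: eight hashlib algorithms. Eight divides 256, so `byte % 8`
# selects each algorithm with equal probability.
POOL = ("sha256", "sha384", "sha512", "sha3_256",
        "sha3_384", "sha3_512", "blake2b", "blake2s")
CHAIN_LEN = 4                  # hashes applied in series (assumed)
EPOCH_BLOCKS = 90 * 144        # about 3 months at one block per 10 minutes
GENESIS_SEED = b"\x00" * 32    # seed for the first epoch (assumed)


def schedule_for(height, block_hash_at):
    """Return the ordered algorithm names that a block at `height` must use.

    The seed is the hash of the last block of the previous epoch, so the
    order is fixed before the epoch starts. Caveat: whoever mines that seed
    block can grind it to bias the next order.
    """
    epoch_start = (height // EPOCH_BLOCKS) * EPOCH_BLOCKS
    seed_src = block_hash_at(epoch_start - 1) if epoch_start else GENESIS_SEED
    seed = hashlib.sha256(b"pow-schedule" + seed_src).digest()
    return [POOL[b % len(POOL)] for b in seed[:CHAIN_LEN]]


def pow_hash(header, order):
    """Apply the scheduled algorithms in series, then truncate to 256 bits
    so the target comparison has a fixed width whatever algorithm is last."""
    data = header
    for name in order:
        data = hashlib.new(name, data).digest()
    return data[:32]


def meets_target(digest, bits):
    """True if the 256-bit digest starts with at least `bits` zero bits."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mine(prefix, order, bits, max_nonce=1 << 24):
    """Search for a nonce; returns (nonce, digest)."""
    for nonce in range(max_nonce):
        digest = pow_hash(prefix + nonce.to_bytes(8, "little"), order)
        if meets_target(digest, bits):
            return nonce, digest
    raise RuntimeError("no nonce found below max_nonce")


def verify(prefix, nonce, order, bits):
    """A validating node recomputes the order itself and checks one hash."""
    digest = pow_hash(prefix + nonce.to_bytes(8, "little"), order)
    return meets_target(digest, bits)


def constructed_block_hash(height):
    """Constructed stand-in for looking up a block hash on a real chain."""
    return hashlib.sha256(b"demo-chain" + height.to_bytes(8, "little")).digest()


if __name__ == "__main__":
    height = EPOCH_BLOCKS + 5
    order = schedule_for(height, constructed_block_hash)
    prefix = constructed_block_hash(height - 1) + b"constructed tx data"
    nonce, digest = mine(prefix, order, bits=12)
    print("series:", " -> ".join(order))
    print("nonce:", nonce, "hash:", digest.hex())
    print("valid:", verify(prefix, nonce, order, 12))
```
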
andrew1carlssin
Jr. Member
*
Offline Offline

Activity: 168
Merit: 3

#Please, read:Daniel Ellsberg,-The Doomsday *wk


View Profile WWW
April 23, 2018, 04:43:32 AM
Last edit: April 23, 2018, 04:55:06 AM by andrew1carlssin
 #25

>Re: Why does Bitcoin keep using SHA256 in its POW?

Good question. I really would like to see a more useful POW. Since we burn a lot of energy... we could do it in a more intelligent way ..

I was reading this scientific paper called "Proofs of Useful Work"..

Quote
Proofs of Useful Work
Marshall Ball, Alon Rosen, Manuel Sabin, Prashant Nalini Vasudevan

February 27, 2017
Abstract

We give Proofs of Work (PoWs) whose hardness is based on a wide array of computational
problems, including Orthogonal Vectors, 3SUM, All-Pairs Shortest Path, and any problem that
reduces to them (this includes deciding any graph property that is statable in first-order logic).
This results in PoWs whose completion does not waste energy but instead is useful for the
solution of computational problems of practical interest.

The PoWs that we propose are based on delegating the evaluation of low-degree polynomials
originating from the study of average-case fine-grained complexity. We prove that, beyond being
hard on the average (based on worst-case hardness assumptions), the task of evaluating our
polynomials cannot be amortized across multiple instances.

For applications such as Bitcoin, which use PoWs on a massive scale, energy is typically
wasted in huge proportions. We give a framework that can utilize such otherwise wasteful work.
Keywords: Proofs of Work, Fine-Grained, Delegation, Blockchain.

With that in mind I am a huge fan of coins like primecoin, gapcoin, and my favourite one

GridCoin
https://bitcointalk.org/index.php?topic=324118.0

Which uses BOINC, where you can choose good projects like cancer cure, climate change, etc ...
https://boinc.berkeley.edu/projects.php


Regards to semiconductor industry centralisation ... how many GPU/CPU manufacturers do we have? Sometimes I think that the centralisation phenomenon is more related to energy price, access to wholesaling market, etc than the hardware architecture itself...



Satoshi's book editor; SCIpher - https://pdos.csail.mit.edu/archive/scigen/scipher.html
DevilOper
Member
**
Offline Offline

Activity: 280
Merit: 26


View Profile
April 23, 2018, 10:02:01 AM
 #26

What do you mean by "stability"? Big rock is more stable than small stone. Read-only file is quite stable comparing to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.
I wouldn't discard the issue of stability so easily. To reply to your comment, there is an interesting medium article. It nicely illustrates the
concerns and danger of Bitcoin's centralization and having a lot of hash-power concentrated in the hands of several entities.

You don't need to refer to any kind of external media, articles, whatever: it is obvious just by common sense that ANY Proof-of-Something concept essentially trends to concentration of the abovementioned Something, and therefore to centralization.
DevilOper
Member
**
Offline Offline

Activity: 280
Merit: 26


View Profile
April 23, 2018, 10:06:30 AM
 #27

What do you mean by "stability"? Big rock is more stable than small stone. Read-only file is quite stable comparing to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.

A blockchain rewrite caused by dominant hashing power is not a feature though.

It is a feature, since orphaning the blocks is a feature/part of algorithm.
You cannot be a half-pregnant.
HeRetiK
Legendary
*
Offline Offline

Activity: 2926
Merit: 2091


Cashback 15%


View Profile
April 23, 2018, 11:22:18 AM
 #28

I remember the concept of periodically switching PoW algorithms being discussed before, but I'm not sure if that discussion ever came to any meaningful conclusion. Are there any alts that have been attempting this approach?
RavenCoin, RVN

Thanks, I'll check it out.


You don't need to refer to any kind of external media, articles, whatever: it is obvious just by common sense that ANY Proof-of-Something concept essentially trends to concentration of the abovementioned Something, and therefore to centralization.

The Pareto principle appears to be inescapable, that's true. Still it's vital for the likes of Bitcoin that the top players keep each other in check. Otherwise we're just back to traditional banking but with extra steps. Even if sub-optimal, there's still a difference between having 4-5 dominating mining operations vs a mining duopoly / monopoly.


A blockchain rewrite caused by dominant hashing power is not a feature though.

It is a feature, since orphaning the blocks is a feature/part of algorithm.
You cannot be a half-pregnant.

Following the chain with the largest accumulated work is a feature, that's true. The possibility of a single entity controlling the network with majority hashpower (ie. > 50%) however, is not. Just because the former leads to the latter doesn't mean it's a desired effect. It's a weakness of PoW that has been accepted for lack of a better alternative.

Regardless of code being law and everything working as intended, a cryptocurrency that can not be accepted for fear of history being rewritten by a third party is a useless cryptocurrency.

DevilOper
Member
**
Offline Offline

Activity: 280
Merit: 26


View Profile
April 23, 2018, 11:55:44 AM
 #29

... doesn't mean it's a desired effect.

Well, one is the reverse side of another. As I said, there is no way to be a half-pregnant.
Anti-Cen
Member
**
Offline Offline

Activity: 210
Merit: 26

High fees = low BTC price


View Profile
April 24, 2018, 12:41:43 PM
 #30

"Why does Bitcoin keep using SHA256 in its POW?"

The better question to ask would be why do we need POW and how did we ever manage to live without it
before double agent SM from Japan turned up and sent Intel chip share prices upwards.

Proof of anything is about establishing trust between nodes but they are always careful to rabbit on
about bitcoin being a "trustless" network but the development team and the miners allowing Tx fees to hit
$55 per transaction has ensured just that, it's now "trustless" but not in the way they wanted it to be.

SHA256 is an odd one to pick if you just want to waste CPU power because even on an Intel I7 CPU it
runs lightning fast when I benchmarked the performance and is not having to spend a fortune on hardware
not a form of POS given the costs or should we not ask questions like that here because it upsets the
resident party faithful and invites attacks.

Mining is CPU-wars and Intel, AMD like it nearly as much as big oil likes miners wasting electricity. Is this what mankind has come to?
ranochigo
Legendary
*
Offline Offline

Activity: 2968
Merit: 4167



View Profile
April 24, 2018, 01:04:43 PM
 #31

Proof of anything is about establishing trust between nodes but they are always careful to rabbit on about bitcoin being a "trustless" network but the development team and the miners allowing Tx fees to hit $55 per transaction has ensured just that, it's now "trustless" but not in the way they wanted it to be.
If anything, the fee is not indicative of how the developers or miners have been doing. It's a free market and they are free to decide how much to pay based on the transaction volume. Does the node trust anyone? That should be the main point of trustless.
SHA256 is an odd one to pick if you just want to waste CPU power because even on an Intel I7 CPU it runs lightning fast when I benchmarked the performance and is not having to spend a fortune on hardware not a form of POS given the costs or should we not ask questions like that here because it upsets the resident party faithful and invites attacks.
Mining is not all about how fast your speed is. The speed is more about how fast it is, relative to your competitiveness. Bitcoin could go with a slower algorithm and still function. SHA256 was the newest standard for the SHA family in 2009. POS is whoever has the most coins win while POW is whoever is willing to invest and sacrifice their money for reward the most wins. With POS you don't have to incur any costs other than purchasing the coins and you won't lose any either.

etherixdevs
Jr. Member
*
Offline Offline

Activity: 203
Merit: 3


View Profile
April 24, 2018, 05:12:58 PM
 #32

They should submit another hard fork...
In my opinion, changing the sha256 into something "better" like a sha3 or cryptonight, you could only stop with asics.

The asic is created to do something specific.

On the contrary, the current CPUs and GPUs were made to run and work on different things at the same time, losing part of the efficiency.
If you want to continue with the proof of work, you will not stop with the creation of the asics, you can only slow down or make more expensive the production of asics, but this will be only a temporary solution.
I am observing the hard fork of monero about it.

Which is your opinion?
ranochigo
Legendary
*
Offline Offline

Activity: 2968
Merit: 4167



View Profile
April 24, 2018, 11:21:02 PM
 #33

On the contrary, the current CPUs and GPUs were made to run and work on different things at the same time, losing part of the efficiency.
If you want to continue with the proof of work, you will not stop with the creation of the asics, you can only slow down or make more expensive the production of asics, but this will be only a temporary solution.
I am observing the hard fork of monero about it.

Which is your opinion?
Indeed. Most algorithms that were once touted as "ASIC-resistant" are not as resistant anymore. The development of ASICs would be viable for a coin that is so valuable. What most coins have done is to have an adjustable variable to adjust and render ASICs useless. They can be expensive to develop and they can't be used for a long time.

IMO, ASICs are fine. With CPU and GPU only coins, the possibility of botnets would still be there. One CPU one vote has never been a reality.

keesdewit
Copper Member
Hero Member
*****
Offline Offline

Activity: 1024
Merit: 513

txbit.io - cryptocurrency exchange


View Profile WWW
April 26, 2018, 02:30:15 PM
 #34

The question that comes in my mind is not regarded to ASIC resistance, but to the security of the hash function over time. What will happen with the current SHA256 implementation when SHA256 gets deprecated and declared unsafe?

andrew1carlssin
Jr. Member
*
Offline Offline

Activity: 168
Merit: 3

#Please, read:Daniel Ellsberg,-The Doomsday *wk


View Profile WWW
April 27, 2018, 11:12:55 PM
 #35

"Why does Bitcoin keep using SHA256 in its POW?"

The better question to ask would be why do we need POW and how did we ever manage to live without it
before double agent SM from Japan turned up and sent Intel chip share prices upwards.

Proof of anything is about establishing trust between nodes but they are always careful to rabbit on
about bitcoin being a "trustless" network but the development team and the miners allowing Tx fees to hit
$55 per transaction has ensured just that, it's now "trustless" but not in the way they wanted it to be.

SHA256 is an odd one to pick if you just want to waste CPU power because even on an Intel I7 CPU it
runs lightning fast when I benchmarked the performance and is not having to spend a fortune on hardware
not a form of POS given the costs or should we not ask questions like that here because it upsets the
resident party faithful and invites attacks.


Wastage of computing cycles is indeed a terrible thing ...  

Quote
PoWs are wasteful of real resources and energy and, in the massive use case of Bitcoin, have even been called an "environmental disaster" [And13]

source:
Proofs of Useful Work
https://eprint.iacr.org/2017/203.pdf

On the other hand I do hypothesise that building a SHA-256 miner is much simpler than building a machine to mine Keccak ...for instance ... in theory it could help spread bitcoin mining in order to avoid centralisation (word etymology from French centralisation, or centralise + -ation.)

Satoshi's book editor; SCIpher - https://pdos.csail.mit.edu/archive/scigen/scipher.html
Kakmakr
Legendary
*
Offline Offline

Activity: 3444
Merit: 1957

Leading Crypto Sports Betting & Casino Platform


View Profile
April 28, 2018, 08:33:50 AM
 #36

Why is ASIC mining that bad if it is more energy efficient than CPU/GPU mining? The strength of this network is also in the amount of the hashing power that we have, compared to other networks and Alt coins.

Also, if we changed to some other ASIC resistance technology, the ASIC manufacturers will just develop something new to circumvent these restrictions. We should welcome technological advancements, but it should not be centralized or dominated by one nation or company. Let these companies compete in a free market for the best technology to improve mining of Crypto currencies.


HeRetiK
Legendary
*
Offline Offline

Activity: 2926
Merit: 2091


Cashback 15%


View Profile
April 28, 2018, 11:11:53 PM
 #37

IMO, ASICs are fine. With CPU and GPU only coins, the possibility of botnets would still be there. One CPU one vote has never been a reality.

I also think that for the most part the upsides of ASICs outweigh their downsides. ASICs themselves are not problematic, it's when there's too little competition in the mining market that things could get ugly.

Given the recent uptick of Bitcoin's valuation I think it's likely that we'll see new players entering the mining business over the next couple of years though -- keeping the market fresh and flowing.


The question that comes in my mind is not regarded to ASIC resistance, but to the security of the hash function over time. What will happen with the current SHA256 implementation when SHA256 gets deprecated and declared unsafe?

Depends on what kind of flaw is found. Keep in mind that the use case of a PoW scheme is different from the use case of eg. hashing your users' passwords.

Best case it's the kind of flaw that makes SHA256 faster to calculate, in which case we'll simply see a new generation of miners.

Worst case Bitcoin needs to hardfork to a new PoW scheme. This would come with a lot of drama on which algo to choose, possibly leading to a multitude of competing PoW hardforks, but sooner or later one blockchain would emerge as the canonical Bitcoin blockchain. Even then we might see the original, SHA256 Bitcoin, continuing its existence although at likely a much lower market rate, corresponding to the severity of the found flaw.

DooMAD
Legendary
*
Online Online

Activity: 3780
Merit: 3104


Leave no FUD unchallenged


View Profile
April 29, 2018, 03:22:04 PM
 #38

They should submit another hard fork...
In my opinion, changing the sha256 into something "better" like a sha3 or cryptonight, you could only stop with asics.

The asic is created to do something specific.

On the contrary, the current CPUs and GPUs were made to run and work on different things at the same time, losing part of the efficiency.
If you want to continue with the proof of work, you will not stop with the creation of the asics, you can only slow down or make more expensive the production of asics, but this will be only a temporary solution.
I am observing the hard fork of monero about it.

Which is your opinion?

There is no "they" who possess the sole responsibility for announcing hardforks.  It sounds as though you're asking for someone in a position of authority to launch a fork, but we don't have those here.  We've seen BTG fork away with their desire for ASIC resistance, but for the most part, it seems to be a non-event that most people don't care about.  If people did care and it proved to be popular and started to attract lots of hashpower, manufacturers would then start the process of designing an ASIC for the new algo and the initial resistance would be short-lived.

As such, we should probably stop calling it "ASIC resistance", since it's more a case of "ASIC stalling". 

And, as others have alluded to, the more fruitful alternative is to lower the entry barriers and make ASICs more attainable, not less.  Allow time for a greater number of manufacturers to emerge, the competition will generally drive down costs, creating an environment where more people can buy the hardware and mining will become less centralised.

Conversely, if you keep moving the goalposts and changing the algorithm, only a small number of manufacturers will risk developing hardware that might eventually get bricked, which means the small number who do make the breakthrough to create an ASIC will naturally have a monopoly and only the wealthiest participants will be able to afford the hardware.

cellard
Legendary
*
Offline Offline

Activity: 1372
Merit: 1250


View Profile
April 30, 2018, 11:33:32 AM
 #39

ASIC resistance is a temporary thing, so far many algorithms that were claimed to be ASIC-resistant have lost this status - scrypt, X11 and now ethash ASICs were recently announced by Bitmain. If Bitcoin would do an emergency fork today to some existing algorithm, it would probably take around a year or less until new ASICs arrive, since there's very strong motivation to develop them.

And even with new algo the mining might still be centralized, because if it would be very profitable, miners would buy GPUs in bulk while hobbyists won't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets - imagine Microsoft or NSA sneaking mining malware into Windows update to attack Bitcoin's network with CPU hashpower of millions of users.

So, in conclusion, it's a very complex subject that needs to be discussed and tested for long time before making any moves. There's no immediate need to change algo today, we have plenty of time.

It only takes money at stake in order for specialized hardware to proliferate and be developed to its maximum extreme at any given point in time. So if they change the PoW and there's a ton of money to be made, there will be a new ASIC race to get first in line for the next PoW algorithm... it's pointless and kicking-can-down-the-road approach.

As some have said, maybe, and just maybe... a random algorithm change could stop this, or at least would put the advantage in different places. Or maybe not, maybe a single entity develops the best possible ASICs for all possible algos and the monopoly continues.

I don't see how this can be solved other than competition, and so far competition is failing to dethrone the Bitmain empire, we'll see how it goes in the future.

As of right now, forget about any PoW changes... unrealistic, will only lead to BTC and BTC-newAlgo, so that's another altcoin for you, kind of like Bitcoin Gold and so on.
DooMAD
Legendary
*
Online Online

Activity: 3780
Merit: 3104


Leave no FUD unchallenged


View Profile
April 30, 2018, 11:56:55 AM
Last edit: April 30, 2018, 12:09:18 PM by DooMAD
 #40

Another aspect to consider is the likely effect it would have on difficulty.  Along with the new algorithm, it would almost certainly involve having to implement emergency difficulty adjustments to the code so that blocks don't come to a temporary standstill when the hashrate suddenly plummets.  Also, since Bitcoin uses the total cumulative proof of work as part of its consensus mechanism, we should keep in mind the possibility it would make future contentious hardforks easier to pull off.  

Bitcoin currently attracts both the largest accumulated proof of work and the largest economic majority.  All the myriad forks we've witnessed so far haven't been able to keep pace with the proof of work Bitcoin has accumulated, but that wouldn't be the case if those who disagreed with the new algorithm continued to support using ASICs.  The new algo would almost inevitably be the minority chain in terms of hashpower, so supporters of the new algo would have to fall back on purely the "economic majority" argument and would also have to be pretty damn sure they'd win that argument.  Quite the gamble.



CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets

And just to stress that point a little more...  Not exactly something we'd want to encourage in Bitcoin.
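
The difficulty point in the post above, worked through as an added example that is not from the thread: Bitcoin's standard retarget rule (every 2016 blocks, 10-minute target spacing, each adjustment limited to a factor of 4) applied after a sudden hashrate drop, with the old difficulty carried over unchanged. It is a deterministic expected-value model; block-time variance and the off-by-one in Bitcoin's real timespan measurement are ignored, and the function names are assumptions.

```python
from fractions import Fraction

RETARGET_BLOCKS = 2016                 # blocks per difficulty period
TARGET_SPACING = 600                   # seconds per block
TARGET_TIMESPAN = RETARGET_BLOCKS * TARGET_SPACING   # 14 days in seconds
MAX_ADJUST = 4                         # per-period clamp on the adjustment


def retarget(difficulty, actual_timespan):
    """New difficulty after one period that took `actual_timespan` seconds.

    The measured timespan is clamped to [target/4, target*4] before the
    difficulty is rescaled, so one period can change difficulty by at most 4x.
    """
    low = Fraction(TARGET_TIMESPAN, MAX_ADJUST)
    high = TARGET_TIMESPAN * MAX_ADJUST
    clamped = min(max(actual_timespan, low), high)
    return difficulty * TARGET_TIMESPAN / clamped


def recovery_epochs(hashrate_fraction, tolerance=Fraction(11, 10)):
    """Periods needed until block spacing is back within `tolerance` of 600 s.

    `hashrate_fraction` is the hashrate left after the change, relative to
    the hashrate the old difficulty was tuned for. Returns a list of
    (expected seconds per block, length of that period in days).
    """
    hashrate = Fraction(hashrate_fraction)
    if hashrate <= 0:
        raise ValueError("hashrate_fraction must be positive")
    difficulty = Fraction(1)           # relative to the pre-drop difficulty
    epochs = []
    while True:
        # Expected spacing scales with difficulty and inversely with hashrate.
        spacing = TARGET_SPACING * difficulty / hashrate
        if spacing <= TARGET_SPACING * tolerance:
            return epochs
        timespan = spacing * RETARGET_BLOCKS
        epochs.append((spacing, timespan / 86400))
        difficulty = retarget(difficulty, timespan)


def total_days(hashrate_fraction):
    """Total days spent in slow periods before spacing recovers."""
    return sum(days for _, days in recovery_epochs(hashrate_fraction))


if __name__ == "__main__":
    # Constructed scenario: 1% of the old hashrate follows the new algorithm.
    for spacing, days in recovery_epochs(Fraction(1, 100)):
        print(f"{float(spacing) / 60:8.1f} min/block for {float(days):8.1f} days")
    print(f"total: {float(total_days(Fraction(1, 100))):.1f} days")
```

With 1% of the hashrate left, the first period alone takes 1400 days in this model, which is why a fork that sheds most of its hashrate needs the difficulty reset or an emergency adjustment rule at the switch.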

cellard
Legendary
*
Offline Offline

Activity: 1372
Merit: 1250


View Profile
May 01, 2018, 02:48:13 PM
 #41

Another aspect to consider is the likely effect it would have on difficulty.  Along with the new algorithm, it would almost certainly involve having to implement emergency difficulty adjustments to the code so that blocks don't come to a temporary standstill when the hashrate suddenly plummets.  Also, since Bitcoin uses the total cumulative proof of work as part of its consensus mechanism, we should keep in mind the possibility it would make future contentious hardforks easier to pull off.  

Bitcoin currently attracts both the largest accumulated proof of work and the largest economic majority.  All the myriad forks we've witnessed so far haven't been able to keep pace with the proof of work Bitcoin has accumulated, but that wouldn't be the case if those who disagreed with the new algorithm continued to support using ASICs.  The new algo would almost inevitably be the minority chain in terms of hashpower, so supporters of the new algo would have to fall back on purely the "economic majority" argument and would also have to be pretty damn sure they'd win that argument.  Quite the gamble.



CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets

And just to stress that point a little more...  Not exactly something we'd want to encourage in Bitcoin.

Yep, it would be similar to how when BCash forked they had to do some nasty trick with the estimated difficult arguments involving a series of forks... not cool for Bitcoin. An altcoin can pull that circus off but Bitcoin is too serious to go along with that.

Also the BCash side will for sure try to profit from the chaotic period to pump and probably deploy a spam attack while things are attempting to get solved.

Simply put, it's too late for Bitcoin to change PoW. We will need to see some kind of disaster that incentivizes global consensus to change it, and even then it will create conspiracy theories around the fact and there may not be global consensus even there.
ZmnSCPxj
Newbie
*
Offline Offline

Activity: 9
Merit: 19


View Profile
May 02, 2018, 07:38:10 AM
 #42

Quote
The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.
Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.
Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.

I am emphasizing the above sentence "couple of big miners centralized in those parts of the world where electricity is cheap?"

I want to ask you this: if some parts of the world have cheap electricity, do you think big miners will not arise there if the best hash implementations are runnable only on wetware brains, CPU, GPUs, or FPGAs, but NOT ASICs?

The issue is not ASICs, but about cheap electricity.
HeRetiK
Legendary
*
Offline Offline

Activity: 2926
Merit: 2091


Cashback 15%


View Profile
May 02, 2018, 08:08:16 AM
 #43

Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.

I am emphasizing the above sentence "couple of big miners centralized in those parts of the world where electricity is cheap?"

I want to ask you this: if some parts of the world have cheap electricity, do you think big miners will not arise there if the best hash implementations are runnable only on wetware brains, CPU, GPUs, or FPGAs, but NOT ASICs?

The issue is not ASICs, but about cheap electricity.

Interesting argument, but the issue still lies with ASICs, in that the access to ASICs is rather restricted -- as opposed to consumer hardware such as GPUs and CPUs -- while ASIC producers also stand to gain money by simply producing ASICs for themselves rather than the general public.

Cheap electricity leads to geographical hotspots, but the core of the problem is the centralization of power in a handful of companies, rather than territories. A multitude of companies from various nations all mining in China is less of a problem than a single company mining all over the world. Not that the first option would be optimal, mind you.

etherixdevs
Jr. Member
*
Offline Offline

Activity: 203
Merit: 3


View Profile
May 02, 2018, 08:39:17 AM
 #44

Electricity consumption is a hard matter.
Access to ASICs is restricted and not for the mass of people.
If we want to have real consumers to produce coins with their GPUs and CPUs, the road is not this one.

ASIC producers produce devices for their pockets, not convenient at all to the general public.

Cheap electricity leads to geographical areas that have big problems of "regulations" and I do not know how serious they are.
The market and the goal of the white paper is too huge to leave it to underdeveloped geographical regions of the world just for economic convenience.

Another problem is the centralization of power in the hands of few companies. Many companies from various nations, mining in China or Siberia is not a real problem. The core problem is a single company mining all over the world.

Implementation of new ideas is highly recommended.
I see Equihash algo is generating new coins that are mineable from home GPUs and CPUs, creating real communities of real people.

pereira4
Legendary
*
Offline Offline

Activity: 1610
Merit: 1183


View Profile
May 29, 2018, 04:35:08 PM
 #45

Electricity consumption is a hard matter.
Access to ASICs is restricted and not for the mass of people.
If we want to have real consumers to produce coins with their GPUs and CPUs, the road is not this one.

ASIC producers produce devices for their pockets, not convenient at all to the general public.

Cheap electricity leads to geographical areas that have big problems of "regulations" and I do not know how serious they are.
The market and the goal of the white paper is too huge to leave it to underdeveloped geographical regions of the world just for economic convenience.

Another problem is the centralization of power in the hands of few companies. Many companies from various nations, mining in China or Siberia is not a real problem. The core problem is a single company mining all over the world.

Implementation of new ideas is highly recommended.
I see Equihash algo is generating new coins that are mineable from home GPUs and CPUs, creating real communities of real people.



The problem is, if it can be mined with GPUs, it will sooner or later end up in specialized hardware for the task, no matter what algorithm you use. At the end of the day, it's just chips in a GPU, and they can be built upon a specialized machine that will be more efficient. GPUs are using resources for things unrelated to mining, so that power can be allocated to 100% mining in hardware.

Needless to say, corporations could in any case stake massive amounts of GPUs, rendering the average personal computer miner out of the game again.
goddog
Member
**
Offline Offline

Activity: 168
Merit: 47

8426 2618 9F5F C7BF 22BD E814 763A 57A1 AA19 E681


View Profile
May 29, 2018, 10:54:09 PM
 #46

ASIC chips for PoW have to be cheap and easy to produce, so more manufacturers can join the business at a relatively low cost.
How many competitors do we have producing GPU/CPU chips? That's centralization. Also, general-purpose hardware can be resold, lowering attack costs. Datacenter miners will always be cheaper than home miners and nothing can stop them from centralizing.

Also, coins mineable with GPU/CPU are often mined using malware botnets, or by stealing your workplace's money, so your network will be secured by evil, and that's not good. In any case honest home mining will be unprofitable and a waste of time.

Actual SHA256 is great because it is very simple to produce ASICs to solve it.

These last days, I was thinking about how an emergency PoW change can be done if something goes wrong with the actual double SHA256 algo.

A PoW change will definitely hit the whole mining industry hard, and I hope it will almost surely harm virtuous miners harder than evil miners, so in the end evil will be the prizewinner.

That's a very hard problem to solve.
I think the only way to reduce damage can be to change the PoW a little but not so much, so virtuous (but also evil) manufacturers can switch production easily.
For example, the actual mining algo uses double SHA256; a solution to reduce manufacturer damage and to allow miners to get their mining hardware manufactured fast, and come back to securing the blockchain ASAP, can be triple SHA256.
This will make all previous hardware be kicked out from the network, and will allow a fast substitution with new hardware.

But this is a very ugly emergency solution; it should not be used as some sort of antitrust to kill Bitmain, as Bitmain will come back stronger than ever. If you don't like Bitmain you can support other manufacturers by buying their hardware.
It is only an example; I don't think Bitmain is evil, I think they are strong, heavily invested bitcoin believers. Some of their actions can look evil, but they are only testing and provoking to make bitcoin stronger! After all, bitcoin is an experiment !!!!
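
The double versus triple SHA256 idea from post #46, as an added example that is not part of the thread: it validates a block header under the current double-SHA256 rule and then under a hypothetical three-round rule, showing that a nonce found for one does not satisfy the other. The genesis block header fields are public chain data supplied here, and the function names are illustrative assumptions.

```python
import hashlib
import struct

# Bitcoin genesis block header fields (public chain data, not from this thread).
GENESIS = {
    "version": 1,
    "prev_hash": "00" * 32,
    "merkle_root": "4a5e1e4baab89f3a32518a88c31bc87f"
                   "618f76673e2cc77ab2127b7afdeda33b",
    "time": 1231006505,
    "bits": 0x1D00FFFF,
    "nonce": 2083236893,
}

def serialize_header(h):
    """Pack the 80-byte header: integers little-endian, hashes byte-reversed."""
    return (
        struct.pack("<I", h["version"])
        + bytes.fromhex(h["prev_hash"])[::-1]
        + bytes.fromhex(h["merkle_root"])[::-1]
        + struct.pack("<III", h["time"], h["bits"], h["nonce"])
    )

def bits_to_target(bits):
    """Expand the compact nBits encoding into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def pow_hash(header, rounds):
    """Chain SHA-256 `rounds` times; read the digest as a little-endian int."""
    digest = header
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return int.from_bytes(digest, "little")

def check_pow(h, rounds):
    """True when the header hash is at or below the target encoded in nBits."""
    return pow_hash(serialize_header(h), rounds) <= bits_to_target(h["bits"])

def block_id(h, rounds=2):
    """Hash in the usual big-endian hex display form."""
    return format(pow_hash(serialize_header(h), rounds), "064x")

if __name__ == "__main__":
    for rounds in (2, 3):
        print(rounds, "rounds:", block_id(GENESIS, rounds),
              "valid" if check_pow(GENESIS, rounds) else "INVALID")
```

Under the three-round rule the same header fails the target check, so every existing block and every nonce produced by current double-SHA256 hardware would be rejected by nodes enforcing the new rule.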