Bitcoin Forum
November 18, 2024, 11:21:43 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Poll
Question: Should LTC change POW to uphold the no-asic feature of litecoin
Yes - 719 (73.2%)
No - 186 (18.9%)
What is this I don't even - 30 (3.1%)
No, because I want LTC to fail - 24 (2.4%)
Yes, because I want LTC to fail - 23 (2.3%)
Total Voters: 982

Pages: [1] 2 3 4 5 6 7 8 »  All
  Print  
Author Topic: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining?  (Read 33299 times)
gmaxwell (OP)
Staff
Legendary
*
Offline Offline

Activity: 4284
Merit: 8808



View Profile WWW
December 06, 2013, 02:37:50 AM
Last edit: December 06, 2013, 02:53:50 AM by gmaxwell
 #1

According to reports scrypt ASICs may soon exist, finally completely eliminating this feature distinguishing Litecoin from Bitcoin— at first LTC was supposed to be CPU only but that failed, then GPU only and thats failing.

I never thought much of the goal here, but at least it was a distinction— if, IMO, a kinda dumb one.  The thing I like least about alts is the lack of distinction and innovation they frequently suffer, and so being another asic mined coins but with different asics seems like such a waste to me.

If the LTC community wanted it could change POW and the practice of being willing to change it would probably be a stronger protection for general purpose hardware than the use of any particularity or set of particular schemes could ever be. Though since (it seems to me) so much of the LTC community is miners the change would have to be to another CPU+GPU friendly one so the existing miners wouldn't be left out.

There are a lot of options here— including different POWs already deployed other ALTs or something novel.  What got me musing on this subject was the question of: If I threw out an alt that used ECDSA signature validation as its POW would someone write ultra fast GPU code for ECDSA (which would be very useful in helping to scale node performance, even in Bitcoin)?

I suspect that if LTC doesn't change POW now that the introduction of fixed function hardware will mean that it never can. Perhaps its already too late, though I don't know: LTC has always advertised itself as being <s>GPU</s>ASIC proof, and a violation of that is an outright bug, which arguably should be fixed no different than if it were possible to mine more than 84 million litecoins.

Such a change could be made mostly seamlessly— a new version released, and a deadline for upgrade, not too unlike the Bitcoin 0.8 hardfork or the nversion=2 blocks. Existing miners could even use coinbase votes (indicating their ability to support the switch in the blocks they mine) to trigger the change so that it could be done in a way which is assured to not exclude too much of the existing hashrate (though, presumably, using a coinbase vote would fail if there are secretly large asic farms already). Miners would need to upgrade software, but they'd just have to update sometime before the switchover, no tricky synchronization would be required.

I wonder what people think of this? Is this the sort of thing that could get near-unanimous consensus in the LTC community?
dragon695
Full Member
***
Offline Offline

Activity: 449
Merit: 103


Decentralized Ascending Auctions on Blockchain


View Profile
December 06, 2013, 03:11:44 AM
 #2

There are a lot of options here— including different POWs already deployed other ALTs or something novel.  What got me musing on this subject was the question of: If I threw out an alt that used ECDSA signature validation as its POW would someone write ultra fast GPU code for ECDSA (which would be very useful in helping to scale node performance, even in Bitcoin)?
Maybe you could even convince CK to stop being a prick and put ScryptECDSA/GPU support back in cgminer.

I suspect that if LTC doesn't change POW now that the introduction of fixed function hardware will mean that it never can. Perhaps its already too late, though I don't know: LTC has always advertised itself as being <s>GPU</s>ASIC proof, and a violation of that is an outright bug, which arguably should be fixed no different than if it were possible to mine more than 84 million litecoins.
I think it would be funnier and just if they did the switch after BFL and the other bozos dumped 100's of thousands into developing a piece of junk.

Such a change could be made mostly seamlessly— a new version released, and a deadline for upgrade, not too unlike the Bitcoin 0.8 hardfork or the nversion=2 blocks. Existing miners could even use coinbase votes (indicating their ability to support the switch in the blocks they mine) to trigger the change so that it could be done in a way which is assured to not exclude too much of the existing hashrate (though, presumably, using a coinbase vote would fail if there are secretly large asic farms already). Miners would need to upgrade software, but they'd just have to update sometime before the switchover, no tricky synchronization would be required.

I wonder what people think of this? Is this the sort of thing that could get near-unanimous consensus in the LTC community?
+1
I don't see why anyone would object since forks and forced upgrades are a dime-a-dozen in altcoins.

iBid     ▐     Decentralized Auctions on Blockchain    (    About us    Telegram   )
▬▬▬▬▬▬▬▬▬▬▬▬▬             AN  AUCTION    ❱   All auctions start at     $0

[  ◥   Google Play      ◥   App Store  ]   ██ SIGN UP ██        with no minimum reserve
gmaxwell (OP)
Staff
Legendary
*
Offline Offline

Activity: 4284
Merit: 8808



View Profile WWW
December 06, 2013, 03:15:39 AM
 #3

One possibility is just a "minimum change". E.g. changing the number of salsa rounds by a few and tossing an xor between them at some spot or another.  It would totally break any fixed function hardware, but would be a 2 LOC for any cpu/gpu miner.   I think something like that would be an unfortunate loss of an opportunity, but it would also keep open the possibility of change in the future by avoiding fixed function hardware.
Palmdetroit
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


PHS 50% PoS - Stop mining start minting


View Profile
December 06, 2013, 03:19:11 AM
 #4

One possibility is just a "minimum change". E.g. changing the number of salsa rounds by a few and tossing an xor between them at some spot or another.  It would totally break any fixed function hardware, but would be a 2 LOC for any cpu/gpu miner.   I think something like that would be an unfortunate loss of an opportunity, but it would also keep open the possibility of change in the future by avoiding fixed function hardware.

Bitcoin could use a change... Really someone could just come out with a new coin with a changing algo over time to prevent this once and for all.

And if we change LTC will just get changed Asics.

Also, We would need to make the change soon, before mining voting power is lost.

tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1005



View Profile
December 06, 2013, 03:27:36 AM
 #5

I'm surprised to see you posting this gmaxwell.

A lot of the earlier developing staff saw this coming in 2012 and their response was this: "ASICs are an important means to secure the network and represent that a chain is reaching maturity."

The longer time goes on, the more I see this as true.  There will be other coins to fill the gap.

My response now is: no, there's no need to change the algorithm and ASICs should be embraced, when they finally do come out.

Code:
XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns
gmaxwell (OP)
Staff
Legendary
*
Offline Offline

Activity: 4284
Merit: 8808



View Profile WWW
December 06, 2013, 03:36:54 AM
 #6

A lot of the earlier developing staff saw this coming and their response was this: "ASICs are an important means to secure the network and represent that a chain is reaching maturity."
Indeed, I thought LTC's motivations were outright stupid here— and what you were 'quoting' there could easily have been me. I still think resisting ASICs is a not very useful goal, but it is a clearly stated goal of the system, and it does serve to distinguish it from Bitcoin.

After working with a number of ASIC makers in Bitcoin space, I have to say that some of the luster has worn off a bit from my prior enthusiasm too, not enough to disagree with my prior position, but enough to say that was more complicated than I gave it credit for:  ATI never raised their prices (usually after recovering NRE from sucker buyers who eat all the risk, even though the asics have no resale value) to the point where it was difficult to make a return on being a miner yourself, ATI never ran huge farms with substantial chunks of the network hashrate, etc. But this is an aside.  I don't mean to doom and gloom ASICs: so long as specialized hardware is possible— and it always is— having the honest users using it is good... but LTC sold a Bill of Goods that excluded this stuff, and so ASICs showing up is arguably a bug.
 
tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1005



View Profile
December 06, 2013, 03:41:20 AM
 #7

We're not at a time when BTC mining has reached maturity, really.  In 6 months the market will be flooded with devices and companies will find themselves in a fierce battle to lower prices and try to outsell their competitors.  ASIC manufacturers right now have no idea of the industry that they're seeking to enter, but people who have been involved in the microchip business since the earlier advent of computers are seeing echoes of the past.

I think that repurposing hardware is good for the next big chain, or for finally giving the incentive to complete the primecoin GPU miner, or whatever.

Code:
XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns
iddo
Sr. Member
****
Offline Offline

Activity: 360
Merit: 251


View Profile
December 06, 2013, 04:22:44 AM
 #8

tacotime and myself did a few benchmarks with tweaked scrypt params: https://bitcointalk.org/index.php?topic=122256.msg1316383#msg1316383

The creator of scrypt has said that the he thinks that scrypt params of Litecoin don't use enough memory (link), probably before he fully considered the tradeoffs between cost-effectiveness of ASIC and verification/propagation of blocks by Litecoin (non-mining) nodes. He later said that for the Litecoin scrypt params may be good, estimating that still would 10x advantage over SHA256 in terms of the cost-effectiveness of ASIC vs genereal-purpose hardware like GPUs (link).

gmaxwell: regarding whether it will be too late to change the PoW hash function, as you've said in the past, miners exist at the pleasure of the users (link). To take an extreme scenario, this should supposedly/hopefully mean that if say 90% of the mining power (i.e. ASIC miners) and 10% of the users decide to follow certain protocol rules while 10% of the mining power (i.e. non-ASIC miners) and 90% of the users decide to follow different protocol rules, then the fork with 90% of the users should win. But such scenarios are vague and no one can predict the future, Bitcoin could also have such conflicts with ASIC owners who e.g. wish to change the block size limit to gain higher fees, or other scenarios that we can try to come up with...

I think that doing more scrypt benchmarks with the purpose of trying to see which scrypt params give the best tradeoffs is a good idea, coblee & warren what do you think?

gmaxwell, do you an educated guess regarding which scrypt params should offer the best tradeoff between making ASIC less cost-effective and fast enough validation/propagation of blocks by regular nodes?
CoinHoarder
Legendary
*
Offline Offline

Activity: 1484
Merit: 1026

In Cryptocoins I Trust


View Profile
December 06, 2013, 04:38:47 AM
 #9

My vote is on NO.

For the most secure network possible, ASICs are needed. Nothing is ASIC proof, changing the PoW is just delaying the inevitable. ASICs will come to Litecoin if they are economically feasible, no matter what PoW is implemented.
Palmdetroit
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


PHS 50% PoS - Stop mining start minting


View Profile
December 06, 2013, 04:42:04 AM
 #10

My vote is on NO.

For the most secure network possible, ASICs are needed. Nothing is ASIC proof, changing the PoW is just delaying the inevitable. ASICs will come to Litecoin if they are economically feasible, no matter what PoW is implemented.

Not to mention the electricity that will be saved is a good thing for planet Earth! Grin

GPUs are incredibly inefficient compared to ASICs and waste a lot of electricity.

If ASIC uses 1% of the electricity as a gpu people will just use 100times as many... saves nothing.

now PoS could be a solution to the resources thing.

CoinHoarder
Legendary
*
Offline Offline

Activity: 1484
Merit: 1026

In Cryptocoins I Trust


View Profile
December 06, 2013, 04:45:05 AM
 #11

My vote is on NO.

For the most secure network possible, ASICs are needed. Nothing is ASIC proof, changing the PoW is just delaying the inevitable. ASICs will come to Litecoin if they are economically feasible, no matter what PoW is implemented.

Not to mention the electricity that will be saved is a good thing for planet Earth! Grin

GPUs are incredibly inefficient compared to ASICs and waste a lot of electricity.

If ASIC uses 1% of the electricity as a gpu people will just use 100times as many... saves nothing.

now PoS could be a solution to the resources thing.

You have a point. PoS is the only solution to energy savings thus far I agree. I will retract the statement about energy efficiency. Smiley

I think my first point though is very valid.
gmaxwell (OP)
Staff
Legendary
*
Offline Offline

Activity: 4284
Merit: 8808



View Profile WWW
December 06, 2013, 05:07:51 AM
 #12

Nothing is ASIC proof,
A point I've argued many times. But in hindsight I was somewhat wrong. No finite collection of fixed algorithms (Even a large set) can be ASIC proof (in fact, large sets probably just lead to ASIC monopolies due to higher NRE).  But if you change the POW periodically in ways which aren't predicable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness. There is just the question of the costs of periodic changes being worth the benefits, and what cadence is required to make investment unwise.
iddo
Sr. Member
****
Offline Offline

Activity: 360
Merit: 251


View Profile
December 06, 2013, 05:12:27 AM
Last edit: December 06, 2013, 05:24:41 AM by iddo
 #13

Nothing is ASIC proof,
A point I've argued many times. But in hindsight I was somewhat wrong. No finite collection of fixed algorithms (Even a large set) can be ASIC proof (in fact, large sets probably just lead to ASIC monopolies due to higher NRE).  But if you change the POW periodically in ways which aren't predicable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness. There is just the question of the costs of periodic changes being worth the benefits, and what cadence is required to make investment unwise.

Hmm continuously select the params of the PoW hash function deterministically according to pseudorandom bits of future blocks? Interesting idea...

Edit: I think that maybe the idea is that if ASIC miners have a large fraction of the current hashpower, and they try to control the pseudorandom bits that will decide the next PoW params, then they will have a disadvantage in the competition against other miners because they'll have to re-solve blocks multiple times until they get params that they prefer?
CoinHoarder
Legendary
*
Offline Offline

Activity: 1484
Merit: 1026

In Cryptocoins I Trust


View Profile
December 06, 2013, 05:31:29 AM
Last edit: December 06, 2013, 05:47:36 AM by CoinHoarder
 #14

Also.. any poll held on this is going to be pretty biased IMO because of the number of GPU miners that frequent this subforum. Of course most of them will vote Yes.

As far as a PoW that will be more ASIC resistant. What about Momentum PoW.. what Protoshares is using: http://invictus-innovations.com/s/MomentumProofOfWork.pdf

EDIT: After thinking about if for a bit, the Momentum PoW would not work as it would effectively cut out current GPU miners. Any change of the PoW must allow everyone that is already participating in mining Litecoin to continue to do so.

I admit gmaxwell, there very may well be a way to make a coin ASIC proof, but I'm not really sure how it could be done.
iddo
Sr. Member
****
Offline Offline

Activity: 360
Merit: 251


View Profile
December 06, 2013, 05:55:54 AM
 #15

As far as a PoW that will be more ASIC resistant. What about Momentum PoW.. what Protoshares is using: http://invictus-innovations.com/s/MomentumProofOfWork.pdf

EDIT: After thinking about if for a bit, the Momentum PoW would not work as it would effectively cut out current GPU miners. Any change of the PoW must allow everyone that is already participating in mining Litecoin to continue to do so.

Don't believe everything you read. These protoshare guys apparently have never heard of cycle detection algorithms (like Pollard's rho) that find collisions while avoiding the space complexity blowup, their whitepaper is nonsense.
mufa23
Legendary
*
Offline Offline

Activity: 1022
Merit: 1001


I'd fight Gandhi.


View Profile
December 06, 2013, 06:06:10 AM
 #16

NO

Changing it will deter the price dramatically, and you will have a lot of people leaving Litecoin (including myself). Nobody wants to invest in something if the rules are just going to be changed later. Change is inevitable. Sure go ahead and modify the code. Someone somewhere will figure something out eventually and you will be doing the same thing all over again.

It's a slippery slope, and you're opening a whole new can of worms.

(and I am a GPU Litecoin Miner)

Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
rph
Full Member
***
Offline Offline

Activity: 176
Merit: 100


View Profile
December 06, 2013, 06:18:50 AM
 #17

But if you change the POW periodically in ways which aren't predicable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness.

In practice that just means the optimal mining technology will be the world's best FPGA, instead of the world's best fixed-function ASIC. Cheesy
Unless you're capable of creating a substantially different POW function every couple days to defeat skilled, well-funded, and persistent FPGA designers (and C-to-RTL synthesis tools)...

Anyway, I believe it's morally wrong to change the POW 2+ years after launching a coin, if you did not at least mention that possibility when creating it. You would destroy many hundreds of thousands of dollars invested in the "evil" ASIC(s) which, in the long run, will make all cryptocurrencies less secure by encouraging private, secret, centralized ASIC development. And then there's the whole slippery slope aspect - if we can change the POW, what else can we change? How about we increase the block reward 10X so I can haz moar coinz plzz, at the expense of savers?

A significant advantage of existing cryptocurrencies is that the key attributes were made fully public up front, held constant, and not politically revised by any party (so far). If you start making up the rules as you go along, you've just created a less centralized & possibly more democratic, but still politically manipulable, imitation of a Central Bank and fiat currency. Maybe there is demand for that, maybe not, but if you want that, you should at least have the decency to launch it as a new coin, rather than corrupting an existing one.

-rph

Ultra-Low-Cost DIY FPGA Miner: https://bitcointalk.org/index.php?topic=44891
Romyen
Member
**
Offline Offline

Activity: 61
Merit: 10


View Profile
December 06, 2013, 06:20:29 AM
 #18

I vote yes because this will discourage the proliferation of unnecessary altcoins. Here's my argument. With the advent of ASICS litecoin was in the right place at the right time. Miners were stuck with obsolete hardware that could not profitably mine bitcoins, so they enthusiastically joined the litecoin community, thus providing it with substantial impetus. Once litecoin-enabled ASICS become available, the cycle will repeat itself on some other altcoin. Most altcoins are junk, and the ones that aren't should grow on their own merits, not because they rely on GPU/CPU proof-of-work. Litecoin can maintain its hegenomy by periodically buying time with tweaks to the proof-of-work.
iddo
Sr. Member
****
Offline Offline

Activity: 360
Merit: 251


View Profile
December 06, 2013, 06:24:11 AM
 #19

Nobody wants to invest in something if the rules are just going to be changed later.

The miners can vote on whether they wish to change a protocol rule, as was the case with BIP16 (P2SH) in Bitcoin.
iddo
Sr. Member
****
Offline Offline

Activity: 360
Merit: 251


View Profile
December 06, 2013, 06:31:02 AM
 #20

Anyway, I believe it's morally wrong to change the POW 2+ years after launching a coin, if you did not at least mention that possibility when creating it.

coblee has initiated a public discussion on changing the scrypt params, a few months after Litecoin was launched (link).
Pages: [1] 2 3 4 5 6 7 8 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!