gmaxwell (OP)
Staff
Legendary
Offline
Activity: 4284
Merit: 8808
|
|
December 06, 2013, 02:37:50 AM Last edit: December 06, 2013, 02:53:50 AM by gmaxwell |
|
According to reports scrypt ASICs may soon exist, finally completely eliminating this feature distinguishing Litecoin from Bitcoin— at first LTC was supposed to be CPU only but that failed, then GPU only and thats failing.
I never thought much of the goal here, but at least it was a distinction— if, IMO, a kinda dumb one. The thing I like least about alts is the lack of distinction and innovation they frequently suffer, and so being another asic mined coins but with different asics seems like such a waste to me.
If the LTC community wanted it could change POW and the practice of being willing to change it would probably be a stronger protection for general purpose hardware than the use of any particularity or set of particular schemes could ever be. Though since (it seems to me) so much of the LTC community is miners the change would have to be to another CPU+GPU friendly one so the existing miners wouldn't be left out.
There are a lot of options here— including different POWs already deployed other ALTs or something novel. What got me musing on this subject was the question of: If I threw out an alt that used ECDSA signature validation as its POW would someone write ultra fast GPU code for ECDSA (which would be very useful in helping to scale node performance, even in Bitcoin)?
I suspect that if LTC doesn't change POW now that the introduction of fixed function hardware will mean that it never can. Perhaps its already too late, though I don't know: LTC has always advertised itself as being <s>GPU</s>ASIC proof, and a violation of that is an outright bug, which arguably should be fixed no different than if it were possible to mine more than 84 million litecoins.
Such a change could be made mostly seamlessly— a new version released, and a deadline for upgrade, not too unlike the Bitcoin 0.8 hardfork or the nversion=2 blocks. Existing miners could even use coinbase votes (indicating their ability to support the switch in the blocks they mine) to trigger the change so that it could be done in a way which is assured to not exclude too much of the existing hashrate (though, presumably, using a coinbase vote would fail if there are secretly large asic farms already). Miners would need to upgrade software, but they'd just have to update sometime before the switchover, no tricky synchronization would be required.
I wonder what people think of this? Is this the sort of thing that could get near-unanimous consensus in the LTC community?
|
|
|
|
dragon695
Full Member
Offline
Activity: 449
Merit: 103
Decentralized Ascending Auctions on Blockchain
|
|
December 06, 2013, 03:11:44 AM |
|
There are a lot of options here— including different POWs already deployed other ALTs or something novel. What got me musing on this subject was the question of: If I threw out an alt that used ECDSA signature validation as its POW would someone write ultra fast GPU code for ECDSA (which would be very useful in helping to scale node performance, even in Bitcoin)?
Maybe you could even convince CK to stop being a prick and put ScryptECDSA/GPU support back in cgminer. I suspect that if LTC doesn't change POW now that the introduction of fixed function hardware will mean that it never can. Perhaps its already too late, though I don't know: LTC has always advertised itself as being <s>GPU</s>ASIC proof, and a violation of that is an outright bug, which arguably should be fixed no different than if it were possible to mine more than 84 million litecoins.
I think it would be funnier and just if they did the switch after BFL and the other bozos dumped 100's of thousands into developing a piece of junk. Such a change could be made mostly seamlessly— a new version released, and a deadline for upgrade, not too unlike the Bitcoin 0.8 hardfork or the nversion=2 blocks. Existing miners could even use coinbase votes (indicating their ability to support the switch in the blocks they mine) to trigger the change so that it could be done in a way which is assured to not exclude too much of the existing hashrate (though, presumably, using a coinbase vote would fail if there are secretly large asic farms already). Miners would need to upgrade software, but they'd just have to update sometime before the switchover, no tricky synchronization would be required.
I wonder what people think of this? Is this the sort of thing that could get near-unanimous consensus in the LTC community?
+1 I don't see why anyone would object since forks and forced upgrades are a dime-a-dozen in altcoins.
|
|
|
|
gmaxwell (OP)
Staff
Legendary
Offline
Activity: 4284
Merit: 8808
|
|
December 06, 2013, 03:15:39 AM |
|
One possibility is just a "minimum change". E.g. changing the number of salsa rounds by a few and tossing an xor between them at some spot or another. It would totally break any fixed function hardware, but would be a 2 LOC for any cpu/gpu miner. I think something like that would be an unfortunate loss of an opportunity, but it would also keep open the possibility of change in the future by avoiding fixed function hardware.
|
|
|
|
Palmdetroit
Legendary
Offline
Activity: 910
Merit: 1000
PHS 50% PoS - Stop mining start minting
|
|
December 06, 2013, 03:19:11 AM |
|
One possibility is just a "minimum change". E.g. changing the number of salsa rounds by a few and tossing an xor between them at some spot or another. It would totally break any fixed function hardware, but would be a 2 LOC for any cpu/gpu miner. I think something like that would be an unfortunate loss of an opportunity, but it would also keep open the possibility of change in the future by avoiding fixed function hardware.
Bitcoin could use a change... Really someone could just come out with a new coin with a changing algo over time to prevent this once and for all. And if we change LTC will just get changed Asics. Also, We would need to make the change soon, before mining voting power is lost.
|
|
|
|
tacotime
Legendary
Offline
Activity: 1484
Merit: 1005
|
|
December 06, 2013, 03:27:36 AM |
|
I'm surprised to see you posting this gmaxwell.
A lot of the earlier developing staff saw this coming in 2012 and their response was this: "ASICs are an important means to secure the network and represent that a chain is reaching maturity."
The longer time goes on, the more I see this as true. There will be other coins to fill the gap.
My response now is: no, there's no need to change the algorithm and ASICs should be embraced, when they finally do come out.
|
XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns
|
|
|
gmaxwell (OP)
Staff
Legendary
Offline
Activity: 4284
Merit: 8808
|
|
December 06, 2013, 03:36:54 AM |
|
A lot of the earlier developing staff saw this coming and their response was this: "ASICs are an important means to secure the network and represent that a chain is reaching maturity."
Indeed, I thought LTC's motivations were outright stupid here— and what you were 'quoting' there could easily have been me. I still think resisting ASICs is a not very useful goal, but it is a clearly stated goal of the system, and it does serve to distinguish it from Bitcoin. After working with a number of ASIC makers in Bitcoin space, I have to say that some of the luster has worn off a bit from my prior enthusiasm too, not enough to disagree with my prior position, but enough to say that was more complicated than I gave it credit for: ATI never raised their prices (usually after recovering NRE from sucker buyers who eat all the risk, even though the asics have no resale value) to the point where it was difficult to make a return on being a miner yourself, ATI never ran huge farms with substantial chunks of the network hashrate, etc. But this is an aside. I don't mean to doom and gloom ASICs: so long as specialized hardware is possible— and it always is— having the honest users using it is good... but LTC sold a Bill of Goods that excluded this stuff, and so ASICs showing up is arguably a bug.
|
|
|
|
tacotime
Legendary
Offline
Activity: 1484
Merit: 1005
|
|
December 06, 2013, 03:41:20 AM |
|
We're not at a time when BTC mining has reached maturity, really. In 6 months the market will be flooded with devices and companies will find themselves in a fierce battle to lower prices and try to outsell their competitors. ASIC manufacturers right now have no idea of the industry that they're seeking to enter, but people who have been involved in the microchip business since the earlier advent of computers are seeing echoes of the past.
I think that repurposing hardware is good for the next big chain, or for finally giving the incentive to complete the primecoin GPU miner, or whatever.
|
XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns
|
|
|
iddo
|
|
December 06, 2013, 04:22:44 AM |
|
tacotime and myself did a few benchmarks with tweaked scrypt params: https://bitcointalk.org/index.php?topic=122256.msg1316383#msg1316383The creator of scrypt has said that the he thinks that scrypt params of Litecoin don't use enough memory ( link), probably before he fully considered the tradeoffs between cost-effectiveness of ASIC and verification/propagation of blocks by Litecoin (non-mining) nodes. He later said that for the Litecoin scrypt params may be good, estimating that still would 10x advantage over SHA256 in terms of the cost-effectiveness of ASIC vs genereal-purpose hardware like GPUs ( link). gmaxwell: regarding whether it will be too late to change the PoW hash function, as you've said in the past, miners exist at the pleasure of the users ( link). To take an extreme scenario, this should supposedly/hopefully mean that if say 90% of the mining power (i.e. ASIC miners) and 10% of the users decide to follow certain protocol rules while 10% of the mining power (i.e. non-ASIC miners) and 90% of the users decide to follow different protocol rules, then the fork with 90% of the users should win. But such scenarios are vague and no one can predict the future, Bitcoin could also have such conflicts with ASIC owners who e.g. wish to change the block size limit to gain higher fees, or other scenarios that we can try to come up with... I think that doing more scrypt benchmarks with the purpose of trying to see which scrypt params give the best tradeoffs is a good idea, coblee & warren what do you think? gmaxwell, do you an educated guess regarding which scrypt params should offer the best tradeoff between making ASIC less cost-effective and fast enough validation/propagation of blocks by regular nodes?
|
|
|
|
CoinHoarder
Legendary
Offline
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
|
|
December 06, 2013, 04:38:47 AM |
|
My vote is on NO.
For the most secure network possible, ASICs are needed. Nothing is ASIC proof, changing the PoW is just delaying the inevitable. ASICs will come to Litecoin if they are economically feasible, no matter what PoW is implemented.
|
|
|
|
Palmdetroit
Legendary
Offline
Activity: 910
Merit: 1000
PHS 50% PoS - Stop mining start minting
|
|
December 06, 2013, 04:42:04 AM |
|
My vote is on NO. For the most secure network possible, ASICs are needed. Nothing is ASIC proof, changing the PoW is just delaying the inevitable. ASICs will come to Litecoin if they are economically feasible, no matter what PoW is implemented. Not to mention the electricity that will be saved is a good thing for planet Earth! GPUs are incredibly inefficient compared to ASICs and waste a lot of electricity. If ASIC uses 1% of the electricity as a gpu people will just use 100times as many... saves nothing. now PoS could be a solution to the resources thing.
|
|
|
|
CoinHoarder
Legendary
Offline
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
|
|
December 06, 2013, 04:45:05 AM |
|
My vote is on NO. For the most secure network possible, ASICs are needed. Nothing is ASIC proof, changing the PoW is just delaying the inevitable. ASICs will come to Litecoin if they are economically feasible, no matter what PoW is implemented. Not to mention the electricity that will be saved is a good thing for planet Earth! GPUs are incredibly inefficient compared to ASICs and waste a lot of electricity. If ASIC uses 1% of the electricity as a gpu people will just use 100times as many... saves nothing. now PoS could be a solution to the resources thing. You have a point. PoS is the only solution to energy savings thus far I agree. I will retract the statement about energy efficiency. I think my first point though is very valid.
|
|
|
|
gmaxwell (OP)
Staff
Legendary
Offline
Activity: 4284
Merit: 8808
|
|
December 06, 2013, 05:07:51 AM |
|
Nothing is ASIC proof,
A point I've argued many times. But in hindsight I was somewhat wrong. No finite collection of fixed algorithms (Even a large set) can be ASIC proof (in fact, large sets probably just lead to ASIC monopolies due to higher NRE). But if you change the POW periodically in ways which aren't predicable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness. There is just the question of the costs of periodic changes being worth the benefits, and what cadence is required to make investment unwise.
|
|
|
|
iddo
|
|
December 06, 2013, 05:12:27 AM Last edit: December 06, 2013, 05:24:41 AM by iddo |
|
Nothing is ASIC proof,
A point I've argued many times. But in hindsight I was somewhat wrong. No finite collection of fixed algorithms (Even a large set) can be ASIC proof (in fact, large sets probably just lead to ASIC monopolies due to higher NRE). But if you change the POW periodically in ways which aren't predicable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness. There is just the question of the costs of periodic changes being worth the benefits, and what cadence is required to make investment unwise. Hmm continuously select the params of the PoW hash function deterministically according to pseudorandom bits of future blocks? Interesting idea... Edit: I think that maybe the idea is that if ASIC miners have a large fraction of the current hashpower, and they try to control the pseudorandom bits that will decide the next PoW params, then they will have a disadvantage in the competition against other miners because they'll have to re-solve blocks multiple times until they get params that they prefer?
|
|
|
|
CoinHoarder
Legendary
Offline
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
|
|
December 06, 2013, 05:31:29 AM Last edit: December 06, 2013, 05:47:36 AM by CoinHoarder |
|
Also.. any poll held on this is going to be pretty biased IMO because of the number of GPU miners that frequent this subforum. Of course most of them will vote Yes. As far as a PoW that will be more ASIC resistant. What about Momentum PoW.. what Protoshares is using: http://invictus-innovations.com/s/MomentumProofOfWork.pdfEDIT: After thinking about if for a bit, the Momentum PoW would not work as it would effectively cut out current GPU miners. Any change of the PoW must allow everyone that is already participating in mining Litecoin to continue to do so. I admit gmaxwell, there very may well be a way to make a coin ASIC proof, but I'm not really sure how it could be done.
|
|
|
|
iddo
|
|
December 06, 2013, 05:55:54 AM |
|
As far as a PoW that will be more ASIC resistant. What about Momentum PoW.. what Protoshares is using: http://invictus-innovations.com/s/MomentumProofOfWork.pdfEDIT: After thinking about if for a bit, the Momentum PoW would not work as it would effectively cut out current GPU miners. Any change of the PoW must allow everyone that is already participating in mining Litecoin to continue to do so. Don't believe everything you read. These protoshare guys apparently have never heard of cycle detection algorithms (like Pollard's rho) that find collisions while avoiding the space complexity blowup, their whitepaper is nonsense.
|
|
|
|
mufa23
Legendary
Offline
Activity: 1022
Merit: 1001
I'd fight Gandhi.
|
|
December 06, 2013, 06:06:10 AM |
|
NO
Changing it will deter the price dramatically, and you will have a lot of people leaving Litecoin (including myself). Nobody wants to invest in something if the rules are just going to be changed later. Change is inevitable. Sure go ahead and modify the code. Someone somewhere will figure something out eventually and you will be doing the same thing all over again.
It's a slippery slope, and you're opening a whole new can of worms.
(and I am a GPU Litecoin Miner)
|
Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
|
|
|
rph
|
|
December 06, 2013, 06:18:50 AM |
|
But if you change the POW periodically in ways which aren't predicable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness.
In practice that just means the optimal mining technology will be the world's best FPGA, instead of the world's best fixed-function ASIC. Unless you're capable of creating a substantially different POW function every couple days to defeat skilled, well-funded, and persistent FPGA designers (and C-to-RTL synthesis tools)... Anyway, I believe it's morally wrong to change the POW 2+ years after launching a coin, if you did not at least mention that possibility when creating it. You would destroy many hundreds of thousands of dollars invested in the "evil" ASIC(s) which, in the long run, will make all cryptocurrencies less secure by encouraging private, secret, centralized ASIC development. And then there's the whole slippery slope aspect - if we can change the POW, what else can we change? How about we increase the block reward 10X so I can haz moar coinz plzz, at the expense of savers? A significant advantage of existing cryptocurrencies is that the key attributes were made fully public up front, held constant, and not politically revised by any party (so far). If you start making up the rules as you go along, you've just created a less centralized & possibly more democratic, but still politically manipulable, imitation of a Central Bank and fiat currency. Maybe there is demand for that, maybe not, but if you want that, you should at least have the decency to launch it as a new coin, rather than corrupting an existing one. -rph
|
|
|
|
Romyen
Member
Offline
Activity: 61
Merit: 10
|
|
December 06, 2013, 06:20:29 AM |
|
I vote yes because this will discourage the proliferation of unnecessary altcoins. Here's my argument. With the advent of ASICS litecoin was in the right place at the right time. Miners were stuck with obsolete hardware that could not profitably mine bitcoins, so they enthusiastically joined the litecoin community, thus providing it with substantial impetus. Once litecoin-enabled ASICS become available, the cycle will repeat itself on some other altcoin. Most altcoins are junk, and the ones that aren't should grow on their own merits, not because they rely on GPU/CPU proof-of-work. Litecoin can maintain its hegenomy by periodically buying time with tweaks to the proof-of-work.
|
|
|
|
iddo
|
|
December 06, 2013, 06:24:11 AM |
|
Nobody wants to invest in something if the rules are just going to be changed later.
The miners can vote on whether they wish to change a protocol rule, as was the case with BIP16 (P2SH) in Bitcoin.
|
|
|
|
iddo
|
|
December 06, 2013, 06:31:02 AM |
|
Anyway, I believe it's morally wrong to change the POW 2+ years after launching a coin, if you did not at least mention that possibility when creating it.
coblee has initiated a public discussion on changing the scrypt params, a few months after Litecoin was launched ( link).
|
|
|
|
|