Bitcoin Forum
January 29, 2023, 08:23:31 PM *
News: Latest Bitcoin Core release: 24.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 »  All
  Print  
Author Topic: Ethereum “Dagger” PoW function is flawed (technical off-topic)  (Read 6979 times)
Sergio_Demian_Lerner (OP)
Hero Member
*****
expert
Offline Offline

Activity: 549
Merit: 588


View Profile WWW
January 17, 2014, 07:11:05 PM
 #1


One of the features in Ethereum is the use of a PoW function specially designed to be memory-hard. While this may be true (though a formal proof is missing and the design document is quite incomplete), the authors completely forgets another key property a PoW function must provide: it must be sequential-memory hard. This means that not only the function should require large amounts of RAM, but it must not allow easy parallelization. Dagger seems to provide almost the best possible scenario for parallelization. In Dagger, a certain amount of RAM is filled by pseudo-random data derived from the header and the nonce. This data is produced in rounds. Each round, a number of elements from the previous round outputs are hashed together to produce the elements of the following round. These hashes can be performed in parallel. An optimized implementation for an ASIC (or FPGA) is evident for anyone with some discrete logic design background. A speedup from 256X to 2560X seems possible.

I posted more on this issue here:

http://bitslog.wordpress.com/2014/01/17/ethereum-dagger-pow-is-flawed/

My own proposal (SeqMemoHash) solves this problem (http://bitslog.wordpress.com/2013/12/31/strict-memory-hard-hash-functions/)

Best regards,
 Sergio.
1675023811
Hero Member
*
Offline Offline

Posts: 1675023811

View Profile Personal Message (Offline)

Ignore
1675023811
Reply with quote  #2

1675023811
Report to moderator
1675023811
Hero Member
*
Offline Offline

Posts: 1675023811

View Profile Personal Message (Offline)

Ignore
1675023811
Reply with quote  #2

1675023811
Report to moderator
1675023811
Hero Member
*
Offline Offline

Posts: 1675023811

View Profile Personal Message (Offline)

Ignore
1675023811
Reply with quote  #2

1675023811
Report to moderator
The Bitcoin software, network, and concept is called "Bitcoin" with a capitalized "B". Bitcoin currency units are called "bitcoins" with a lowercase "b" -- this is often abbreviated BTC.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1675023811
Hero Member
*
Offline Offline

Posts: 1675023811

View Profile Personal Message (Offline)

Ignore
1675023811
Reply with quote  #2

1675023811
Report to moderator
cdog
Hero Member
*****
Offline Offline

Activity: 1036
Merit: 500


View Profile
January 21, 2014, 11:54:57 PM
 #2

Although I cant proclaim a technical understanding of the issue, making your research public is certainly appreciated. Ethereum seems quite ambitious, to say the least
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 330
Merit: 393


View Profile
January 22, 2014, 01:03:08 AM
 #3

Our updates:

1. The problem that I have with scrypt or SeqMemoHash is that they are not memory-hard enough; they are just as memory-hard to verify as they are to compute, which puts a natural cap on how high the parameters can be tweaked. The reason why I came up with Dagger in the first place was to create a PoW that is memory-hard to compute but memory-easy to verify, since you only need a small amount of memory for one nonce, so that you can tweak up the memory requirement per thread to an extremely high value.
2. We did make a simplication and improvement to Dagger (basically, we linearized the tree, so a node always theoretically can depend on the node right before it); this should mitigate this attack somewhat, and parameter tweaks that sacrifice some of its memory-hardness to compute or memory-easiness to verify can be used to mitigate the attack further as much as necessary, in the limit turning Dagger into yet another Scrypt clone.
3. We are actively researching proof of stake, and I came up with Slasher as a proof of concept next-generation PoS algorithm; we may use PoS in combination with PoW.
4. (MOST IMPORTANT) We will actually be holding a proof-of-work contest, where research groups from universities will be invited to come up with ASIC-resistant proofs of work and panels of judges will determine winners. We will have funds to pay substantial prizes, so we hope to attract a large amount of interest. Proof-of-stake, proof-of-burn and proof-of-excellence based submissions will also be welcome in some category.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 22, 2014, 06:26:57 AM
 #4

We are actively researching proof of stake, and I came up with Slasher as a proof of concept next-generation PoS algorithm; we may use PoS in combination with PoW.

So u don't use an already tested solution (Peercoin's PoS), who will do the peer review then? Sunny King? Balthazar?
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1011


bits of proof


View Profile WWW
January 22, 2014, 06:39:09 AM
 #5

4. (MOST IMPORTANT) We will actually be holding a proof-of-work contest, where research groups from universities will be invited to come up with ASIC-resistant proofs of work and panels of judges will determine winners. We will have funds to pay substantial prizes, so we hope to attract a large amount of interest. Proof-of-stake, proof-of-burn and proof-of-excellence based submissions will also be welcome in some category.

Would you please point me to arguments supporting the need of ASIC resistance?

What is PoS good for as extending any number of forks simultaneously with it costs just as much as extending the trunk?
TierNolan
Legendary
*
Offline Offline

Activity: 1232
Merit: 1014


View Profile
January 22, 2014, 10:24:47 AM
 #6

What is PoS good for as extending any number of forks simultaneously with it costs just as much as extending the trunk?

He covers that.  A miner is only allowed to sign one fork for a given height.  If you sign 2, there is a penalty for the miner.

It requires nodes to track multiple forks though, so they can detect the double spend (mine) attempt.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 22, 2014, 10:26:35 AM
 #7

It requires nodes to track multiple forks though, so they can detect the double spend attempt.

They could use Transparent Mining to counteract multiple forks attack.
coinrevo
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 22, 2014, 11:04:08 AM
 #8

what is the model of "transparent" fundraising? fundraising when even proof of work/proof of stake is not fixed and source is not open is pretty much a red flag given historic precedent. note that historically some of these projects turned from proof of work to proof of stake. all new models would want to avoid the same historic failures and make sure they are not considered to be the same model.
Ursium
Full Member
***
Offline Offline

Activity: 149
Merit: 100

Ethereum


View Profile WWW
January 22, 2014, 11:25:01 AM
 #9

what is the model of "transparent" fundraising? fundraising when even proof of work/proof of stake is not fixed and source is not open is pretty much a red flag given historic precedent. note that historically some of these projects turned from proof of work to proof of stake. all new models would want to avoid the same historic failures and make sure they are not considered to be the same model.

RE: source, the current state of the code is freely available on https://github.com/ethereum/.

Ethereum Twitter: @ethereumproject - Blog: blog.ethereum.org - Forum: forum.ethereum.org - Github: github.com/ethereum
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1011


bits of proof


View Profile WWW
January 22, 2014, 11:29:28 AM
 #10

What is PoS good for as extending any number of forks simultaneously with it costs just as much as extending the trunk?

He covers that.  A miner is only allowed to sign one fork for a given height.  If you sign 2, there is a penalty for the miner.

It requires nodes to track multiple forks though, so they can detect the double spend (mine) attempt.
I am not sure that cuts it. A big stake gives access to deterministic yield enhancing strategies even more than a huge mining capacity in PoW. Just like playing no-limit poker against a huge stack is not fun.
TierNolan
Legendary
*
Offline Offline

Activity: 1232
Merit: 1014


View Profile
January 22, 2014, 01:09:55 PM
 #11

I am not sure that cuts it. A big stake gives access to deterministic yield enhancing strategies even more than a huge mining capacity in PoW. Just like playing no-limit poker against a huge stack is not fun.

It would depend on the statistics, but requiring one fork only to be signed covers (or at least helps with) the "nothing at stake" problem.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
xeroc
Sr. Member
****
Offline Offline

Activity: 345
Merit: 250



View Profile
January 22, 2014, 01:36:55 PM
 #12

I see PoS to be superior to PoW .. Why not use 100% PoS much like nxt?
Altoidnerd
Sr. Member
****
Offline Offline

Activity: 406
Merit: 251


http://altoidnerd.com


View Profile WWW
January 22, 2014, 01:39:07 PM
 #13

Would you please point me to arguments supporting the need of ASIC resistance?

Integrated circuits are black boxes, the enemy of open source technology.

Do you even mine?
http://altoidnerd.com 
12gKRdrz7yy7erg5apUvSRGemypTUvBRuJ
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile
January 22, 2014, 01:42:17 PM
 #14

Would you please point me to arguments supporting the need of ASIC resistance?

What is PoS good for as extending any number of forks simultaneously with it costs just as much as extending the trunk?
PoS and ASIC resistance is desirable to people who feel that Bitcoin's biggest flaw is not enough communism.


If you believe in the concept of market failure, and don't see the contradiction between a desire for a decentralized currency and the desire for a cartel of large stakeholders to be able to maintain control, then PoS is a perfect fit.
Altoidnerd
Sr. Member
****
Offline Offline

Activity: 406
Merit: 251


http://altoidnerd.com


View Profile WWW
January 22, 2014, 01:47:37 PM
 #15

PoS is rich get richer.  Cash doesn't earn interest; interest bearing accounts are bank-y.

Innovation is needed, rather than choosing between two defective systems.

And my Anti-Asic feelings are because fabrication of CMOS gates is extremely specialized, and once they're packaged, you cannot prove they don't do fucked up things.  Their fabrication is essentially irreversible ... everything about ICs is incompatible with "trustless systems."

Do you even mine?
http://altoidnerd.com 
12gKRdrz7yy7erg5apUvSRGemypTUvBRuJ
TierNolan
Legendary
*
Offline Offline

Activity: 1232
Merit: 1014


View Profile
January 22, 2014, 02:03:55 PM
Last edit: January 22, 2014, 02:20:02 PM by TierNolan
 #16

And my Anti-Asic feelings are because fabrication of CMOS gates is extremely specialized, and once they're packaged, you cannot prove they don't do fucked up things.  Their fabrication is essentially irreversible ... everything about ICs is incompatible with "trustless systems."

ASICs are just used for hashing.  All the "intelligence" is in the part of the system that creates the blocks.  That is the miner software (open source) or the maybe the firmware (coinbase changes only).

You give your ASIC a block header and have it find a nonce that hashes to the target.

The ASIC knows nothing about the block it is hashing against.

What specific attack or you thinking of?

There is an argument that going to 64 bit nonces would potentially help.  32 bit nonces may require that more functionality is added to the miners.  Even then, it is likely that they would just have the ability to update the extra-nonce in the coinbase.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
Altoidnerd
Sr. Member
****
Offline Offline

Activity: 406
Merit: 251


http://altoidnerd.com


View Profile WWW
January 22, 2014, 02:08:47 PM
 #17

What specific attack or you thinking of?

The list is infinite, because they can do anything; but just for an example, a loop counter with a shutdown...

"aw my asic broke. better buy a new one."

The technology is closed source.  It could be literally set to explode at a certain time, or include a small transmitter to wirelessly send data.  Need I go on?

It's impossible to imagine everything that an IC could be doing without your knowledge.  Using IC's requires trust...and the makers of bitcoin hardware are random startups that just got rich.  They're not TI.

Do you even mine?
http://altoidnerd.com 
12gKRdrz7yy7erg5apUvSRGemypTUvBRuJ
Altoidnerd
Sr. Member
****
Offline Offline

Activity: 406
Merit: 251


http://altoidnerd.com


View Profile WWW
January 22, 2014, 02:18:19 PM
 #18

Here's a creative one.  An ASIC manufacturer distributes many ASICs under a different company name, which are all set to stop working at 2 pm on april 4, 2016, at which time someone suddenly has most of the network, and years of foresight to plan for the event.

It's tin foily to go on.  All I am suggesting is move away from integrated circuits all together...whenever possible...because they are trust boxes in a trustless system.  Accept it as an axiom that ICs = bad; period.

Edit: ah..and furthermore, bitcoin IC makers know PRECISELY how their customers will use the device too.  24/7 doing exactly xyz...this is unlike any other situation with integrated circuits...it's particularly worrisome for me, because I am all too aware of the insane capabilities of modern ICs.

Do you even mine?
http://altoidnerd.com 
12gKRdrz7yy7erg5apUvSRGemypTUvBRuJ
TierNolan
Legendary
*
Offline Offline

Activity: 1232
Merit: 1014


View Profile
January 22, 2014, 02:22:11 PM
 #19

Here's a creative one.  An ASIC manufacturer distributes many ASICs under a different company name, which are all set to stop working at 2 pm on april 4, 2016, at which time someone suddenly has most of the network, and years of foresight to plan for the event.

That would stall the block chain.  It would have to be combined with owning a pool with a large portion of the network power.

How are you planning to sync all the ASICs?  A counter would stop when the ASIC is not connected.

It does point at the potential risk to ASICs which have network controllers.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
Altoidnerd
Sr. Member
****
Offline Offline

Activity: 406
Merit: 251


http://altoidnerd.com


View Profile WWW
January 22, 2014, 02:24:44 PM
Last edit: January 22, 2014, 02:35:39 PM by Altoidnerd
 #20

How are you planning to sync all the ASICs?  A counter would stop when the ASIC is not connected.

Not if it has a capacitor that keeps the timer ticking... how much energy does a wristwatch need?  A digital timer needs way less.

Asics not connected long term wont have the desired effect of shutting off simultaneously - so that case doesn't matter anyway.

Forget attacking the network for a moment...If I headed up a company that made bitcoin ICs, I would definitely be looking into how to pack extra functionality into them to collect data, at the very least.  Not even necessarily attack the network, but to get data - that's such an obvious move...

I mean its easier to just admit asics are dangerous than list all the risks... unless they are open source.  Then they could be OK; otherwise, do as cee-lo would do, and forget them.  You know?

Do you even mine?
http://altoidnerd.com 
12gKRdrz7yy7erg5apUvSRGemypTUvBRuJ
Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!