aeonix / aeon

AEON source code (post May 2018 rebase)

Proposal to switch to SHA-3 proof of work #103

Closed stoffu closed 5 years ago

stoffu commented 5 years ago

(Original post: https://www.reddit.com/r/Aeon/comments/aw2xhn/proposal_to_switch_to_sha3_proof_of_work/)

I believe now is the right time for Aeon to become ASIC friendly by switching to SHA-3 PoW (the most recent Secure Hashing Algorithm standardized by NIST). Below I'll try to explain why:

There is no such thing as ASIC resistant PoW.

Whether someone creates an ASIC or not is not determined by how technologically difficult it is to do so, but how economically sensible it is to do so; i.e., when a coin gets more adopted and the price rises, ASICs will appear no matter what.

Below is a quote from Bitcoin StackExchange which makes a good point:

It's not really "someone figured out" how to mine on FPGAs or ASICs: an intelligent first year undergraduate could port SHA256 from C to Verilog. It's more that it began to make economic sense. ASICs in particular require a big enough up-front investment that you need economies of scale. – Peter Taylor Nov 9 '17 at 23:27

https://bitcoin.stackexchange.com/questions/62336/why-did-satoshi-design-bitcoin-to-be-mineable-only-on-specialized-hardware-if-t#comment71658_62339

For every supposedly ASIC resistant PoW (scrypt, CryptoNight etc), ASICs have been created at some point when the coin became sufficiently large. An often seen argument is "CryptoNight was good at resisting ASICs because it survived the first 3 years without ASICs being developed", with which I disagree. CryptoNight ASICs weren't created for the first 3 years simply because the market was too small; it wasn't worthwhile to develop CryptoNight ASICs.

Currently RandomX is receiving a lot of attention as being (almost) truly ASIC resistant by making PoW even more complex, but from the past experience and from logical reasoning, I have no reason to believe so.

Importance of protocol stability:

As a coin gets more widely adopted (and the price goes up), there will be more participants in the network (users, exchanges, merchants, pools, etc), which makes it more difficult to do hard forks (i.e. to force everyone to upgrade their software). Monero's 6-month fork schedule is already becoming almost unworkable due to the sheer network size, and I think they'll be forced to change this policy rather soon.

Imagine a hypothetical future where one particular crypto coin becomes a globally adopted world currency. That coin cannot do hard forks every so often; maybe once every two years is already too much. Ideally, at some point, the protocol should become absolutely stable and require no more hard forks at all.

With this in mind, I immediately see ASIC resistance being incompatible with this future, because hard forks (PoW changes) are rather frequently needed due to ASICs getting created faster and faster as the coin grows. ASIC resistance cannot be a sane strategy for a winning cryptocurrency.

Importance of switching now:

Going from ASIC resistant to ASIC friendly is such a radical change, and strong opposition is naturally expected from many of the community members who have been supporting ASIC resistance. A compromise solution suggested by @iamsmooth is to adopt CryptonightR, which Monero will switch to in the upcoming hard fork. I think the reasoning is that CN-R is expected to be somewhat better at resisting ASICs and not much more computationally expensive than the previous CN variants (unlike RandomX), so we can wait and see how successful this will be before going full ASIC friendly.

Initially I felt OK with it, but I became unsatisfied after a while of thinking for these reasons:

Arguments for ASIC resistance and their counterarguments:

SHA-3 is the perfect way for Aeon to differentiate itself from Monero.

This change is radical but not stupid. Many people in the Monero community would be curious how things will play out for SHA-3 Aeon. This will surely also attract a lot of attention from the wider crypto community because Aeon will be the first CryptoNote coin that deployed SHA-3. I believe this is a very good opportunity for marketing as well.

Please discuss.

Bendr0id commented 5 years ago

Then why not switch to an algo which is ASIC/GPU/CPU and nature friendly?

plavirudar commented 5 years ago

Your title "There is no such thing as ASIC resistant PoW." is misleading. Of course an algo can be resistant to hardware speedup (key derivation functions are designed to have a much lower ratio of ASIC:general purpose hardware speedups vs fast hashes); it's the degree of resistance that matters. There is no ASIC immunity, in the sense that it's impossible to make an algorithm that has zero speedup when implemented in hardware, but it's not clear if there exists an algorithm that has a small enough speedup (high enough resistance) in order for ASICs to be unprofitable.

Implementing an ASIC-friendly POW will likely result in no ASICs being manufactured in the current market due to unprofitability, and if/when a manufacturer chooses to do so, they will likely be the only one (again, due to the tiny market), resulting in conditions ripe for 51% attack. No sane manufacturer will sell their ASICs under such conditions, since it will only eat into their own profitability by increasing the proportion of hash they don't control.

In any case, if an ASIC friendly PoW is somehow chosen, the shift should obviously happen over a long period of time, similar to what Grin is doing with their choice of PoW.

thinkpol2 commented 5 years ago

@Bendr0id such as?

Bendr0id commented 5 years ago

Cuckaroo cycles for example

shigutso commented 5 years ago

My reply: https://www.reddit.com/r/Aeon/comments/aw2xhn/proposal_to_switch_to_sha3_proof_of_work/ehjq7sf/

The Aeon community is too small at the moment to do this. All small pools will die. I'll probably shut down PoolTupi, because nobody in South America will be able to afford ASICs. Aeon will become a mine-and-dump coin (which it is at the moment, with ASIC farms). ASICs are mining Aeon now because they have limited options on what to mine. They are not mining because they believe the coin is worth something. Mining is and will be centralized. This is not BTC or ETH with thousands of people interested. This is Aeon, with a tiny community that wants a place in the crypto space. Coins released in 2017/2018 with no purpose (meme/scam) have a LARGER community than Aeon. Switching to SHA-3 will kill the coin. But that's just my opinion.

EDIT: also, a good read on the subject: https://medium.com/@CobraBitcoin/the-sad-story-of-sha-256-and-why-we-need-a-new-pow-algorithm-6ffe9d919cfb

bobbieltd commented 5 years ago

I still like CPU friendly algos. Easier to reach a wider range of miners (even though mining at a loss).

iamsmooth commented 5 years ago

@plavirudar Key derivation functions and mining have some similarities but also some critical differences. A 20% or 50% or even perhaps 99% improvement in a KDF is nearly useless in terms of enabling brute forcing but these are absolutely effective in terms of mining. The intense competitive nature of mining means that small to moderate differences are very important and this makes the ASIC-resistance task far more difficult and less likely to succeed than for KDFs.

iamsmooth commented 5 years ago

@stoffu

simply because the market was too small

I think the point is that for a given degree of resistance relative to the fixed cost of ASICs and the extent of any efficiency improvement, the market may always be too small, or at least may stay too small for a sufficient period of time as to not require frequent forking. Many algorithms became fully GPU-, FPGA-, and/or ASIC-dominated a lot faster than CN did, because CN did indeed have a degree of resistance. That degree of resistance turned out to be insufficient once Monero got to a certain size. Increase the resistance and the necessary size becomes larger, potentially (theoretically) to the point where no cryptocurrency would ever reach that size, even if it became the global standard currency.

To be fair I don't think anyone has demonstrated this is feasible in practice, but it isn't impossible in theory.

BigslimVdub commented 5 years ago

SHA3 is not currently crowded with ASICs, so in its current state it would be a CPU/GPU mining friendly PoW change.

People say fork to CN-R and if it doesn't work then fork to SHA3. Imo this creates additional work, and if you were going to switch anyway in the long run, why not omit that task in the first place?

I believe that this drastic change will allow AEON to stand out from the pool of CN coins and step into the eye of developers who may not have paid any attention to AEON in the first place. This also may increase the value of Aeon as those developers (or early investors) step in.

It may work.

It may not work.

But if you do not try you will never know the outcome.

EDIT: I will support whatever decision the community makes on this matter. I will not leave the community if one or the other decision is made.

ArqTras commented 5 years ago

2 sats from an old pool owner. You have to respect miners; they are the ones who drive the network with their actions and behavior. In my opinion, it is a mistake to think that the living miners, the community, can be exchanged/replaced by ASICs. ASICs mine only for profit/dump coins; miners do too, but if they have another purpose of use, they go that way as well. And if thoughts are going in this direction, was cn-lite variant 0 not enough to draw conclusions from?

Sorry for my English, but even I understand stoffu's point of view; thinking long term, there should always be a way to allow the general-purpose use that Aeon has described on its web page. Now it looks like a big change. No offense to anyone here, it's just that I always thought Aeon is "for the Aeon community", even though a large part of it is not as active as before. I wish all the best for this project.

stoffu commented 5 years ago

@iamsmooth

That degree of resistance turned out to be insufficient once Monero got to a certain size. Increase the resistance and the necessary size becomes larger, potentially (theoretically) to the point where no cryptocurrency would ever reach that size, even if it became the global standard currency.

I disagree with this argument. The efficiency increase from ASICs varies depending on how much resource was put into development; i.e., producing less optimized ASICs is cheaper than producing more optimized ones. But those less optimized ASICs will still be measurably faster than CPUs/GPUs, driving them away from mining. I don't think it's reasonable to assume that there can exist a PoW algorithm that is so ASIC resistant that any kind of efficiency improvement over CPUs/GPUs can never be devised, even when the currency becomes the global standard.

thriftyMinnow commented 5 years ago

Posted this on Reddit as well:

The arguments for SHA-3 are sound in the long run ... eventually. But I believe as a community coin, Aeon is not ready to advertise as an ASIC-friendly coin. Feel free to disagree. I just offer it for the discussion.

Not Yet Time to Become ASIC-Friendly: Reasoning

The Individual Miner will Avoid Anything Branded ASIC-Friendly

I am speaking from the standpoint of an individual miner. I am a computer guy, so I wanted to learn by doing ... by participating in the technology ... by mining. That is how I found Aeon, and if Aeon had not been CPU-friendly, I would not have given it a thought. Conclusion: if Aeon had been marketed as an ASIC-friendly coin 2 years ago, I would not be here.

The Individual Miner Often Becomes Active in the Community

I am also speaking from the standpoint of Community Contributor over the past year or so. I am regularly on the Discord channel, I made a lot of general Aeon information available via some How-To's. I was instrumental in standing up the Community pages on github. I have contributed and plan to contribute more to testing ... PR-testing is a critical function that requires basic technical skills ... the skills an Individual Miner has.

The Aeon Community Is Still Small, evidenced in several ways:

ASIC Makers Will Not Become Community Members

Does anyone believe that ASIC creators and ASIC-Farmers will become active in the Aeon Community and contribute to our growth? Network stability is nothing in the face of a small community that cannot take the coin forward more than a few halting steps a year.

WHO will replace the lost potential of pulling in a few more thriftyMinnows and Camthegeeks?

We better have a compelling answer to that question!

Will Aeon Get Recognition for Moving to SHA-3? Probably Not.

Who, exactly, is going to tell anybody about this if it happens?

Our small community will tell some of our tech friends maybe. A small % of the Monero community will know about it, and maybe tell some people ... and then go back to working on Monero.

We need to get our act together with some real Marketing plans, and have some Marketing avenues that draw attention to our message ... otherwise we will adopt SHA-3 and there will still be exactly 100 people that know Aeon exists. (That's slightly sarcastic, but not much.)

Alternative Approach To Differentiation And ASICs

Here are my thoughts: a variation on the SHA-3 theme.

When We Near the Emission Tail Phase, SHA-3 Makes More Sense

iamsmooth commented 5 years ago

@stoffu

Efficiency increase by ASICs varies depending on how much resource was put into development

Yes but only to a point. The big CPU and GPU makers already put many billions of dollars into designing their chips, and then benefit from enormous economies of scale in producing them.

If the "work" being performed is close enough to what those chips are designed to do (which is what approaches like CN-R and randomX are attempting to do) then you are at or very close to the point of diminishing returns where no amount of money will result in significant improvements.

I'm not claiming this will be accomplished but I also am not convinced by arguments that it is impossible. A lot of the intuition about ASICs comes from simple hash functions such as SHA, scrypt, or even cryptonight (which is a scrypt variant). No one questions that simple hash functions can be computed much more efficiently by ASICs. That's very different from claiming that there does not exist any function which can not be computed much more efficiently by ASICs.

stoffu commented 5 years ago

@iamsmooth

This argument seems to imply that a perfectly ASIC resistant PoW is something which commodity CPUs/GPUs would perform the best (i.e. creating ASICs better than CPUs/GPUs would be impossible) to complete the hash calculation. But CPUs/GPUs are designed to best perform a variety of tasks in common people's daily life, such as:

CPU/GPU manufacturers make decisions on a good balance between different aspects of processors (e.g. memory bandwidth, branch prediction, etc) so as to best serve the largest customer base and thus maximize their profit. Let's call this balance "the average computational need". The perfect ASIC resistant PoW must adhere to this average computational need, which seems very problematic because:

  1. It requires the block verification task (i.e. calculating the PoW hash per block) to be as complex as the average computational tasks performed by common people. It'll surely be much, much more complex than RandomX, which already seems unacceptably complex.

  2. Identifying the average computational need in itself seems infeasible (only some guesswork would be possible).

iamsmooth commented 5 years ago

@stoffu

The reason manufacturers make decisions on a good balance is because it is not economical to create specialized solutions for every single customer application. Even the identifiable market segments that do exist (such as gaming) end up with products which are small variants of the general solution (higher clock rate, etc.) and not fully-specialized. This all benefits from many billions of dollars going into a processor family R&D and unit costs advantages of producing huge volumes of the same product (or small variations thereof).

I'm not really sure what you mean by 'as complex' or 'too complex'. That term seems poorly defined if at all.

As for your last point about identifying the 'average computational need', I don't believe that is required in any specificity. Anything that is within the general cloud of all the applications you listed and others is fine. The market tells us that a general solution is fine because no one builds specialized chips for any of those. At most you see some variations of the same chips (workstation version with more cores/cache, etc. vs. consumer version).

With non-ASIC resistant mining you can imagine all of the sorts of applications you mentioned (as well as many others) being in some cloud of 'best performed by a general purpose solution' and mining being well outside that cloud. The goal of ASIC-resistant is to move it closer or inside that cloud. I don't know of a way to prove that is impossible, though clearly no one has yet accomplished it.

iamsmooth commented 5 years ago

BTW, I think a better argument for why it might be impossible would be to focus on ways in which mining is profoundly different, not so much the workload itself. For example, mining calculations don't need to be reliable at all. A 10% failure or error rate is perfectly acceptable if doing so gives you an 11% increase in hash rate/efficiency. No one builds any sort of general purpose computers like that at all, afaik. It is a completely different sort of animal.

stoffu commented 5 years ago

@iamsmooth

I'm not really sure what you mean by 'as complex' or 'too complex'. That term seems poorly defined if at all.

By 'complex' I mean the power consumption needed for calculating a single hash being high. 'Too complex' is indeed subjective, and can vary depending on how much weight one puts on what. The 'too complex' bar for Bitcoin is kept very low while ASICs are accepted. Monero is currently lifting that bar higher and higher to keep resisting ASICs. No one knows how high it can go and still remain practically relevant, only time will tell. I personally thought Aeon is aiming for keeping that bar as low as possible, ideally to the level of Bitcoin's. Thus ASIC friendliness seemed to make sense to me, but I could be wrong (in which case I'd stop supporting Aeon).

iamsmooth commented 5 years ago

I would definitely consider lower cost per hash for verification to be a major positive. It is true that, as far as I know, no one has any idea whatsoever how to make a RandomX-type ASIC-resistant (maybe) algorithm with low cost per hash. So that is certainly a good point.

enerc commented 5 years ago

SHA-3 will be FPGA first. Where an atomMiner ($700) does 500 MH/s at 17W, an RX580 does 310 MH/s at 225W. Those FPGAs will be bought in batches by big farms. For average Joe, the item will be "out of stock". CPUs/GPUs will be out from day 1.

shigutso commented 5 years ago

By 'complex' I mean the power consumption needed for calculating a single hash being high. [...] The 'too complex' bar for Bitcoin is kept very low while ASICs are accepted.

@stoffu I'm confused about this argument. A Bitcoin ASIC consumes +1000W, while an AMD Vega 64 ~200W. The algo is lighter, but the machines created to mine it are big and power hungry (because they need to be as fast as possible to compete with other ASICs). Could you please elaborate?

BigslimVdub commented 5 years ago

By 'complex' I mean the power consumption needed for calculating a single hash being high. [...] The 'too complex' bar for Bitcoin is kept very low while ASICs are accepted.

@stoffu I'm confused about this argument. A Bitcoin ASIC consumes +1000W, while an AMD Vega 64 ~200W. The algo is lighter, but the machines created to mine it are big and power hungry (because they need to be as fast as possible to compete with other ASICs). Could you please elaborate?

I did not know that one of Aeons core values was being designed to be the most efficient crypto in regards to mining power consumption. Did I miss something?

shigutso commented 5 years ago

@BigslimVdub I believe stoffu compared SHA256 complexity and power consumption with Cryptonight. SHA3 is not much different from SHA256. Just trying to understand his point on "power consumption", because Bitcoin ASIC farms consume more Watts than GPU farms.

BigslimVdub commented 5 years ago

Ahh yes. If you were to compare consumption between CPU, GPU and ASIC at the same hash rates, the ASIC would consume a fraction of the power for the same hash rate, so they would be the best for efficiency. However, as noted, farms of ASICs typically do consume far more power than any other large scale mining outfits.

stoffu commented 5 years ago

@shigutso

The power consumption I mentioned earlier is what it takes to compute a single PoW hash which is necessary every time a node verifies one block. Let's say it takes X joule for a typical mobile phone CPU to compute one PoW hash, and the blockchain has N blocks. Then this phone will consume X*N joule in total for computing PoW hashes for all the blocks (in addition to PoW hashes, it also needs to verify all the ring signatures and some other checks). X would be small for SHA-256 and even smaller for SHA-3, while large for CryptoNight and RandomX.

The power consumption for some ASIC or GPU devices has nothing to do with this discussion. Let's say an ASIC consumes Y joule to compute one PoW hash, and produces R hashes per second. Then the power consumption for this ASIC is given as Y*R watt. Pay attention to the unit that is consistent: [joule/hash] * [hash/second] = [joule/second] = [watt]. As such, the power consumption in watt for any GPU or ASIC can vary arbitrarily depending on how you choose R.
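What a SHA-3 proof-of-work check amounts to in practice, as an added example that is not part of the original thread or of Aeon's code: a minimal mine/verify loop over a constructed header layout using Python's hashlib.sha3_256. The header fields, the Bitcoin-style difficulty-to-target mapping and the sample values are assumptions for illustration, not Aeon's real block format or difficulty algorithm. The point it makes concrete is the asymmetry in the comment above: the miner spends roughly `difficulty` hashes finding a nonce, while a verifying node spends exactly one SHA3-256 per block (stoffu's X).

```python
import hashlib
import struct


# Constructed header layout for illustration only (not Aeon's real block format):
# 32-byte previous block hash || 32-byte merkle root || u64 timestamp || u32 nonce
def serialize_header(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> bytes:
    if len(prev_hash) != 32 or len(merkle_root) != 32:
        raise ValueError("prev_hash and merkle_root must be 32 bytes")
    return prev_hash + merkle_root + struct.pack("<QI", timestamp, nonce)


def pow_hash(header: bytes) -> bytes:
    """One PoW hash: a single SHA3-256 over the serialized header.
    This is the whole per-block verification cost (X in the comment above)."""
    return hashlib.sha3_256(header).digest()


def target_from_difficulty(difficulty: int) -> int:
    """Assumed Bitcoin-style mapping: target = 2^256 / difficulty."""
    if difficulty < 1:
        raise ValueError("difficulty must be >= 1")
    return (1 << 256) // difficulty


def meets_target(digest: bytes, target: int) -> bool:
    # Interpret the 32-byte digest as a big-endian integer and compare.
    return int.from_bytes(digest, "big") < target


def mine(prev_hash: bytes, merkle_root: bytes, timestamp: int, difficulty: int,
         max_nonce: int = 1 << 32):
    """Brute-force the u32 nonce; expected work is about `difficulty` hashes.
    Returns None if the nonce space is exhausted (a real miner would then
    change the timestamp or the transaction set and retry)."""
    target = target_from_difficulty(difficulty)
    for nonce in range(max_nonce):
        header = serialize_header(prev_hash, merkle_root, timestamp, nonce)
        if meets_target(pow_hash(header), target):
            return nonce
    return None


def verify_block(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int,
                 difficulty: int) -> bool:
    """A full node's check: exactly one hash per block, regardless of how many
    hashes the miner spent finding the nonce."""
    header = serialize_header(prev_hash, merkle_root, timestamp, nonce)
    return meets_target(pow_hash(header), target_from_difficulty(difficulty))


# Constructed sample inputs (arbitrary values, not from any real chain).
SAMPLE_PREV = hashlib.sha3_256(b"constructed previous block").digest()
SAMPLE_ROOT = hashlib.sha3_256(b"constructed merkle root").digest()
SAMPLE_TIME = 1551398400   # fixed timestamp so the search is reproducible
SAMPLE_DIFFICULTY = 4096   # low so the pure-Python search finishes quickly


def demo():
    """Mine the sample header, then verify it at the mined difficulty and at a
    difficulty 2^30 times higher (the same nonce should fail there)."""
    nonce = mine(SAMPLE_PREV, SAMPLE_ROOT, SAMPLE_TIME, SAMPLE_DIFFICULTY)
    ok = verify_block(SAMPLE_PREV, SAMPLE_ROOT, SAMPLE_TIME, nonce, SAMPLE_DIFFICULTY)
    too_easy = verify_block(SAMPLE_PREV, SAMPLE_ROOT, SAMPLE_TIME, nonce,
                            SAMPLE_DIFFICULTY << 30)
    return nonce, ok, too_easy


if __name__ == "__main__":
    nonce, ok, too_easy = demo()
    print("nonce:", nonce)
    print("verifies at difficulty %d: %s" % (SAMPLE_DIFFICULTY, ok))
    print("same nonce verifies at 2^30x difficulty: %s" % too_easy)
```

Run it as a script to see the mined nonce; the verification path is what a wallet or node on a phone would execute once per block, which is why the per-hash cost of the chosen function, not the wattage of any particular miner, is the relevant figure for verification.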

stoffu commented 5 years ago

@iamsmooth

BTW, I think a better argument for why it might be impossible would be to focus on ways in which mining is profoundly different, not so much the workload itself. For example, mining calculations don't need to be reliable at all. A 10% failure or error rate is perfectly acceptable if doing so give you an 11% increase in hash rate/efficiency. No one builds any sort of general purpose computers like that at all, afaik. It is a completely different sort of animal.

I don't quite agree with this argument. Regarding accuracy, floating point for GPUs in the early days was not very accurate (but is fixed by now, https://stackoverflow.com/a/12111435). I think this is because initially GPUs were developed to improve graphics capability which is useful for gaming. Over time, people started to use GPUs for general purpose computing and demanded accuracy, so it got later improved. The point I'm making here is that even inaccurate computation is acceptable as long as there's a demand in the market. I don't see mining as some completely different kind of task compared to other tasks.

stoffu commented 5 years ago

@iamsmooth

As for your last point about identifying the 'average computational need', I don't believe that is required in any specificity. Anything that is within the general cloud of all the applications you listed and others is fine.

I disagree. A CPU contains various components of different degrees of capability (core, cache, etc) in a particular layout such that the average computational task can be best performed. If a PoW algorithm utilizes only some part of the entire layout, an ASIC designer can drop the unused part and direct money to improving the efficiency of the parts needed by the PoW. In order to force an ASIC to become exactly the same as a typical CPU, the PoW needs to be designed to make use of the entirety of the CPU's components with the exact same (relative) degree of workload for each component.

Designing SHA-256 ASICs was relatively easy because the function is straightforward and compute-intensive. Designing CryptoNight ASICs was also not so hard because the function is still fixed and only needs a good cache capacity. Designing RandomX ASICs seems relatively hard, but I expect it to be quite possible because it's still some very specific process vastly different from the average computational task, such that there should be a large room for dropping unneeded parts and investing in what's needed by the PoW.

iamsmooth commented 5 years ago

components of different degrees of capability (core, cache, etc) in a particular layout such that the average computational task can be best performed. If a PoW algorithm utilizes only some part of the entire layout, an ASIC designer can drop the unused part and direct money to improving the efficiency of the parts needed by the PoW.

You could say the same thing for other workloads. Likely gaming would benefit, to some extent, from a different layout or different set of components. Likewise office computing. Likewise media processing. But for the most part you don't see those products existing. It costs too much relative to the billions of dollars that already goes into designing a (mostly) single product that gets reasonably good performance across a range/cloud of usages. Further microoptimizing does not pay in terms of the added engineering costs and reduced production volumes.

the PoW needs to be designed to make use of the entirety of the CPU's components with the exact same (relative) degree of workload for each component

No, because typical computing workloads already do not use the entirety of all CPU components, especially not with the same relative degree of workload, and we see that it does not pay to design and build many different chips for different workloads (at most, we get a few small variations with different number of cores, etc.)

If a PoW algorithm utilizes only some part of the entire layout, an ASIC designer can drop the unused part and direct money to improving the efficiency of the parts needed by the PoW

Only to the extent there is enough of a gain here to justify designing and manufacturing a separate product in smaller quantities.

For example, many workloads are very light on floating point, some may be light on cache usage, memory bandwidth, etc. There are many other examples. It doesn't pay (as it did in earlier years of computing) to build CPUs without floating point. In fact, even in cases where CPUs are built with less cache or fewer cores, sometimes this is done by soft-locking them solely for market segmentation purposes, rather than actually designing and manufacturing a separate optimized chip.

RandomX ASICs seems relatively hard, but I expect it to be quite possible because it's still some very specific process vastly different from the average computational task

The goal of RandomX is to not have the task be vastly different from the average computational task, but inhabit some point in the workload space that is relatively close to the others. Each randomX hash attempt is supposed to imitate at least some typical computational tasks in some broad sense in terms of mix of operations, memory references, etc. If it doesn't do that, then it will likely fail. It is likely not perfect, but I simply don't see a strong argument why it can not be close enough and not fail.

[regarding inaccurate results] I think this is because initially GPUs were developed to improve graphics capability which is useful for gaming. Over time, people started to use GPUs for general purpose computing and demanded accuracy, so it got later improved

Okay, this is another example where it doesn't pay to build two separate products for every specialized application. GPU manufacturers could continue to build inaccurate GPUs for gaming, video rendering, etc. where precise accuracy is not needed, and perfectly accurate ones for general parallel computing, but they don't. There is more to be gained by designing a single product satisfactory to both workloads and focusing engineering effort on it than there would be from specialization. So maybe this is a further argument in favor of ASIC-resistance (or at least not an argument against it).

stoffu commented 5 years ago

@iamsmooth

You could say the same thing for other workloads. Likely gaming would benefit, to some extent, from a different layout or different set of components. Likewise office computing. Likewise media processing. But for the most part you don't see those products existing. It costs too much relative to the billions of dollars that already goes into designing a (mostly) single product that gets reasonably good performance across a range/cloud of usages. Further microoptimizing does not pay in terms of the added engineering costs and reduced production volumes.

The reason why there is no specialized hardware for these daily tasks is, as you pointed out, that there is not enough demand in the market to justify the cost of producing such hardware. And for mining, though this is only my speculation, due to its outstanding importance compared to other daily tasks, the demand will grow to an overwhelming level such that it'll definitely be worthwhile to build dedicated hardware for mining.

No, because typical computing workloads already do not use the entirety of all CPU components, especially not with the same relative degree of workload

I guess there was some misunderstanding. I defined above the average computational task as the global weighted average of all kinds of various computational tasks for common people on this planet, and a typical CPU is (or aims to be) optimized for best performing this average computational task. So by definition, typical (average) computational workload does fully make use of the entirety of all CPU components. This is not an argument, just an axiom I made up for discussion. In practice, I think identifying such an average computational need is quite an ambiguous/undefined problem requiring the full knowledge of the market, but I imagine CPU manufacturers are trying to make best guesses.

Only to the extent there is enough of a gain here to justify designing and manufacturing a separate product in smaller quantities.

Yes, exactly. And I believe the demand will grow exponentially and justify the creation of ASICs.

Each randomX hash attempt is supposed to imitate at least some typical computational tasks in some broad sense in terms of mix of operations, memory references, etc. If it doesn't do that, then it will likely fail.

I completely agree. This is the point I tried to make in my earlier comment.

It is likely not perfect, but I simply don't see a strong argument why it can not be close enough and not fail.

This is subjective again, but I believe that the demand will grow so significantly that any imperfection of this attempt to imitate makes for a large enough room for optimization and justifies the creation of ASICs.


After all, almost all of the different options in the cryptocurrency scene are things that cannot be proven mathematically. We don't even know whether a PoW blockchain itself is really feasible or viable. For this ASIC resistance vs ASIC friendliness debate, I just want to bet on the healthy growth of the market (i.e. ASICs being commoditized and no 51% attacks occurring) rather than on human beings' ability to design some perfectly ASIC resistant PoW in an undefined amount of time. There seems to exist a large enough set of people supporting ASIC friendliness, and I see a definite demand for a SHA-3 CryptoNote. I thought Aeon could serve this demand, but if not, due to strong opposition, a new coin must be created.

plavirudar commented 5 years ago

Yes, exactly. And I believe the demand will grow exponentially and justify the creation of ASICs.

How do you think the demand will grow exponentially? From what source will this exponential demand come?

Aeon clearly doesn't have anywhere close to enough of a market to support an ASIC. Unless a larger coin adopts it (in which case the coin will be at the mercy of 51% attackers from their network), or if there is another massive bull-run bubble, there doesn't seem to be a path to this demand.

stoffu commented 5 years ago

@plavirudar

How do you think the demand will grow exponentially? From what source will this exponential demand come?

My prediction comes from observing Bitcoin's history. I should also probably rephrase my sentence since 'exponentially' is a mathematical term and may be unsuitable for expressing what I meant: I seriously look for a future where Aeon truly becomes the global currency adopted worldwide, something like what the US dollar is today (or even more).

Aeon clearly doesn't have anywhere close to enough of a market to support an ASIC.

The current market size doesn't matter. Bitcoin was like Aeon for its first few years. I expect the market to grow organically.

Again, this is all subjective and speculative by nature. You're free to disagree with me and have different opinions, but you can't deny my perspective conclusively because there are no proofs whatsoever on either side. I just see a legitimate need for exploring a different PoW strategy alternative to Monero's.

shigutso commented 5 years ago

I just see a legitimate need for exploring a different PoW strategy alternative to Monero's.

What if this SHA-3 exploration kills a portion of the already small community and makes the coin even smaller? Is there a Plan B?

BigslimVdub commented 5 years ago

Hmm https://github.com/wownero/meta/issues/21

So will Aeon sit around and watch wownero move to sha3 or alike?

stoffu commented 5 years ago

@shigutso

What if this SHA-3 exploration kills a portion of the already small community and makes the coin even smaller? Is there a Plan B?

Nope. If SHA-3 Aeon gets 51% attacked all the time and its price crashes to zero and stays there, Aeon dies. Too bad, our experiment failed, despite our genuine belief in success.

The same can be said for any cryptocurrency including Monero and Bitcoin though. Even fiat currencies are not guaranteed to keep functioning (central bankers make promises solely backed by 'good faith').

I see a real risk in keeping ASIC resistance. That approach is already being explored by Monero, so there should be a coin that would explore the other approach. Which one will succeed, no one knows (but probably not both). If Aeon sticks to the same approach as Monero, I don't see much point in supporting this coin, so I'll move on to something else.

shigutso commented 5 years ago

If Aeon sticks to the same approach as Monero, I don't see much point in supporting this coin, so I'll move on to something else.

You have been talking a lot about this "moving to something else". I'm curious, where that would be?

camthegeek commented 5 years ago

If Aeon sticks to the same approach as Monero, I don't see much point in supporting this coin, so I'll move on to something else.

This is roughly the same thing I have been thinking for some time. I think it's far beyond time for AEON to evolve into something else.

stoffu commented 5 years ago

@shigutso

You have been talking a lot about this "moving to something else". I'm curious, where that would be?

To stop caring about Aeon and launch a new coin.

caokun320 commented 5 years ago

My reply: https://www.reddit.com/r/Aeon/comments/aw2xhn/proposal_to_switch_to_sha3_proof_of_work/ehjq7sf/

The Aeon community is currently too small to pull this off. All small pools will die. I may shut down PoolTupi, because nobody in South America can afford an ASIC. Aeon will become a mine-and-dump coin (currently it is the ASIC farms). ASICs are mining Aeon now because their choice of what to mine is limited. They are not mining because they believe the coin is worth it. Mining has been and will be centralized. This isn't BTC or ETH, with thousands of interested people. This is Aeon, with a small community that wants a place in the crypto space. Coins launched in 2017/2018 with no purpose at all (memes/scams) have bigger communities than Aeon. Switching to SHA-3 will kill the coin. But that's just my personal opinion.

Edit: Also, a good read on this topic: https://medium.com/@CobraBitcoin/the-sad-story-of-sha-256-and-why-we-need-a-new-pow-algorithm-6ffe9d919cfb

Yes, you are right.

iamsmooth commented 5 years ago

@stoffu We could go back and forth on philosophy but let's just agree to disagree to an extent. Where we agree is that effective ASIC resistance does not exist right now. CN-R is not likely to be strongly ASIC-resistant, even if perhaps a bit better than previous CNs. RandomX is not ready and I have doubts about its first iteration (at least to the extent the first iteration looks a lot like its current in-progress state) being all that resistant.

I would suggest that we proceed to the PR stage. There is significant support (definitely more than I originally expected) for it and while there are some disagreeing, I don't believe we can realistically expect nor require unanimity. Further, I don't see any other coherent proposals from anyone willing to do the work, or even really any at all. Those who don't support it are free to continue to use the old chain as some did for a time with Monero, or create their own fork/coin.

shigutso commented 5 years ago

Those who don't support it are free to continue to use the old chain as some did for a time with Monero, or create their own fork/coin.

That's a very bad joke :)

tevador commented 5 years ago

@stoffu

Designing RandomX ASICs seems relatively hard, but I expect it to be quite possible because it's still some very specific process vastly different from the average computational task,

RandomX is actually much broader and harder than your average computational task. It aims to utilize most of the 'useful' parts of the CPU. It scores higher than most other workloads in many metrics such as IPC, power consumption or memory accesses per second.

@iamsmooth

RandomX is not ready and I have doubts about its first iteration (at least to the extent the first iteration looks a lot like its current in-progress state) being all that resistant.

RandomX has gone through two major changes since its conception, so you could call it the third iteration. Not sure which one you are referring to. If you want to share the reasons for your doubts, feel free to drop a comment in the RandomX repository.

Anyways, I hope Aeon can be the pioneer for Monero's eventual switch to Keccak/SHA-3. We'll see how it plays out.

timolson commented 5 years ago

Hi, I'm one of the people who wrote the FOSS CryptoNight ASIC and thought I'd chime in with a few points.

I think ProgPoW will probably succeed in preventing ASICs from being more efficient than the existing GPUs that are already optimized with billions in effort. RandomX has a chance of succeeding as well, but it's much trickier with CPUs. IMHO these PoWs would just hand an ASIC duopoly to the incumbent companies, and long-term I wouldn't be surprised to see an AMD or Intel ASIC for RandomX. No-one else would be able to compete with them. What then? You think they will be "nice?" They have shareholders.

Keccak is an excellent choice for ASIC-friendly PoW, not only because it's extremely efficient in hardware, but also because it's easy to implement. That means a low barrier to entry and maximum competition from ASIC manufacturers.

ASIC miners have strong incentive to help the coin, as long as their mining hardware can only be used for that one coin. Claims of "mine & sell" are true because miners have operating costs to cover, but overall they need the coin to be healthy or they are the owners of useless bricks. To keep ASIC miner incentives aligned with your coin, you might consider using your own parameterization of Keccak's f and C parameters to intentionally make the PoW NOT COMPATIBLE with SHA-3. The SHA-3 variant of Keccak is not its most natural configuration; the specific parameters for SHA-3 were chosen because of the requirement to be a drop-in replacement for SHA-2.

In any case, Aeon doesn't have the market cap to support ASIC development. There's at least $5m in sunk costs to get any chip off the ground, so the coin needs to be mining something on the order of $50-100m annually before chip makers will take notice. Even if you switch to an ASIC-friendly PoW, I wouldn't expect ASICs to be built.

If moving to Keccak doesn't generate an ASIC market, you should be mindful that FPGAs might possibly supplant GPU miners. For almost every PoW, FPGAs are wayyy too expensive for mining, but since Keccak is especially fast in hardware, FPGAs might actually be economically viable. We synthesized the Athena project's VHDL for Keccak on the Intel (Altera) Arria 10. Something like this $410 part would get about 140 Gbit/s for Keccak-1600. Of course it would also need a logic board and system around it. Note that the Athena VHDL is from the SHA-3 Finalist round and has some minor differences from the accepted SHA-3 specification. Anyway, if we assume another $100-200 for system stuff on top of the $410 part, you get something around $3.50 - $4.50 capex cost per Gbps. You can compare to existing GPU implementations.

caokun320 commented 5 years ago

Hi, I'm one of the people who wrote the FOSS CryptoNight ASIC and thought I'd chime in with a few points.

I think ProgPoW will probably succeed in preventing ASICs from being more efficient than the existing GPUs that are already optimized with billions in effort. RandomX has a chance of succeeding as well, but it's much trickier with CPUs. IMHO these PoWs would just hand an ASIC duopoly to the incumbent companies, and long-term I wouldn't be surprised to see an AMD or Intel ASIC for RandomX. No-one else would be able to compete with them. What then? You think they will be "nice?" They have shareholders.

Keccak is an excellent choice for ASIC-friendly PoW, not only because it's extremely efficient in hardware, but also because it's easy to implement. That means a low barrier to entry and maximum competition from ASIC manufacturers.

ASIC miners have strong incentive to help the coin, as long as their mining hardware can only be used for that one coin. Claims of "mine & sell" are true because miners have operating costs to cover, but overall they need the coin to be healthy or they are the owners of useless bricks. To keep ASIC miner incentives aligned with your coin, you might consider using your own parameterization of Keccak's f and C parameters to intentionally make the PoW NOT COMPATIBLE with SHA-3. The SHA-3 variant of Keccak is not its most natural configuration but was chosen because of the requirement to be a drop-in replacement for SHA-2.

In any case, Aeon doesn't have the market cap to support ASIC development. There's at least $5m in sunk costs to get any chip off the ground, so the coin needs to be mining something on the order of $100m annually before chip makers will take notice. Even if you switch to an ASIC-friendly PoW, I wouldn't expect ASICs to be built.

If moving to Keccak doesn't generate an ASIC market, you should be mindful that FPGAs might possibly supplant GPU miners. For almost every PoW, FPGAs are wayyy too expensive for mining, but since Keccak is especially fast in hardware, FPGAs might actually be economically viable. We synthesized the Athena project's VHDL for Keccak on the Intel (Altera) Arria 10. Something like this $410 part would get about 140 Gbit/s for Keccak-1600. Of course it would also need a logic board and system around it. Note that the Athena VHDL is from the SHA-3 Finalist round and has some minor differences from the accepted SHA-3 specification. Anyway, if we assume another $100-200 for system stuff on top of the $410 part, you get something around $3.50 - $4.50 capex cost per Gbps. You can compare to existing GPU implementations.

professional

sebseb7 commented 5 years ago

Of course an algo can be resistant to hardware speedup

no

tevador commented 5 years ago

I wouldn't be surprised to see an AMD or Intel ASIC for RandomX. No-one else would be able to compete with them. What then? You think they will be "nice?" They have shareholders.

I'm not saying Intel and AMD are perfect, but they are closely watched publicly traded companies. I don't think they could pull off some of the things that private ASIC companies do: imposing arbitrary constraints on the purchase of their products (KYC rules, not shipping to certain countries etc.) or mining secretly with their equipment before selling it.

sebseb7 commented 5 years ago

All small pools will die.

Already dead, because of mining centralization due to a few highly efficient miners.

stoffu commented 5 years ago

@timolson

The SHA-3 variant of Keccak is not its most natural configuration; the specific parameters for SHA-3 were chosen because of the requirement to be a drop-in replacement for SHA-2.

Thanks a lot for bringing up an interesting point; could you elaborate a bit more? What do you mean by 'natural configuration'? What implications does the SHA-3 variant have (other than being just different)? Is it better or worse in some aspects? What makes the SHA-3 variant a drop-in replacement for SHA-2 and why can't other variants be the drop-in replacement?

tevador commented 5 years ago

@stoffu I think @timolson is talking about this: https://en.wikipedia.org/wiki/SHA-3#Capacity_change_controversy The SHA-3 variants have double the "capacity" parameter that would be needed for a given collision resistance.
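
The parameterization point timolson raised (a coin-specific Keccak configuration that is deliberately not SHA-3) and the capacity note above, as an added example in Python that is not code from this thread or from the Aeon project: a small Keccak sponge whose capacity and padding suffix are arguments, so the FIPS 202 choice (capacity 512, suffix 0x06) reproduces `hashlib.sha3_256`, while a hypothetical coin-specific choice (capacity 256 and the original Keccak padding; assumed values for illustration, not any real coin's) gives a different digest from the very same Keccak-f[1600] permutation.

```python
import hashlib
# Keccak-f[1600] round constants and rho rotation offsets, from the Keccak reference.
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
MASK = (1 << 64) - 1
rol = lambda v, n: ((v << n) | (v >> (64 - n))) & MASK

def keccak_f(state):  # Keccak-f[1600] on a 200-byte state; lane (x, y) is little-endian at byte 8*(x+5y)
    A = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], 'little')
          for y in range(5)] for x in range(5)]
    for rnd in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]          # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]                                                  # rho + pi
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rol(A[x][y], ROT[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        A[0][0] ^= RC[rnd]                                                               # iota
    return bytearray(b''.join(A[x][y].to_bytes(8, 'little') for y in range(5) for x in range(5)))

def keccak(data, capacity_bits, out_len, suffix):
    """Sponge with rate = 1600 - capacity. suffix 0x01 = original Keccak pad10*1; 0x06 = FIPS 202 SHA-3."""
    rate = (1600 - capacity_bits) // 8
    msg = bytearray(data) + bytes([suffix])
    msg += bytes(-len(msg) % rate)          # zero-fill to a block boundary ...
    msg[-1] |= 0x80                         # ... and set the final 1 bit of the padding
    state = bytearray(200)
    for off in range(0, len(msg), rate):    # absorb one rate-sized block per permutation
        for j in range(rate):
            state[j] ^= msg[off + j]
        state = keccak_f(state)
    assert out_len <= rate                  # a single squeeze block suffices for the sizes used here
    return bytes(state[:out_len])

def sha3_256(data):
    return keccak(data, 512, 32, 0x06)      # FIPS 202 SHA3-256: capacity 512, SHA-3 domain suffix

def coin_pow_hash(data):
    # Hypothetical non-SHA-3 parameterization (assumed for this example): capacity 256, original padding.
    return keccak(data, 256, 32, 0x01)

def matches_stdlib(data):
    return sha3_256(data) == hashlib.sha3_256(data).digest()
```

Because both variants share Keccak-f[1600], only the absorb width and padding differ, which is exactly what makes a fixed-function SHA3-256 pipeline produce the wrong digest for the coin variant.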

tevador commented 5 years ago

@sebseb7

Of course an algo can be resistant to hardware speedup

no

SHA256d
CPU (AMD Ryzen 1700): 40 MH/s at 80 W ~ 2 MJ/TH
ASIC (28 nm TSMC): 4.73 TH/s at 1300 W ~ 270 J/TH

ASIC is ~7500 times more efficient.

CryptoNight
CPU (AMD Ryzen 1700): 540 H/s at 80 W ~ 150 kJ/MH
ASIC (28 nm TSMC): 1 MH/s at 600 W ~ 600 J/MH

ASIC is ~250 times more efficient.

So clearly CryptoNight is more resistant to hardware speedup.

And CryptoNight doesn't use DRAM and barely uses the CPU core, so there is further room to close the gap.

caokun320 commented 5 years ago

I wouldn't be surprised to see an AMD or Intel ASIC for RandomX. No-one else would be able to compete with them. What then? You think they will be "nice?" They have shareholders.

I'm not saying Intel and AMD are perfect, but they are closely watched publicly traded companies. I don't think they could pull off some of the things that private ASIC companies do: imposing arbitrary constraints on the purchase of their products (KYC rules, not shipping to certain countries etc.) or mining secretly with their equipment before selling it.

Yes, I see Bitmain selling their used E3 at $250; my friend wants to buy one.

Jamyye commented 5 years ago

I am a pool operator, and I am for this change.

One bonus of SHA3 would be faster syncing for mobile. CN hashes take much more resources and time to complete versus SHA3, which is important for a mobile coin.