monero-project / monero

Monero: the secure, private, untraceable cryptocurrency
https://getmonero.org

Proposal to consider an ASIC-friendly proof of work #3387

Closed iamsmooth closed 2 years ago

iamsmooth commented 6 years ago

Currently Monero is pending a hard fork to modify the PoW in order to invalidate existing rumored and reported ASIC designs, and in addition to continue making such changes repeatedly to attempt to prevent ASIC development and deployment on the network. For various reasons, there are longer-term concerns with this strategy, particularly going forward, including:

  1. Continued and repeated ad-hoc modifications to the PoW algorithm may accidentally (or even maliciously) introduce exploits.
  2. ASIC developers may build in more flexibility to their designs to be able to accommodate small algorithm tweaks (indeed this may already be the case, we don't know).
  3. Potential for favoritism/corruption if plans for tweaks are leaked or influenced far enough ahead of time that some favored ASIC developers may have enough lead time to produce ASICs, while others do not.
  4. A belief that ASICs may be desirable as a means to facilitate industrial scale mining and growing the network beyond what might be called a hobby mining phase.
  5. Potential for increased monopolization if the strategy is only partially effective (i.e. keeps all but one ASIC developer from succeeding).
  6. Dependence of the network on continued frequent hard forking independent of the need for functional upgrades. This carries with it a greater degree of centralization necessary to design, implement and coordinate these forks, without any real plan to transition beyond it.

For these reasons I would propose that we consider (which does not necessarily mean implement) abandoning the ASIC-hostile approach and instead consider adopting an ASIC-friendly approach in a future hard fork.

By ASIC-friendly, I mean something that not only can reasonably be implemented in an ASIC, but which minimizes barriers to creating ASICs, minimizes their costs, facilitates the development of a wide range of compatible hardware at attractive price points, and minimizes opportunities for clever proprietary advantages. By doing so we may maximize the likelihood of a competitive ASIC market developing and minimize the degree of (temporarily or sustained) monopolization. This could possibly be achieved by using a simple, well-known, and well understood algorithm such as SHA3.

There are numerous other potential advantages and disadvantages of this approach relative to Monero's current PoW algorithm and strategy, which can be discussed in comments.

Postscript: My personal view has always been largely ASIC-hostile (primarily based on my analysis of the history of the Bitcoin ASIC market when Monero launched in 2014, but reinforced by the continued evolution of the Bitcoin and other coin ASIC markets over the past four years), however I am open to the possibility that unintended consequences of attempting to maintain this approach may cause more harm than overall benefits, in which case it should be dropped.
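The proposal above names SHA3 as the kind of simple, well-known function an ASIC-friendly PoW could be built on. As an added illustration (not code from this issue or from the Monero codebase), here is a minimal hashcash-style proof of work on SHA3-256 with a brute-force miner and a constant-cost verifier; the header layout, the 8-byte nonce and the difficulty-to-target mapping are assumptions made for the example.

```python
# Added example: hashcash-style proof of work on SHA3-256. Not code from the
# Monero issue or codebase; the header layout, nonce width and the difficulty
# encoding are assumptions made for this illustration.
import hashlib
import struct
from typing import Optional, Tuple

HASH_BITS = 256


def pow_hash(header: bytes, nonce: int) -> bytes:
    """One PoW evaluation: SHA3-256(header || nonce as 8-byte little-endian)."""
    return hashlib.sha3_256(header + struct.pack("<Q", nonce)).digest()


def target_from_difficulty(difficulty: int) -> int:
    """Hashcash-style target: a hash qualifies when int(hash) < 2**256 // difficulty,
    so the expected number of hashes per solution is about `difficulty`."""
    if difficulty < 1:
        raise ValueError("difficulty must be >= 1")
    return (1 << HASH_BITS) // difficulty


def verify(header: bytes, nonce: int, difficulty: int) -> bool:
    """Verification costs one hash regardless of how much work mining took;
    that asymmetry is what keeps validation cheap for non-mining nodes."""
    h = int.from_bytes(pow_hash(header, nonce), "big")
    return h < target_from_difficulty(difficulty)


def mine(header: bytes, difficulty: int, max_nonce: int = 1 << 32) -> Optional[Tuple[int, int]]:
    """Brute-force nonce search. Returns (nonce, hashes_evaluated), or None
    if no nonce below max_nonce qualifies."""
    target = target_from_difficulty(difficulty)
    for nonce in range(max_nonce):
        if int.from_bytes(pow_hash(header, nonce), "big") < target:
            return nonce, nonce + 1
    return None


if __name__ == "__main__":
    # Constructed sample header: in a real chain this would be the serialized
    # block header (previous block hash, transaction root, timestamp, ...).
    header = b"constructed-block-header-v1"
    difficulty = 1 << 16
    nonce, hashes = mine(header, difficulty)
    print(f"nonce={nonce} found after {hashes} hashes, valid={verify(header, nonce, difficulty)}")
    # Changing any header byte invalidates the proof; the search has to be redone.
    print("tampered header still valid:", verify(header + b"!", nonce, difficulty))
```

The mining loop is the only expensive part, and its cost scales linearly with the difficulty, while `verify` is a single hash at any difficulty; that is the property a simple, well-analysed function like SHA3 provides directly, without the extra validation cost that more elaborate ASIC-resistant designs can carry.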

williams-r commented 6 years ago

Points for ASIC-friendliness:

ASIC manufacturing will see more competition, halong mining is already competing with bitmain, and their defensive patent group is promising.

There are no ASIC botnets.

ASICs are worthless the day after they carry out a 51% attack.

Merged mining with bitcoin would mean that monero does not have to compete in the same way for the same electricity and capital investment in mining equipment.

Points for ASIC-resistance:

CPUs and GPUs are more difficult to ban than ASICs

the silicon foundries which produce ASICs are quite centralized

Merged mining with bitcoin right now would increase centralization pressure on bitcoin mining from the increased cost of node operation.

SRCoughlin commented 6 years ago

I propose a process that can satisfy many of these concerns: using a sound game theoretic strategy for ASIC resistance. In my proposal, this would continue the current 6-month release strategy, but would also include the following:

  1. The addition of a large number (N) of known non-ASIC-implemented POW algorithms, equal probability of implementation assigned to each (1/N).

  2. Antagonistic testing of each algorithm to confirm its success and lack of exploitable weakness, and replacement of failed tested algorithms.

  3. Rational cost analysis of implementation of each combination of above algorithms in ASIC/MPW fabrication. (Perhaps also including POC in FPGA to get realistic data.)

  4. Use of a pure RNG to determine the particular algorithm implemented in the release.

This process would allow for openness in discussion of future direction and would allow for greater trust by the community in the stability of upcoming releases. (i.e. No more "last-minute" POW changes.) And its use of the random strategy will negate any serious investment in ASIC development as means of dominance.

This process would not address botnets, partially effective ASIC exploits (discovered post-release), or the need for "industrial scale mining".

Please let me know if you think this might be viable.

jwinterm commented 6 years ago

If you would like something that "...not only can reasonably be implemented in an ASIC, but which minimizes barriers to creating ASICs, minimizes their costs, facilitates the development of a wide range of compatible hardware at attractive price points, and minimizes opportunities for clever proprietary advantages." then why do you immediately disregard SHA256 and propose SHA3?

iamsmooth commented 6 years ago

@jwinterm I'm not an expert on this but I've seen various credible claims that SHA256 is not a particularly ASIC-friendly algorithm by design, due to both its internal complexity and susceptibility to various clever optimizations. This has allegedly contributed to the rather less than competitive Bitcoin ASIC market, since barriers to designing competitive SHA256 mining ASICs are higher than they otherwise need to be, and there are too many opportunities to gain a sustainable advantage with proprietary tricks. But who knows, this may be a bogus claim.

SHA3 may or may not be better, but in any case that was only intended as an example which is somewhat more modern by design than SHA256, avoiding some of its pitfalls (for example, length extension attacks, though that in particular may not matter much to PoW).

There may well be better choices, but the particular choice of algorithm seems somewhat of a diversion from the core question of whether ASIC-friendliness is a useful goal, and then defining the selection criteria.

iamsmooth commented 6 years ago

@SRCoughlin While your idea is good in theory, I'm not sure about its feasibility in practice. It is hard enough (and may fail) to produce even one well-vetted and carefully-implemented alternative/modification without screwing it up (see #1 in the original issue), much less several.

jwinterm commented 6 years ago

> There may well be better choices, but that seems somewhat of a diversion from the core question.

This is true, and I think ultimately it's futile to try and constantly fork away from ASICs. The original idea of cryptonight afaik was that it was somewhat equivalent between CPUs, GPUs, and theoretical ASICs, and I think trying to meet that original vision is probably more realistic than trying to constantly fork to prevent ASICs from mining on the network.

iamsmooth commented 6 years ago

@jwinterm

> The original idea of cryptonight afaik was that it was somewhat equivalent between CPUs, GPUs, and theoretical ASICs, and I think trying to meet that original vision is probably more realistic than trying to constantly fork to prevent ASICs from mining on the network.

That's somewhat getting at the core of the intended topic of this issue: Is that still considered a useful goal, and if so, is it feasible in practice?

If it is useful and feasible, how should it be done?

otheATgh commented 6 years ago

> the silicon foundries which produce ASICs are quite centralized

That's nonsense and a non-issue, those foundries are the EXACT SAME that fab out the chips for NVIDIA and AMD. NVIDIA and AMD don't seem to be able to scale their production due to the same issues BTC ASIC factories have atm.

This discussion should have been had in detail way before merging in this untested and unreviewed PoW change.

Using SHA3 or the bastard child of keccak we currently use for the PoW has the advantage that we do not need to implement another unproven crypto library besides what we already have. On the other hand SKEIN seems to be more sane and even easier to implement in HW, as it was meant to be implemented in HW. Another alternative could be to use a slightly modified double sha256 like Bitcoin, as the ASIC chip design there is already highly optimized.

I don't think merge mining with BTC makes any sense, as I do not think that the same HW should be used for both coins; it gives BTC maximalists easy access to attack our network.

The whole idea of securing multiple billion dollar networks using a bunch of hobbyist miners that can easily be overtaken by renting some AWS instances is a pipe dream to me.

So far it seems mostly mined by botnets and shitty JS webminers that steal other people's resources and can dump them at whatever price because they were essentially free anyway.

cAP5L0CK commented 6 years ago

First of all I strongly favor this conversation.

One of the notable outcomes of ASIC resistance besides botnets has been browser miners. One side effect of dropping the ASIC-resistant stance would be to greatly diminish, if not eliminate, the use of web miners, both those used nefariously and those used in the open like Salon.com etc.

SRCoughlin commented 6 years ago

The community has opposed the use of ASIC miners due to the nature of centralization that this entails. If ASIC supporters should wish their implementation, it stands to reason that this case be addressed. (Counterexamples of botnets, Salon, etc. are likely not going to convince the community.)

Hueristic commented 6 years ago

No matter what, we should fork away from these current ASICs; rewarding them is not a good idea.

metamirror commented 6 years ago

Perhaps the Monero Project should fund the development of its own open source ASIC design. It could also manufacture ASICs and commit to selling all of its chips retail.

SRCoughlin commented 6 years ago

@metamirror Interesting. Consider: the community creates a number of new POW algorithms and, in tandem with development and testing, openly releases the VLSI designs for FPGA/ASIC (even MPW?) to go along with each (every?) algorithm. After the RNG, miners can either coordinate bulk purchases through the community, or use the VLSI to fab an independent run of chips and create a custom ASIC. The beauty is that in 6 months the next network release (hard fork) would choose another algorithm by RNG, negating the processing advantage of the existing ASICs and requiring new VLSI designs.

This would allow for full ASIC implementation to anyone's content, yet this would also be limited (by the random strategy) to be economically viable for only a small number of miners. Hence, it would be predictable and controllable, and, should any of the above criticism prove valid, could provide reason to delay the given POW algorithm change schedule to avoid issues.

This would be, in essence, a completely open source anti-ASIC strategy and unlike anything attempted before.

iamsmooth commented 6 years ago

@otheATgh Numerically I think renting a bunch of AWS instances is really not a viable attack. In terms of naive cost estimate, perhaps it is feasible, but while AWS may have a million or more high end CPUs or GPUs to use for this (or an equivalent even larger number of small ones), actually renting that many at one time is not trivial at all, and may be totally infeasible. It means you are competing with their other customers, some of whom are not particularly cost sensitive in the short term (they don't want their enterprise computing shut down so you can attack a network for an hour).

Setting aside Amazon KYC-ish requirements on large capacity demand (they want to see justification and also that you will not disrupt their service), let's look at some numbers. A high end AWS node generates something like $10000/year revenue if rented long term and $4-5k/year if rented on the spot market. AWS total revenue is something like $20 billion/year, not all of which comes from instance fees (some from storage, bandwidth, value-add services, etc.). If it were all high-end node instance fees, which of course it isn't, the entire company would only be 2 million nodes, and you would need to pull something like half of it to pull off an attack, which you won't be able to do.

This seems implausible. Even combining other providers it seems far from easy.

You are significantly underestimating the strength of the current 'hobbyist miner' network (though it isn't really that, there are definitely some large scale miners) and the difficulty of renting very large amounts of resources from cloud providers (particularly for short time which they will find disruptive and not allow) in practice.

Nevertheless, given potential price drops and emissions reduction over time, this may become an issue. Also, Ethereum GPU farms have far more than enough capacity, if they decided to become Ethereum-maximalists doing the attacking instead of the Bitcoin maximalists you mentioned (or just underutilized after Ethereum PoS).

iamsmooth commented 6 years ago

@metamirror

> Perhaps the Monero Project should fund the development of its own open source ASIC design. It could also manufacture ASICs and commit to selling all of its chips retail.

I don't think the Monero project wants to be a point of centralization on the design and manufacture even if they are being sold. The issue isn't only who is building the miners, it is that someone is doing so and has a lot of control over the market (who gets miners, how many, when, and at what price).

Possibly an open source design could make sense, but I don't know enough about the realities of the ASIC design and manufacturing marketplace to know whether this is useful. More generally (not referring to miners here), I see a lot of people talking about 'open source hardware' and not that many actually doing it, particularly at the ASIC level.

SRCoughlin commented 6 years ago

@iamsmooth

> More generally (not referring to miners here), I see a lot of people talking about 'open source hardware' and not that many actually doing it, particularly at the ASIC level.

While software experience is highly portable and abstract, hardware requires EE skills, which are much more time-consuming and particular. Very few EEs donate their time to open projects.

> Possibly an open source design could make sense, but I don't know enough about the realities of the ASIC design and manufacturing marketplace to know whether this is useful.

I do, but donating time for EE work would only make sense as a means to an end. In other words, there has to be very specific reason why EE work is being done. The abstract ideal of decentralization may not be enough to justify this.

As an example of the EE work costs, I give you the (very high) fees associated with the optimal GPGPU code for Cryptonight POW algorithms.

In fact, I'm wondering now if including a (much lower) fee in the POW algorithm and VLSI code would allow for FFS bounties for their own development. This could be interesting, but might also create a conflict-of-interest with the EEs working on these very designs.

iamsmooth commented 6 years ago

(sorry closed by accident)

@SRCoughlin "Very few EEs donate their time to open projects"

Donating time and open source are two different things. A very significant portion of Monero development has been paid for.

> The abstract ideal of decentralization may not be enough to justify this.

The entire purpose of a decentralized cryptocurrency project (indeed the entire purpose of cryptocurrencies at all) is decentralization. It isn't just an abstract ideal, it is at the very core of the mission statement.

My view is that ASICs only make sense if there is an expectation of a commoditized market developing in a reasonable period of time. That hasn't happened with Bitcoin at all, but maybe it still will.

Unless we have some alternative approach which does get there (and at a much smaller scale than Bitcoin might get there), then I would consider the answer to this issue to be in the negative.

hyc commented 6 years ago

@jwinterm

> This is true, and I think ultimately it's futile to try and constantly fork away from ASICs. The original idea of cryptonight afaik was that it was somewhat equivalent between CPUs, GPUs, and theoretical ASICs, and I think trying to meet that original vision is probably more realistic than trying to constantly fork to prevent ASICs from mining on the network.

This makes the most sense to me. While the crypto community always admonishes "don't roll your own crypto" I think it's important to highlight that goals of a PoW hash function don't align with the goals of a typical cryptographic hash function. Most hash functions are designed for efficiency of implementation and execution. (Password hashes may be a notable exception to this goal.) We want something that is equally difficult for CPUs, GPUs, and ASICs. AFAICS this means we want something that is branch-heavy, where multiple branches are all equi-probable. That would defeat CPUs' branch predictors, and GPUs are already poor at branchy code. We also want something that is comprised entirely of serial data dependencies, to defeat any CPU instruction-level parallelism. And we want something that cannot be simply reduced to a compact set of lookup tables. I don't think it'd be hard to come up with such a design.

iamsmooth commented 6 years ago

@hyc The cryptographic soundness (at least some aspects of it) is extremely important otherwise the algorithm can be analyzed and shortcuts found which avoid the need to execute some or all of the (branch-heavy, etc.) code you initially assume is necessary to search the space of possible solutions.

That said, something that is both cryptographically sound and better tuned to the needs of PoW (in particular, ignoring efficiency of execution, good point there) is probably possible, but I'm not sure "not difficult". In a sense all previous attempts at ASIC-resistant, GPU-resistant, memory-hard, etc. PoW have been that, and most if not all have failed in some aspect or another. Cryptonight has held up better than most, in terms of maintaining a balance.

Also, I'd guess that intentionally defeating things like instruction-level parallelism in CPUs puts them at a big disadvantage to ASICs and possibly GPUs, since those will employ parallelism in hardware (unless there is some method proposed to limit or prevent it, such as a very large non-optimizable scratchpad). To maintain parity, CPUs probably need to take advantage of their accessible parallelism too.

iamsmooth commented 6 years ago

Linking because it is worth reading. I don't necessarily endorse every aspect of it, but I endorse (strongly) at least being familiar with the document :)

https://download.wpsoftware.net/bitcoin/asic-faq.pdf

ghost commented 6 years ago

Has there ever been a hybrid PoW scheme that combines an ASIC-unfriendly function with an ASIC-friendly one?

I am thinking of a scheme whereby the first stage of the computation uses an ASIC resistant algorithm, with its output being passed as input to the second stage, which uses an ASIC friendly algorithm. Miners could earn block rewards for performing either (or both) stages.

Consider a bad scenario: a botnet controls a disproportionate amount of the hashrate and/or ASIC farmers do the same. The botnet could never compete with the ASICs on the second stage, but the ASICs would have difficulty competing with botnet on the first stage. Some separation of hashing power would exist, similar to a bicameral legislature.

All Google showed me was hybrid PoW/PoS schemes, so I haven't been able to find anything similar to the one I just described. If someone knows of one, please let me know.

TheTrueForce commented 6 years ago

Please pardon me lobbing up out of nowhere and leaving this here. @jsfierro That seems like a good idea, but: I can see dedicated miners being made to fit that as well. I have no idea if this is actually the case, but it might be feasible to build a custom computer combining a high-end CPU and/or GPU, combined with an ASIC module, and run by custom software. That might defeat the purpose of the two-part algorithm, as the general-purpose(GP) hardware would do its part of the hashing, and then shove that into the ASICs, and pick up the result. Those could be beastly. I can also see addon boards being made for regular PCs to accelerate mining, much like a GPU accelerates rendering. This could lead to the same situation as the hybrid miner, though.

Please keep in mind that I'm speaking from ignorance(or at best only small knowledge), so I could be barking up the wrong tree entirely. Or possibly just barking.

What if the two-part algo has some kind of requirement that the same hardware can't do both parts? That each unit of work needs to be performed by two separate and different pieces of hardware? That would likely eliminate solo mining, and it would also almost require the existence of ASICs. Probably neither are good things. And probably the ASICs would be substantially faster than the GP hardware. That might be an obstacle. On top of that, enforcing the requirement could be a nightmare... I actually have no idea at all how that could be done, if it even can...

hyc commented 6 years ago

Having worked on compilers, optimizers, auto-vectorizers, and the lot, I'd say it's harder to write optimization-friendly code. But it's a heavily studied field by now; we can look at any guide to optimizing code for parallelism, and do the opposite. And what we use can of course start with a cryptographic hash (like Keccak/SHA3) on the front, to decorrelate the intermediate data from the input. After that it's just an issue of making sure nothing we do cancels itself out.
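To make the criteria in hyc's two comments above concrete, here is an added toy illustration (not code from this issue, from hyc, or from the Monero project) of the structure described: a SHA3 front end to decorrelate the state from the input, then a strictly serial chain of rounds in which each round's branch is selected by the state the previous round produced, so there is no instruction-level parallelism to extract; it also measures empirically whether the four branches are taken with equal frequency. The round functions, the constants and the round count are assumptions made for the example, and the code says nothing about cryptographic soundness, which is the separate question the thread goes on to raise.

```python
# Added toy illustration of a branch-heavy, serially dependent PoW core with a
# SHA3 front end. Not code from the Monero issue, from hyc, or from Monero; the
# round functions, constants and ROUNDS are assumptions for this example, and
# the construction is not claimed to be cryptographically sound.
import hashlib
from collections import Counter
from typing import Dict, Tuple

MASK64 = (1 << 64) - 1
ROUNDS = 256
GOLDEN = 0x9E3779B97F4A7C15  # odd constant, so multiplication is a bijection mod 2**64


def rotl64(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def round_step(a: int, b: int) -> Tuple[int, int, int]:
    """One round. The branch is selected by the low two bits of the *current*
    state word, so it cannot be known until the previous round has finished
    (nothing for a branch predictor or an out-of-order core to run ahead on).
    Every branch ends with a rotation so the next selector is taken from bits
    produced by the mixing, not from the bits that chose this branch."""
    sel = a & 3
    if sel == 0:
        a = rotl64((a + b) & MASK64, 23)
    elif sel == 1:
        a = rotl64(a ^ b, 41)
    elif sel == 2:
        a = rotl64((a * GOLDEN + b) & MASK64, 11)
    else:
        a = rotl64((a - b) & MASK64, 29)
    b = b ^ rotl64(a, 31)  # b depends on the *new* a, keeping the chain serial
    return a, b, sel


def toy_core(seed: bytes) -> Tuple[bytes, Dict[int, int]]:
    """SHA3-256 front end -> ROUNDS serial, data-dependent rounds -> SHA3-256
    finalization. Returns the 32-byte result and how often each branch ran."""
    front = hashlib.sha3_256(seed).digest()
    a = int.from_bytes(front[:8], "little")
    b = int.from_bytes(front[8:16], "little")
    taken: Counter = Counter()
    for _ in range(ROUNDS):
        a, b, sel = round_step(a, b)
        taken[sel] += 1
    tail = a.to_bytes(8, "little") + b.to_bytes(8, "little") + front[16:]
    return hashlib.sha3_256(tail).digest(), dict(taken)


def branch_frequencies(n_inputs: int) -> Dict[int, float]:
    """Empirical check of the 'equi-probable branches' requirement over
    n_inputs constructed seeds: the fraction of all rounds that took each branch."""
    total: Counter = Counter()
    for i in range(n_inputs):
        _, taken = toy_core(b"constructed-seed-%d" % i)
        total.update(taken)
    rounds = n_inputs * ROUNDS
    return {sel: total[sel] / rounds for sel in range(4)}


if __name__ == "__main__":
    digest, taken = toy_core(b"constructed-seed-0")
    print(digest.hex(), taken)
    print(branch_frequencies(200))
```

The measurement matters because a branch that is taken noticeably more often than the others is exactly what a hardware implementer would specialise for; a design meeting hyc's criteria should show all four fractions close to 0.25 over many inputs, and the test that accompanies this example asserts that for the toy rounds above.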

Gingeropolous commented 6 years ago

For me, the problem with an ASIC friendly PoW is that you can never beat the economies of scale that ASICs provide. So even when ASICs become commodified, and every phone has an ASIC because reasons, and lightbulbs and toasters because you have to hash for service, we may have achieved an egalitarian access to the hardware, but we may not have achieved egalitarian access to the nonce space.

When I first encountered Bitcoin, it was post-ASIC. I read about it, saw the mines, and concluded that Bitcoin had already become, and would continue becoming, just another space where the Rich get Richer and the everyperson is forced out. And because ASICs breed centralization, it seemed to me that Bitcoin had failed in its primary purpose - being decentralized.

At first, I didn't get into Monero because of "the privacy". I got into it because the egalitarian PoW aligned with how I understand decentralization.

Finally, I think ASICs give too much power to the miners. Yes, I've read the logic that "well the ASIC can only be used to mine that coin so therefore the miners will always support that coin and their intentions are good" but we shouldn't care what the miners support. The miners get rewarded for providing a service to a decentralized network, where the value is completely dependent on the extent of decentralization.

The network is not rewarded by the service of the miners.

SRCoughlin commented 6 years ago

@iamsmooth

> Linking because it is worth reading. I don't necessarily endorse every aspect of it, but I endorse (strongly) at least being familiar with the document :)

I've completed reviewing this document. It is either incorrect or inapplicable in every claim. While it may have some important information about efficiency when it comes to SHA256 algorithms such as Bitcoin, there is nothing to be learned from it when it comes to Monero and its POW algorithms.

My critiques are as follows:

> all ASIC resistance does is increase the startup capital required and therefore increase centralization of manufacturing

Incorrect. ASIC resistance costs labor primarily (designing VLSI, etc.), as ad-hoc production runs of chip fabrication are common now. Capital outlay for the run is not a concern.

> it is impossible to create an algorithm which runs at the same speed on general-purpose and dedicated hardware

Inapplicable. It is possible to create algorithms which surpass the economic feasibility of ASIC design within the timeframe of change in POW. If it's not profitable, there is no incentive.

> Schemes such as “the developers will just change the proof-of-work algorithm if ASIC’s appear” do not even make sense — in a decentralized currency the developers have no such power

Incorrect. This is happening right now.

> Memory hardness has the effect of increasing ASIC board footprint, weakening the heat-dissipation decentralization provided by the thermodynamic limit.

Inapplicable. As above.

> Also, memory hard proofs-of-work often require lots of memory on the part of the verifiers, which is bad for decentralization

Partially applicable, but only as for certain implementations. Say, Arduino or other small devices.

> memory-hardness worsens the centralizing effects of ASIC’s while weakening the decentralizing effects

Inapplicable. As above.

> An algorithm which is highly susceptible to TMTO has poorly defined memory hardness

Incorrect. Testing and optimization can reveal these issues. See Cuckoo Cycle as an example.

iamsmooth commented 6 years ago

@SRCoughlin Cost of labor to design is a capital outlay. Someone is paying for the labor long before revenue. That investment is a form of capital.

Yes the document takes the position that effective ASIC resistance is impossible. That may or may not be correct in practice, but the idea that ineffective ASIC-resistance may make matters worse seems valid to me.

@Gingeropolous "but we may not have achieved egalitarian access to the nonce space"

I don't see how this is ever possible, outside of some sort of KYC for mining (and not even sure how that would be done in a decentralized manner). Even if you can mine on a laptop, nothing prevents someone else from using two laptops and therefore having access to twice the nonce space, right?

jtgrassie commented 6 years ago

IMHO, the issue is that ASICs currently are very centralized. If there were ASIC products on the market with fair competition then there would be no reason to be ASIC resistant. Currently that's just not the case. The problem is, whilst there is this path of ASIC resistance, what incentive is there for anyone to develop ASICs for Monero mining; zero. It's a double edged sword (or rather chicken and the egg scenario). We either let the current players develop ASICs for Monero and accept it will be centralized to some degree for a period, or we resist, which deters possible ASIC development and competition in the market. I guess I feel a good end-state is multiple ASIC producers, as then ASICs become commoditized, and there's nothing bad about that (hardware the masses can use to mine at commodity prices with better margin, r.e. electricity cost & hardware cost / return).

Let's be honest, mining is already centralized to some degree. GPUs (AMD and Nvidia) and CPUs (really just Intel by the numbers). The prices of these, which were once commodity hardware, have been growing due to demand.

Ultimately I feel mining has to be profitable for the masses. If ASICs make it more profitable for the everyman then great. If there is no profit in mining at all then what's the incentive; ideology alone?

Independent miners is more decentralization, which is the ultimate goal.

In summary, I think we are not yet at a place where there is sufficient ASIC competition, and thus decentralization. But to some degree, by being ASIC resistant, we contribute to the problem.

I'd welcome a world where there were more ASIC manufacturers than current GPU/CPU manufacturers! This may be the future!

iamsmooth commented 6 years ago

I'm not sure a competitive/commoditized market for ASICs will ever make sense.

CPUs and to a lesser (but still some) extent GPUs have the markets they do not because of the manufacturing (which is at least as centralized), but because they are general purpose products, which lends itself to having many disperse and competing distribution channels. In most even mid-sized cities you can find multiple stores where you can go and buy CPUs and GPUs both as individual components and as part of a system. Plus of course on-line from both many resellers and manufacturers directly. There are thriving gray market channels (probably actual black market too, thinking about hijacked shipments, etc.), a robust and deep used market, etc.

None of this really exists for mining ASICs (just as it doesn't exist for other forms of ASICs) and may never exist, because it is far more specialized (er, "application specific"). It is natural to have a narrower and more structured distribution system which in turn naturally lends itself to a higher degree of centralized control and vertical integration where efficiency trumps reach. Though I guess it is possible to envision enough diversity among types of miners that there might be value in broader distribution (if so, then one likely needs to accept 'hobbyist miners' as an important part of the system).

Still this doesn't change the fact that unsuccessful ASIC-resistance (which some argue is inevitable) may still be worse than ASIC-friendliness.

jtgrassie commented 6 years ago

> I'm not sure a competitive/commoditized market for ASICs will ever make sense.

It could if there were no ASIC resistance and there was profit to be made. Forget about the profit, there's even no incentive for an open source ASIC design when there is this hardline resistance.

I do get the point of your CPU/GPU general purpose argument, but the prices have had a direct influence based on mining H rate. From production (demand) to gray-market sales (which are often even higher priced). Ultimately it doesn't matter whether CPU, GPU, FPGA or ASIC; whatever is most cost efficient to the person/organization - we risk centralization.

All I'm getting at is that currently, there are just not enough players in the ASIC space, so it risks centralization. If there were more, there would be a lower risk. But to get more, there has to be incentive.

Ideal state is that everyone that wants to be part of the ecosystem can run a node, mine and transact in the cheapest most decentralized way. ASICs could be a help sometime down the road.

iamsmooth commented 6 years ago

@jtgrassie There is very little risk of centralization at the level of access to equipment any time soon if ever for CPU mining, possibly not for GPU mining. The diverse and diffuse distribution channel and general purpose nature of the devices guarantees this.

There is a high risk of this with dedicated special-purpose ASIC miners. Indeed it is mostly just pure speculation that ASICs might, someday, become commoditized. If so, great, but we have no idea if that is actually true.

There will still be geographic, etc. centralization due to some aspects of energy cost, some degree of economies of scale, etc. but that's all additive.

stoffu commented 6 years ago

I wonder about the possibility of ASICs becoming so advanced, so cheap and so commoditized that they become the default choice as heating devices. Everyone needs heating, especially in the winter. The similar argument in andytoshi's writing sounds somewhat convincing to me.

Gingeropolous commented 6 years ago

@iamsmooth, indeed, perhaps egalitarian access to the nonce space was too strong a phrase. But in general I'm trying to communicate that a layperson with consumer hardware should have a chance. Even now, with a network that may or may not be flooded with ASICs, botnets, GPU farms, and webminers, a person mining with 300 h/s, which is on the higher end of a home PC, could get 0.396 XMR / year. It's not nothing.

I guess, ultimately, I think we should strive to keep mining feasible for your average person. In bitcoin, mining is not feasible with consumer hardware. With bitcoin, you would literally get nothing with a consumer grade home PC.

There are efforts to keep Cost of Node Operation down in order to make it feasible for your average person (sync optimizations, size reductions of proofs, etc). I don't think mining should be viewed any differently.

stoffu commented 6 years ago

@Gingeropolous

There are efforts to keep Cost of Node Operation down in order to make it feasible for your average person (sync optimizations, size reductions of proofs, etc). I don't think mining should be viewed any differently.

I agree, keeping CONOP low is vitally important. Then, what's your response to Andrew Poelstra's following argument?

4 Actual frequently asked questions.

2. Is ASIC resistance desirable?

No. ASIC resistance typically involves increasing algorithmic complexity to discourage ASIC developers. However, ASIC’s are still inevitable; all ASIC resistance does is increase the startup capital required and therefore increase centralization of manufacturing. Further, increasing the complexity of proof generation often means also increasing the complexity of proof validation, often disproportionately slow. This discourages (unpaid) nonmining validators, which also increases centralization.

iamsmooth commented 6 years ago

@stoffu "I wonder about the possibility of ASICs becoming so advanced, so cheap and so commoditized that they become the default choice as heating devices. Everyone needs heating, especially in the winter. The similar argument in andytoshi's writing sounds somewhat convincing to me."

Okay but this is somewhat extreme future stuff. 21.co tried that and it seems to not work out at all, yet. I don't know that it really has much bearing on whether ASIC-resistance is desirable in 2018. The underlying premise seems to be that you can't hard fork and whatever you do now you are stuck with forever, or at least until that somewhat extreme future arrives. Maybe a reasonable premise for Bitcoin...

increasing the complexity of proof generation often means also increasing the complexity of proof validation, often disproportionately slow. This discourages (unpaid) nonmining validators, which also increases centralization

I don't really buy this. One per block is not that significant. Validating the rest of the block is a lot more expensive, as long as the PoW validation stays within reason (there have been a few really stupid attempts with 10 second PoW validation time or something).

If anything, cheap PoW validation maybe encourages SPV clients (which don't validate the rest of the block), and that seems also centralization-increasing to me.

stoffu commented 6 years ago

@iamsmooth I agree with both of your points.

Another concern of mine with ASIC mining, even in the far future, is that their manufacturing will most likely not be commoditized, and there will be a chance that all or most of the manufacturers are pressured by a powerful attacker to secretly implement things like a “kill switch”. This concern is totally irrelevant for CPU/GPU mining because anyone can compile mining software from source.

jtgrassie commented 6 years ago

@iamsmooth I think a significant risk right now is your first bullet:

  1. Continued and repeated ad-hoc modifications to the PoW algorithm may accidentally (or even maliciously) introduce exploits.

I also recall a few comments from people on IRC with ASIC experience stating the most recent changes made will actually have little effect on any potential current ASICs. This points to the obvious need for specialist knowledge to help change the PoW each time it gets changed (both expert ASIC wise and security wise knowledge).

Being ASIC resistant thus far has certainly been a great benefit to the Monero ecosystem - how we can effectively maintain it is the issue IMO.

egodigitus commented 6 years ago

@iamsmooth @stoffu There is a company already experimenting with heating buildings through mining (https://www.cloudandheat.com/). And the centralization with ASIC manufacturers is similar to the IC manufacturers' market overall. It's a matured market (http://www.icinsights.com/news/bulletins/Samsung-TSMC-Remain-Tops-In-Available-Wafer-Fab-Capacity/).

sammy007 commented 6 years ago

Glad to read @iamsmooth's cool-headed points here. ASIC resistance is a no-go; it leads to industrial espionage and corruption, and to self-isolation and elimination, just like every attempt to resist progress. At least the status quo is needed for a while, until all pros and cons are measured.

@williams-r

Merged mining with bitcoin right now would increase centralisation pressure on bitcoin mining from the increased cost of node operation.

With merged mining you are getting a satellite coin for free also.

Actually, only one coin on a single algo survives. Look at btrash and look at BTC: btrash difficulty is almost 10x lower, so it is easy to attack in case it becomes a real threat for a major group of BTC maximalists.

If you think really long term, only the most efficient PoW survives, there will be a fight for energy.

SRCoughlin commented 6 years ago

@jtgrassie

This points to the obvious need for specialist knowledge to help change the PoW each time it gets changed (both expert ASIC wise and security wise knowledge).

This is the reason that I'm disheartened that people are commenting here on ASIC development when they clearly have never done it before. (The blanket statements about 'resistance is impossible', 'corruption', etc. are not what you hear from experienced chip designers. Even 'commoditization' has little meaning other than run size.)

There are not enough ASIC SMEs talking about this for any useful discussion to occur. If there were a formalized process, then we might learn something.

lisergey commented 6 years ago

Why not seek PoS+PoW+Proof-of-Activity algorithms as a way to make egalitarian use of cryptocurrency? I dislike PoW for its huge energy consumption. Lowering CONOP also means easing centralized scaling. Alone it wouldn't incentivize hobbyists either. PoS would attract long-term investors (pension funds etc.) and e-shops, PoA would attract traders. Combined, IMO, they would promote having a node of your own, with necessary limited mining. I would also seek a Proof-of-Uniqueness algo to withstand scaling.

SRCoughlin commented 6 years ago

@lisergey It's kinda hard to have a Proof of Stake or Activity when the coin is specifically designed to not track stake or activity.

hyc commented 6 years ago

Argon2 design is worth a read. They're only relying on memory-hardness, and otherwise simple computations. https://www.cryptolux.org/index.php/Argon2

lisergey commented 6 years ago

A miner would seek the most profitable rate/cost algo/hw combination. No interest in running a node if it is not mandatory. Then demand for more profit/cost-effective hw is stronger and wider. Those are ASICs. Sooner or later progress would solve the challenge of combining an FPGA with enough L3 cache, then most changes in the PoW algo would be acceptable to high-scale miners. Therefore I support @iamsmooth's ASIC-friendly proposal.

@SRCoughlin, do you see a way to incentivize a hobbyist miner to run a node with current PoW?

SRCoughlin commented 6 years ago

@lisergey You, as many others in this thread, seem to be confusing that which is in the interest of Monero miners with that which is in the interest of the entire Monero community. This is simply not true. Your argument about the 'acceptability' of high-scale miners is irrelevant because of this.

As far as hobbyist miners running a node, the best incentive is to continue altering the PoW to incentivize the continued success of hobbyist mining, some of whom would run a node as part of the process. The cost-efficiency of nodes is not applicable to people who do so for fun.

jtgrassie commented 6 years ago

@lisergey

A miner would seek the most profitable rate/cost algo/hw combination. No interest in running a node if it is not mandatory.

You're confusing miner, node and user.

Sooner or later progress would solve the challenge of combining an FPGA with enough L3 cache, then most changes in the PoW algo would be acceptable to high-scale miners.

An FPGA does not need to use L3 cache at all. They can already make use of RLDRAM3. See here for a better-informed dialog on FPGAs.

Therefore I support @iamsmooth's ASIC-friendly proposal.

I think you are misreading @iamsmooth's OP. I read this as a proposal to consider, not a proposal to actually support ASICs. Rather a discussion starter.

Gingeropolous commented 6 years ago

@stoffu, I think that argument is flawed. If there's a network that you can participate in that requires the computer you already own vs. a network that requires you to buy some multi-thousand dollar industrial machine, which has the lowest CONOP? I remember reading that post years ago and thought it was wrong then as well. It's almost like it's arguing for industrial scale mining.

You, as many others in this thread, seem to be confusing that which is in the interest of Monero miners with that which is in the interest of the entire Monero community.

Excellent point @SRCoughlin.

What is in the best interest of a cryptocurrency whose entire value comes from the fact that it's decentralized?

fluffypony commented 6 years ago

From my perspective, this move makes TOTAL sense if SHA3 ASICs are commoditised to the point of being commonplace. Consider: Monero mining already uses an "ASIC" in the form of it taking advantage of AES-NI extensions on CPUs to give them an unfair advantage. If SHA3 extensions existed, and most GPUs came with SHA3 ASICs baked in, then the Monero network would benefit by embracing those commoditised ASICs. It would lead to a PoW algorithm that is significantly faster to verify, which would lead to faster IBD and more efficient transaction and block propagation, whilst making it much harder to DDoS the network.

Between now and then I will do everything in my power to help the community prevent the proliferation of centralisation-inducing ASICs on the Monero network.

malsony commented 6 years ago

Bitmain has released a new ASIC model, X3, https://shop.bitmain.com/productDetail.htm?pid=000201803132107063379CD35Gxy064F What shall we do against them? :sob:

iamsmooth commented 6 years ago

@fluffypony "From my perspective, this move makes TOTAL sense if SHA3 ASICs are commoditised to the point of being commonplace"

That's a big chicken and egg problem isn't it? If you are expecting some other coin to do the heavy lifting first then you run into this once the hardware is highly optimized and already deployed on another large network:

@otheATgh

as I do not think that the same HW should be used for both coins, it gives BTC maximalists easy access to attack our network.

IMO the only way this can happen is for a major coin like Monero to adopt the algorithm seen as best suited to commoditization and then wait, perhaps through several generations of product and growth of the network until a desirable sufficiently-commoditized outcome is achieved. That can include a degree of lead time and inviting multiple manufacturers in to produce a product, perhaps jump-starting the process a bit.

I agree this is nothing like the current mining ASIC market.

Monero mining already uses an "ASIC" in the form of it taking advantage of AES-NI extensions on CPUs to give them an unfair advantage

And we've seen this is not nearly enough. The general purpose implementation, even with the embedded ASIC hardware inside CPUs, seems to be about 30-50x less efficient. That's a big deal and what it says about viability here can't be ignored.

prevent the proliferation of centralisation-inducing ASICs

Can't disagree with that. The idea here would be promoting ASICs that are not centralization inducing.

I don't think you can dismiss the downsides of this active anti-ASIC strategy. I'm offering an alternative that attempts to reach a more sustainable outcome while reducing centralization harms (or perhaps one could say substituting different, and hopefully less problematic, ones). Neither of these approaches may be fully successful though.

Gingeropolous commented 6 years ago

@iamsmooth

Neither of these approaches may be fully successful though.

Which may be a reason why something as seemingly bonkers as a multi-PoW system might work.

Block 1: cryptonight-v1 (or some other ASIC-resistant PoW; let's call it CV1). Block 2: ASIC-friendly PoW. Repeat.

Or maybe do 2 and 1, or whatever.

Or you could have 3 or 4 PoWs that cycle. Code complexity, obviously. But what does it accomplish?

By having two PoW, you prevent the control that an ASIC dominated network would have from ASIC mining centralization - because the general purpose hardware mining the ASIC-resistant PoW can also mine the ASIC PoW, just less efficiently. So ultimately, what is the most harm an Evil ASIC power can do, in general? Well, they can 1) stop block creation - just turn off miners with a kill switch 2) censor transactions and 3) perform a 51% attack. With a bifurcated PoW system, these threats from ASICs are eliminated. If the ASICs get turned off, the general miners can mine. If censorship begins, the transactions will still get included in the general purpose blocks. And can they really perform a 51% attack if they can never control more than 50% of the network hashrate, and they can't continuously keep adding onto their own chain?

Yes, the problem still exists of needing to have an ASIC-resistant PoW, and ultimately the ASIC side of the chain could become completely and undeniably centralized, so we could just be letting the wolf in the door.

As I've stated before, I am not in favor of ASICs until they are commoditised, but as you mentioned, this is a chicken and egg problem. So perhaps with a bifurcated PoW (bicameral PoW?), we can have the chicken and the egg coexist... Schroedinger's chicken.