Mega-pool Cockblocking Strategies

[ghost]

What could we do, if anything, to mitigate the dominance large pools?

Some idea floating around...

• Lock coinbase transactions for 100 years
• Miners sign block templates with private keys
• Hashing the whole blockchain
• get rid of tx_extra
• limit extra nonce size

[jwinterm]

And if we do any or all of these should we tone down randomx parameters to make verification easier on mobile or just switch to sha3?

[ghost]

I don't know how mining works, but all lgtm.

Making RandomX lighter in practice might be good enough for mobile. But it also makes switching away from it harder. I doubt anyone can change it ever.

So depending on what your vision is about the end game, it can be a pro or con.

[SChernykh]

Miners sign block templates with private keys

This is the only meaningful way to do this. But how exactly can it disable pools? If block template is signed before the nonce is searched (everything but the nonce is signed) then pool can just send signed templates to miners. If the template is signed after the solving nonce has been found, it can just be done at a pool side. So template signing must be a part of PoW then? For example, sign the template after nonce is applied, but calculate the final hash for everything including the signature. Yeah, that could work.

[00-matt]

limit extra nonce size

Couldn't a pool just mess with the timestamp or transaction ordering (if we don't enforce an ordering for txes) in that case?

[ghost]

I used to think profit switching pools were not too bad, but maybe I'm wrong.

Profit switching pools require someone to keep mining the blockchain when they don't, particularly when mining isn't profitable.

So solo miners and dedicated pools are actually feeding the profit of profit switching pools, at the expensive of their own losses. And if they stop mining at a loss, the chain is ded.

Guess I support making profit switching pools infeasible, at least for chain security.

[ghost]

There are no FPGA / ASIC profit switching pools right? So I guess SHA-3 is also an option?

[00-matt]

FPGA / ASIC / CPU / GPU has nothing to do with profit switching

[ghost]

Do you know any profit switching pools that are targeting FPGA / ASIC ?

[00-matt]

ViaBTC does for sha256d coins, and multipool.us for scrypt, sha256d and x11.

[ghost]

Thanks, well, that sucks.

[tevador]

So template signing must be a part of PoW then? For example, sign the template after nonce is applied, but calculate the final hash for everything including the signature. Yeah, that could work.

I like this idea. Miners would have to:

1. Select a nonce value.
2. Sign the block header using the secret spend key from the coinbase transaction.
3. Append the signature to the block header.
4. Calculate a RandomX hash of the long block header.
5. Check if the hash is below the target. If not, go back to step 1.

This would not significantly impact hashrates because an Ed25519 signature takes <10 <50 µs, while a RandomX hash takes 1000-2000 µs.

When used on an ASIC-friendly blockchain that uses a fast hash function, the mining speed would be bottlenecked by signing performance, which might incentivize the development of specialized circuits for fast digital signatures.

[ghost]

@tevador:

When used on an ASIC-friendly blockchain that uses a fast hash function, the mining speed would be bottlenecked by signing performance

Does this mean an ASIC will have to compute something more than just a hash, will that make ASIC design harder?

[ghost]

Is it possible to replace 3. 4. with:

Calculate a RandomX hash of the signature ?

[tevador]

Calculate a RandomX hash of the signature ?

Yes, since the signature includes a hash of the block header. This would decrease the amount of data to hash from 140 to 64 bytes and save 1 run of the Blake2b compression function.

[MoneroOcean]

[Thunderosa]

Just limit pools to 1 block each. Make them promise.

[jwinterm]

Does mining to a multisig address change the calculus in any of this?

Edit: Nevermind, that wouldn't work if miners need to sign every hash.

[tevador]

Multisig wouldn't work and additionally, the coinbase tx would have to either be limited to 1 output or require one signature per output key (this would require some variable-size structure in the block header).

[ghost]

migrated to https://git.wownero.com/wownero/meta