Author

Topic: Anti-pool algorithm PoW (Read 409 times)

legendary
Activity: 3472
Merit: 10611
July 25, 2019, 11:10:16 PM
#10
Quote
the use of fairly simple mining algorithms
i am still not convinced whether more complicated algorithms solve anything about centralization of mining power. the rich elite can still accumulate large number of any equipment needed to mine and still control a large portion of the hashrate. whether it is CPUs, GPUs, or ASICs.

Quote
Hence, the lack of protection from creating large mining pools leads to, essentially, centralizing mining and to the possibility of censoring transactions by a small circle of people.
that doesn't centralize "mining", even with pools the mining is still decentralized but having big pools gives more power to these pools which they can use to influence the network.

in any case your subject reminds of "BetterHash", in case you aren't aware of it here is the link: https://github.com/TheBlueMatt/bips/blob/betterhash/bip-XXXX.mediawiki
mda
member
Activity: 144
Merit: 13
July 25, 2019, 03:53:21 PM
#9
Solo mining doesn't exactly help with on-chain scaling. Wouldn't it be easier to detect censored transactions and boycott offending pool?
legendary
Activity: 2674
Merit: 2334
July 25, 2019, 11:58:55 AM
#8
As I said before, version 1.0 of the anti-pool algorithm PoW described above has a substantial disadvantage. Miners can perform the first and the second cycles once and after that they can skip these cycles and find the block which meets the requirements, iterrating over the sign_nonce digit of the ECDSA scheme based on the secp256k1 elliptic curve, using special equipment. Thus, some miners may obtain multiple superiority over miners who do not have ASIC. Therefore, I propose the following solution which avoids this disadvantage.



Anti-pool algorithm PoW - Version 2.0

The main problem with the implementation of version 1.0 is the inability to sign a hash (digit) equally and single-vary without loss of security and safety, because the sign_nonce digit of the ECDSA secp256k1 scheme must be a random number unknown to a third party. Otherwise it is very easy to calculate the R digit and then the private key K from the S digit. That is why the primary task for solving the described problem is to discover such asymmetric cryptography which allows to sign a hash (digit) securely enough and gives the same and equal result.

To implement version 2.0 of the anti-pool algorithm PoW, I propose to use RSA (Rivest-Shamir-Adleman) asymmetric cryptography which is widely adopted, for example, in the well-known PGP (Pretty Good Privacy) application. In this cryptography, to enhance security, a digit (hash), which is the plain message M, is usually encapsualted into another (larger) digit using a Probabilistic Signature Scheme (PSS) before signing. In this scheme the so-called "salt" that is a random digit (in fact, sign_nonce) is used by default, but this parameter may be omitted. Thus, the PSS scheme without the "salt" gives an equal result if the same hash (digit) is being signed. Of course, a signature without a "salt" is less secure but not significantly.



An example implementation of the algorithm

To test version 2.0 of the anti-pool algorithm PoW, you can use the well-known OpenSSL application. At present time, RSA cryptography typically uses a public exponent E, equal to 65537, and a public key N having a length of 2048 bits (256 bytes).


To generate an RSA key pair:

1) Create a private key consisting of two primes P and Q, each of which has a length of 1024 bits (128 bytes):

Code:
openssl genrsa -out private_key.pem 2048

2) Calculate the public key N that has a length of 2048 bits (256 bytes). In fact, this is a multiplication of two primes P and Q.

Code:
openssl rsa -in private_key.pem -outform PEM -pubout -out public_key.pem


To sign the header hash using the RSA-PSS scheme:

1) Calculate the block header hash through an ASIC-resistant algorithm and save the result which has a length of 256 bits (32 bytes) into a text file, for example, "block_header_hash.txt".

2) Sign the block header hash and save the RSA signature into the file "block_header_hash.txt.sig":

Code:
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:0
-sign private_key.pem -out block_header_hash.txt.sig block_header_hash.txt

It should be noted that the rsa_pss_saltlen parameter is equal to zero, therefore the result of executing this command is always the same and single-vary if the input data of the file "block_header_hash.txt" are not changed.


In version 2.0, the block header structure contains 7 fields:
  • 1) block_version (4 byte)
  • 2) previous_block_header_hash (32 bytes)
  • 3) block_timestamp (8 bytes)
  • 4) transaction_count (4 bytes)
  • 5) merkle_root (32 bytes)
  • 6) required_leading_zero_bit_count_in_rsa_sign (1 byte)
  • 7) block_nonce (8 bytes)

The signature block_header_hash_rsa_sign_without_salt (256 bytes) is written further. The total size of the block header size with the RSA signature is 89 + 256 = 345 bytes.


To implement version 2.0 of the anti-pool algorithm PoW, transactions must simultaneously support addresses based on ECDSA and RSA cryptographies. Suppose Bitcoin as an example. In this case the new OP_CHECKSIGN_RSA should be introduced. This function verifies the last two values from the stack (signature S and public key N) using the PSS scheme (with "salt") and checks the validity of the transaction input script.

Code:
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
-sign private_key.pem -out transaction.txt.sig transaction.txt

In this command the rsa_pss_saltlen parameter, which is -1, indicates that the length of "salt" is equal to the length of the SHA256 hash (that is, 32 bytes), so security and safety will be at high levels.


It is important that a valid COINBASE transaction should contain one output and send a reward for mining and all transactions fees included in the block to the address which is the RSA public key. Other miners will verify the signature of the block header hash using this key. The input script of the COINBASE transaction may be used, for example, for votings, annoucements and other marks.

The output script "scriptPubKey" of the COINBASE transaction must be in the PAY-TO-RSA-PUBKEY format:

Code:
OP_DUP OP_EQUALVERIFY OP_CHECKSIG_RSA

Accordingly, the signature S and the public key N must be defined in the input script of the futher transaction in order to spend this output in the future:

Code:



Conclusion

The presented version 2.0 of the anti-pool algorithm PoW avoids the substantial disadvantage of version 1.0 and also adds some features. The RSA-PSS scheme without "salt" will not allow miners to iterate over the sign_nonce digit instead of the iterating over the block_nonce digit as was possible in version 1.0 of the anti-pool algorithm PoW, so they will be forced to calculate the block header hash through an ASIC-resistant algorithm many times. In addition, administrators of botnets and websites are unlikely to install hidden JS-scripts, because the RSA private key (which is the P and Q digits) is required at each mining iteration.

The described algorithm can provide resistance to ASIC, decrease the centralization of mining and, as a result, reduce the possibility of transaction censorship by a small circle of people.
member
Activity: 148
Merit: 45
https://bitaps.com/
December 21, 2018, 11:55:18 PM
#7
I think we can put coinbase transaction signature to coinbase transaction sigScript. In this case we can upgrade Bitcoin through softfork and implement anti pool protection.
legendary
Activity: 2674
Merit: 2334
December 19, 2018, 06:52:26 PM
#6
Quote
sign_nonce = mod(block_header_hash, N)
R = X of mulPoint(sign_nonce, G)
S = mod(invert(sign_nonce, N) * (block_header_hash + (K * R)), N)
Quote
In such scheme the miners will consolidate their computional powers but only within the boundaries of the server room or a small group of trusted participants, otherwise coins from the COINBASE transaction address can be immediately stolen by an untrusted miner.

I'm wondering if things went like this? "Problem ECDSA signing isn't derandomized so I know...! I'll invent some novel crypto. Nothing could go wrong."

I'm guessing your central idea isn't to have used completely insecure crypto, thus permitting first third party in their lightcone to steal the funds?

Thanks for your answer. I was in doubt whether the private key (K) can be calculated if the digit sing_nonce used in a signature RS is published. As far as I understand, sing_nonce must be a random 256-bit digit and may not be shared with third party. Therefore I edited my first post.

In this case the miners will be calculating the block header hash once and then iterating over the signature RS that meets the requirements using the asymmetric cipher ECDSA secp256k1. I am confident that signing a hash is not an ASIC-resistant operation.
legendary
Activity: 1456
Merit: 1176
Always remember the cause!
December 19, 2018, 04:31:19 PM
#5
OP,
Pooling Pressure is a known flaw for bitcoin and PoW coins based on winner-takes-all approach. I've thoroughly analyzed pooling inevitability because of mining variance problem which is a direct result of the said approach which implies a Bernoulli distribution of chances because of its binary nature (you-win-all/you-win-nothing).

Briefly speaking when you have a 1/1,000,000 chance of hitting a block,  you have a very high risk of hitting no blocks in years and it is the case for a small miner utilizing 3 Antminer S9s at the time of this writing. This is why small and medium sized mining farms NEED to join pools, otherwise they wouldn't be able to afford their costs.

Obviously, pools are the most ugly truth about bitcoin and should be addressed but your approach is not a solution to this problem because it is rather destructive as it causes pools to shut down their operations (given that they wouldn't find a workaround for it)  while the pressure is still there! As a result, it pushes out miners with less than like 0.01 total hashpower out of the game and makes bitcoin mining a highly centralized industry because with shares less than that level they will start becoming a gambler rather than a business man or woman.

A real fix for pooling pressure should change bitcoin winner-takes-all approach  and it is what I've proposed in POCW here.

full member
Activity: 135
Merit: 178
..
December 19, 2018, 04:21:25 AM
#4
2) The block header is being hashed by an ASIC-resistant or CPU-ONLY mining algorithm.

so it was all about disabling ASIC devices in a PoW..

Hence, the lack of protection from creating large mining pools leads to, essentially, centralizing mining and to the posibility of censoring transactions by a small circle of people.

and disabling ASICs dosen't necessarily prevent pools from acting centralized.. and signing messages also can't stop this. one pool still can gather processing power in other ways and become the majority. hope I didn't miss something important in your proposal.

UPDATE:

solo miners still could join a pool and each of them check a defined range of values for mining. look at p2pool.
staff
Activity: 4284
Merit: 8808
December 19, 2018, 12:21:47 AM
#3
Quote
sign_nonce = mod(block_header_hash, N)
R = X of mulPoint(sign_nonce, G)
S = mod(invert(sign_nonce, N) * (block_header_hash + (K * R)), N)
Quote
In such scheme the miners will consolidate their computional powers but only within the boundaries of the server room or a small group of trusted participants, otherwise coins from the COINBASE transaction address can be immediately stolen by an untrusted miner.

I'm wondering if things went like this? "Problem ECDSA signing isn't derandomized so I know...! I'll invent some novel crypto. Nothing could go wrong."

I'm guessing your central idea isn't to have used completely insecure crypto, thus permitting first third party in their lightcone to steal the funds?

If so you might want to revise your proposal, perhaps minimizing the number of novel cryptographic structures you attempt to construct.

Aside, the response to no pool mining, isn't "I guess I won't pool mine", it's "I guess well fund bob to build us a big centrally controlled mining farm to mine for us and share the income".
legendary
Activity: 2674
Merit: 2334
December 18, 2018, 08:53:16 PM
#2
Reserved.
legendary
Activity: 2674
Merit: 2334
December 18, 2018, 08:52:55 PM
#1
Introduction

According to Bitcoin whitepaper, Blockchain technology was originally developed by Satoshi Nakamoto as a decentralized solution based on the Proof-of-Work algorithm. Users of the system can make safe payments in an untrusted environment without the possibility of censoring transactions by third parties.

However, the use of fairly simple mining algorithms in this technology often leads to manufacturing a special equipment. As a result, some miners obtain a multiple superiority over miners who do not have ASIC. In addition, in such a situation the miners consolidate their computational powers into mining pools. The administrators of these pools send tasks using the STRATUM protocol and gain a reward for the block added to the blockchain.

Hence, the lack of protection from creating large mining pools leads to, essentially, centralizing mining and to the possibility of censoring transactions by a small circle of people.



Anti-pool algorithm PoW - Version 1.0

To solve such problems, it is proposed to use the following anti-pool algorithm PoW which can also increase ASIC-resistance of mining. The basic idea is that each iteration of mining is being signed with the private key of the COINBASE transaction. It is needed to take into consideration that this transaction should have only one P2PK or P2PKH output.

The structure of the block header contains 7 fields:
  • 1) block_version (4 bytes)
  • 2) previous_block_header_hash (32 bytes)
  • 3) block_timestamp (8 bytes)
  • 4) transaction_count (4 bytes)
  • 5) merkle_root (32 bytes)
  • 6) block_difficulty (8 bytes)
  • 7) block_nonce (8 bytes)

The signature block_header_hash_sign (64 bytes) is written further.

The COINBASE transaction and other transactions follow further in the block.


The mining cycle consists of 4 stages:

1) The digit block_nonce (8 bytes) is being changed in the block header.

2) The block header is being hashed by preferably an ASIC-resistant or CPU-ONLY algorithm.

Actually, the difficulty of hashing does not matter, because the first and second stages is likely to be perfomed once and the mining cycle will consist of only the third and fourth stages.

3) The resulting hash of the block header (32 bytes) is being signed with the private key (K) of the COINBASE transaction using the asymmetric cipher ECDSA secp256k1.
The block header hash taken by modulo N is being used as a digit sign_nonce (32 bytes).

Quote
sign_nonce = mod(block_header_hash, N)
sign_nonce = mod(random256bit(), N)
Code:
R = X of mulPoint(sign_nonce, G)
S = mod(invert(sign_nonce, N) * (block_header_hash + (K * R)), N)

4) The signature of the block header hash RS (64 bytes) is being checked with counting, for example, the number of the last zero bits (LSB of the digit S). If this number is less than the targeted difficulty, the digit block_nonce (8 bytes) is being changed again and the mining cycle is being repeated.


If a mining cycle is successful, the miner changes the signature RS block_header_hash_sign (64 bytes) in the block and broadcasts this mined block to the network as soon as possible.



Conclusion

In such scheme the miners will consolidate their computational powers but only within the boundaries of a server room or a small group of trusted participants, otherwise coins from the COINBASE transaction address can be immediately stolen by an untrusted miner.

Since the matching of the digit sign_nonce (32 bytes) and the block header hash taken by modulo N can be verified without using the private key of the COINBASE transaction, miners will not be able to iterate over the signature RS that meets the requirements using the asymmetric cipher ECDSA secp256k1 instead of hashing the block header, using an ASIC-resistant algorithm.
If miners send hashes to the mining pool over the network, this will be huge traffic leading to a radical decrease of mining efficiency. However, miners will be able to change the digit sign_nonce (32 bytes) and iterate over the signature RS that meets the requirements using the asymmetric cipher ECDSA secp256k1 instead of hashing the block header, using an ASIC-resistant algorithm.

The described anti-pool algorithm PoW enables to significantly reduce the centralization of mining. The absence of large mining pools decreases the ability of third parties to censor transactions and also raises the chances of receiving a mining reward by ordinary users of the system who have a full node.

This post has been edited on July 25, 2019.
Jump to: