
Topic: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt - page 3. (Read 13950 times)

sr. member
Activity: 404
Merit: 362
in bitcoin we trust
(Here's a ppcoin-like idea I wrote before reading about ppcoin.  I haven't quite managed to decipher the ppcoin wiki page, finding it hard to isolate a concise definition of its mechanism and intended low-level effects.  Maybe someone who has internalized ppcoin could skim this idea below and tell me if it is the same as ppcoin (but simpler?) or not.)

There might be other ways to tilt the field towards p2p control also without changing the mining function.

One could give coins accompanied by first 4 year (50 coin block private keys) from the block chain some definitional hashcash mining boost.  This boost only has value for protocol voting, but NOT coin reward, and could be an interesting drag on corporate control.  Would give Satoshi some anonymous power if he is still around and mining.  There'd have to be some coin reward to encourage the GPU miners with old private keys to play and keep the p2p aspect going, other than altruism, but it could be a different payout.  The generation 1 private keys boost level would frustrate subsequent control centralization.  Also the boost private keys are the first miner original keys only; the boost can't be transferred by bitcoin purchase to the new address's private key.

Adam
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
If a general purpose CPU can do it, then a purpose-built CPU can do it faster.  The best you can do is make it expensive for someone to develop an effective ASIC.  Also, time is money, so if you use a random pool of algorithms, then the only people that will have ASICs are those that can afford to develop them quickly.

Agreed, good synopsis of the problem.

Quote
Having a single simple hashing algorithm is better than having a difficult one, or having a pool of them chosen randomly.  The reason is that it keeps the barrier to entry lowish for new ASIC producers.

Building an ASIC for SHA-256 is pretty simple.  At least 3 different groups have already done it, on shoestring budgets and somewhat quickly.  Increase that to maybe dozens if you include the not-suitable-for-bitcoin streaming hasher chips that are commercially available.  If (heh) they abuse their position as first movers, the barrier to their competition is very, very low, on the order of tens of thousands of dollars and several months to get started.

Making ASIC development more difficult will keep out the people that we want to include

That's a rather good point, I like it.  That might even win the argument if we see ASICs of good quality and efficiency flood the market in the next few years, partly as a result of the simplicity of SHA/hashcash.

Quote
and do nothing whatsoever to exclude the people that some would like excluded.

It would do something about the people we want to exclude, that was my point/intention anyway: there are limits to custom hardware optimization where it becomes just too expensive and you're better off buying or making a faster CPU.  Intel is a target you're chasing at the speed of Moore's law.  Particularly if the algorithm is changing every 6 months in interesting and novel ways.  Imagine someone comes to you with a mountain of money and says build me this custom CPU in 3 months (so there's three months left to start mining).  Maybe you can't do it in time to repay the investment.  Maybe you can't do it in the timeframe with any amount of money.  Even all of it - there are complexity and science limits for hw gurus and chip fab people etc.

But maybe that's too simplistic a view of the hw response to the challenge, e.g. maybe they optimize in the direction of reconfigurable flexibility - e.g. ultra flexible, ultra fast, 22nm FPGAs with more pre-optimized lumpy parts (FP units, cache arrays, integer units, etc).  But then there is an argument that that might however be a rather nice general purpose re-programmable CPU, so maybe everyone and his dog will be able to buy cards and racks with them on par with miners.  And if it becomes reusable enough, it becomes a product with general availability, and that becomes a win for dynamic epoch redefinition of mining function.

If the target is too flexible, particularly dynamic over too short an interval, the hw guy either loses to Intel, or he builds an Intel competitor flexible hw reconfigurable CPU that everyone (supercomputer vendors, scientific computing, dynamic function miners) will want to take off his hands.  Either way it's a win for the dynamically changing mining function approach.

It takes a lot to compete with Intel.  Even AMD can't seem to do it these days - though AMD make real nice GPGPUs.


But your main point, "simple hashing algorithm ... [as it] keeps the barrier to entry lowish for new ASIC producers", stands, and maybe is more robust than the harder to quantify difficulty of super-optimizing hw for an inventively changing mining function - harder to project what could be done, and anyway if the sheer simplicity of the hashcash mining function is enough to ensure p2p availability of hw, it is a more elegant, simpler solution.  Simplicity I like.

You know there may be more than hw availability also to consider.  Many GPU miners are mining because they have a GPU.  If some of them had to pay for the miner they may drop off.  But bitcoin could probably live without that if it had to (sad though it would be to have them lose their fun without buying an ASIC.)

Adam
sr. member
Activity: 434
Merit: 250
In Hashrate We Trust!
maybe this is a noob question: why don't we use the computing power of the bitcoin network for something useful (let researchers use the computation power) in combination with the current algorithm?
sr. member
Activity: 404
Merit: 362
in bitcoin we trust

Very nice to see you here (although perhaps you meant 2008-2009 wrt emails from Satoshi)

I did - quite significant typo/braino there.   I also don't know who Satoshi is and the first I heard of bitcoin was a 2008 email from him as I mentioned.  (Or one of the crypto lists, I can't remember which came first or which I saw first).

Quote
just as an offside (being someone who has implemented hashcash into a webmail app as a tip of the hat to the invention itself rather than anything I expect people to use) can you shed light on why it (hashcash) never actually took off wrt fighting spam (was it due to the emergence of smart phones that would have forced the difficulty to be too easy or the success of Bayesian equation algos or perhaps some other reasons)?

Not clear.  Maybe failed to achieve enough momentum on the network effect.

Its use is clearly small, but it may be like S/MIME: it may have many more clients deployed who would act on it if anyone would bother sending them some hashcash (mainly server located hashcash capable spamassassin) relative to the small number of stamps.

There was also a nay-sayer article about the economics of it all claiming it would be insufficient to deter spammers.  "Proof of Work proves not to work" (I put it on http://hashcash.org/papers/ also.)

Also you may or may not know Microsoft did their own hashcash fork (choosing it over their own R&D labs memory bound functions (first version of the concept scrypt is based on).  They deployed it I think into Exchange, Outlook, maybe Hotmail.  I didn't follow it too closely.  They released on an open spec, and one could even implement the changes into the open source hashcash.  Was on my to do list for a while, still languishing.  But who can work on spams when there are bitcoins for enciphering minds to think about

Kind of lame that I didn't put that Microsoft hashcash fork link on the hashcash site that I can see now.

btw it also occurred to me recently that you could recycle low bitcount bitcoin failed hash attempts for hashcash, just stuff the email in a bitcoin ignored field.  Sure the format is binary and different, and big, but maybe it could be tweaked somehow to include hash( bitcoin stuff ) to be ignored by hashcash email other than as a randomization or ignored field, in a way that still makes sense to bitcoin.  Combined anti-spam with bitcoin as a freebie.  Or something the ASIC miners could do as a sideline is spam like crazy.  Ok for the GPU users though.

However I do worry about the privacy implications of that.  If you mined a 25 blocker and have to disclose a recipient that's not ideal.  You could probably fix that e.g. through a separate field that is encrypted, before hashing, and the encryption key sent with the hashcash for the recipient to verify, but kept private from the bitcoin network.  Maybe they'd even have an indirect satoshi level value for email postage uses.  Though they are not transferable as hashcash is fully decentralized and scalable, i.e. the miner has to be the mail sender generally, because the stamp includes the email recipient in the hash.  (Though the encrypt-the-recipient-address-before-hash trick would allow moderately privately outsourcing the work.  I say moderately because the miner can still correlate the stamp issued to the email if it got logged.  Don't forget these things were also meant to cope with anonymous remailers.  Even for regular email it's just not smart to scatter around electronic breadcrumbs in the name of outsourcing a few seconds of CPU without some cryptographic unlinkable blinding, which seems doable but I didn't explore)

Adam
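The stamp-with-hidden-recipient idea in the post above, worked through as an added example (this is not code from the thread, from hashcash, or from Bitcoin). It follows the hashcash v1 stamp layout `ver:bits:date:resource:ext:rand:counter` hashed with SHA-1 and counted by leading zero bits, but where the post says "encrypt the recipient before hashing and send the key to the recipient", this example uses a keyed commitment (HMAC-SHA256 over the address) in the resource field as a stand-in for encryption: anyone can check the work, only the holder of the key can confirm which address the stamp was minted for. The address, date and difficulty values are constructed for the example.

```python
"""Hashcash-style stamp whose recipient is hidden from third parties.

Added example, not part of the original thread or of hashcash itself.
Stamp layout mirrors hashcash v1: '1:bits:date:resource:ext:rand:counter',
proof is SHA-1(stamp) having at least `bits` leading zero bits. The resource
field carries an HMAC commitment to the recipient instead of the address
(a substitute for the "encrypt before hashing" step described in the post).
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the hashcash 'collision' size)."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def commit_recipient(recipient: str, key: bytes) -> str:
    """Keyed commitment to the recipient address; 32 hex chars keeps the stamp short."""
    return hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:32]


def mint(resource: str, bits: int, date: str = "130402", rand: Optional[str] = None) -> str:
    """Brute-force a counter until SHA-1(stamp) has `bits` leading zero bits."""
    if rand is None:
        rand = secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def check(stamp: str, min_bits: int) -> bool:
    """Public check: anyone (including a relay that never learns the recipient)
    can verify the stamp claims at least `min_bits` and that the work is real."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    try:
        claimed = int(fields[1])
    except ValueError:
        return False
    if claimed < min_bits:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed


def mint_private(recipient: str, bits: int) -> Tuple[str, bytes]:
    """Mint for `recipient` without exposing the address; the key travels
    with the stamp to the recipient (out of band from any public ledger)."""
    key = secrets.token_bytes(16)
    return mint(commit_recipient(recipient, key), bits), key


def check_private(stamp: str, key: bytes, my_address: str, min_bits: int) -> bool:
    """Recipient-side check: work is valid AND the commitment binds to my address."""
    if not check(stamp, min_bits):
        return False
    resource = stamp.split(":")[3]
    return hmac.compare_digest(resource, commit_recipient(my_address, key))


if __name__ == "__main__":
    # Constructed sample: 12 bits is a few thousand SHA-1 calls, fine for a demo.
    stamp, key = mint_private("alice@example.org", 12)
    print(stamp)
    print("relay accepts work:", check(stamp, 12))
    print("alice accepts:", check_private(stamp, key, "alice@example.org", 12))
    print("bob accepts:", check_private(stamp, key, "bob@example.org", 12))
```

The relay-side `check` is exactly the part a network that only cares about work can run; the recipient-side `check_private` is what the "send the key with the hashcash" step buys. The post's caveat still holds: whoever minted the stamp can correlate it with the email later if either side logs it, and this construction does nothing about that linkability.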
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
Well, if you don't mind, I will provide a few comments without specific quotes:

When you account for pooled mining, ASICS become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

It thus appears to me that, if empirical evidence is to be trusted, ASIC resistance (or lack thereof) will have little to no effect on "decentralization", primarily due to very strong centralization arising  from "pool" infrastructure.

Well I don't think that's as dangerous a problem as corporate control by a long way.  A pool can't misbehave much.  If it does the users will realize and pull out and it'll go under.

Quote
P.S.:
My limited understanding of concepts involved suggests that "poolproof" design is possible, but my limited understanding of miner behavior suggests that it would be woefully unpopular.

Surely that's just a question of mining in much smaller parts, so that rewards are measured in the satoshis range instead of 25 whole coins.  I think the harder but probably solvable problem, if it was desired, would be p2p traffic efficiency.  I do think poolproof would be useful.

Quote
P.P.S.:
As far as alt-coins go, I would prefer ppcoin and namecoin over litecoin.

ppcoin seems interesting.  I think I reinvented it or something similar, had another post in draft form, though ppcoin seems complicated, at least the way it's explained on the wiki (not sure I fully understood it from a quick skim of the wiki).  Will post my similar idea next.

Adam
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
In the very long run, mining will be dominated by your cost of electricity and your ability to put the excess heat generated to good use.

[...]

In the short run... I think there is zero chance that "we" will decide to change the hashing algorithm.

Go the satoshi-quo -- I am not displeased -- you're using my mining function (with pretty much no wikipedia attribution anywhere btw other than Satoshi's paper *), and I am also attached to it, and frankly I did guess that would be the likely, and with some justification, community response.  And indeed as I said in another post I appreciate the Satoshi-quo quite strongly for concept stability that may affect investors' confidence.  And I'm game to see how that turns out.  It'll be an interesting ride.

It remains to be seen whether ASICs become available to the user-level participants in enough volume to mean that the network remains > 50% controlled by users.  The economics dynamic is too hard to tell.  I do very much hope it works out that way strongly enough to keep the network well in excess of 50% p2p controlled.

What the community can do is try to bootstrap garage, kickstart, small co mining manufacturing enterprises to help retain the p2p power balance.  Unfortunately I don't have the direct skills to help with that much because I am not a hardware hacker.

If the corporate controlled entities amassed enough of a majority of network hash power (e.g. > 90%) for a year or so period they may feel confident enough to fork the protocol.  Don't forget they may be forced to, as advised by conservative corp lawyers, even if it may likely destroy the p2p aspects of the bitcoin network, and indirectly perhaps their own profit.  (Which they may or may not see coming).  If that happens I would be worried for the longevity of bitcoin's distinguishing features (other than virtual hashcash gold based paypal like concept with the usual seizure, blocking, payment roll back etc issues).

And I suppose there is an implicit backup plan if bitcoin devolves into non-p2p, corporate controlled, stripped of most useful p2p era functions, but still working in a paypal like way (balance seizures, account blocks, transaction rollbacks included) system, then a replacement more agile mining process or other innovation crypto-currency may rise up from the ashes or be adapted by the p2p community as a continuation of the p2p bitcoin ethos.

Quote
if a general-purpose CPU was the only thing you could use for mining, you might see general-purpose CPUs designed to operate at thousands of degrees celsius being designed so that aluminum smelting plants can also mine bitcoins with all that electricity they use turning bauxite into aluminum.

Well actually that would be of general utility as a (faster at all costs) next gen CPU, and so it would more tend to have universal availability - the market for CPUs is much larger than miners - and scientific computing would love to use it.  It's also an inherently useful innovation force (in a bread pudding protocol like way) whereas ASIC hashcash miners are laser focused and of little non-bitcoin use.

There is an estimate that there is a (massive) computing physical limit - that does involve very high temperatures.  I forgot the number of groups of 000s on the operations per second the physicist's paper I read had estimated, but it would make an unbelievably ferocious miner indeed if humanity could ever get that close to the physics computing limit.  (That physical limit model assumes no quantum computing).


But I've said my piece, and maybe it'll inspire people to poke at various alternatives (though please no gratuitous no-innovation bitcoin forks!).  Got the bitcoin equivalent of my 1990s "CAs are going to be abused by governments to issue rogue certs" warning in.

And I'm just warming up on the crypto suggestions...

Adam

(*) I added the hashcash ref on the bitcoin wiki, as it also didn't reference it as I recall, and I had a go at adding something on wikipedia but the editors/moderators didn't seem inclined and I didn't have the energy to argue with them.
member
Activity: 64
Merit: 10
In the very long run, mining will be dominated by your cost of electricity and your ability to put the excess heat generated to good use.

In 2011 in Germany less than 25% of power [1] from renewable energy sources was actually used due to the volatility of sources (something we are used to :).  This number might improve much when the big network of clean energy is built in the EU.  But still there will be a lot of time when unused power will be basically free.  And mining, unlike other activities, can be perfectly adjusted for those periods.  Worldwide there will always be places where there is an excess of power, so the hashrate will be somewhat stable.

I don't think electricity is the best source of heat. Especially from asics, which must operate at quite low temperatures to be efficient. And with the development of new technologies, the logic elements are smaller and smaller, which will require lower temperatures to operate properly (otherwise quantum tunneling will cause errors). So actually availability of cooling material will be important (imagine a farm on Antarctica).

[1] http://www.erneuerbare-energien.de/fileadmin/ee-import/files/pdfs/allgemein/application/pdf/ee_zeitreihe.pdf
legendary
Activity: 1232
Merit: 1094
I'm not really the To Go Guy in this regards, but it seems to me that for various "distributed work generation" systems to work, pool's clients must be kept aware about all the transactions that need to go into the block OR ELSE.

There are 2 separate issues.  Distributed verification of the block chain can be slow.  A 1 hour delay before an error is detected is not that big a deal, only the latest transactions are affected.

However, if miners know that any illegal transaction in the block chain will be reversed within an hour, then they will make sure their blocks are ok.

Producing new blocks in a distributed way is harder.  You have to produce and verify the block within a very short period of time.
member
Activity: 112
Merit: 10
Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

I don't think they are necessarily insurmountable, but yeah, missing data is hard to handle.

Personally, I think adoption / social issues may turn out to be worse than technical ones (though the latter have not been surmounted yet, either).

Your typical pool, and your typical for-profit miners don't give a single rat's ass about decentralization or whatever. They're in it for the money, which isn't necessarily a bad thing, but could easily lead to a kind of "tragedy of the commons" scenario.

If a transaction 20k blocks before the end of chain goes missing, does that invalidate the chain?

I'm not really the To Go Guy in this regards, but it seems to me that for various "distributed work generation" systems to work, pool's clients must be kept aware about all the transactions that need to go into the block OR ELSE.



You simply cannot make an algorithm that is, in general, resistant to ASICs.  If a general purpose CPU can do it, then a purpose-built CPU can do it faster.   

While probably true in a general sense and almost certainly true in the "efficiency" ("performance/J") sense, I am not convinced that the difference between ASIC and CPU cannot be made rather unimpressive by clever algo design.  There's clearly not enough work in this area, however.

Also, if you, at the very least, can drive ASIC development and manufacture costs high enough (which isn't impossible), you can render any ASIC operation economically unsound.

P.S.:

If we're talking an economically irrational opponent with virtually unlimited funds, then ASIC resistance, theoretical or otherwise, becomes irrelevant.

Such an opponent would buy up whatever equipment he needs to dominate your chain, be it CPU rigs, ASICs, or goddamn Blue Gene.
kjj
legendary
Activity: 1302
Merit: 1026
I'm going to take the pro-SHA/pro-ASIC stance.

Having a single simple hashing algorithm is better than having a difficult one, or having a pool of them chosen randomly.  The reason is that it keeps the barrier to entry lowish for new ASIC producers.

You simply cannot make an algorithm that is, in general, resistant to ASICs.  If a general purpose CPU can do it, then a purpose-built CPU can do it faster.  The best you can do is make it expensive for someone to develop an effective ASIC.  Also, time is money, so if you use a random pool of algorithms, then the only people that will have ASICs are those that can afford to develop them quickly.

Building an ASIC for SHA-256 is pretty simple.  At least 3 different groups have already done it, on shoestring budgets and somewhat quickly.  Increase that to maybe dozens if you include the not-suitable-for-bitcoin streaming hasher chips that are commercially available.  If (heh) they abuse their position as first movers, the barrier to their competition is very, very low, on the order of tens of thousands of dollars and several months to get started.

Making ASIC development more difficult will keep out the people that we want to include, and do nothing whatsoever to exclude the people that some would like excluded.
legendary
Activity: 1232
Merit: 1094
Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

I don't think they are necessarily insurmountable, but yeah, missing data is hard to handle.

If a transaction 20k blocks before the end of chain goes missing, does that invalidate the chain?
legendary
Activity: 1652
Merit: 2301
Chief Scientist
Howdy Adam!

I'm going to quote myself, this is from an email I wrote yesterday to somebody else concerned about chip/mining centralization:
Quote
I think it will go through waves of centralization/decentralization. I can imagine bitcoin-mining electric hot water heaters installed in homes all across the world, installed by thousands of private companies that split the profits with homeowners. And thousands of die-hard do-it-yourself-ers who buy the hardware and cut out the middleman.

In the very long run, mining will be dominated by your cost of electricity and your ability to put the excess heat generated to good use.

I don't think it will matter what algorithm is used or even if the algorithm was changed every six months; if a general-purpose CPU was the only thing you could use for mining, you might see general-purpose CPUs designed to operate at thousands of degrees Celsius being designed so that aluminum smelting plants can also mine bitcoins with all that electricity they use turning bauxite into aluminum.

In the short run... I think there is zero chance that "we" will decide to change the hashing algorithm.
member
Activity: 112
Merit: 10
Well, distributing the verification "back" would be nice, but it seems to me (from your post and elsewhere) that there are practical issues with that (and little to no impetus for pools AND for-profit miners* to adopt such a technology).

In the end, though, all is better than it could be - we could have had just 3 pools, and we have more. We have ASIC first-mover who is very much into decentralizing mining. I'd say all turns out fairly luckily for BTC.


_______
* as a friend once said about such folks, "mah vidja-cart is shitten teh dollerz". No offense intended to for-profit miners
legendary
Activity: 1232
Merit: 1094
When you account for pooled mining, ASICS become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

I think distributed verification is key, with a "falseblock" message that can be broadcast which proves a block is invalid.  The main difficulty is that you can't prove data is missing from a distributed hash table.

If someone proves a key is valid then they could broadcast a missing value warning.  It isn't clear how to prevent it being spammed though.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Very nice to see you here (although perhaps you meant 2008-2009 wrt emails from Satoshi) - just as an offside (being someone who has implemented hashcash into a webmail app as a tip of the hat to the invention itself rather than anything I expect people to use) can you shed light on why it (hashcash) never actually took off wrt fighting spam (was it due to the emergence of smart phones that would have forced the difficulty to be too easy or the success of Bayesian equation algos or perhaps some other reasons)?
member
Activity: 112
Merit: 10
Well, I don't disagree with the argument that major ASIC-mining players, in all likelihood, will be organizations, not individuals (I do not necessarily agree that the mining organization and the ASIC manufacturer will be the same person, as such an argument would require one to make predictions regarding the future state of a highly unstable market).

However

a) I think that, even if some "hypothetical situation magic" were to make bitcoin strictly GPU-minable, matters would eventually evolve towards organizations and "mining moguls" hogging majority of raw hash power

b) all organizations and individuals doing mining would  flock into pools irrespective of whether we're talking corp-owned ASIC farms or GPU farms or little Joe's garage mining device.

As long as pools are in the picture, the argument regarding "mining decentralization" will remain rather hollow and pedantic, IMHO.
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
Or a 6-month design competition with review for security (no hidden trap-doors), fast verification, and then a replacement chosen via fair lottery.  I figure 6 months ought to break the ASIC or higher end design cycle for a new function up a bit.

If it wasn't clear, that wild 1997-era hashcash design alternative idea was: I meant this design competition would be ongoing and a candidate picked via fair crypto lottery at each 6-month epoch.  ASIC miners have to get fast off the mark or they won't recoup their investment.

A risk you run is it's a bit like the obfuscated malware C contest but in crypto - if someone manages to slip a backdoored design past the crypto reviewers (which could include the cryptographic community).  Maybe the designer of a picked design gets a small bitcoin bounty, and more importantly the breaker of a design after the submission cut off gets a bounty also, to bring in the best cryptanalytic minds from the community.

You don't really want any human intervention allowed after the lottery or it's arguably destabilizing.

btw a way to think clearly about the economics of $100m+ ASIC investments - say it becomes possible to build economic machines to do alchemy (convert lead or other worthless stuff into gold).  It is actually possible presently and has been demonstrated in particle accelerators and what-not, but the cost is phenomenal and the yield low.  Anyway say it's possible to build one for $100m, with a yield 1000x what can be done for a $1m investment, and practical but almost zero yield machines are possible to build in your garage or buy - what chance do you think you have buying one of those digital alchemy boards?  I didn't think so.

btw2 I like the argument put forward by a presenter in a Matonis + some economist guy discussion that come some unspecified pre-singularity events, e.g. like self-replicating nano-bot gold miners, or genetically engineered algae to filter sea water for gold and dump it in locatable clumps.  Again that's going to be a government research lab or Monsanto event, not a garage event, and you can bet they will try to hoard the mechanism if the barrier to entry is high and not easily garage reproducible.  And anyway if they're not careful either way the bottom is going to fall out of the physical gold market.  At that point it's all bits and bitcoin is better than physical gold.  Singularity timeline projections: this century.  Some pre-singularity events clearly earlier this century than later.

Adam

member
Activity: 112
Merit: 10
Well, if you don't mind, I will provide a few comments without specific quotes:

1) I do not think that companies producing good ASICs would be incentivized to mine themselves on a reliable basis.
There is a large number of operational costs (and risks) that are specific to the miner but not to the party producing the specialized equipment, so depending on legal, economic, and geographical circumstances it may - and often does - make business sense to produce the boards without actually using them.

This is true for a wide array of specialized equipment manufacture - and I don't think there are enough reasons to believe it won't be true for bitcoin.

2) Empirical evidence suggests that current (GPU and a bit FPGA) mining of Bitcoin is not decentralized.

While there are indeed a cute "gold rush" and "side-business" aspects to "amateur" GPU mining, nowadays a number of circumstances have forced the supermajority of individual miners into "pools" (as correctly noted above), a few of which are accountable for the absolute majority of hashrate in both BTC and LTC nets.

When you account for pooled mining, ASICS become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network

It thus appears to me that, if empirical evidence is to be trusted, ASIC resistance (or lack thereof) will have little to no effect on "decentralization", primarily due to very strong centralization arising  from "pool" infrastructure.

P.S.:
My limited understanding of concepts involved suggests that "poolproof" design is possible, but my limited understanding of miner behavior suggests that it would be woefully unpopular.

P.P.S.:
As far as alt-coins go, I would prefer ppcoin and namecoin over litecoin.

Of course, I have my disagreements with ppcoin design, and namecoin is pretty much dead in the water, but at least those two are trying to significantly innovate, as opposed to doing some very meager PoW-algo jockeying and calling it a day.
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
Are we sure that there won't be any ASIC manufacturers that will sell them? All it takes is one volume manufacturer to make ASICs available to the masses.

Well my (A-level economics grade ;) economics argument is market price is set by supply and demand, the supply and competition is limited and the barrier to entry large, so it's a seller's market and so the sellers will either not sell and mine, or sell at a small margin below utility value so the buyer takes the market risk and the seller takes most of the projected profit.  I.e. they'll charge a massive margin, which yes invites competition, but unlike a normal market there is a floor to how much they'll be undercut - the mining value.  The next manufacturer will do the same thing, as they also leverage their barrier overcoming investment, so I don't think the market can fix this.

Maybe bitcoin price volatility helps somewhat while it lasts - big hardware manufacturers maybe don't want penny-stock odds - that's more VC profile - established owners of fabrication plants, chip design houses etc have a business to run, and want to reduce their projected sales volatility.  However I could see bitcoin price volatility reducing as the market matures and derivatives contracts availability appears - and that would elevate the above problem.

So I am (and was from the beginning) concerned there was a risk hashcash could end up stacked in favor of big players because they can pay for the development and contracts etc and mine their own equipment.  And with hardware - hardware hackers can get somewhere, but nowhere near AMD GPUs and Intel CPUs - the analog of that level of manufacture and design.  And the AMD & Intel investment level is huge.  I think it comes down to what the price/performance/power graph looks like between generic hardware (GPU), close to current Moore's hw limit big funding hardware (VC or existing big co), small biz hardware (butterfly), and hackerspace level hardware hackers can do.  If there is a big discontinuity between hackerspace or kickstarter, the p2p nature of bitcoin may erode in a few years

Maybe the bitcoin community ought to use some of that $1bil market cap to do something mega-kickstart.  Maybe there is even a self-interest in that.  If bitcoin loses its p2p nature I expect the currency value to drop.

If I was a hardware guy with like ex-Intel chip designer experience - I would go for this right now.  But I know close to zip about ASIC & CPU/GPU design at layout compiler etc level.  A detailed and airtight kickstarter contract could bootstrap availability of close enough to Moore's law edge to defend the p2p nature for scalable investments and profitability down to $100 level.  But on the receiving end with those kickstarter projects they look like make-money-fast schemes for the operators of unknown technical skills and execution ability.  Like butterfly but much worse.  You need hardware design credibility, execution ability history, openness and a contract that on independent legal review guarantees community access without the kickstarted employees walking off with 99% of the profit or miners.

(I figured out the hashcash big player hw design issue in 1997 and had some other candidate cost function ideas re anti-spam - note bitcoin has pushed hashcash harder than spam might have because there is more money and motive involved so the answer may change - for hashcash anti-spam / anti-DoS for anonymous remailers and other anti-DoS applications I took the risk because my estimate was the extreme simplicity, ultra fast and simple and human readable mechanism and 100% distributed and 100% scalable protocol was just too cool to pass up and the spamming profitability business model has ultra slim margins so even with near universal scale deployment it would be safe from mega investments.  It's not many things that can accurately claim to be 100% distributed and 100% scalable.  Not a coincidence I was at the time a distributed systems PhD student and crypto fan - distributed systems field studies scalability limits and distributed algorithms.)

Maybe that's what Satoshi's moving-on plan is - protect the p2p nature with a hw manufacturing stealth project funded with discreetly siphoned post anonymity bug genesis bitcoin hoard.

If there was a way to bootstrap and keep p2p levels of market availability and profitability, you can see the advantages of keeping to the hashcash gold-standard.  It stood 16 years' test of time so far cryptographically, and that's worth something; quite a lot of bitcoin's viability is based on that stability.  It also keeps the satoshi-quo, which I like.

Quote
Also, won't sCrypt eventually be dominated by specialized mining rigs any way? There are already FPGAs being developed for it, and if hashing sCrypt continues growing as a business, I think it's only a matter of time before specialized hardware is designed for it and GPU mining becomes out of reach.

I agree.  Without being a concrete design, and very much wild-discussion material - maybe a fair cryptographic p2p lottery-elected function each epoch chosen at random from a massive function family.

But it's hard to design a function family where all functions have enough variability to reduce the GPU/ASIC gap, and with hashcash-like properties (fast verification, compact storage, no shortcut).

Btw it would also be desirable to have something generic enough that the hardware that gets built, if configurable enough (if the function family heads towards a general program), has dual uses.  I.e. it IS a next gen GPGPU and that in itself could help accessibility as there is lots of market demand for such things from the scientific community.

Or a 6-month design competition with review for security (no hidden trap-doors), fast verification, and then a replacement chosen via fair lottery.  I figure 6 months ought to break the ASIC or higher end design cycle for a new function up a bit.


PS I presume everyone has heard of Jakobsson & Juels' "Bread Pudding" protocol:
http://www.rsa.com/rsalabs/node.asp?id=2049

Trying to get the miners to do useful work.

However absent an efficiently publicly auditable proof-of-work that is fairly tied to the computations of a homomorphic encryption scheme, their proposal as far as I can see is not possible to scale with decentralized trust.  (Email me if you understood the import of that last sentence.)  And I don't like non-decentralized things.

Juels was also the same author that reinvented something hashcash-like but online (Client Puzzles).  (Offline is better as it's more private, and publicly auditable; client puzzles are not.)  Juels was not aware of hashcash at the time.  I have a link to that one and others on:

http://hashcash.org/papers/

Adam
staff
Activity: 4284
Merit: 8808
Quote
I think that is a bad thing for a few reasons: GPU mining is fun, it
adds the visceral gold-like aspect for users, and it's inclusive, and
p2p friendly.
I wish this were true, but the feedback I've seen constantly is that many people are insulted and angered by the small amounts they get from a single small mining setup, even some who were told what to expect going into it... even when the amounts they get will actually become non-trivial when accumulated over weeks of 24/7 mining.

There are people who find it fun, but it's certainly not everyone.

Humans are a funny breed. They seem to be demotivated by the fact that someone else is making 100x more even when that person has >100x more operating costs!

Quote
ASIC mining is exclusive, not in principle - nice ASIC
PCI cards and USB boxes could be built in $100, $200, $500, $1000
increments etc - but in practice because anyone with skills to make
cards has an obvious incentive to mine them themselves rather than
sell them.
I'm now not aware of anyone making devices without selling them. (The one party I was aware of was convinced to change their practices— consider, if they don't sell devices their consolidations may threaten the decentralized security assumptions of Bitcoin— even if this doesn't immediately debase the coins they produce the community may change the PoW and make their hardware worthless; there are some subtle reasons why changing the PoW is more viable than you might guess).

Small devices should be available soon in a number of forms.  The fact that the first major wave of deployments will be large devices also gives some advantage to smaller participants in the long run, since they won't be saddled with big investments in 110nm infrastructure. (Not to mention, that 110nm infrastructure will probably eventually be resold for low prices to people who can use the waste heat.)

It's my personal hope that the somewhat reduced access to the relevant equipment will be offset from decreased competition by people who are stealing resources to mine and as a result be at least a wash in terms of equality of access.

Quote
destroying
the p2p nature, and essentially removing the need for or value of
distributed time-stamping using hashcash.
I am continually very concerned by this, but I don't think the deployment of ASIC is by far the biggest threat to the distributed nature of Bitcoin.  I think the far bigger threats are that almost all mining is done through a few centralized "pools" and that fewer and fewer users run actual network nodes that independently validate the rules of the system— instead using hosted wallets and various kinds of thin clients.   If your highly casual GPU miners are just blindly selling their computing power to a pool, it doesn't contribute much to the distributed nature of the system. (It does make the economy more distributed, but they can do that by buying coins).

Quote
I suspect the network difficulty might even drop facing a wall of
ASICs over the next year or so if GPU mining goes the way of CPU
mining

The sales from one hardware vendor alone (Avalon) are right now somewhat over 1500 68GH/s units as I understand it; this is enough hash to replace the entire hashrate we had from GPUs and FPGAs in January five times over. The belief is that BFL has sold many more than this.

Quote
Well my idea is this aim to get to 50:50 hashcash scrypt
I would expect this to lower costs for an attacker to reorganize the chain to conflict transactions by giving him choice of hardware.

Quote
one may want to allow the scrypt size
parameter to be network dynamic like difficulty
This would make _validation_ expensive too. A shame, as the tiny scrypt size in LTC doesn't really achieve memory hardness... and I'd bet that dedicated hardware would get a _larger_ speedup than we get for sha256 because of this.  An interesting question is: how do you create a function which is strongly memory-hard to search but not (/less) memory-hard to validate?

There are other interesting ideas in the space of memory-hardness.  For example, you could define a POW function which is an operation over the spendable transaction index which then proves that miners have high capacity for validating transactions— perhaps better aligning the operating motives... and eliminating the miners that just blindly sell computing power without having any interest or capacity to participate in the actual validation.   (Using data in a globally known merkle tree is potentially one way to make an asymmetrically memory-hard function.)

Quote
What a foolish person
Hah. You and a lot of other people, actually. I spent time talking about cryptocurrency things with Hal due to his RPOW system before Bitcoin existed, and "used" bitcoin early on (well, as much as you can use it when almost no one else does!) but didn't bother keeping my wallet. But whatever, Bitcoin is interesting and important regardless of what value people assign the coins and how much you "could have had" but don't.
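As an added toy illustration of the "asymmetrically memory-hard" idea in the post above (example code written for this thread, not gmaxwell's, Adam's or Bitcoin's): the nonce selects K leaves of a Merkle tree over a data set, so searching needs the whole set resident, while validating needs only the root, the set size and K branches. The 16-entry stand-in "spendable output index", the hash domain tags, K and the target are all constructed assumptions.

```python
import hashlib

K = 4  # leaves every attempt must read; the nonce decides which ones
H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()

def build_tree(leaves):  # levels[0] = leaf hashes, levels[-1] = [root]; len(leaves) = 2**k
    levels = [[H(b"leaf", x) for x in leaves]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(b"node", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_branch(levels, idx):  # sibling hashes from the leaf up to the root
    return [levels[d][(idx >> d) ^ 1] for d in range(len(levels) - 1)]

def verify_branch(root, leaf, idx, branch):
    node = H(b"leaf", leaf)
    for sib in branch:
        node = H(b"node", sib, node) if idx & 1 else H(b"node", node, sib)
        idx >>= 1
    return node == root

def sample_indices(root, nonce, n):  # which K leaves this nonce forces the miner to read
    seed = H(root, nonce)
    return seed, [int.from_bytes(H(seed, bytes([i])), "big") % n for i in range(K)]

def mix(seed, leaf_values):  # fold the sampled leaves into the final hash
    for v in leaf_values:
        seed = H(seed, v)
    return int.from_bytes(seed, "big")

def mine(leaves, levels, target, max_tries=1 << 16):  # miner: whole leaf set resident
    root, n = levels[-1][0], len(leaves)
    for t in range(max_tries):
        nonce = t.to_bytes(8, "big")
        seed, idxs = sample_indices(root, nonce, n)
        if mix(seed, (leaves[i] for i in idxs)) < target:
            return nonce, [(i, leaves[i], merkle_branch(levels, i)) for i in idxs]
    return None

def verify(root, n, target, nonce, proof):  # verifier: root, n and K branches suffice
    seed, want = sample_indices(root, nonce, n)
    if [p[0] for p in proof] != want or not all(
            verify_branch(root, leaf, i, br) for i, leaf, br in proof):
        return False
    return mix(seed, (leaf for _, leaf, _ in proof)) < target

# constructed stand-in for a spendable-output index (not real chain data)
LEAVES = [f"txid{i:02d}:0:{1000 * (i + 1)}sat".encode() for i in range(16)]
LEVELS = build_tree(LEAVES)
TARGET = 1 << 248  # about one attempt in 256 succeeds
```

Raising K or the data set size increases the memory traffic per mining attempt, while the verifier's cost stays at K branch checks.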
