
Topic: Resurrecting the Champ: PoW to become Bitmain/Buterin resistant - page 3. (Read 1099 times)

member
Activity: 210
Merit: 26
High fees = low BTC price
Also there's the "nothing at stake" problem where forgers can vote for multiple blockchain histories.
There's no definite mitigation to the problem so far, current attempts only rescale the problem, and others just use a POW + POS hybrid.

I find myself having to agree with you, well presented argument but "proof a-b-c-" is just a basis for "Trust" and this runs
against the mantra here about "Trustless" network.

PoW is not so bad if it's useful work and not just 20,000 nodes clogging up the CPU and network but that's not what's happening with Bitcoin
but what is happening is CPU-Wars have been created and that only keeps Intel rich and the miners competing against each other.

What might have been acceptable if we only had the 1000 miners we needed to maintain the network does
not work when you have 20,000 or more of them and let's save the non-debate about the 51% attack
sr. member
Activity: 322
Merit: 363
39twH4PSYgDSzU7sLnRoDfthR6gWYrrPoD

I often see there is not much love for PoS in some circles, genuinely interested why?
There are a lot of reasons why some people do not like proof-of-stake:
There's nothing extrinsic to the network at stake unlike in proof of work where electricity costs and computing power are used to secure the network.
In POS systems, whatever you're staking is already present in the network, so you're not really adding anything of value. You can make a case for the value of bitcoin being the electricity costs used to mine a block.

It's not as battle tested as proof of work.

Rewards on staking are usually proportional to the amount of the currency a user holds so the rich get richer. I suppose a similar argument could be made for mining.

Also there's the "nothing at stake" problem where forgers can vote for multiple blockchain histories.
There's no definite mitigation to the problem so far, current attempts only rescale the problem, and others just use a POW + POS hybrid.
member
Activity: 182
Merit: 17
¯\_(ツ)_/¯
POS
thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi-billion-dollar incentivized attacks and secondly Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.

Interesting,

In the first part you say "PoS is out of context" because "it is a naive and immature idea", but provide no support for this statement. Could you please explain why it is naive and immature, especially in light of the fact that some of the multimillion-dollar cryptocurrencies are running on it?

Secondly, you mention Posethereum and state as it is not Ethereum, then PoS won't work.

I often see there is not much love for PoS in some circles, genuinely interested why?
jr. member
Activity: 44
Merit: 1
...ASIC/FPGA manufacturers can simply add more memory...

Assume I start with 128MB/thread. How many threads are ASICs running to achieve their impressive hashrate/$ ratio? Unless they can maintain their performance with a PC-like low thread count, their costs will quickly spiral out of control. Of course, if I guess to the low side on memory footprint and an ASIC emerges for my hypothetical cryptocoin, I can double my memory requirements with a parameter change and recompile, rendering existing hardware devices obsolete.

Note that this is not a technical solution but an economic one. Who would do the R&D, manufacture a production run of ASICs, and ship them to customers when the target algo is designed from the outset to trivially increase its memory requirements with one parm change? Also, who would buy it?
legendary
Activity: 1456
Merit: 1174
Always remember the cause!
I've made a thread about a similar problem at "Do you think Bitcoin need to change it's PoW algorithm?". But changing/tweaking/modifying the PoW algorithm is difficult once ASICs are available to the public, the hashrate is dominated by ASICs, or the algorithm isn't designed to combat ASICs (such as SHA-256).

For Monero, tweaking the CryptoNight algorithm isn't difficult since mining with CPU/GPU is still profitable (which means ASICs haven't taken over the network/hashrate), tweaking CryptoNight doesn't change the hash speed of CPU/GPU and, most importantly, the majority of the community agrees with their Core team's decision.

For Bitcoin, it's a hard task because:
1. ASICs completely dominate Bitcoin mining.
2. Changing the algorithm to ASIC resistance is difficult since the network hashrate would be very low, which makes block generation very slow and makes the Bitcoin network vulnerable during transaction, since that means a 51% attack on the bitcoin network will be far easier. Even when considering there are ways to "tweak" SHA-256 just to break ASICs.
3. Getting community approval for a tweak/change which requires a hard fork is difficult, especially from ASIC miners.

I think tweaking the Ethash algorithm at this point is a good idea since the ASIC isn't available to the public yet, but without Ethereum Foundation or majority community approval, your idea won't happen (at least without a chain split).
For bitcoin, as I see it and have mentioned above somehow, this option (tweaking PoW to resist against ASICs) is both an open possibility and an unavoidable destiny in the middle term. For the latter my argument is based on Bitmain's situation as an over-bloated center that happens to reside in China. The bitcoin community eventually will be united, no choice.

For Ethereum it is an inevitable almost urgent agenda. I'll do it and I don't care about a foundation and its crypto idol who have gone too far this time by breaking their contract and taking position against the majority of the users and miners. They will pay for their strategic mistake on this issue.

Back to your arguments about hashrate drop problem after the fork:
I know you are an expert in your own right, but I have to make it clear that two different PoW algorithms are not comparable; all that matters is security and it is directly related to the costs of attacks like Sybil or 50%+1 attacks.

After the hypothetical fork, if it is supported by enough users (wallets) and a significant amount of mining power, Bitmain has no choice other than sticking with the old chain and trying to manipulate the price of the upgraded bitcoin, desperately. This can be easily mitigated by a smart and well organized campaign, imo.

legendary
Activity: 1456
Merit: 1174
Always remember the cause!
POS
thumbs down

PoS is out of context, firstly because it is a naive and immature idea that is not and will not be approved under multi-billion-dollar incentivized attacks and secondly Ethereum is not a PoS based system and the (hypothetical) PoS based Ethereum, as I mentioned above, should be called Posethereum or something like that.

I doubt you have read my article at all, but thanks for sharing your idea anyway.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
I've made a thread about a similar problem at "Do you think Bitcoin need to change it's PoW algorithm?". But changing/tweaking/modifying the PoW algorithm is difficult once ASICs are available to the public, the hashrate is dominated by ASICs, or the algorithm isn't designed to combat ASICs (such as SHA-256).

For Monero, tweaking the CryptoNight algorithm isn't difficult since mining with CPU/GPU is still profitable (which means ASICs haven't taken over the network/hashrate), tweaking CryptoNight doesn't change the hash speed of CPU/GPU and, most importantly, the majority of the community agrees with their Core team's decision.

For Bitcoin, it's a hard task because:
1. ASICs completely dominate Bitcoin mining.
2. Changing the algorithm to ASIC resistance is difficult since the network hashrate would be very low, which makes block generation very slow and makes the Bitcoin network vulnerable during transaction, since that means a 51% attack on the bitcoin network will be far easier. Even when considering there are ways to "tweak" SHA-256 just to break ASICs.
3. Getting community approval for a tweak/change which requires a hard fork is difficult, especially from ASIC miners.

I think tweaking the Ethash algorithm at this point is a good idea since the ASIC isn't available to the public yet, but without Ethereum Foundation or majority community approval, your idea won't happen (at least without a chain split).
But I think enforcing dedicated memory requirements won't do much since ASIC/FPGA manufacturers can simply add more memory, unless your solution is similar to CryptoNight, which forces high-speed/low-latency for efficient mining such as L2/L3 cache, which is expensive in big capacity. CMIIW.
jr. member
Activity: 44
Merit: 1
Thanks for the thoughtful article. I'm working in a similar area and thought I'd add my own perspective on how to deal with the centralization-as-an-attack cryptocurrency problem.

We seem to agree on the idea that the best defense against ASICs (and other approaches that fill the same functional and economic niche) is an economic defense. For example, my approach to POW is to leverage PCs in a way that is uneconomic to duplicate in a fixed-purpose device. Since many people already own PCs, their machines don't have to be counted as part of the cost of decentralized POW.

On the other hand, someone building a dedicated mining farm would have to outlay *extra* money to compete with something that the decentralized community already has in abundance.

This approach failed for bitcoin because the POW algo was too trivial; it required only a few instructions of the CPU and a tiny amount of memory. A $1000 PC was making use of only a tiny fraction of its cost for mining. This left a huge window for exploitation by ASICs (and GPUs).

A better approach would have been to use more instructions and more complex instructions as well as far more memory in the POW algo, obviously. Further, as you point out above, the memory should be dynamically used rather than static to reduce the possibility of shortcuts. Ideally, the algo would make use of as many capabilities of the (common) PC as possible. Successfully implemented, this approach would not make ASIC and GPU mining 'impossible', merely impractical.

But, as you say, ASIC resistance, as defined economically, *is* ASIC proof.

My algo is pretty basic in that it mostly makes use of lots of memory and memory bandwidth for each thread, but that alone addresses a significant subset of the 'ideal' requirements of my approach.  A GPU would be able to run a few threads, for example, but its performance should pale in comparison to a CPU.  It might be worth the electricity at the low usage level -- but the ROI would not be worth the capital outlay of building a GPU rig.

An ASIC (or ASAC) could still be made to be more efficient than a PC, but should not be drastically so.  As long as the pay-off period for a piece of special-purpose equipment is measured in multiple years, the risk would be too great for a prudent investment -- especially in the fast-moving space of cryptocurrencies.  And, more importantly, it would not provide the economic foundation for a few companies to quickly rise to dominate the space.
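
Added example (not part of any post in this thread, and not the poster's algorithm): a toy proof-of-work in the spirit of the two posts above, with a scratchpad that is read in a data-dependent order and a memory size that is a single consensus parameter. The construction is a ROMix-style fill-then-mix loop (the core idea of scrypt) over SHA-256; all function names and the sample header are hypothetical.

```python
import hashlib

BLOCK = 32  # bytes per scratchpad entry (one SHA-256 digest)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def scratchpad_bytes(mem_blocks: int) -> int:
    """Memory a miner must hold per thread for a given parameter value."""
    return mem_blocks * BLOCK

def memory_hard_hash(header: bytes, nonce: int, mem_blocks: int) -> bytes:
    # mem_blocks is bound into the seed, so work done for one memory size
    # can never be replayed as valid work for another.
    seed = _h(header + nonce.to_bytes(8, "little") + mem_blocks.to_bytes(4, "little"))
    # Phase 1: fill the scratchpad sequentially (each entry depends on the last).
    pad = [seed]
    for _ in range(mem_blocks - 1):
        pad.append(_h(pad[-1]))
    # Phase 2: "dynamic" use. The next index is derived from the running state,
    # so the access pattern cannot be precomputed or streamed.
    x = _h(pad[-1])
    for _ in range(mem_blocks):
        j = int.from_bytes(x[:8], "little") % mem_blocks
        x = _h(bytes(a ^ b for a, b in zip(x, pad[j])))
    return x

def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest has at least difficulty_bits leading zero bits."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0

def verify(header: bytes, nonce: int, mem_blocks: int, difficulty_bits: int) -> bool:
    return meets_target(memory_hard_hash(header, nonce, mem_blocks), difficulty_bits)

def mine(header: bytes, mem_blocks: int, difficulty_bits: int, max_nonce: int = 1 << 16) -> int:
    for nonce in range(max_nonce):
        if verify(header, nonce, mem_blocks, difficulty_bits):
            return nonce
    raise RuntimeError("no nonce found in range")

if __name__ == "__main__":
    header = b"constructed sample block header"  # constructed input
    old, new = 256, 512  # toy values; a real coin would use MB-scale pads
    nonce = mine(header, old, 6)
    print("nonce", nonce, "valid under old parameter:", verify(header, nonce, old, 6))
    print("pad bytes old/new:", scratchpad_bytes(old), scratchpad_bytes(new))
    # After the one-parameter change every digest is different, so hardware
    # sized and wired for the old pad produces nothing the network accepts.
    same = memory_hard_hash(header, nonce, old) == memory_hard_hash(header, nonce, new)
    print("digest unchanged after doubling memory:", same)
```
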
full member
Activity: 756
Merit: 103
legendary
Activity: 1456
Merit: 1174
Always remember the cause!
Hi all,
In this series of articles, I'm going to share my technical analysis of Bitmain's latest attack on Ethash along with my own counterattack proposal. I have not started coding my algorithm tweak proposal yet but will do it in the next few days.

It was the bitcoin community's fault in the first place not to recognize ASIC as a crack and not to take proper action against it by upgrading to an ASIC resistant PoW, imo. The endless scalability debate (faked/escalated by Bitmain?) was just a distraction for the community to sit and watch what was happening to the most unique, unprecedented feature of bitcoin, decentralization powered by PoW, being put in danger by an old fashioned way of crack: Application Specific Integrated Circuit, ASIC.

As a direct consequence of this passivity, Jihan earned billions of dollars and became powerful enough to attack other coins by investing more in ASIC design and production (besides taking malicious positions in the bitcoin ecosystem). Scrypt, X11, Blake, ... were cracked one after another in a short period of time. Each time an ASIC miner with a crazy efficiency advantage over GPU mining was introduced by Bitmain after it had mined enough of each coin before the disclosure.

Now, the monster has become so rich and self-confident as to attack the second largest cryptocurrency and one of the most promising ones, Ethereum and its Ethash PoW, by introducing E3. It isn't an ASIC attack, as I'll argue through this topic, but deserves to be classified as an attack, possibly a new class of attack that can be accomplished only by such a resourceful monster and again its purpose is hardware monopolization.

Monero and its Sergio reacted almost instantly; they have already forked the chain and are very committed to their ASIC resistance strategy, but Ethereum Foundation and Buterin, on the contrary, are showing no interest. They have not responded yet; instead, Buterin recently has coldly proposed to take advantage of this threat and boost Ethereum's migration to PoS, using his new toy, Casper.

PoW is not a toy to be replaced childishly, and I'm sure Ethereum Foundation will have a lot of trouble managing such a destructive hard fork (personally I'll fully support any resistance against their agenda), so I will deliberately eliminate Casper and PoS as a solution, firstly because I don't recognize a coin based on PoS as Ethereum (Posethereum? Maybe) and secondly I think it is more about Ethash. PoS may save or destroy Ethereum but it has nothing to do with Ethash.

Actually it is more about PoW rather than Ethash; improving bitcoin's SHA256 PoW is not that unlikely to be supposed totally off the table forever (even after the failed BTG experiment). I think Bitmain is increasingly getting stronger and more dangerous and will take more aggressive positions against the community and one solution for the crisis would be enhancing PoW to get rid of Bitmain. This is why I have labeled this topic as a resurrection attempt toward PoW rather than Ethash; the latter is just an interesting case chosen to be studied more precisely.

The upcoming debate in bitcoin over this issue and its result won't be as radical as what Buterin and his mates feel free to do with Ethereum. Bitcoin is three times bigger (in terms of market cap) and unlike the way Buterin and Ethereum Foundation (inappropriately) treat their coin, it is not an experimental project; there will be no PoS or proof of anything migration debate ever in bitcoin, but a PoW tweak to become more resistant to Bitmain attacks? Who knows?

So I see stakes here for bitcoin community to get involved in ASIC resistance debate actively, and it is not that surprising:
Cryptocurrencies have a lot of technology and experience to share and PoW issues are on the top of the list.

After all PoW has gone through, there is disappointment in the air and many give-up proposals on the table. Some people argue that because 'ASIC resistant' is not equal to 'ASIC proof' (?), the failures of the Scrypt, Cryptonight, X11, ... algorithms (and supposedly Ethash now) are enough evidence for us to be convinced that PoW is inherently vulnerable and will lead to hardware centralization. Some use this to suggest approaches other than PoW for securing blockchain ('proof of something' discourse and the trending PoS variant) while others recommend coping with the claimed flaw and pray for other ASIC manufacturers to come to the scene and compete, or claim that there is no centralization threat at all (honestly, aren't they paid by Bitmain?).

I'm strongly against these arguments and believe that ASIC resistance is the same as ASIC Proof (practically) and if some algorithms have failed their promise it does not imply anything other than they have to upgrade and fix their vulnerabilities.

Plus I think a more general hardware centralization threat should be addressed (including but not limited to ASIC), it is substantially because of my perception of the latest Bitmain E3 which I have come to the conclusion that it is not ASIC but yet a serious hardware centralization threat.

Bitmain's E3 seems to be a new type of attack on PoW based blockchains. It is not an Application Specific Integrated Circuit (ASIC) because it does not have the required signature of ASICs, being orders of magnitude enhancement in efficiency. From what Bitmain has officially announced, E3 is not more efficient than a 6x570 based GPU rig (it consumes 800 watts to produce 180 Mh/s Ethash mining power); definitely it is not what you expect from an ASIC.

But if Bitmain has not achieved more efficiency, how is it possible to categorize its E3 as an attack? The trivial answer is cost efficiency.

In a sophisticated marketing maneuver, Bitmain is selling its miner for a price far (more than 3 times) below what an ordinary GPU miner can manage to assemble a comparable mining rig. It pushes ordinary miners out of the market and is a hardware centralization threat and deserves to be classified as an attack. I'll show here that it is a special-purpose machine built for taking advantage of a specific vulnerability of a modern PoW algorithm like Ethash. It is nothing less than an attack and for convenience I'll call it Application Specific Architectured Computer, ASAC.

Bitmain, obviously, has not disclosed anything worth mentioning about E3 other than a picture (of an ugly mini case) plus 800 watts power consumption, 180 Mh/s Ethash power and $800 price besides a 3 month pre-order requirement for the buyers. If it was not Bitmain, it would look just like a scam, but it IS Bitmain and something is wrong here.

Just like any other technology, the most important secret that will be disclosed once it has been introduced, is always its feasibility. When you announce a product, you have already compromised the most important secret about it: its existence!

My assumption here is Bitmain has managed to reduce costs dramatically and the very few days after the announcement, I have been busy finding out how.

Obviously, I had to review Ethash again, this time, under the lights of E3 disclosure and being 100% convinced that there exists a vulnerability and Bitmain has taken advantage of it to manage for the attack.

I have found a possible answer and a proper solution, both not very hard to guess: I think it is a shared memory attack (not the old Dagger vulnerability though) and mitigation is possible by enforcing dedicated memory requirements, which I'll share in the next few days, but before proceeding any further, I would like to hear from other forum members about this issue.









