Topic: Specialized hardware and the "nuclear option" for >50% attacks (Read 2212 times)

One does not simply develop a coin where the proof of work is a general purpose problem solver. It would be very useful if that could be done, but as far as I know no one has found such a proof of work algorithm. It would have to be expensive to compute, with difficulty adjustable over a large range of values, easy to verify and capable of being tied to the hash of a specific block in the chain.

Why don't we develop a coin where the proof of work is general purpose problem solver ?

Any option chosen will have specialized HW created if successful.

I recently heard Dan Kaminsky mention in his recent article: http://www.wired.com/opinion/2013/05/lets-cut-through-the-bitcoin-hype/ that a mining algorithm friendly to general purpose hardware is superior because it is more inclusive to "the masses", as it wouldn't require specialized hardware to participate, and thus mining would be that much more decentralized.

I doubt this is much of an advantage though, as most people would have to buy high end general purpose hardware specifically to mine anyway in order to remain competitive and profitable, and the barrier to entry for running specialized hardware (ASICs) will soon be just as low.

Furthermore, having a mining algorithm require specialized hardware appears to be a great strength.  E.g. suppose an attacker amasses >50% of total hashing power.  Then the network could (as a last resort) swap out the mining algorithm, and render all of his equipment useless for attacking the new system and for resale. With general purpose equipment, he could keep attacking the new mining algorithm, or resell his equipment to recoup some of his costs.

While the honest miners would lose all of their investment (this should be considered an inherent risk of being in the mining business), they still collectively lose less than the attacker.

Learn what an ASIC is please

Picking a hard algorithm like scrypt doesn't mean that there won't ever be an ASIC for it, it just means that developing that ASIC will be harder, which means that different people will be doing it.

In one of the several other threads discussing this exact same topic, I argued that it is best to use an algorithm that is simple enough for casual people to implement (as an ASIC) with a modest budget.

At least 4 groups now have implemented bitcoin mining as an ASIC, in (relatively) short times, with (relatively) little capital.  More are sure to follow.

If some algorithm can be done on a general purpose computer, then a special computer can be made which can do it better (by whatever measure of better).  The question really comes down to "How much effort (time and/or capital) does it take for how much of an improvement?"

Picking a hard algorithm like scrypt doesn't mean that there won't ever be an ASIC for it, it just means that developing that ASIC will be harder, which means that different people will be doing it.

We want ASIC development to be possible for kids in their garages, and it would be extremely foolish to lock them out of the game.  Even more foolish when you consider that we are incapable of barring more powerful entities from doing it anyway.

ASICs are faster than CPU's at SHA-256. They're not necessarily faster at scrypt. I'm actually doing a lot of work in this space, stay tuned.

So, you probably won't believe me if I tell you that the first bitcoin ASIC was developed like 2 years ago, by one guy.  Right?

Casual and ASIC don't go together. Not even if governments don't interfere, let alone if they do.

In one of the several other threads discussing this exact same topic, I argued that it is best to use an algorithm that is simple enough for casual people to implement (as an ASIC) with a modest budget.

I recently heard Dan Kaminsky mention in his recent article: http://www.wired.com/opinion/2013/05/lets-cut-through-the-bitcoin-hype/ that a mining algorithm friendly to general purpose hardware is superior because it is more inclusive to "the masses", as it wouldn't require specialized hardware to participate, and thus mining would be that much more decentralized.  I doubt this is much of an advantage though, as most people would have to buy high end general purpose hardware specifically to mine anyway in order to remain competitive and profitable, and the barrier to entry for running specialized hardware (ASICs) will soon be just as low.

Furthermore, having a mining algorithm require specialized hardware appears to be a great strength.  E.g. suppose an attacker amasses >50% of total hashing power.  Then the network could (as a last resort) swap out the mining algorithm, and render all of his equipment useless for attacking the new system and for resale. With general purpose equipment, he could keep attacking the new mining algorithm, or resell his equipment to recoup some of his costs.  While the honest miners would lose all of their investment (this should be considered an inherent risk of being in the mining business), they still collectively lose less than the attacker.  As long as there remains sufficient profit motive to mine - i.e. BTC remains valuable - then ASICs for the new algorithm should be quickly forthcoming to the market while CPUs/GPUs pick up the slack, and any attacker wishing to continue this attack will quickly go bankrupt as he's up against the capital stock of the whole world.

The damage the attacker does - e.g. the drop in BTC value - can be mitigated if such a response is understood by all to always be potentially necessary, and perfectly within the realm of manageability (it seems to me to be, unless I'm missing something).  "Fire drills" might even be done in advance, which would undoubtedly inspire confidence.

tldr; If the mining network relies on specialized rather than generalized hardware, then there is a "nuclear option" available to deal with and deter >50% attacks.

CPU Friendly = botnet friendly

Unfortunately there are downsides with each approach.

What I meant is that with a CPU-friendly algorithm, society as a whole has the means at its disposal to thwart a 51% attack. It doesn't mean that people would be mining for a profit. For similar reasons the Framers of the US Constitution didn't want standing armies and stipulated that the right to bear arms (i.e. militarily useful ones) should not be infringed.

No, in general people won't mine at a loss. You are forgetting about the power it costs to run HW.

What I meant is that with a CPU-friendly algorithm, society as a whole has the means at its disposal to thwart a 51% attack. It doesn't mean that people would be mining for a profit. For similar reasons the Framers of the US Constitution didn't want standing armies and stipulated that the right to bear arms (i.e. militarily useful ones) should not be infringed.

No, in general people won't mine at a loss. You are forgetting about the power it costs to run HW.