The idea to switch to Ethereum's EquiHash might be justifiable as a short-term measure and also because apparently proof-of-work is not actually securing the Steem blockchain against 51% attacks anyway.
But in general, I now think that “ASIC-resistant” proof-of-work (e.g. Monero and tromp's Cuckoo) is ill-advised because it is less secure (see the two instances of
Abstract: This paper posits that prior consensus ordering systems are winner-take-all power vacuums† without a stable decentralized equilibrium. Satoshi’s proof-of-work (aka “PoW”)¹ and Bitshares’ Delegated Proof-of-Stake (aka “DPoS”)² are examined in some detail as plausible examples of this theory.
[redacted]
---
† Power vacuum in the context of this paper means the system has no viable mechanism to maintain an equilibrium of decentralized control and limit the snowballing effect of a vicious-cycle feedback loop, where influence (centralized control) in the system due to concentrated wealth and economies-of-scale increases the concentration of the wealth and economies-of-scale in the system. The value of the resource to be captured far exceeds the unrecoverable portion of the (risk + opportunity + whatever) cost to capture it, the net value (analogous to a “selling price” minus cost) doesn't decrease with a decrease in demand from those who can compete to obtain it, and only the one with the most resources can capture it.[redacted]
4. Benign vs. Malignant Power-law Distribution
The centralized control in the system may be deleterious or innocuous. The taxonomy of malignancy includes control that:
- breaks Nash equilibrium
- comprises a power vacuum
- degrades the desired system attributes: efficient, reliable, secure, permissionless, meritocratic, collaborative, impartial, and a level-playing-field
Nash equilibrium means that every participant’s best strategy is completely determined by transparent information, i.e. that there is no better strategy any participant could employ with access to the secret strategies of other participants. This doesn’t mean that other participants can’t have secret strategies, only that secrecy doesn’t render any participant’s choice of strategy sub-optimal.
Nash equilibrium doesn't necessarily imply a stable economic equilibrium or the desired attributes, because even where every participant is adhering to their optimum strategy, it doesn't necessarily indicate that the system is not subject to deleterious effects which are unstable, such as asymmetries in profit which snowball in a power vacuum that eventually causes the Byzantine fault tolerance thresholds to be exceeded resulting in the degradation of desirable attributes.
4.1 Selfish Mining Example
In PoW for example, whether or not coordinated miners with more than 1/3 of the systemic hashrate are selfish²³ and/or stubborn³⁴ mining, by propagating their new blocks delayed or more slowly to other miners for a relatively more profitable mining strategy, doesn’t dictate or change the optimum mining strategy for the other miners. Due to variance, miners already have an incentive to mine on the largest pool¹⁸ if it doesn't negatively impact market confidence, and even to selfish and/or stubborn mine if adequate hashrate is pooled. As explained below, hashrate attacks on PoW aren’t incentivized if they can’t be kept secret. Selfish mining may be indistinguishable from randomness.
However, the selfish and/or stubborn mining does alter, for system participants, their optimum calculation of the number of confirmations for a specific probability of a double-spend if the attacker ever has an incentive to double-spend. Even double-spend attacks employing only a minority (less than 50%) of the hashrate do slightly impact optimal confirmation probabilities even without the selfish mining strategy considered¹⁶. These attacks are part of the more general flaw that PoW doesn’t have a Nash equilibrium on finality of consensus because of a myriad of possible secret hashrate threats¹⁷, as discussed in the Byzantine Agreement vs. Proof-of-Work Consensus section.
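The two quantitative claims in this sub-section (selfish mining pays above roughly 1/3 of the hashrate, and a minority double-spender still shifts the confirmations a recipient should require) can both be checked numerically. The following is an added example, not code from the paper or its cited sources: it implements the closed-form selfish-mining revenue from Eyal and Sirer²³ (relative revenue as a function of the pool's hashrate share α and the fraction γ of honest miners that build on the pool's block in a tie) and the attacker-success estimate from Satoshi's whitepaper¹, then derives the minimum confirmations for a chosen risk tolerance. The parameter names and the 0.1% risk tolerance used for the demonstration are assumptions for illustration.

```python
import math


def selfish_mining_revenue(alpha, gamma=0.0):
    """Relative revenue of a selfish-mining pool (Eyal & Sirer, eq. 8).

    alpha: the pool's share of systemic hashrate, 0 <= alpha < 0.5
    gamma: fraction of honest hashrate that mines on the pool's block in a tie
    Returns the share of all blocks the pool ends up with; honest mining yields alpha.
    """
    if not 0.0 <= alpha < 0.5:
        raise ValueError("alpha must be in [0, 0.5) for this formula")
    numerator = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    denominator = 1 - alpha * (1 + (2 - alpha) * alpha)
    return numerator / denominator


def selfish_mining_threshold(gamma=0.0):
    """Hashrate share above which selfish mining beats honest mining: (1-γ)/(3-2γ).

    With gamma = 0 (no honest miner ever sides with the pool in a tie) this is 1/3,
    the figure the text quotes; as gamma -> 1 the threshold falls to zero.
    """
    return (1 - gamma) / (3 - 2 * gamma)


def double_spend_success_probability(q, z):
    """Probability an attacker with hashrate share q catches up from z blocks behind.

    Satoshi's whitepaper estimate: the honest chain leads by z, the attacker's
    progress while those z blocks were found is Poisson with mean z*q/p, and a
    deficit of d blocks is overcome with probability (q/p)**d.
    """
    if not 0.0 <= q < 0.5:
        raise ValueError("q must be in [0, 0.5); at or above 0.5 the attacker always wins")
    p = 1.0 - q
    lam = z * q / p
    caught_up = 0.0
    for k in range(z + 1):
        poisson = lam ** k * math.exp(-lam) / math.factorial(k)
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def min_confirmations(q, risk, max_z=2000):
    """Smallest z such that the attacker's success probability is at most `risk`.

    Returns None if no z up to max_z suffices (q close to 0.5 needs very many).
    """
    for z in range(max_z + 1):
        if double_spend_success_probability(q, z) <= risk:
            return z
    return None


if __name__ == "__main__":
    # Selfish mining: revenue share versus honest share for a few pool sizes (gamma = 0).
    for alpha in (0.25, 1 / 3, 0.40):
        r = selfish_mining_revenue(alpha)
        print(f"alpha={alpha:.3f}  selfish revenue={r:.4f}  honest revenue={alpha:.4f}  "
              f"{'selfish wins' if r > alpha else 'honest wins'}")
    print(f"threshold(gamma=0) = {selfish_mining_threshold(0.0):.4f}")

    # Double-spend: confirmations a recipient needs at a 0.1% risk tolerance (assumed).
    risk = 0.001
    for q in (0.10, 0.20, 0.30, 0.40):
        print(f"attacker hashrate q={q:.2f}: require {min_confirmations(q, risk)} confirmations")
```

Running this reproduces the whitepaper's table (5 confirmations at q = 0.10, 24 at q = 0.30, 89 at q = 0.40 for a 0.1% risk) and shows the selfish-mining revenue curve crossing the honest line exactly at α = 1/3 when γ = 0. Note that the Satoshi estimate assumes the attacker mines honestly except for the withheld branch; a pool that also mines selfishly changes the effective hashrate behind the honest chain, which is the sense in which the text says the optimum confirmation calculation is altered.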
However, excepting the genre of surprise attacks which don't destroy the value of the perpetrator’s resource investment¹⁷, attacks such as double-spends employing (even minority) hashrate which stoke fear and degrade confidence aren’t plausible, as Satoshi argued:¹
“If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.”
The exponential or power-law mining distribution indicates a tiny percentage of the miners control a majority of the systemic hashrate. There isn’t likely enough liquidity from shorting the market to recoup the market value of their hardware (guaranteed to be non-zero because their mining equipment is necessarily generating more income than costs); nor is degrading the value of the system congruent with maximizing mining profit. Rented mining hashrate attacks are mathematically viable, but implausible for mining dominated by specialized, non-repurposable* hardware such as SHA-256 ASICs, because the controllers of the majority of the systemic hashrate are disincentivized from renting to those who would attack.³⁵
Whereas for (D)PoS, the stakeholders of exponential or power-law concentration of stake distribution don’t necessarily have any significant asset at risk which has greater liquid value than the liquidity that can be extracted from shorting the market while attacking. However, it is plausible that a scenario might exist for a (D)PoS system where large stakeholders are publicly known to have significant revenue-generating businesses that depend on the confidence in the (D)PoS system, yet these business interests might make them vulnerable to blackmail, such as when Warren Buffett needed various government regulators to approve the licenses for Berkshire Hathaway’s Geico insurance company.
Thus, even though the selfish and/or stubborn mining strategy has a Nash equilibrium both w.r.t. miners and the computation of double-spend probabilities, the selfish and/or stubborn mining strategy is theoretically a power vacuum that returns disproportionately more profit to the perpetrator than his hashrate would otherwise generate; thus if profit is reinvested in mining (and all other factors are not in net countervailing) then it eventually concentrates coordination of more than 50% of hashrate, enabling 51% attacks. So this is an example where Nash equilibrium in mining w.r.t. a particular attack doesn't prevent a deleterious power vacuum due to that attack.
However, an attacker can orphan every block mined by the minority when his hashrate exceeds 50%. This also enables the attacker to optionally censor transactions and monopolize (dictate) the minimum level of transaction fees. That the minority shouldn’t mine at all isn’t a Nash equilibrium if the community can’t prove that such an attack is underway, such as if the attacker has many IP addresses with justifiably slow propagation. Yet if the majority of the network is mining on large pools, then it seems likely the attack would be detectable, except that the majority could control the pools without anyone knowing (a Sybil attack). This is elaborated in the sub-section Invisible Majority Hashrate Attacks.
Per the logic of the aforementioned quote of Satoshi, the rational attacker maximizing his opportunity cost for mining rewards (and other value from attacks) would balance the harm done (higher confirmation delay variance,³⁶ censoring, and higher fees) with the market’s acceptance (even appreciation) of the security “benefit” of a benevolent dictator who never allows double-spends, i.e. the majority might even sign their blocks which are never orphaned. Given that public confidence determines the value of currency,³⁷ the attacker must balance the effects on public confidence. Public confidence can be manipulated.⁴
---
* Thus to the extent that any proof-of-work puzzle can be “ASIC-resistant” on repurposable hardware, it is less secure against hashrate attacks.[redacted]
References
¹ Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. The Cryptography and Cryptography Policy Mailing List at metzdowd.com, Nov 1, 2008.
² Daniel Larimer. Delegated Proof-of-Stake (DPOS). Bitsharestalk.org, Apr 3, 2014. Also Bitcointalk. Current synopsis at Bitshares.org.
[redacted]
⁴ Paul Sztorc. Nothing is Cheaper than Proof of Work. Truthcoin.info blog, §Money and Politics, Aug 4, 2015.
[redacted]
¹⁶ Meni Rosenfeld. Analysis of Hashrate-Based Double Spending. Dec 11, 2012.
¹⁷ Serguei Popov. The tangle. §4.3 Resistance to quantum computations, p. 24, Apr 3, 2016.
¹⁸ Meni Rosenfeld. Analysis of Bitcoin Pooled Mining Reward Systems. Dec 21, 2011.
[redacted]
²³ Ittay Eyal, Emin Gün Sirer. Majority is not Enough: Bitcoin Mining is Vulnerable. Nov 1, 2013.
[redacted]
³⁴ Kartik Nayak, Srijan Kumar, Andrew Miller, Elaine Shi. Stubborn Mining: Generalizing Selfish Mining and Combining with an Eclipse Attack. IEEE Euro S&P 2016, Jan 5, 2016.
³⁵ Shelby Moore III. Rented hashrate attacks are implausible. Bitcointalk.org, “DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?)” thread, post #868, Nov 12, 2016.
³⁶ Kenneth Cole via Paul Sztorc. Long Live Proof-of-Work, Long Live Mining. Truthcoin.info blog, Kenneth Cole’s comment, Aug 4, 2015.
³⁷ Shelby Moore III. Value of currency has historically been public confidence in it as a reliable unit-of-exchange. Bitcointalk.org, “Precious metals are not useful in a collapse scenario!” thread, post #62, Nov 2, 2016.
[redacted]