Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 1610. (Read 4670972 times)

Yes you are right, I had looked a a server layout.

But the point being that even if it is 10%, then you can't include more than 10 copies on the same size die using the same process. Using a cheaper/inferior process, you will be including far fewer than 10 copies.

I make no claim about more qualitative design improvements, cryptographic flaws (though in some cases these might translate to CPU/GPU mining improvements as well as ASIC), etc.. I was simply addressing the "thousands of copies" comment. That approach is not feasible.

Much better. Thanks for the clarification.

I looked at an image of the Haswell die and appears to be less than 20%. The APU (GPU) is taking up more space on the consumer models. On the server models there is no GPU and the cache is probably a higher percentage of the die.


I believe that is wrong. I suspect an ASIC can be designed that vastly outperform (at least on a power efficiency basis) and one of the reasons is the algorithm is so complex, thus it probably has many ways to be optimized with specific circuitry instead of generalized circuitry. My point is isolating a simpler ("enveloped") instruction such as aesinc would be a superior strategy (and embrace USB pluggable ASICs and get them spread out to the consumer).

Also I had noted (find my post in my thread a couple of months ago) that the way the AES is incorrectly employed as a random oracle (as the index to lookup in the memory table), the algorithm is very likely subject to some reduced solution space. This is perhaps Claymore's advantage (I could probably figure it out if I was inclined to spend sufficient time on it).

There is no cryptographic analysis of the hash. It might have impossible images, collisions, etc..

We didn't create it, we inherited it from the CryptoNote reference code. All optimisations we've made to it are public and in master on github.

Claymore has a Win64 AMD *only* miner, locking out all the serious miners who typically use Linux. He has the option to disable the fee:


Over and above that, the most optimised cpuminer-multi is available on Github, and for those mining on Nvidia cards, ccminer-cryptonight is also available on Github. The last one is particularly relevant, as a large portion of GPU miners began moving away from AMD when the GTX 750 ti was released (massive power savings over AMD cards).

Claymores miner has a no fee option and there is also a fee free verison for Nvidia cards as far as I know. It is also limited to windows.

Claymore is not getting "5% of the universe".

Plus if you beleive the botnet line then they arent going to be using Claymores miner.
Plus all the people who are mining on their own hardware (CPU's) are again not paying that 5% fee. Really dont see how you would come to the conclusion that Claymores miner is the equivalent of a 5% premine.

Yeah (I read that before) and Claymore is earning (up to) 5% of all the coins apparently with some proprietary insight. Hmmm. As a programmer, makes you wonder doesn't it.

So Rpietila said he would never invest in a coin with a premine (not even 1% for the core developers?), yet Claymore is taking 5% of the universe?

This should be a how-to-guide take 5% of the universe by releasing some public CryptoNite specification anonymously and pretending to be doing it for noble reasons. Of course this doesn't necessarily implicate the Monero developers, since (if) they didn't create CryptoNite. And this is of course speculation.

(I didn't attempt to learn if Claymore is anonymous?)



Since the 290X is about 2.5x the power TPD as the i7, appears they are roughly at power efficiency parity with perhaps a slight advantage to the CPU, which is roughly equivalent to the observed result for MemoryCoin 2.0's proof-of-work.

However that is a significant disadvantage to all those who run a 32-bit operating system, which is apparently still greater than 50% of all computers:

http://community.spiceworks.com/topic/426628-windows-32-bit-vs-64-bit-market-share

http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers

The L3 cache by itself is almost half of the chip. There is also a 64 bit multiply, which is I'm told is non-trivial. Once you combine that with your observation about Intel having a (likely persistent) process advantage (and also the inherent average unit cost advantage of a widely-used general purpose device), there just isn't much if anything left for an ASIC-maker to to work with.

So no I don't think the point is really valid. You won't be able to get thousands of times anything with a straightforward ASIC design here. There may be back doors though, we don't know. The point about lack of a clear writeup and peer review is valid.


This is obviously going to be true, but the scope of the task here is very different. Thousands of copies will not work.

We have the same issue with the CryptoNight PoW algorithm. To quote the initial CryptoNote whitepaper review we've released:

smooth, his point is still valid in the sense that if L3 cache is implementable on an ASIC then there might be many transistors in the CPU which are not being utilized and in which case the ASIC might in theory be able to pack more hashrate on the same die or decreased cost of hardware for the equivalent hashrate. And it is possible that specific memory use pattern of Monero's proof-of-work hash could be optimized on an ASIC as compared to the use of the generalized L3 cache on the CPU. This would need much more investigation, but realize that caching is a very wide topic, e.g. consider the variable of set-associativity. Be very careful making blanket statements, because the devil is in the details.

Yet my point was that if Intel lithography[1] is at 22nm when the ASICs are at 28 or 40nm (due I assume to Intel's higher economies-of-scale and consequent long-term investment schedule), then in terms of more hashes per watt, Intel might have a potential advantage should they attempt to maximize some instruction, e.g. the aesenc instruction. Such a well enveloped instruction may have much fewer modes of optimization as compared to usage patterns of L3 cache.

Electricity consumption may be the more significant factor, especially if you consider the points I made that if home miners mine at a loss, then ASIC farms would mine at a loss too if the home mining setup is equivalent in power efficiency.

And you've still got all the latent power issues on a CPU with so many things that aren't being utilized but which are still powered on. Intel has been working very much on improving the finer grained power down of unused modules as they realize power consumption is extremely important.

The CPU has an inherent disadvantage in that it is designed to be a general purpose computing device so it can't be as specialized at any one computation as an ASIC can be.

There is much more that has to be investigated and I can find nearly nothing on Monero's proof-of-work hash. No benchmarking. No detailed whitepaper. Nothing but the source code.

[1] Lithography on silicon isn't consistently that small. That progress halted somewhere in the realm of 30nm or so. Other tricks (even 3D transistors) have been employed to give the apparency of what 22nm geometry would provide. Intel has had delays moving to "14nm".

Ah, that's interesting, I wasn't aware. Thanks for explaining!

It isn't documented (other than the source) how the wallet chooses which outputs to use. If you can be sure that it the smaller ones, that would work. But you would still have to be careful not to run out of small outputs, at which point the wallet would happily just go ahead and grab your big 5000 output with no warning at all. A separate wallet would make this safer. But again I expect more streamlined solutions in the future.

Could one also prevent this by making smaller transfers to your wallet - 100, 200 XMR each time in order to build up a large supply of outputs?

Thousands of AES units won't do anything for you. This is not a Bitcoin-style PoW using AES (as a hash function) instead of SHA. Most of the Intel chip is being used for mining. In fact one might surmise (in part of course) that the algorithm was designed by looking at the layout of an Intel CPU and working backwards from there.

You're right in that the AES-NI unit on Intel CPUs will be faster than on any ASIC, but you'll never have thousands of such units on a CPU as you could have on dedicated ASICs.

There can still be some type of privacy issues. For example, let's say you have that 5000 output yourself, and you send 100 XMR to someone. That person will be able to see that you broke up a 5000 output into 100 and 4000+900 (change), so the recipient will know that you have/had 5000.  

In the future I would expect that wallets will optionally do some kind of auto-splitting to avoid this (breaking up the 5000 into smaller pieces -- which will be unlinkable by anyone including the recipient -- before sending the 100). The technology will continue to improve.

For now, if you are interested in extreme privacy you may want multiple wallets (say one for long term storage in larger amounts, one for routine transactions, etc.)

Correct. The numerous unspent ouptuts are "destroyed" and you end up with only one bigger.

No reason for privacy I think, but the obvious usage of several wallets is to have several layers of security. Smartphone, laptop, cold strorage... with increasing amounts on them.

Am I correct to assume that if you are sent 500 XMR that is comprised of many inputs, that once you receive it it is now one input and you will have no problem sending it anywhere?


Obviously there is no need as there is with btc to have multiple wallets in order to not reveal your stash, but are there reasons to have multiple wallets for Monero?  I would feel funny having a large amount in any one place but don't know if that feeling is based on reality.

Because people send xmr to polo by small amounts, so the polo wallet may need a large number of inputs to build the big amount withdrawal. I don't know if there's a limit with monero, for bitcoin I think it is 200 inputs.

Didn't poloniex enabled the transaction auto-split fix by now?

Yeah makes sense.
I was just curious if there was an issue sending tx with large amounts of XMR as that's what Poloniex mods had said a while back, and to send less than 1000 xmr at a time. If they were incorrect, I'm happy

The number of inputs used in a tx depends on the unspent outputs available to you (ie. what's been received and is in your utxoset). A lot of this came from pools sending dust to miners, but that doesn't mean that it couldn't occur if you charged 25 XMR for something, and 200 people bought, and then you wanted to move the 5k XMR somewhere. It would require 200 inputs.

Bitcoin can have similarly large transactions, and that's just fine: https://blockchain.info/tx/574d77eb277974ca1000b154023940c3e366d5bf4dd06b7fe3b0d92eea54e0c7