gmaxwell










Staff, Legendary. Activity: 3178, Merit: 4298
[LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 02:37:50 AM
Last edit: December 06, 2013, 02:53:50 AM by gmaxwell #1

According to reports scrypt ASICs may soon exist, finally completely eliminating this feature distinguishing Litecoin from Bitcoin: at first LTC was supposed to be CPU only but that failed, then GPU only and that's failing.



I never thought much of the goal here, but at least it was a distinction if, IMO, a kinda dumb one. The thing I like least about alts is the lack of distinction and innovation they frequently suffer, and so being another asic mined coin but with different asics seems like such a waste to me.



If the LTC community wanted it could change POW and the practice of being willing to change it would probably be a stronger protection for general purpose hardware than the use of any particularity or set of particular schemes could ever be. Though since (it seems to me) so much of the LTC community is miners the change would have to be to another CPU+GPU friendly one so the existing miners wouldn't be left out.



There are a lot of options here including different POWs already deployed in other ALTs or something novel. What got me musing on this subject was the question of: If I threw out an alt that used ECDSA signature validation as its POW would someone write ultra fast GPU code for ECDSA (which would be very useful in helping to scale node performance, even in Bitcoin)?



I suspect that if LTC doesn't change POW now that the introduction of fixed function hardware will mean that it never can. Perhaps it's already too late, though I don't know: LTC has always advertised itself as being <s>GPU</s> ASIC proof, and a violation of that is an outright bug, which arguably should be fixed no different than if it were possible to mine more than 84 million litecoins.



Such a change could be made mostly seamlessly: a new version released, and a deadline for upgrade, not too unlike the Bitcoin 0.8 hardfork or the nversion=2 blocks. Existing miners could even use coinbase votes (indicating their ability to support the switch in the blocks they mine) to trigger the change so that it could be done in a way which is assured to not exclude too much of the existing hashrate (though, presumably, using a coinbase vote would fail if there are secretly large asic farms already). Miners would need to upgrade software, but they'd just have to update sometime before the switchover, no tricky synchronization would be required.



I wonder what people think of this? Is this the sort of thing that could get near-unanimous consensus in the LTC community?
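Added example, not part of the original post and not Litecoin code: a sketch of the coinbase-vote trigger described above, as a rolling-window count followed by a fixed grace period. The vote tag, the window/threshold defaults (modelled on the 750-of-1000 rule used for Bitcoin's nVersion=2 blocks), the grace period and the sample chains are all assumptions made for illustration.

```python
from collections import deque

# Hypothetical marker a miner would place in its coinbase script to signal
# that it can mine the new proof of work (not a real Litecoin convention).
VOTE_TAG = b"/newpow/"

def signals_support(coinbase_script: bytes) -> bool:
    return VOTE_TAG in coinbase_script

def switch_height(coinbase_scripts, window=1000, threshold=750, grace=2016):
    """Return the height at which the new PoW becomes mandatory, or None.

    Lock-in happens at the first block where at least `threshold` of the
    last `window` blocks carry the vote; the switch takes effect `grace`
    blocks later so that every node has a fixed, shared deadline.
    """
    recent = deque()
    yes = 0
    for height, script in enumerate(coinbase_scripts):
        vote = signals_support(script)
        recent.append(vote)
        yes += vote
        if len(recent) > window:
            yes -= recent.popleft()
        if len(recent) == window and yes >= threshold:
            return height + grace
    return None

def constructed_chain(length, start, voters_per_ten):
    """Constructed sample: from `start` on, `voters_per_ten` of every ten
    blocks are found by miners that vote; the rest stay silent."""
    return [
        b"\x03height" + (VOTE_TAG if h >= start and h % 10 < voters_per_ten else b"")
        for h in range(length)
    ]

if __name__ == "__main__":
    # 80% of blocks vote: the 75% threshold is reached and a deadline is set.
    print(switch_height(constructed_chain(400, 100, 8), window=100, threshold=75, grace=50))
    # 30% of blocks come from silent hardware: the vote never locks in.
    print(switch_height(constructed_chain(400, 100, 7), window=100, threshold=75, grace=50))
```

The vote only measures the share of blocks actually being found, so hashrate that is already mining without signalling blocks the switch, while hashrate that is not yet mining is invisible to it.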


gmaxwell










Staff, Legendary. Activity: 3178, Merit: 4298
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 03:15:39 AM #3

One possibility is just a "minimum change". E.g. changing the number of salsa rounds by a few and tossing an xor between them at some spot or another. It would totally break any fixed function hardware, but would be a 2 LOC change for any cpu/gpu miner. I think something like that would be an unfortunate loss of an opportunity, but it would also keep open the possibility of change in the future by avoiding fixed function hardware.
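Added example, not code from the post or from any miner: a pure-Python scrypt with r = 1, p = 1 in which the Salsa20 round count and one extra xor are parameters, showing how small the "minimum change" described above is in software while still yielding an incompatible function. N = 1024 with the header used as both password and salt follows Litecoin's published parameters, which the thread does not state; the tweak constant, the spot where it is applied and the sample header are arbitrary choices for illustration.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def salsa_core(block, rounds=8, tweak=0):
    """Salsa20 core on one 64-byte block; rounds=8, tweak=0 is scrypt's Salsa20/8."""
    x = list(struct.unpack("<16I", block))
    start = x[:]

    def qr(a, b, c, d):
        x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
        x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
        x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
        x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)

    for i in range(rounds // 2):          # one iteration = column round + row round
        qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11)
        qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14)
        if i == 0:
            x[0] ^= tweak                 # the extra xor "between rounds"; 0 is a no-op
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, start)))

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def block_mix(b, rounds, tweak):
    """scrypt BlockMix for r = 1 (a 128-byte block made of two 64-byte halves)."""
    y0 = salsa_core(_xor(b[64:], b[:64]), rounds, tweak)
    y1 = salsa_core(_xor(y0, b[64:]), rounds, tweak)
    return y0 + y1

def ro_mix(b, n, rounds, tweak):
    v, x = [], b
    for _ in range(n):                    # fill the scratchpad
        v.append(x)
        x = block_mix(x, rounds, tweak)
    for _ in range(n):                    # data-dependent reads from it
        j = struct.unpack_from("<I", x, 64)[0] % n
        x = block_mix(_xor(x, v[j]), rounds, tweak)
    return x

def scrypt_variant(password, salt, n=1024, rounds=8, tweak=0, dklen=32):
    """scrypt with r = 1, p = 1 and a tweakable Salsa20 core."""
    b = hashlib.pbkdf2_hmac("sha256", password, salt, 1, 128)
    b = ro_mix(b, n, rounds, tweak)
    return hashlib.pbkdf2_hmac("sha256", password, b, 1, dklen)

# Constructed 80-byte stand-in for a block header (not real chain data).
SAMPLE_HEADER = bytes(range(80))

def variants(header=SAMPLE_HEADER):
    """Digest of the same header under the stock function and two tweaks."""
    return {
        "stock": scrypt_variant(header, header).hex(),
        "10 rounds": scrypt_variant(header, header, rounds=10).hex(),
        "xor tweak": scrypt_variant(header, header, tweak=0x4C544321).hex(),
    }

if __name__ == "__main__":
    for name, digest in variants().items():
        print(f"{name:10} {digest}")
```

With the defaults the function reproduces standard scrypt, so every validating node would need the same two-parameter change as the miners for the chain to stay in consensus.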

tacotime












Legendary. Activity: 1484, Merit: 1004
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 03:27:36 AM #5

I'm surprised to see you posting this gmaxwell.



A lot of the earlier developing staff saw this coming in 2012 and their response was this: "ASICs are an important means to secure the network and represent that a chain is reaching maturity."



The longer time goes on, the more I see this as true. There will be other coins to fill the gap.



My response now is: no, there's no need to change the algorithm and ASICs should be embraced, when they finally do come out.

gmaxwell










Staff, Legendary. Activity: 3178, Merit: 4298
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 03:36:54 AM #6

> Quote from: tacotime on December 06, 2013, 03:27:36 AM
>
> A lot of the earlier developing staff saw this coming and their response was this: "ASICs are an important means to secure the network and represent that a chain is reaching maturity."

Indeed, I thought LTC's motivations were outright stupid here and what you were 'quoting' there could easily have been me. I still think resisting ASICs is a not very useful goal, but it is a clearly stated goal of the system, and it does serve to distinguish it from Bitcoin.



After working with a number of ASIC makers in Bitcoin space, I have to say that some of the luster has worn off a bit from my prior enthusiasm too, not enough to disagree with my prior position, but enough to say that it was more complicated than I gave it credit for: ATI never raised their prices (usually after recovering NRE from sucker buyers who eat all the risk, even though the asics have no resale value) to the point where it was difficult to make a return on being a miner yourself, ATI never ran huge farms with substantial chunks of the network hashrate, etc. But this is an aside. I don't mean to doom and gloom ASICs: so long as specialized hardware is possible (and it always is) having the honest users using it is good... but LTC sold a Bill of Goods that excluded this stuff, and so ASICs showing up is arguably a bug.


tacotime












Legendary. Activity: 1484, Merit: 1004
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 03:41:20 AM #7

We're not at a time when BTC mining has reached maturity, really. In 6 months the market will be flooded with devices and companies will find themselves in a fierce battle to lower prices and try to outsell their competitors. ASIC manufacturers right now have no idea of the industry that they're seeking to enter, but people who have been involved in the microchip business since the earlier advent of computers are seeing echoes of the past.



I think that repurposing hardware is good for the next big chain, or for finally giving the incentive to complete the primecoin GPU miner, or whatever.

iddo










Sr. Member. Activity: 360, Merit: 250
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 04:22:44 AM #8



tacotime and myself did a few benchmarks with tweaked scrypt params: https://bitcointalk.org/index.php?topic=122256.msg1316383#msg1316383

The creator of scrypt has said that he thinks that scrypt params of Litecoin don't use enough memory (link), probably before he fully considered the tradeoffs between cost-effectiveness of ASIC and verification/propagation of blocks by Litecoin (non-mining) nodes. He later said that for Litecoin the scrypt params may be good, estimating that there would still be a 10x advantage over SHA256 in terms of the cost-effectiveness of ASIC vs general-purpose hardware like GPUs (link).

gmaxwell: regarding whether it will be too late to change the PoW hash function, as you've said in the past, miners exist at the pleasure of the users (link). To take an extreme scenario, this should supposedly/hopefully mean that if say 90% of the mining power (i.e. ASIC miners) and 10% of the users decide to follow certain protocol rules while 10% of the mining power (i.e. non-ASIC miners) and 90% of the users decide to follow different protocol rules, then the fork with 90% of the users should win. But such scenarios are vague and no one can predict the future, Bitcoin could also have such conflicts with ASIC owners who e.g. wish to change the block size limit to gain higher fees, or other scenarios that we can try to come up with...

I think that doing more scrypt benchmarks with the purpose of trying to see which scrypt params give the best tradeoffs is a good idea, coblee & warren what do you think?

gmaxwell, do you have an educated guess regarding which scrypt params should offer the best tradeoff between making ASIC less cost-effective and fast enough validation/propagation of blocks by regular nodes?

CoinHoarder










Legendary. Activity: 1456, Merit: 1025
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 04:45:05 AM #11

> Quote from: Palmdetroit on December 06, 2013, 04:42:04 AM
>
> > Quote from: CoinHoarder on December 06, 2013, 04:38:47 AM
> >
> > My vote is on NO.
> >
> > For the most secure network possible, ASICs are needed. Nothing is ASIC proof, changing the PoW is just delaying the inevitable. ASICs will come to Litecoin if they are economically feasible, no matter what PoW is implemented.
> >
> > Not to mention the electricity that will be saved is a good thing for planet Earth!
> >
> > GPUs are incredibly inefficient compared to ASICs and waste a lot of electricity.
>
> If ASIC uses 1% of the electricity as a gpu people will just use 100 times as many... saves nothing.
>
> now PoS could be a solution to the resources thing.

You have a point. PoS is the only solution to energy savings thus far I agree. I will retract the statement about energy efficiency.

I think my first point though is very valid.

gmaxwell










Staff, Legendary. Activity: 3178, Merit: 4298
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 05:07:51 AM #12

> Quote from: CoinHoarder on December 06, 2013, 04:38:47 AM
>
> Nothing is ASIC proof,

A point I've argued many times. But in hindsight I was somewhat wrong. No finite collection of fixed algorithms (even a large set) can be ASIC proof (in fact, large sets probably just lead to ASIC monopolies due to higher NRE). But if you change the POW periodically in ways which aren't predictable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness. There is just the question of the costs of periodic changes being worth the benefits, and what cadence is required to make investment unwise.

iddo










Sr. Member. Activity: 360, Merit: 250
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 05:12:27 AM
Last edit: December 06, 2013, 05:24:41 AM by iddo #13

> Quote from: gmaxwell on December 06, 2013, 05:07:51 AM
>
> > Quote from: CoinHoarder on December 06, 2013, 04:38:47 AM
> >
> > Nothing is ASIC proof,
>
> A point I've argued many times. But in hindsight I was somewhat wrong. No finite collection of fixed algorithms (even a large set) can be ASIC proof (in fact, large sets probably just lead to ASIC monopolies due to higher NRE). But if you change the POW periodically in ways which aren't predictable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness. There is just the question of the costs of periodic changes being worth the benefits, and what cadence is required to make investment unwise.

Hmm continuously select the params of the PoW hash function deterministically according to pseudorandom bits of future blocks? Interesting idea...

Edit: I think that maybe the idea is that if ASIC miners have a large fraction of the current hashpower, and they try to control the pseudorandom bits that will decide the next PoW params, then they will have a disadvantage in the competition against other miners because they'll have to re-solve blocks multiple times until they get params that they prefer?

CoinHoarder










Legendary. Activity: 1456, Merit: 1025
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 05:31:29 AM
Last edit: December 06, 2013, 05:47:36 AM by CoinHoarder #14

Also.. any poll held on this is going to be pretty biased IMO because of the number of GPU miners that frequent this subforum. Of course most of them will vote Yes.

As far as a PoW that will be more ASIC resistant. What about Momentum PoW.. what Protoshares is using: http://invictus-innovations.com/s/MomentumProofOfWork.pdf

EDIT: After thinking about it for a bit, the Momentum PoW would not work as it would effectively cut out current GPU miners. Any change of the PoW must allow everyone that is already participating in mining Litecoin to continue to do so.

I admit gmaxwell, there may very well be a way to make a coin ASIC proof, but I'm not really sure how it could be done.

mufa23










Legendary. Activity: 1022, Merit: 1001
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 06:06:10 AM #16

NO



Changing it will deter the price dramatically, and you will have a lot of people leaving Litecoin (including myself). Nobody wants to invest in something if the rules are just going to be changed later. Change is inevitable. Sure go ahead and modify the code. Someone somewhere will figure something out eventually and you will be doing the same thing all over again.



It's a slippery slope, and you're opening a whole new can of worms.



(and I am a GPU Litecoin Miner)

rph










Full Member. Activity: 176, Merit: 100
Re: [LTC] Changing the litecoin Proof of Work function to avoid ASIC mining? December 06, 2013, 06:18:50 AM #17

> Quote from: gmaxwell on December 06, 2013, 05:07:51 AM
>
> But if you change the POW periodically in ways which aren't predictable months in advance, and in ways that can't just be generalized with anything more specialized than general purpose consumer hardware... then I do think you would actually have achieved a fairly high degree of asic-proof-ness.



In practice that just means the optimal mining technology will be the world's best FPGA, instead of the world's best fixed-function ASIC.

Unless you're capable of creating a substantially different POW function every couple days to defeat skilled, well-funded, and persistent FPGA designers (and C-to-RTL synthesis tools)...



Anyway, I believe it's morally wrong to change the POW 2+ years after launching a coin, if you did not at least mention that possibility when creating it. You would destroy many hundreds of thousands of dollars invested in the "evil" ASIC(s) which, in the long run, will make all cryptocurrencies less secure by encouraging private, secret, centralized ASIC development. And then there's the whole slippery slope aspect - if we can change the POW, what else can we change? How about we increase the block reward 10X so I can haz moar coinz plzz, at the expense of savers?



A significant advantage of existing cryptocurrencies is that the key attributes were made fully public up front, held constant, and not politically revised by any party (so far). If you start making up the rules as you go along, you've just created a less centralized & possibly more democratic, but still politically manipulable, imitation of a Central Bank and fiat currency. Maybe there is demand for that, maybe not, but if you want that, you should at least have the decency to launch it as a new coin, rather than corrupting an existing one.



-rph