ASICs and Governance

Thought I’d spin off a more durable discussion here from Gitter, as it’s a topic that many should be interested in. It’s also a good first governance-related topic. Warning: it’s a long read.

The news that influence this discussion is the release by Bitmain of Ethash (Ethereum), Cryptonight (Monero) and Equihash (Zcash) miners. The fact they’re announced around the same time may not be coincidental. It could be a marketing strategy, or it could be that bitmain has become a lot better at producing ASICs for less classic algos.

Moving on to Cucko Cycle, it’s unclear how much more (or less) ASIC-resistant the algo is. If the ultimate bottleneck is really memory latency and/or bandwidth, ASICs would only provide minimal advantages (because you hit DRAM speed limits, which is the same everywhere). But we haven’t reached a level of optimization of the mining software that would corroborate this claim yet. So the best we could hope for regarding Cuckoo Cycle ASIC resistance is that ASICs would provide less of a speedup compared to other algos, and would possible be more expensive. Especially if we move up cycle size from Cuckoo30 to 31 and 32 in the future.

Also, while the strengths of PoW and how ASICs are the best outcome in an ideal market are good to discuss, that’s already been done. I’m much more interested in discussing the impact in the current market and its realities.

I would propose assessing a given proof-of-work mining ecosystem using only these 2 criteria:

1. Does it provide enough security to the chain against a 51% attack?
2. Is it decentralized enough to provide a good level of censorship resistance?

ASICs in theory improve on the first criteria, coming close to optimal efficiency and are neutral on the second. So for that reason and the fact that they’re technically better, I’d generally prefer ASICs to mine.

But practically, the current ASIC market is disastrous for decentralization and censorship resistance and shows no sign of evolving in the right direction. Bitmain’s business practices have made them very successful, they’ve repeatedly shown they could outcompete other manufacturers and even kill new entrants, and that over multiple years. They’ve also shown they were not afraid to enter into dubious agreements with their clients. Proof of work security is very sensitive to cartels (that’s a technical statement btw, not a moral one). So I’m not optimistic the market will “work it out”, at least in the short and medium terms.

Cryptocurrency communities have reacted in different ways:

• Monero has pledged to keep ASIC resistance and hard fork when needed (helps that they hard fork every 6 months regardless).
• Zcash seems to be taking a wait-and-see approach for now.
• Ethereum is moving toward proof of stake regardless, and the ASIC efficiency gain seems lesser on Ethash, so they seem to be fine.
• Honey badger don’t care.

So what should we do? I’ll write down a couple additional thoughts before jumping to my own take:

• Maintaining ASIC resistance in the long term is futile. No matter what, ASICs can be built and will have at least some additional efficiency gains, even if minimal. As the overall market size increases, building new ASICs gets more affordable.
• Being overtly ready to hard fork every time, in the long term, is a bad strategy. You’re signing up either for people developing ASICs secretely to avoid the next fork, or getting forced to hard fork in random ways very regularly “just in case”.
• GPU mining isn’t necessarily doomed. Many people have purchased GPUs for other reasons (like Call of Duty), so as long as the efficiency is still reasonable, they can compete with professional miners because their equipment is a sunk cost.
• “Young coins” like us are much more sensitive to these pressures because both the mining ecosystem and the market are still small. So we need to start with as high a bar as possible in terms of censorship resistance. Not to mention that Grin is privacy centric, so censorship resistance is very important to us.

I think we’re trying to protect ourselves for the short to mid term. There’s only so much we can do anyway and we have to hope the market will, eventually, work this out. So here are 2 strategies that I could see myself supporting (until someone comes up with better):

1. Wait and see until we’re fully ready for mainnet and do not promise anything either way. This is the most comfortable for us developers, but the least for our community. So I wouldn’t want to keep that approach past mainnet.
2. Maintain ASIC resistance for the first 2 years. This duration makes sense because we have already planned hard forks and should give enough time for at least our market to mature. We could do this by increasing graph size and possibly tweaking cycle lengths if necessary.

What are your thoughts?

Is it just me or is this a very sudden change to what you guys were saying just a few months ago? Did my arguments have an effect or did this come from elsewhere?

I would suggest two things:

1. a featherforking “attack” in favor of non-censorship should be included in the base software, if your worried about censorship resistance it should be from that sort of angle first; I think a simple rule should be “blocks should contain most complex transactions(50+ inputs and outputs) I have seen”. So if the pure atomic transactions are being seen by 3 letter agency the market can automatically fight back.

2. The mining reward needs to be part of discussions on the asic-races; with a reminder that 25btc era had straight up criminal practices. I believe that is in part to the large amount of money available on the table. The 1000x speed ups at the time weren’t helping but the reward is one of the factors. Available speed up X reward = shithead incentive?

I do consider GPU mining ultimately doomed. When mining a PoW that’s bottlenecked by memory, a GPU will still use a large fraction of its power in its computing cores (Streaming Multiprocessors on NVIDIA) juggling threads, decoding instructions, and what not. An ASIC hooked up to the same memory chips will avoid nearly all this power and just use power for moving memory around. This gives it a large improvement in efficiency, which should make GPUs unprofitable.

There is one possibility where GPUs could remain somewhat competitive, and that is one I’m actually hoping for: in theory a GPU could include an accelerator for a specific PoW that would re-use the GPUs memory resources but put all remaining, unneeded, GPU circuitry in some sort of sleep mode. But this hinges on several other requirements as well. E.g. if lean mining turns out to be the preferred ASIC approach, then the GPU may need to have access to a generous amount of external SRAM.

Increasing graph size whenever possible is good to reduce the risk of single chip (and memory bottleneck avoiding) ASICs becoming economically feasible. We should be willing to do that even after 2 years. At least such changes could be considered integral to the design and not
particularly controversial.

Changing cycle length should have no effect on ASICs as (barring any algorithmic breakthroughs) they should be focussing on edge trimming, and the cycle finding can be done in a post-processing phase that’s offloaded to a CPU, just as it is in the current GPU solvers.

How about influencing asic development in the direction of open hardware?

Thank you for taking the time to write this, Igno. What precisely is the potential censorship you are referring to?

Regarding mining in general, I am under the impression that hardware costs are much more homogeneous globally (and maybe also affected by economics of scale to a lesser degree) than electricity costs, and that decentralization (and adoption, FWIW) would hence increase with the ratio of hardware cost to electricity cost. Comparing the Antminer for SHA-256 with the one for Equihash, the ratio for the latter is much higher. I am far from an expert; perhaps this is temporary and all algorithms will more or less reach the same ratio after enough optimization, but if that is not the case it seems rather clear to me that we should strive towards using algorithms that require higher hardware cost. Maybe this is simply equivalent to the fairly common sentiment of “The efficiency of ASICs should be as close as theoretically possible to that of GPUs”—again, I don’t know.

The big threat of censorship is nation states deciding that crypto needs to follow their laws,

Rough layout of how such a attack would work

1. heavy regulation of extanages, kyc shit is 100% mandatory on all entrances and services like localbitcoins dies from impossible to comply with regulation, and its all anonymous services are black markets and illegal enough that its rare to use

2. a big muli-coin and kyc database is created, following all the coins, even thru mixing and shapeshift like services; with a high enough success rate most people can’t break out of their watchful eye

3. they begin mining more popular coins and release software that will only accept whitelisted coins that have names attached to them, making it mandatory to use such software at least locally at first, likely worldwide later. U.n. or at least america, eu and china coming to together

4. coins that actively suppress this start to be attacked, mainstream exchanges start to remove them to avoid legalese nonsense

5. the pretence of letting “evil economic terrorist coins” go on gone and they start trying to break it all by any means necessary including hash rate attacks ran at a lost

Its only at step 5 where I believe any concerns about privacy start to show up with this tech but such a future is a possibility, I don’t think the state will let its control of money go easily

In general the situation around ASIC resistance reminds me “machines will steal our jobs”, see Luddites [1]. It’s well described in the chapter 7 of Economics in One Lesson [2]:

THE CURSE OF MACHINERY
AMONG THE MOST viable of all economic delusions is the belief that machines on net balance create unemployment. Destroyed a thousand times, it has risen a thousand times out of its own ashes as hardy and vigorous as ever.
…
Arkwright invented his cotton-spinning machinery in 1760. … Yet in 1787—twenty-seven years after the invention appeared—a parliamentary inquiry showed that the number of persons actually engaged in the spinning and weaving of cotton had risen from 7,900 to 320,000, an increase of 4,400 percent.
…
By 1961 there was no sign that the fallacy had died. Not only union leaders but government officials talked solemnly of “automation” as a major cause of unemployment.

Hazlitt was writing about unemployment, but I think it’s equally applicable to any fears. I’m sure that wide adoption of asics will improve security of networks, decentralisation and censorship resistance. So I’m with Igno when he describes his long-term position.

I’m not sure that “young coins” need to protect themselves for the short to mid term. Exactly because “both the mining ecosystem and the market are still small”. ASIC design and production costs a lot, it is justified only for big markets (this my naive understanding of economy of scale and mining industry, could be completely wrong).

I agree that “the current ASIC market is disastrous” but we don’t help by demonizing it, adoption will drive free market forces and as result we will get reasonable prices and amazon’s same day delivery.

[1] Luddite - Wikipedia
[2] Henry Hazlitt, Economics in One Lesson - Wikipedia

Anything that is profitable to mine will attract professional miners (aka, the Bitmains of the world) to develop specialized ASICs. It’s inevitable. However, if there’s a way to prevent a 8X ASIC improvement vs GPU - for example reduce it to 2X - then there’s still a possibility for the common man/woman to mine using GPUs. To Igno’s point, for the 2.2B gamers in the world, GPU hardware is a sunk cost. As long as it’s more profitable to run a mining algorithm on a GPU than the cost of electricity, it’s still reasonable to achieve mining decentralization… as long as ASICs can be kept to a marginal, rather than runaway improvement over GPUs. I believe that’s a good goal to strive for.

8X

2X

That’s not even close to the scale of improvement asics offer.

https://en.bitcoin.it/wiki/Mining_hardware_comparison

https://en.bitcoin.it/wiki/Non-specialized_hardware_comparison

My vote is against hard forks to prevent ASICS.

Make the algorithm difficult to delay the building of them (12-24months) but eventually, well spread ASICS (as the entire industry matures) secure the network better IMO.

Thought I’d clarify what I meant a bit and reply to a few questions/issues.

@chri2 I’d be glad to push for open hardware. Practically this is difficult, but we could place bounties in that direction once we have the means to do that.

@MerlinsBeard I mean censhorship in the wider possible sense. A country forbidding Grin outright, but also regulatory pressure (like Japan forcing exchanges to drop Monero and Zcash), mining cartels trying to kill forks they don’t approve of, online mobs trying to silence opinions they dislike, nodes that are too expensive to be run from Africa, etc. Censorship resistance is the most important attribute of a blockchain that differentiates it from ebay. A lot of what you’ve learnt to like about cryptocurrencies is a consequence of their censorship resistance.

@monkyyy my 2X and 8X referred to the numbers for ethash and equihash, Cuckoo Cycle is closer to those than to SHA256.

Otherwise thanks to everyone in this thread for explaining your position.

If we’d like to do that (I would support it - though I can only add little) there could be a campaign to collect some money for a first bounty.

Well, we’d have to define the goal first.

@tromp wrote in another thread that he’d thought along that line already, too.

My opinion would be the earliear we’d start the higher the chance that valid approaches will be licensed ‘open source’ before they can be used by the big players (and maybe even protected).

Fwiw I agree with both the theoretical rationale and the practical assessment, they make a lot of sense to me.

What is gained by doing the opposite, i.e. agreeing on an approach ahead of mainnet and committing to it? As far as I can see, while the community might benefit a bit from certainty, those who would stand to benefit the most would be miners. The bigger the operation, the more to benefit, as they get more time to test and prepare ahead of time. Though I’m not a miner, I would expect smaller mom & pop mining operations to be able to adapt and/or understand why dev team would want to remain non-commitant and mysterious about some of the decisions until mainnet launch. From my point of view, it seems best for the community to not promise anything and seek to do what’s possible to give as even as possible playing field for Mainnet Day 1. After that, it will be survival of the fittest no matter what, I suppose.

What is to be gained by announcing this intention ahead of time? Doesn’t this just give any ASIC mfg teams heads up to think about more hardfork-resistant designs? To phrase my question differently, what is lost by taking a public stance of “We’ll deal with issues as they arise, our priorities are censorship resistance and minimising 51% attack risk. All options are on the table, including nuclear.”

The bigger the operation, the more to benefit, as they get more time to test and prepare ahead of time. Though I’m not a miner, I would expect smaller mom & pop mining operations to be able to adapt and/or understand

From my understanding, it’s the opposite. Professional mining operations need to be very reactive and can make a lot of money doing so. So all their processes are a lot more optimized, from supply chain to faster chip designs or better software management.

From my understanding, it’s the opposite. Professional mining operations need to be very reactive and can make a lot of money doing so. So all their processes are a lot more optimized, from supply chain to faster chip designs or better software management.

So basically by locking down and announcing an approach well ahead of mainnet allows for more decentralization on day one as it evens the playing field and allows those with lesser resources to prepare better? And the edge pro miners have is lessened? If that’s case, that seems like a strong argument in favour of that approach.

I know I am a bit late to the party but I think it’s important to discuss some of the assumptions in this argument and offer up alternatives.

First off I want to discuss this:

Also, while the strengths of PoW and how ASICs are the best outcome in an ideal market are good to discuss, that’s already been done.

No offense to the writer, but this paper embodies some of the most widely held and least well thought out views I tend to see around ASICs. The fact that the centralization of mining is an economic phenomenon and not a physical one seems all too often lost in the debate and the Crypto community as a whole. Using physics to argue the matter claiming that ASICs provide an incentive to decentralize the production due to heat dissipation etc is incredibly out of touch with the issue at hand and can not go unquestioned.

The physics are entirely disconnected from the threat of a 51% attack, such an attack would not be coming from 51% of the mining power being located physically in the same location, rather it would come from 51% of the mining power being controlled by the same economic actor. Such an actor could have mining power located all over the cosmos for all it matters and I am sure would not centralize their operations as this would increase their risks tremendously.

So let us go on to discuss the

current market and its realities.

I would propose assessing a given proof-of-work mining ecosystem using only these 2 criteria:

1. Does it provide enough security to the chain against a 51% attack?
2. Is it decentralized enough to provide a good level of censorship resistance?

This is a decent criteria, though I think that we should add:

3. Does it provide the lowest possible barrier to entry for new entrants into the ecosystem

As I think that the distributive power of mining is one of it’s biggest benefits, allowing anyone in any country to participate in the network and thus incentivizing them to participate and improve it.

ASICs in theory improve on the first criteria, coming close to optimal efficiency and are neutral on the second. So for that reason and the fact that they’re technically better, I’d generally prefer ASICs to mine.

But both of these claims are fundamentally flawed.

1. ASICs provide an economic incentive for those who are threatened by the network to produce them
2. ASICs reduce the economic cost of conducting a 51% attack on the network vs ASIC

By being application specific ASICs provide an economic incentive only to those who have an economic stake in the application. Thus economic actors who are threatened by the application would have an incentive to develop ASICs at even below market returns. This means that ASICs don’t provide either security from a 51% attack nor censorship resistance, as who any entity threatened by the network has an incentive to attack it and even to cooperate with other such threatened actors to do so. In addition, using ASICs to attack a network has a much lower economic cost than using general purpose equipment as the opportunity costs associated with the hardware are vastly lower than they would be for general purpose hardware.

ASIC resistance provides the following improvements:

1. Reduces the economic cost of securing the network for non-hostile actors
2. Increases the economic cost of attacking the network for hostile actors
3. Reduces the barriers to entry and decentralizes the participants in the network

Since general purpose hardware has many uses, it allows actors who are not solely interested in the application to dedicate a portion of their hardware time towards securing the network at little to no cost. In addition, it means that any hostile actor producing more efficient hardware has a much higher opportunity cost as their use of such hardware to attack the network must compete with many other applications. And finally it being able to use general purpose hardware vastly reduces barriers to entry into the network as even a hostile government can not centralize general purpose hardware without a huge economic cost.

Reduces the economic cost of securing the network for non-hostile actors

Economic costs approach whatever reward is on the table; with or without asics

Increases the economic cost of attacking the network for hostile actors

I strongly disagree; we do not live in a single coin system or with unknown attackers.

The asics being better for specific coins means the state has to buy hardware for every asic coin, while a gpu botnet can swap hashrate attack targets randomly to keep such systems unstable for far cheaper. A diversity of strong asic’s coins would be ideal in such a case.

Not all attacks will be profitable, negative sum games are perfectly acceptable for that one enemy.

Reduces the economic cost of securing the network for non-hostile actors

Economic costs approach whatever reward is on the table; with or without asics

Not quite true. The economic costs can vary significantly due to barriers to entry.

The asics being better for specific coins means the state has to buy hardware for every asic coin, while a gpu botnet can swap hashrate attack targets randomly to keep such systems unstable for far cheaper. A diversity of strong asic’s coins would be ideal in such a case.

This is a very good point, however there are a number of problems.
First off, all this means is that it is hard for large hostile actors to attack multiple ASIC coins but it’s still easier for them to attack a single ASIC coin than it is for them to attack a single general compute coin.

Secondly, since ASICs are application specific, a government or similar entity could restrict access to any and potentially every ASIC, associated with any coin they were threatened by, with minimal economic consequences to their people. The same can not be said about general compute.

Not all attacks will be profitable, negative sum games are perfectly acceptable for that one enemy.

I don’t quite understand what you mean here, could you expand on this?

a government or similar entity could restrict access to any and potentially every ASIC

I strongly disagree. The drug war failed to stop consumable resources; capital that generates clean dark money with a resource that’s everywhere in modern society; no.

I don’t quite understand what you mean here, could you expand on this?

The state is capable of total war with an insane populous that will worship them for endangering their lives; ww2 was less than a century ago. The standard arguments for security thru assuming rational actors don’t necessarily hold up. It needs to be safe from irrational actors as well.

Asic’s are a proof of work from a self-selected specific demographic, such self-selection includes long term planning which I believe excludes the force-of-nature-like state that I believe is necessary for total war.

Hurricanes win vs houses more then they do humans. Stealing all the computers in an area I believe is easier for a state then actually stealing specific computers by a demographic of heavy invested individuals who would actually try to avoid it.

Thought I would give my opinion here for the record.

Few months ago, I would have say that we should maintain “ASIC resistance” by changing the Cuckoo Cycle parameters regularly. However, after reading the medium blog post from Sia, it looks like the game is really different from what I thought.
My takes are the following:

• We should already assume that ASICs are currently being researched and maybe manufactured.
• Since the choice for cuckoo30 is known since several months, we could expect secret ASICs mining on Day 1. Which makes me wonder if we should announce a parameter change before mainnet launch.
• By announcing our strategy regarding fork ahead of time, we give mining manufacturer potential R&D insights. It might help the big manufacturers who will be able to adapt and/or design custom ASICs capable of surviving hard forks every six months.
• As @igno.peverell said, maintaining ASIC resistance in the long term is futile.
• However, we can try to slow the development of ASICs by making them not so efficient. By saying that we will fork every 6 months to change the cuckoo cycle parameters, manufacturers will be force to make ASIC that can handle such changes which might be potentially less efficient compared to GPUs.

An open hardware design might be the best long term solution.