* [bitcoin-dev] Properties of an ideal PoW algorithm & implementation [not found] ` <CAAt2M1-kpQyK2bQyHM=vy2oor75m30frHLGk_phPs10gLsH14A@mail.gmail.com> @ 2017-04-18 10:34 ` Natanael 2017-04-18 19:14 ` praxeology_guy ` (2 more replies) 0 siblings, 3 replies; 4+ messages in thread From: Natanael @ 2017-04-18 10:34 UTC (permalink / raw) To: Erik Aronesty; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 4777 bytes --] To expand on this below; Den 18 apr. 2017 00:34 skrev "Natanael" <natanael.l@gmail.com>: IMHO the best option if we change PoW is an algorithm that's moderately processing heavy (we still need reasonably fast verification) and which resists partial state reuse (not fast or fully "linear" in processing like SHA256) just for the sake of invalidating asicboost style attacks, and it should also have an existing reference implementation for hardware that's provably close in performance to the theoretical ideal implementation of the algorithm (in other words, one where we know there's no hidden optimizations). [...] The competition would mostly be about packing similar gate designs closely and energy efficiency. (Now that I think about it, the proof MAY have to consider energy use too, as a larger and slower but more efficient chip still is competitive in mining...) What matters for miners in terms of cost is primarily (correctly computed) hashes per joule (watt-seconds). The most direct proxy for this in terms of algorithm execution is the number of transistor (gate) activations per computed hash (PoW unit). To prove that an implementation is near optimal, you would show there's a minimum number of necessary transistor activations per computed hash, and that your implementation is within a reasonable range of that number. We also need to show that for a practical implementation you can't reuse much internal state (easiest way is "whitening" the block header, pre-hashing or having a slow hash with an initial whitening step of its own). This is to kill any ASICBOOST type optimization. Performance should be constant, not linear relative to input size. The PoW step should always be the most expensive part of creating a complete block candidate! Otherwise it loses part of its meaning. It should however still also be reasonably easy to verify. Given that there's already PoW ASIC optimizations since years back that use deliberately lossy hash computations just because those circuits can run faster (X% of hashes are computed wrong, but you get Y% more computed hashes in return which exceeds the error rate), any proof of an implementation being near optimal (for mining) must also consider the possibility of implementations of a design that deliberately allows errors just to reduce the total count of transistor activations per N amount of computed hashes. Yes, that means the reference implementation is allowed to be lossy. So for a reasonably large N (number of computed hashes, to take batch processing into consideration), the proof would show that there's a specific ratio for a minimum number of average gate activations per correctly computed hash, a smallest ratio = X number of gate activations / (N * success rate) across all possible implementations of the algorithm. And you'd show your implementation is close to that ratio. It would also have to consider a reasonable range of time-memory tradeoffs including the potential of precomputation. Hopefully we could implement an algorithm that effectively makes such precomputation meaningless by making the potential gain insignificant for any reasonable ASIC chip size and amount of precomputation resources. A summary of important mining PoW algorithm properties; * Constant verification speed, reasonably fast even on slow hardware * As explained above, still slow / expensive enough to dominate the costs of block candidate creation * Difficulty must be easy to adjust (no problem for simple hash-style algorithms like today) * Cryptographic strength, something like preimage resistance (the algorithm can't allow forcing a particular output, the chance must not be better than random within any achievable computational bounds) * As explained above, no hidden shortcuts. Everybody has equal knowledge. * Predictable and close to constant PoW computation performance, and not linear in performance relative to input size the way SHA256 is (lossy implementations will always make it not-quite-constant) * As explained above, no significant reusable state or other reusable work (killing ASICBOOST) * As explained above, no meaningful precomputation possible. No unfair headstarts. * Should only rely on just transistors for implementation, shouldn't rely on memory or other components due to unknowable future engineering results and changes in cost * Reasonably compact implementation, measured in memory use, CPU load and similar metrics * Reasonably small inputs and outputs (in line with regular hashes) * All mining PoW should be "embarrassingly parallel" (highly parallellizable) with minimal or no gain from batch computation, performance scaling should be linear with increased chip size & cycle speed. What else is there? Did I miss anything important? [-- Attachment #2: Type: text/html, Size: 6450 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bitcoin-dev] Properties of an ideal PoW algorithm & implementation 2017-04-18 10:34 ` [bitcoin-dev] Properties of an ideal PoW algorithm & implementation Natanael @ 2017-04-18 19:14 ` praxeology_guy 2017-04-19 11:08 ` Tim Ruffing 2017-04-19 17:43 ` Bram Cohen 2 siblings, 0 replies; 4+ messages in thread From: praxeology_guy @ 2017-04-18 19:14 UTC (permalink / raw) To: Natanael; +Cc: Bitcoin Dev, Erik Aronesty [-- Attachment #1: Type: text/plain, Size: 2561 bytes --] Natanael, === Metal Layers === One factor in chip cost other than transistor count is the number of layers required to route all the interconnects in the desired die area constraint. The need for fewer layers can result in less patent-able costs of layering technology. Fewer layers are quicker and easier to manufacture. I'm not an expert in the field, and I can't vouch for the validity of the entirety of the paper, but this paper discusses various factors that impact chip cost design. http://www.cse.psu.edu/~juz138/files/3d-cost-tcad10.pdf === Early nonce mixing, Variable Length Input with Near Constant Work === To minimize asicboost like optimizations... the entirety of the input should be mixed with the nonce data ASAP. For example with Bitcoin as it is now, the 80 byte block header doesn't fully fit in one 64 byte SHA256 input block. This results in a 2nd SHA256 block input that only has 4 bytes of nonce and the rest constant that are mixed much later than the rest of the input... which allows for unexpected optimizations. Solution: A hash algorithm that could have more linear computation time vs input size would be a 2 stage algorithm: 1. 1st stage Merkle tree hash to pre-lossy-mix-compress the variable length input stream to the size of the 2nd stage state vector. Each bit of input should have about equal influence on each of the output bits. (Minimize information loss, maximize mixed-ness). 2. Multi-round mixing of the 2nd stage, where this stage is significantly more work than the 1st stage. This is somewhat done already in Bitcoin by the PoW doing SHA256 twice in serial. The first time is pretty much the merkle tree hash (a node with two children), and then the second time is the mult-round mixing. If the Bitcoin PoW did SHA256 three or four times or more, then asicboost like optimizations would have less of an effect. In actual hardware, assuming a particular input length for the design can result in a significantly more optimized design than creating hardware that can handle a variable length input. So your design goal of "not linear in performance relative to input size" to me seems to be a hard one to attain... in practical, to support very large input sizes in a constant work fashion requires a trade off between memory/parallelization and die space. I think it would be better to make an assumption about the block header size, such as that it is exactly 80 bytes, or, at least something reasonable like the hardware should be able to support a block header size <= 128 bytes. Cheers, Praxeology Guy [-- Attachment #2: Type: text/html, Size: 3023 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bitcoin-dev] Properties of an ideal PoW algorithm & implementation 2017-04-18 10:34 ` [bitcoin-dev] Properties of an ideal PoW algorithm & implementation Natanael 2017-04-18 19:14 ` praxeology_guy @ 2017-04-19 11:08 ` Tim Ruffing 2017-04-19 17:43 ` Bram Cohen 2 siblings, 0 replies; 4+ messages in thread From: Tim Ruffing @ 2017-04-19 11:08 UTC (permalink / raw) To: bitcoin-dev On Tue, 2017-04-18 at 12:34 +0200, Natanael via bitcoin-dev wrote: > To prove that an implementation is near optimal, you would show > there's a minimum number of necessary transistor activations per > computed hash, and that your implementation is within a reasonable > range of that number. I'm not an expert on lower bounds of algorithms but I think proving such properties is basically out of reach for mankind currently. > > We also need to show that for a practical implementation you can't > reuse much internal state (easiest way is "whitening" the block > header, pre-hashing or having a slow hash with an initial whitening > step of its own). This is to kill any ASICBOOST type optimization. > Performance should be constant, not linear relative to input size. Yes, a reasonable thing in practice seems to use a slower hash function (or just iterating the hash function many times), see also this thread: https://twitter.com/Ethan_Heilman/status/850015029189644288 . PoW verification will still be fast enough. That's not the bottleneck of block verification anyway. Also, I don't agree that a PoW function should not rely on memory. Memory-hard functions are the best we have currently. Tim ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bitcoin-dev] Properties of an ideal PoW algorithm & implementation 2017-04-18 10:34 ` [bitcoin-dev] Properties of an ideal PoW algorithm & implementation Natanael 2017-04-18 19:14 ` praxeology_guy 2017-04-19 11:08 ` Tim Ruffing @ 2017-04-19 17:43 ` Bram Cohen 2 siblings, 0 replies; 4+ messages in thread From: Bram Cohen @ 2017-04-19 17:43 UTC (permalink / raw) To: Natanael; +Cc: Bitcoin Dev, Erik Aronesty [-- Attachment #1: Type: text/plain, Size: 1124 bytes --] Repeatedly hashing to make it so that lossy implementations just fail sounds like a great idea. Also relying on a single crypto primitive which is as simple as possible is also a great idea, and specifically using blake2b is conservative because not only is it simple but its block size is larger than the amount of data being hashed so asicboost-style attacks don't apply at all and the logic of multiple blocks doesn't have to be built. Memory hard functions are a valiant effort and are holding up better than expected but the problem is that when they fail they fail catastrophically, immediately going from running on completely commodity hardware to only running on hardware from the one vendor who's pulled off the feat of making it work. My guess is it's only a matter of time until that happens. So the best PoW function we know of today, assuming that you're trying to make mining hardware as commodity as possible, is to repeatedly hash using blake2b ten or maybe a hundred times. Mind you, I still think hard forking the PoW function is a very bad idea, but if you were to do it, that would be the way to go. [-- Attachment #2: Type: text/html, Size: 1391 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-04-19 17:43 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <CAAt2M19QK9cZShOf16UmRz6me9+h_FvjaSCcq_T6aaabX_qpKg@mail.gmail.com> [not found] ` <CAAt2M1_Eo9F+mH851GQLhCR+nAsBNrfYJeYkuHmW=Jz335Z0ZA@mail.gmail.com> [not found] ` <CAAt2M19VuJ9iEZCvdC3OtpJkMVM8kAB2NRSFqmt2zNREOYAMaA@mail.gmail.com> [not found] ` <CAAt2M19bmxR0hUp0rsnNZ8MoUayz82sNnOOXVzg0WXFwma4xzQ@mail.gmail.com> [not found] ` <CAAt2M199BKp_k=cia_1APaAZwZ+EV8z=9ebWKHp3+VY68G1jYw@mail.gmail.com> [not found] ` <CAAt2M18O3hEcGU7md7Ojsx5716QCYfP0GG9UyNudGCjRszPrFA@mail.gmail.com> [not found] ` <CAAt2M1-18yfw+J2S+CDkRO6DT_Rj3FRQQcBhpiuujSYnnC-w7w@mail.gmail.com> [not found] ` <CAAt2M19bgyyXsjOXEzSK2h6jTCRZDn9nw+B51yPOYhD4qUjDcw@mail.gmail.com> [not found] ` <CAAt2M1_Yikty=W_GvRMSNdkC7xVmFyECP1cM-HBJ0vOs9jiiGg@mail.gmail.com> [not found] ` <CAAt2M18Mdp2xJzt-ovbqF2_VSKK4-6RMtSySqso2PDcse5TuMQ@mail.gmail.com> [not found] ` <CAAt2M188dzogU4hxardZPNyFeW0=Nu6-h5VRHaiOZ9vyoaktcw@mail.gmail.com> [not found] ` <CAAt2M182UqUDt4jg7yY33uycaHJHWw+jfY6Qu0kEf=FsyUzMYQ@mail.gmail.com> [not found] ` <CAAt2M18+Moq-+twzqpuZiJM7+q_-wuu=rskvp+srKH2PEH5Ziw@mail.gmail.com> [not found] ` <CAAt2M1-Vr+k5kwqbJqbo-UgSXA7v0YesN6WrtFMjdaniMAmJ+A@mail.gmail.com> [not found] ` <CAAt2M1_2ADtYjSbE-0RDZ8DSvfx+O82AkeNeBXo0bzy-KTfD_w@mail.gmail.com> [not found] ` <CAAt2M19WRsM3XGhL_ghnkywAuuvcosx0aMCjYxpvWdnAqV_0Yw@mail.gmail.com> [not found] ` <CAAt2M1-aqTmj2FQcYRrv5oe0Ly3j8ywQYE-DhCrvF7jp2ghs2w@mail.gmail.com> [not found] ` <CAAt2M1_KJqcKWcckvYG3Yy0mMqHUfPfD5vfkxtZWcJ_KexkCzA@mail.gmail.com> [not found] ` <CAAt2M18-RCFqxqDptsjrHAWcExQibfgxJH+duh_zN1_-1XHTEw@mail.gmail.com> [not found] ` <CAAt2M1-0i=6wcL2+On5G=v-nMpw6pO9fa3FoxF30JO8vtZL8hA@mail.gmail.com> [not found] ` <CAAt2M19nyUy4U7cURD7TVbvEzN=v+Roq=W4qrjYQ4=1jP_ojdQ@mail.gmail.com> [not found] ` <CAAt2M1907HBkXcMMTUybSUT1uSibJ9dTKSiRmrqsSzm_qM58gg@mail.gmail.com> [not found] ` <CAAt2M19ezOG1=Bpps54Sk=n+KhvgAVNaMa-=vfr6FNSMFhKyHg@mail.gmail.com> [not found] ` <CAAt2M1_KiJfhjo8Qk4cLQXZ+4=8nZeeHS0gVrNDV75kcfkJaFQ@mail.gmail.com> [not found] ` <CAAt2M1-WSjfxxX60DBgkkhaRZUTy4cn=zgHZUThiU1p2VdxGnQ@mail.gmail.com> [not found] ` <CAAt2M18-9WVs7OgeEREMSFQXMg6p865U2mczivU3jZF7SKmD=g@mail.gmail.com> [not found] ` <CAAt2M1_siUEfXsWB5Hj3V5tcm6xboVjjYNZhS4Pn4YBw6YQv7A@mail.gmail.com> [not found] ` <CAAt2M1_AdwAoc981zs0ObwBuefQwyi6XqWF8VXLe+ojz0802eA@mail.gmail.com> [not found] ` <CAAt2M1_A6m=s6hwURNF7WUbQKvshEOROPySuDwvjSMisdwLbXA@mail.gmail.com> [not found] ` <CAAt2M1_d2ycOW3TPF0_nRyzK_v-kzko3Zw8KCzMhCp2KNOg0DA@mail.gmail.com> [not found] ` <CAAt2M18MeqTXLd1KpyzRoKb9C2fzj1rr4E89kvkGU_Yjda0goQ@mail.gmail.com> [not found] ` <CAAt2M1_pDJrSghsd5eSA3p_6FZkix1HdcjKeUrGDN8Hkwrcm2w@mail.gmail.com> [not found] ` <CAAt2M1_2buzQgcybVv8qQLRgcnD0uzj43cOyS53HJdzicJ6_PA@mail.gmail.com> [not found] ` <CAAt2M1-t8w1Tw2sgG2RPmpqcCuwdc3piB_6pj2cj-CnXqFwDsw@mail.gmail.com> [not found] ` <CAAt2M1_O2GHpYTMqf6Sr0se+6XMKaKeVXFfqGYkPD537sqFfAw@mail.gmail.com> [not found] ` <CAAt2M18P_=Nd+Q7=0CKGfpf47+0MDWNgPV3+BRVthGFz8ref-Q@mail.gmail.com> [not found] ` <CAAt2M19igqAzme9_G+0sKDaaDPsFOUcp9m15XmnNXTYjtSVYjA@mail.gmail.com> [not found] ` <CAAt2M1-FLeQAAKWcM-xEpsDD0P=yJLhMYwzQ72xzFLqovo9SsQ@mail.gmail.com> [not found] ` <CAAt2M18Pe6GJUxoiZSO-kiexj+mv+nAP4vvFiWvaafEBRCy08w@mail.gmail.com> [not found] ` <CAAt2M1822oiWBO+QxiUUO+3qnLxSFYz4Uh-77=omo-N6RCsc1g@mail.gmail.com> [not found] ` <CAAt2M1_rzKX27=naLKdyWh8Cfb3iCY+TUCmi8etJKUmNpGpW=g@mail.gmail.com> [not found] ` <CAAt2M1_UZobHAjbEYV0=fPOSJzM+sm_GnLmvtqdFCQqyU0EmrA@mail.gmail.com> [not found] ` <CAAt2M1896xctLXp0ae+eGK9jsAM2w4XTk1XVpzZm0CbGLAt7Lw@mail.gmail.com> [not found] ` <CAAt2M1-5Lw497BHn=n2+maTnAdGzzosLacN7+hvcj2EQ9wyWyA@mail.gmail.com> [not found] ` <CAAt2M18qXJNwWoVDrAOfxaqkSyqwQeEWmHCNRpkbigjE__T44w@mail.gmail.com> [not found] ` <CAAt2M1_5tqKwLuGBTY9GjhEK-Mn-9Pr=_hoGD0=p85oFuzTLzw@mail.gmail.com> [not found] ` <CAAt2M1-MArg6HUT5D-VnQVAS+1nmPGKp-LTOPnzSueWxKz8imQ@mail.gmail.com> [not found] ` <CAAt2M18F+RhOuVSrimpmBp8h7BqBhU6wYJYR+b0Rx_dHAdyXGw@mail.gmail.com> [not found] ` <CAAt2M1_D8STg96jqscU1Z=uTntwFvSZ5MTuJLmNJ05jLZ9p8rg@mail.gmail.com> [not found] ` <CAAt2M1_+BKObb27LR87JjbpTnZbg0AGCA8uh7Ks03bf459x7jg@mail.gmail.com> [not found] ` <CAAt2M18VCjufEU3H4ENRuMcAfTbj5A73S8t2zXsvL8y2UyZhew@mail.gmail.com> [not found] ` <CAAt2M19NScrLv3ax_=PCPW4-L466js=H29ogVCOgAVbk6Xma_g@mail.gmail.com> [not found] ` <CAAt2M1_n-p20OK_ibzx5qrh_BVtat3=rs5vL+6TF5rAPi1iExg@mail.gmail.com> [not found] ` <CAAt2M1-bk9B7B45AKYOKyB7s_LF8ckBw51OdyTqG2JguRxR-9Q@mail.gmail.com> [not found] ` <CAAt2M1_hwHE-tm2OppnnogQruB8bhyR6Cc+bNVP5ZrTNv92-Rg@mail.gmail.com> [not found] ` <CAAt2M1-YVEAGBy9cQ1q0siOPpC5C8wh-mdz=m8W33boN1dc5CQ@mail.gmail.com> [not found] ` <CAAt2M197Mj5sWGY1gewoKHYwsOiSf=38c5DVv7CH+gfJ1Khe-w@mail.gmail.com> [not found] ` <CAAt2M1_RdOOq11uzNLShvVNaDYMRw_3S1JhbKfy_cv_3F7z-cA@mail.gmail.com> [not found] ` <CAAt2M1-wv1tWKpo+sEMAuKD79vVX6JhtOFOgbxPtOD6LckdW8g@mail.gmail.com> [not found] ` <CAAt2M194fKBctfgQmXv2a8OSrYEa_X=cpzQT45OvnpH+B_BA2A@mail.gmail.com> [not found] ` <CAAt2M1-Y7+dQc7aLvES-y0rz9YXOsdp-Ou+CERs-EmpRp3N=Ng@mail.gmail.com> [not found] ` <CAAt2M18HF2-+dpSF=bR8rw3jR1-i-_FdK9DnvHHEwMq_b7rs6w@mail.gmail.com> [not found] ` <CAAt2M19x0vcHG2-Vs9aq-OjgxKg1pHSw8oS=gxAQv8VaugSgGA@mail.gmail.com> [not found] ` <CAAt2M19w81CiLQStMaH+5LXukvYmxvZqWdR5R6Cf37bJS2Ci0A@mail.gmail.com> [not found] ` <CAAt2M1-PWBdBqc4w0kbTvzaSq7O+39Hj1v1uZD0uM1-AvgLk1w@mail.gmail.com> [not found] ` <CAAt2M1_-KM3y-wOnAc-3bFJzJVz3GooSG0h_rixofd61R3h6gA@mail.gmail.com> [not found] ` <CAAt2M1_YdK6n4B_tsJsCeKRNnG_p+e4mH=D_Jz1FkeYL1y54TA@mail.gmail.com> [not found] ` <CAAt2M187-81ED8ZLf6F7m324RLBwB6u62=iPMbr9FD9qnu1XJw@mail.gmail.com> [not found] ` <CAAt2M1_C_3wv9g7auCSg_ECZ=gbxAPumcfZZZO=o5Ly4VV+GvA@mail.gmail.com> [not found] ` <CAAt2M1-a66K=uqOkGiHuuzU1qEPan6RHoRfwC+YVFeU94JBxNw@mail.gmail.com> [not found] ` <CAAt2M1-RXYxVuNBDdKrnyWow6PCNDeGawv0gQx+jn4f-3xuumg@mail.gmail.com> [not found] ` <CAAt2M1-kpQyK2bQyHM=vy2oor75m30frHLGk_phPs10gLsH14A@mail.gmail.com> 2017-04-18 10:34 ` [bitcoin-dev] Properties of an ideal PoW algorithm & implementation Natanael 2017-04-18 19:14 ` praxeology_guy 2017-04-19 11:08 ` Tim Ruffing 2017-04-19 17:43 ` Bram Cohen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox