On Sun, Apr 9, 2017 at 11:44 AM, Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

Clearly a level-playing field is critical to keeping centralization from being a "defining feature" of Bitcoin over the long term.   I've heard the term "level playing field" bandied about quite a bit.   And it seems to me that the risk of state actor control and botnet attacks is less than state-actor manipulation of specialized manufacturing of "SHA-256 forever" hardware.   Indeed, the reliance on a fairly simple hash seems less and less likely a "feature" and more of a baggage.


Whatever your hashing function the bottleneck for mining will be power. Equihash and Cuckoo are serious attempts at making custom hardware have no benefit over commodity hardware, but that's more about getting rid of custom hardware manufacturers than it is about mining decentralization, although arguably if successful it might let botnets back in, which would improve decentralization. While those have been surprisingly successful at resisting hardware so far, they might eventually fall as well, and if they do they'll have even worse properties of centralizing around a mining hardware manufacturer than sha256 does.

It would be much safer to go the other way, to a PoW function whose best hardware implementation is particularly straightforward and well understood. In that case it would be best to go with sha3. Sha3 also has the benefit of using the sponge construction, which makes it particularly resistant to asciboost-type attacks. It was picked out specifically because its design from a security standpoint was particularly confidence-inspiring, and in this case it actually makes a difference. Arguably you could also go with blake2b, whose 1024 bit block size completely obviates the asicboost concern entirely by cramming everything into a single block. That also might have an even simpler design in hardware than sha3, but a real expert would need to opine on that one.