* [bitcoin-dev] Proposal: Low Energy Bitcoin PoW @ 2021-05-17 19:32 Bogdan Penkovsky 2021-05-17 21:13 ` Keagan McClelland 0 siblings, 1 reply; 15+ messages in thread From: Bogdan Penkovsky @ 2021-05-17 19:32 UTC (permalink / raw) To: bitcoin-dev; +Cc: Michael Dubrovsky Hi Bitcoin Devs, We would like to share with you a draft proposal for a durable, low energy Bitcoin proof of work. ---- <pre> BIP: ? Title: Durable, Low Energy Bitcoin PoW Author: Michael Dubrovsky <mike+bip[at]powx.org>, Bogdan Penkovsky <bogdan+bip[at]powx.org> Discussions-To: <mike+bip[at]powx.org> Comments-Summary: No comments yet. Comments-URI: https://github.com/PoWx-Org/obtc/wiki/BIP Status: Draft Type: Standards Track Created: 2021-05-13 License: BSD-2-Clause OPL </pre> == Simple Summary == Bitcoin's energy consumption is growing with its value (see Figure below). Although scaling PoW is necessary to maintain the security of the network, reliance on massive energy consumption has scaling drawbacks and leads to mining centralization. A major consequence of the central role of local electricity cost in mining is that today, most existing and potential participants in the Bitcoin network cannot profitably mine Bitcoin even if they have the capital to invest in mining hardware. From a practical perspective, Bitcoin adoption by companies like Tesla (which recently rescinded its acceptance of Bitcoin as payment) has been hampered by its massive energy consumption and perceived environmental impact. [[https://github.com/PoWx-Org/obtc/raw/main/img/btc_energy-small.png]] Figure. Bitcoin price and estimated Bitcoin energy consumption. Data sources: [https://cbeci.org Cambridge Bitcoin Electricity Consumption Index], [https://www.coindesk.com CoinDesk]. We propose a novel proof-of-work paradigm for Bitcoin--Optical proof-of-work. It is designed to decouple Bitcoin mining from energy and make it feasible outside of regions with low electricity costs. ''Optical proof-of-work'' (oPoW) is a modification of Hashcash that is most efficiently computed using a new class of photonic processors. Without compromising the cryptographic or game-theoretical security of Hashcash, oPoW shifts the operating expenses of mining (OPEX), to capital expenses (CAPEX)--i.e. electricity to hardware. oPoW makes it possible for billions of new miners to enter the market simply by investing in a low-energy photonic miner. Shifting to a high-CAPEX PoW has the added benefit of making the hashrate resilient to Bitcoin's price fluctuations - once low-OPEX hardware is operating there is no reason to shut it down even if the value of mining rewards diminishes. oPoW is backward compatible with GPUs, FPGAs, and ASICs meaning that a transitional period of optical and traditional hardware mining in parallel on the network is feasible More information is available here: [https://www.powx.org/opow]. == Abstract == As Bitcoin gained utility and value over the preceding decade, the network incentivized the purchase of billions of dollars in mining equipment and electricity. With the growth of competition, home mining became unprofitable. Even the most sophisticated special-purpose hardware (ASIC miners) doesn’t cover its energy costs unless the miner also has direct access to very cheap electricity. This heavy reliance on energy makes it difficult for new miners to enter the market and leads to hashrate instability as miners shut off their machines when the price of Bitcoin falls. Additionally as the network stores ever more value, the percentage of world energy consumption that is associated with Bitcoin continues to grow, creating the potential for scaling failure and a general backlash. To ensure that Bitcoin can continue scaling and reach its full potential as a world currency and store of value, we propose a low-energy proof-of-work paradigm for Bitcoin. ''Optical proof of work (oPoW)'' is designed to decouple Bitcoin’s security from massive energy use and make bitcoin mining feasible outside of regions with low electricity costs. ''Optical proof-of-work'' is a modification of Hashcash that is most efficiently computed using a new class of photonic processors that has emerged as a leading solution for ultra-low energy computing over the last 5 years. oPoW shifts the operating expenses of mining (OPEX), to capital expenses (CAPEX)–i.e. electricity to hardware, without compromising the cryptographic or game-theoretical security of Hashcash. We provide an example implementation of oPoW, briefly discuss its cryptographic construction as well as the working principle of photonic processors. Additionally, we outline the potential benefits of oPoW to the bitcoin network, including geographic decentralization and democratization of mining as well as hashrate resilience to price fluctuations. == Copyright == This BIP is dual-licensed under the Open Publication License and BSD 2-clause license. == Motivation == As Bitcoin has grown over the past decade from a small network run by hobbyists to a global currency, the underlying Proof of Work protocol has not been updated. Initially pitched as a global decentralized network (“one CPU-one vote”), Bitcoin transactions today are secured by a small group of corporate entities. In practice, it is only feasible for [http://archive.is/YeDwh entities that can secure access to abundant, inexpensive energy]. The economics of mining limit profitability to places like Iceland, Texas, or Western China. Besides the negative environmental externalities, which may be significant, mining today is performed primarily with the consent (and in many cases, partnership) of large public utilities and the governments that control them. Although this may not be a problem in the short term, in the long term it stands to erode the censorship resistance and security of Bitcoin and other public blockchains through potential regulation or [https://arxiv.org/pdf/1605.07524.pdf partitioning attacks]. Recent events, such as the [https://twitter.com/MustafaYilham/status/1384278267067203590 ~25% hashrate crash due to coal-powered grid failure in china] and Tesla’s rescinding of its acceptance of Bitcoin as a form of payment, show that there are practical real-world downsides to Proof of Works’s massive reliance on energy. [[https://github.com/PoWx-Org/obtc/raw/main/img/emusk_tweet.png]] Whether on not the Bitcoin community accepts this common criticism as entirely valid, it has real-world effects which will only get worse over time. Eliminating the exponentially growing energy use currently built into Bitcoin without eliminating the security of PoW would be ideal and should not be a partisan issue. New consensus mechanisms have been proposed as a means of securing cryptocurrencies whilst reducing energy cost, such as various forms of Proof of Stake and Proof of Space-Time. While many of these alternative mechanisms offer compelling guarantees, they generally require new security assumptions, which have not been stress-tested by live deployments at any adequate scale. Consequently, we still have relatively little empirical understanding of their safety. Completely changing the Bitcoin paradigm is likely to introduce new unforeseen problems. We believe that the major issues discussed above can be resolved by improving rather than eliminating Bitcoin’s fundamental security layer—Proof of Work. Instead of devising a new consensus architecture to fix these issues, it is sufficient to shift the economics of PoW. The financial cost imposed on miners need not be primarily composed of electricity. The situation can be significantly improved by reducing the operating expense (OPEX)—energy—as a major mining component. Then, by shifting the cost towards capital expense (CAPEX)—mining hardware—the dynamics of the mining ecosystem becomes much less dependent on electricity prices, and much less electricity is consumed as a whole. Moreover, a reduction in energy consumption automatically leads to geographically distributed mining, as mining becomes profitable even in regions with expensive electricity. Additionally, lower energy consumption will eliminate heating issues experienced by today’s mining operations, which will further decrease operating cost as well as noise associated with fans and cooling systems. All of this means that individuals and smaller entities would be able to enter the mining ecosystem simply for the cost of a miner, without first gaining access to cheap energy or a dedicated, temperature-controlled data center. To a degree, memory-hard PoW schemes like [https://github.com/tromp/cuckoo Cuckoo Cycle], which increase the use of SRAM in lieu of pure computation, push the CAPEX/OPEX ratio in the right direction by occupying ASIC chip area with memory. To maximize the CAPEX to OPEX ratio of the Optical Proof of Work algorithm, we developed [https://assets.pubpub.org/xi9h9rps/01581688887859.pdf ''HeavyHash''] [1]. HeavyHash is a cryptographic construction that takes the place of SHA256 in Hashcash. Our algorithm is compatible with ultra-energy-efficient photonic co-processors that have been developed for machine learning hardware accelerators. HeavyHash uses a proven digital hash (SHA3) packaged with a large amount of MAC (Multiply-and-Accumulate) computation into a Proof of Work puzzle. Although HeavyHash can be computed on any standard digital hardware, it becomes hardware efficient only when a small digital core is combined with a low-power photonic co-processor for performing MAC operations. oPoW mining machines will have a small digital core flip-chipped onto a large, low-power photonic chip. This core will be bottlenecked by the throughput of the digital to analog and analog to digital converters. A prototype of such analogue optical matrix multiplier can be seen in the figure below. [[https://github.com/PoWx-Org/obtc/raw/main/img/optical_chip.png]] Figure. TOP: Photonic Circuit Diagram, A. Laser input (1550nm, common telecom wavelength) B. Metal pads for controlling modulators to transduce electrical data to optical C. Metal pads for tuning mesh of directional couplers D. Optical signal exits here containing the results of the computation and is output to fibers via a grating coupler the terminus of each waveguide. E. Alignment circuit for aligning fiber coupling stage. Bottom: a photograph of a bare oPoW miner prototype chip before wire and fiber bonding. On the right side of the die are test structures (F). The ''HeavyHash'' derives its name from the fact that it is bloated or weighted with additional computation. This means that a cost comparable oPoW miner will have a much lower nominal hashrate compared to a Bitcoin ASIC (HeavyHashes/second vs. SHA256 Hashes/second in equivalent ASIC). We provide the cryptographic security argument of the HeavyHash function in Section 3 in [https://assets.pubpub.org/xi9h9rps/01581688887859.pdf Towards Optical Proof of Work] [1]. In the article, we also provide a game-theoretic security argument for CAPEX-heavy PoW. For additional information, we recommend reading [https://uncommoncore.co/wp-content/uploads/2019/10/A-model-for-Bitcoins-security-and-the-declining-block-subsidy-v1.02.pdf this article]. While traditional digital hardware relies on electrical currents, optical computing uses light as the basis for some of or all of its operations. Building on the development and commercialization of silicon photonic chips for telecom and datacom applications, modern photonic co-processors are silicon chips made using well-established and highly scalable silicon CMOS processes. However, unlike cutting edge electronics which require ever-smaller features (e.g. 5 nm), fabricated by exponentially more complex and expensive machinery, silicon photonics uses old fabrication nodes (90 nm). Due to the large de Broglie wavelength of photons, as compared to electrons, there is no benefit to using the small feature sizes. The result is that access to silicon photonic wafer fabrication is readily available, in contrast to the notoriously difficult process of accessing advanced nodes. Moreover, the overall cost of entry is lower as lithography masks for silicon photonics processes are an order of magnitude cheaper ($500k vs. $5M). Examples of companies developing optical processors for AI, which will be compatible with oPoW include [https://lightmatter.co/ Lightmatter], [https://www.lightelligence.ai/ Lightelligence], [https://luminous.co/ Luminous], [https://www.intel.com/content/www/us/en/architecture-and-technology/silicon-photonics/silicon-photonics-overview.html Intel], and other more recent entrants. == Specification == === HeavyHash === The HeavyHash is performed in three stages: # Keccak hash # Matrix-vector multiplication # Keccak of the result xorred with the hashed input Note that the most efficiently matrix-vector multiplication is performed on a photonic miner. However, this linear algebra operation can be performed on any conventional computing hardware (CPU, GPU, etc.), therefore making the HeavyHash compatible with any digital device. The algorithm’s pseudo-code: <pre>// M is a Matrix 64 x 64 of Unsigned 4 values // 256-bitVector x1 <- keccak(input) // Reshape the obtained bitvector // into a 64-vector of unsigned 4-bit values x2 <- reshape(x1, 64) // Perform a matrix-vector multiplication. // The result is 64-vector of 14-bit unsigned. x3 <- vector_matrix_mult(x2, M) // Truncate all values to 4 most significant bits. // This is due to the specifics of analog // computing by the photonic accelerator. // Obtain a 64-vector of 4-bit unsigned. x4 <- truncate_to_msb(x3, 4) // Interpret as a 256-bitvector x5 <- flatten(x4) // 256-bitVector result <- keccak(xor(x5, x1))</pre> Which in C can be implemented as: <pre> static void heavyhash(const uint16_t matrix[64][64], void* pdata, size_t pdata_len, void* output) { uint8_t hash_first[32] __attribute__((aligned(32))); uint8_t hash_second[32] __attribute__((aligned(32))); uint8_t hash_xored[32] __attribute__((aligned(32))); uint16_t vector[64] __attribute__((aligned(64))); uint16_t product[64] __attribute__((aligned(64))); sha3_256((uint8_t*) hash_first, 32, (const uint8_t*)pdata, pdata_len); for (int i = 0; i < 32; ++i) { vector[2*i] = (hash_first[i] >> 4); vector[2*i+1] = hash_first[i] & 0xF; } for (int i = 0; i < 64; ++i) { uint16_t sum = 0; for (int j = 0; j < 64; ++j) { sum += matrix[i][j] * vector[j]; } product[i] = (sum >> 10); } for (int i = 0; i < 32; ++i) { hash_second[i] = (product[2*i] << 4) | (product[2*i+1]); } for (int i = 0; i < 32; ++i) { hash_xored[i] = hash_first[i] ^ hash_second[i]; } sha3_256((uint8_t*)output, 32, (const uint8_t*)hash_xored, 32); } </pre> === Random matrix generation === The random matrix M (which is a HeavyHash parameter) is obtained in a deterministic way and is changed every block. Matrix M coefficients are generated using a pseudo-random number generation algorithm (xoshiro) from the previous block header. If the matrix is not full rank, it is repeatedly generated again. An example code to obtain the matrix M: <pre> void generate_matrix(uint16_t matrix[64][64], struct xoshiro_state *state) { do { for (int i = 0; i < 64; ++i) { for (int j = 0; j < 64; j += 16) { uint64_t value = xoshiro_gen(state); for (int shift = 0; shift < 16; ++shift) { matrix[i][j + shift] = (value >> (4*shift)) & 0xF; } } } } while (!is_full_rank(matrix)); } static inline uint64_t xoshiro_gen(struct xoshiro_state *state) { const uint64_t result = rotl64(state->s[0] + state->s[3], 23) + state->s[0]; const uint64_t t = state->s[1] << 17; state->s[2] ^= state->s[0]; state->s[3] ^= state->s[1]; state->s[1] ^= state->s[2]; state->s[0] ^= state->s[3]; state->s[2] ^= t; state->s[3] = rotl64(state->s[3], 45); return result; } </pre> == Discussion == === Geographic Distribution of Mining Relative to CAPEX-OPEX Ratio of Mining Costs === Below is a simple model showing several scenarios for the geographic distribution of mining activity relative to the CAPEX/OPEX ratio of the cost of operating a single piece of mining hardware. As the ratio of energy consumption to hardware cost decreases, geographic variations in energy cost cease to be a determining factor in miner distribution. Underlying assumptions: 1. Electricity price y is fixed in time but varies geographically. 2. Every miner has access to the same hardware. 3. Each miner’s budget is limited by both the cost of mining equipment as well as the local cost of the electricity they consume budget = a(p+ey), where a is the number of mining machines, p is the machine price, e is the total energy consumption over machine lifetime, and y is electricity price. Note that in locations where mining is not profitable, hashrate is zero. [[https://github.com/PoWx-Org/obtc/raw/main/img/sim1.png]] [[https://github.com/PoWx-Org/obtc/raw/main/img/sim2.png]] [[https://github.com/PoWx-Org/obtc/raw/main/img/sim3.png]] An interactive version of this diagram can be found [https://www.powx.org/opow here]. === Why does CAPEX to OPEX shift lead to lower energy consumption? === A common misconception about oPoW is that it makes mining “cheaper” by enabling energy-efficient hardware. There is no impact on the dollar cost of mining a block, rather the mix of energy vs. hardware investment changes from about 50/50 to 10/90 or better. We discuss this at length and rigorously in our paper[1]. === Working Principles of Photonic Processors === Photonics accelerators are made by fabricating waveguides in silicon using standard lithography processes. Silicon is transparent to infrared light and can act as a tiny on-chip fiber optical cable. Silicon photonics found its first use during the 2000s in transceivers for sending and receiving optical signals via fiber and has advanced tremendously over the last decade. By encoding a vector into optical intensities passing through a series of parallel waveguides, interfering these signals in a mesh of tunable interferometers (acting as matrix coefficients), and then detecting the output using on-chip Germanium photodetectors, a matrix-vector multiplication is achieved. A generalized discussion of matrix multiplication setups using photonics/interference can be found in [https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.73.58 Reck et al.] and [https://arxiv.org/abs/1506.06220 Russell et al.] A detailed discussion of several integrated photonic architectures for matrix multiplication and corresponding tuning algorithms can be found in [https://arxiv.org/pdf/1909.06179.pdf Pai et al.] Below is a conceptual representation of a 3D-packaged oPoW mining chip. Note that the majority of the real estate and cost comes from the photonic die and the laser, with only a small digital SHA3 die needed (as opposed to a conventional miner of the same cost, which would have many copies of this die running in parallel). [[https://github.com/PoWx-Org/obtc/raw/main/img/optminer.png]] === Block Reward Considerations === Although it is out of the scope of this proposal, the authors strongly recommend the consideration of a change in the block reward schedule currently implemented in Bitcoin. There is no clear way to incentivize miners with transaction fees only, as has been successfully shown in [https://www.cs.princeton.edu/~smattw/CKWN-CCS16.pdf On the Instability of Bitcoin Without the Block Reward] and other publications, therefore looking a decade or two ahead it will be important to implement a fixed block reward or to slow the decay of the block reward to maintain the security of the network. Given that oPoW miners have low operating costs, once a large number of machines are running the reward level sufficient to keep them in operation and providing robust security can potentially be significantly smaller than in the case of the current SHA256 ASICs securing Bitcoin. === Implementation on the Bitcoin Network === A hard fork is not necessarily required for the Bitcoin network to test and eventually implement oPoW. It’s possible to add oPoW as a dual PoW to Bitcoin as a soft fork. Tuning the parameters to ensure that, for example, 99.9% of the security budget would be earned by miners via the SHA256 Hashcash PoW and 0.1% via oPoW would create sufficient incentive for oPoW to be stress-tested and to incentivize the manufacture of dedicated oPoW miners. If this test is successful, the parameters can be tuned continuously over time, e.g. oPoW share doubling at every halving, such that oPoW accounts for some target percentage (up to 100% in a complete SHA256 phase-out). == Endnotes == With significant progress in optical and analog matrix-vector-multiplication chipsets over the last year, we hope to demonstrate commercial low-energy mining on our network in the next 6 months. The current generation of optical matrix processors under development is expected to have 10x better energy consumption per MAC operation than digital implementations, and we expect this to improve by another order of magnitude in future generations. PoWx will also be publishing the designs of the current optical miner prototypes in the near term under an open-source hardware license. == Acknowledgments == We thank all the members of the Bitcoin community who have already given us feedback over the last several years as well as others in the optical computing community and beyond that have given their input. [1] M. Dubrovsky et al. Towards Optical Proof of Work, CES conference (2020) https://assets.pubpub.org/xi9h9rps/01581688887859.pdf [2] https://sciencex.com/news/2020-05-powering-bitcoin-silicon-photonics-power.html [3] KISS random number generator http://www.cse.yorku.ca/~oz/marsaglia-rng.html ---- We have taken into account the moderator's comments we received previously. Bogdan and Mike, PoWx ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-17 19:32 [bitcoin-dev] Proposal: Low Energy Bitcoin PoW Bogdan Penkovsky @ 2021-05-17 21:13 ` Keagan McClelland 2021-05-18 6:46 ` ZmnSCPxj 0 siblings, 1 reply; 15+ messages in thread From: Keagan McClelland @ 2021-05-17 21:13 UTC (permalink / raw) To: Bogdan Penkovsky, Bitcoin Protocol Discussion; +Cc: Michael Dubrovsky [-- Attachment #1: Type: text/plain, Size: 26384 bytes --] A few things jump out at me as I read this proposal First, deriving the hardness from capex as opposed to opex switches the privilege from those who have cheap electricity to those who have access to chip manufacturers/foundries. While this is similarly the case for Bitcoin ASICS today, the longevity of the PoW algorithm has led to a better distribution of knowledge and capital goods required to create ASICS. The creation of a new PoW of any kind, hurts this dimension of decentralization as we would have to start over from scratch on the best way to build, distribute, and operate these new pieces of hardware at scale. While I have not combed over the PoW proposed here in fine detail, the more complicated the algorithm is, the more it privileges those with specific knowledge about it and the manufacturing process. The competitive nature of Bitcoin mining is such that miners will be willing to spend up to their expected mining reward in their operating costs to continue to mine. Let's suppose that this new PoW was adopted, miners will continue to buy these chips in ever increasing quantities, turning the aforementioned CAPEX into a de facto OPEX. This has a few consequences. First it just pushes the energy consumption upstream to the chip manufacturing process, rather than eliminating it. And it may trade some marginal amount of the energy consumption for the set of resources it takes to educate and create chip manufacturers. The only way to avoid that cost being funneled back into more energy consumption is to make the barrier to understanding of the manufacturing process sufficiently difficult so as to limit the proliferation of these chips. Again, this privileges the chip manufacturers as well as those with close access to the chip manufacturers. As far as I can tell, the only thing this proposal actually does is create a very lucrative business model for those who sell this variety of chips. Any other effects of it are transient, and in all likelihood the transient effects create serious centralization pressure. At the end of the day, the energy consumption is foundational to the system. The only way to do away with authorities, is to require competition. This competition will employ ever more resources until it is unprofitable to do so. At the base of all resources of society is energy. You get high energy expenditure, or a privileged class of bitcoin administrators: pick one. I suspect you'll find the vast majority of Bitcoin users to be in the camp of the energy expenditure, since if we pick the latter, we might as well just pack it in and give up on the Bitcoin experiment. Keagan On Mon, May 17, 2021 at 2:33 PM Bogdan Penkovsky via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Hi Bitcoin Devs, > > We would like to share with you a draft proposal for a durable, low > energy Bitcoin proof of work. > > ---- > > <pre> > BIP: ? > Title: Durable, Low Energy Bitcoin PoW > Author: Michael Dubrovsky <mike+bip[at]powx.org>, Bogdan Penkovsky > <bogdan+bip[at]powx.org> > Discussions-To: <mike+bip[at]powx.org> > Comments-Summary: No comments yet. > Comments-URI: https://github.com/PoWx-Org/obtc/wiki/BIP > Status: Draft > Type: Standards Track > Created: 2021-05-13 > License: BSD-2-Clause > OPL > </pre> > > > == Simple Summary == > > Bitcoin's energy consumption is growing with its value (see Figure below). > Although scaling PoW is necessary to maintain the security of the network, > reliance on massive energy consumption has scaling drawbacks and leads to > mining > centralization. A major consequence of the central role of local > electricity > cost in mining is that today, most existing and potential participants in > the > Bitcoin network cannot profitably mine Bitcoin even if they have the > capital to > invest in mining hardware. From a practical perspective, Bitcoin adoption > by > companies like Tesla (which recently rescinded its acceptance of Bitcoin as > payment) has been hampered by its massive energy consumption and perceived > environmental impact. > > [[https://github.com/PoWx-Org/obtc/raw/main/img/btc_energy-small.png]] > > Figure. Bitcoin price and estimated Bitcoin energy consumption. > Data sources: [https://cbeci.org Cambridge Bitcoin Electricity > Consumption Index], [https://www.coindesk.com CoinDesk]. > > We propose a novel proof-of-work paradigm for Bitcoin--Optical > proof-of-work. It > is designed to decouple Bitcoin mining from energy and make it feasible > outside > of regions with low electricity costs. ''Optical proof-of-work'' (oPoW) is > a > modification of Hashcash that is most efficiently computed using a new > class of > photonic processors. Without compromising the cryptographic or > game-theoretical > security of Hashcash, oPoW shifts the operating expenses of mining (OPEX), > to > capital expenses (CAPEX)--i.e. electricity to hardware. oPoW makes it > possible > for billions of new miners to enter the market simply by investing in a > low-energy photonic miner. Shifting to a high-CAPEX PoW has the added > benefit of > making the hashrate resilient to Bitcoin's price fluctuations - once > low-OPEX > hardware is operating there is no reason to shut it down even if the value > of > mining rewards diminishes. oPoW is backward compatible with GPUs, FPGAs, > and > ASICs meaning that a transitional period of optical and traditional > hardware > mining in parallel on the network is feasible > > More information is available here: [https://www.powx.org/opow]. > > == Abstract == > > As Bitcoin gained utility and value over the preceding decade, the > network incentivized the purchase of billions of dollars in mining > equipment and electricity. With the growth of competition, home mining > became unprofitable. Even the most sophisticated special-purpose > hardware (ASIC miners) doesn’t cover its energy costs unless the miner > also has direct access to very cheap electricity. This heavy reliance > on energy makes it difficult for new miners to enter the market and > leads to hashrate instability as miners shut off their machines when > the price of Bitcoin falls. Additionally as the network stores ever > more value, the percentage of world energy consumption that is > associated with Bitcoin continues to grow, creating the potential for > scaling failure and a general backlash. To ensure that Bitcoin can > continue scaling and reach its full potential as a world currency and > store of value, we propose a low-energy proof-of-work paradigm for > Bitcoin. ''Optical proof of work (oPoW)'' is designed to decouple > Bitcoin’s security from massive energy use and make bitcoin mining > feasible outside of regions with low electricity costs. ''Optical > proof-of-work'' is a modification of Hashcash that is most efficiently > computed using a new class of photonic processors that has emerged as > a leading solution for ultra-low energy computing over the last 5 > years. oPoW shifts the operating expenses of mining (OPEX), to capital > expenses (CAPEX)–i.e. electricity to hardware, without compromising > the cryptographic or game-theoretical security of Hashcash. We provide > an example implementation of oPoW, briefly discuss its cryptographic > construction as well as the working principle of photonic processors. > Additionally, we outline the potential benefits of oPoW to the bitcoin > network, including geographic decentralization and democratization of > mining as well as hashrate resilience to price fluctuations. > > == Copyright == > > This BIP is dual-licensed under the Open Publication License and BSD > 2-clause license. > > == Motivation == > > As Bitcoin has grown over the past decade from a small network run by > hobbyists to a global currency, the underlying Proof of Work protocol > has not been updated. Initially pitched as a global decentralized > network (“one CPU-one vote”), Bitcoin transactions today are secured > by a small group of corporate entities. In practice, it is only > feasible for [http://archive.is/YeDwh entities that can secure access > to abundant, inexpensive energy]. The economics of mining limit > profitability to places like Iceland, Texas, or Western China. Besides > the negative environmental externalities, which may be significant, > mining today is performed primarily with the consent (and in many > cases, partnership) of large public utilities and the governments that > control them. Although this may not be a problem in the short term, in > the long term it stands to erode the censorship resistance and > security of Bitcoin and other public blockchains through potential > regulation or [https://arxiv.org/pdf/1605.07524.pdf partitioning > attacks]. > > Recent events, such as the > [https://twitter.com/MustafaYilham/status/1384278267067203590 ~25% > hashrate crash due to coal-powered grid failure in china] and Tesla’s > rescinding of its acceptance of Bitcoin as a form of payment, show > that there are practical real-world downsides to Proof of Works’s > massive reliance on energy. > > [[https://github.com/PoWx-Org/obtc/raw/main/img/emusk_tweet.png]] > > Whether on not the Bitcoin community accepts this common criticism as > entirely valid, it has real-world effects which will only get worse > over time. Eliminating the exponentially growing energy use currently > built into Bitcoin without eliminating the security of PoW would be > ideal and should not be a partisan issue. > > New consensus mechanisms have been proposed as a means of securing > cryptocurrencies whilst reducing energy cost, such as various forms of > Proof of Stake and Proof of Space-Time. While many of these > alternative mechanisms offer compelling guarantees, they generally > require new security assumptions, which have not been stress-tested by > live deployments at any adequate scale. Consequently, we still have > relatively little empirical understanding of their safety. Completely > changing the Bitcoin paradigm is likely to introduce new unforeseen > problems. We believe that the major issues discussed above can be > resolved by improving rather than eliminating Bitcoin’s fundamental > security layer—Proof of Work. Instead of devising a new consensus > architecture to fix these issues, it is sufficient to shift the > economics of PoW. The financial cost imposed on miners need not be > primarily composed of electricity. The situation can be significantly > improved by reducing the operating expense (OPEX)—energy—as a major > mining component. Then, by shifting the cost towards capital expense > (CAPEX)—mining hardware—the dynamics of the mining ecosystem becomes > much less dependent on electricity prices, and much less electricity > is consumed as a whole. > > Moreover, a reduction in energy consumption automatically leads to > geographically distributed mining, as mining becomes profitable even > in regions with expensive electricity. Additionally, lower energy > consumption will eliminate heating issues experienced by today’s > mining operations, which will further decrease operating cost as well > as noise associated with fans and cooling systems. All of this means > that individuals and smaller entities would be able to enter the > mining ecosystem simply for the cost of a miner, without first gaining > access to cheap energy or a dedicated, temperature-controlled data > center. To a degree, memory-hard PoW schemes like > [https://github.com/tromp/cuckoo Cuckoo Cycle], which increase the use > of SRAM in lieu of pure computation, push the CAPEX/OPEX ratio in the > right direction by occupying ASIC chip area with memory. To maximize > the CAPEX to OPEX ratio of the Optical Proof of Work algorithm, we > developed [https://assets.pubpub.org/xi9h9rps/01581688887859.pdf > ''HeavyHash''] [1]. HeavyHash is a cryptographic construction that > takes the place of SHA256 in Hashcash. Our algorithm is compatible > with ultra-energy-efficient photonic co-processors that have been > developed for machine learning hardware accelerators. > > HeavyHash uses a proven digital hash (SHA3) packaged with a large > amount of MAC (Multiply-and-Accumulate) computation into a Proof of > Work puzzle. Although HeavyHash can be computed on any standard > digital hardware, it becomes hardware efficient only when a small > digital core is combined with a low-power photonic co-processor for > performing MAC operations. oPoW mining machines will have a small > digital core flip-chipped onto a large, low-power photonic chip. This > core will be bottlenecked by the throughput of the digital to analog > and analog to digital converters. A prototype of such analogue optical > matrix multiplier can be seen in the figure below. > > [[https://github.com/PoWx-Org/obtc/raw/main/img/optical_chip.png]] > > Figure. TOP: Photonic Circuit Diagram, A. Laser input (1550nm, common > telecom wavelength) B. Metal pads for controlling modulators to > transduce electrical data to optical C. Metal pads for tuning mesh of > directional couplers D. Optical signal exits here containing the > results of the computation and is output to fibers via a grating > coupler the terminus of each waveguide. E. Alignment circuit for > aligning fiber coupling stage. Bottom: a photograph of a bare oPoW > miner prototype chip before wire and fiber bonding. On the right side > of the die are test structures (F). > > The ''HeavyHash'' derives its name from the fact that it is bloated or > weighted with additional computation. This means that a cost > comparable oPoW miner will have a much lower nominal hashrate compared > to a Bitcoin ASIC (HeavyHashes/second vs. SHA256 Hashes/second in > equivalent ASIC). We provide the cryptographic security argument of > the HeavyHash function in Section 3 in > [https://assets.pubpub.org/xi9h9rps/01581688887859.pdf Towards Optical > Proof of Work] [1]. In the article, we also provide a game-theoretic > security argument for CAPEX-heavy PoW. For additional information, we > recommend reading > [ > https://uncommoncore.co/wp-content/uploads/2019/10/A-model-for-Bitcoins-security-and-the-declining-block-subsidy-v1.02.pdf > this article]. > > While traditional digital hardware relies on electrical currents, > optical computing uses light as the basis for some of or all of its > operations. Building on the development and commercialization of > silicon photonic chips for telecom and datacom applications, modern > photonic co-processors are silicon chips made using well-established > and highly scalable silicon CMOS processes. However, unlike cutting > edge electronics which require ever-smaller features (e.g. 5 nm), > fabricated by exponentially more complex and expensive machinery, > silicon photonics uses old fabrication nodes (90 nm). Due to the large > de Broglie wavelength of photons, as compared to electrons, there is > no benefit to using the small feature sizes. The result is that access > to silicon photonic wafer fabrication is readily available, in > contrast to the notoriously difficult process of accessing advanced > nodes. Moreover, the overall cost of entry is lower as lithography > masks for silicon photonics processes are an order of magnitude > cheaper ($500k vs. $5M). Examples of companies developing optical > processors for AI, which will be compatible with oPoW include > [https://lightmatter.co/ Lightmatter], [https://www.lightelligence.ai/ > Lightelligence], [https://luminous.co/ Luminous], > [ > https://www.intel.com/content/www/us/en/architecture-and-technology/silicon-photonics/silicon-photonics-overview.html > Intel], and other more recent entrants. > > == Specification == > > === HeavyHash === > > The HeavyHash is performed in three stages: > > # Keccak hash > # Matrix-vector multiplication > # Keccak of the result xorred with the hashed input > > Note that the most efficiently matrix-vector multiplication is > performed on a photonic miner. However, this linear algebra operation > can be performed on any conventional computing hardware (CPU, GPU, > etc.), therefore making the HeavyHash compatible with any digital > device. > > The algorithm’s pseudo-code: > > <pre>// M is a Matrix 64 x 64 of Unsigned 4 values > > // 256-bitVector > x1 <- keccak(input) > > // Reshape the obtained bitvector > // into a 64-vector of unsigned 4-bit values > x2 <- reshape(x1, 64) > > // Perform a matrix-vector multiplication. > // The result is 64-vector of 14-bit unsigned. > x3 <- vector_matrix_mult(x2, M) > > // Truncate all values to 4 most significant bits. > // This is due to the specifics of analog > // computing by the photonic accelerator. > // Obtain a 64-vector of 4-bit unsigned. > x4 <- truncate_to_msb(x3, 4) > > // Interpret as a 256-bitvector > x5 <- flatten(x4) > > // 256-bitVector > result <- keccak(xor(x5, x1))</pre> > > Which in C can be implemented as: > > <pre> > static void heavyhash(const uint16_t matrix[64][64], void* pdata, > size_t pdata_len, void* output) > { > uint8_t hash_first[32] __attribute__((aligned(32))); > uint8_t hash_second[32] __attribute__((aligned(32))); > uint8_t hash_xored[32] __attribute__((aligned(32))); > > uint16_t vector[64] __attribute__((aligned(64))); > uint16_t product[64] __attribute__((aligned(64))); > > sha3_256((uint8_t*) hash_first, 32, (const uint8_t*)pdata, pdata_len); > > for (int i = 0; i < 32; ++i) { > vector[2*i] = (hash_first[i] >> 4); > vector[2*i+1] = hash_first[i] & 0xF; > } > > for (int i = 0; i < 64; ++i) { > uint16_t sum = 0; > for (int j = 0; j < 64; ++j) { > sum += matrix[i][j] * vector[j]; > } > product[i] = (sum >> 10); > } > > for (int i = 0; i < 32; ++i) { > hash_second[i] = (product[2*i] << 4) | (product[2*i+1]); > } > > for (int i = 0; i < 32; ++i) { > hash_xored[i] = hash_first[i] ^ hash_second[i]; > } > sha3_256((uint8_t*)output, 32, (const uint8_t*)hash_xored, 32); > } > </pre> > > === Random matrix generation === > > The random matrix M (which is a HeavyHash parameter) is obtained in a > deterministic way and is changed every block. Matrix M coefficients > are generated using a pseudo-random number generation algorithm > (xoshiro) from the previous block header. If the matrix is not full > rank, it is repeatedly generated again. > > An example code to obtain the matrix M: > > <pre> > void generate_matrix(uint16_t matrix[64][64], struct xoshiro_state *state) > { > do { > for (int i = 0; i < 64; ++i) { > for (int j = 0; j < 64; j += 16) { > uint64_t value = xoshiro_gen(state); > for (int shift = 0; shift < 16; ++shift) { > matrix[i][j + shift] = (value >> (4*shift)) & 0xF; > } > } > } > } while (!is_full_rank(matrix)); > } > > static inline uint64_t xoshiro_gen(struct xoshiro_state *state) { > const uint64_t result = rotl64(state->s[0] + state->s[3], 23) + > state->s[0]; > > const uint64_t t = state->s[1] << 17; > > state->s[2] ^= state->s[0]; > state->s[3] ^= state->s[1]; > state->s[1] ^= state->s[2]; > state->s[0] ^= state->s[3]; > > state->s[2] ^= t; > > state->s[3] = rotl64(state->s[3], 45); > > return result; > } > </pre> > > == Discussion == > > === Geographic Distribution of Mining Relative to CAPEX-OPEX Ratio of > Mining Costs === > > Below is a simple model showing several scenarios for the geographic > distribution of mining activity relative to the CAPEX/OPEX ratio of > the cost of operating a single piece of mining hardware. As the ratio > of energy consumption to hardware cost decreases, geographic > variations in energy cost cease to be a determining factor in miner > distribution. > > Underlying assumptions: 1. Electricity price y is fixed in time but > varies geographically. 2. Every miner has access to the same hardware. > 3. Each miner’s budget is limited by both the cost of mining equipment > as well as the local cost of the electricity they consume > > budget = a(p+ey), > > where a is the number of mining machines, p is the machine price, e is > the total energy consumption over machine lifetime, and y is > electricity price. > > Note that in locations where mining is not profitable, hashrate is zero. > > [[https://github.com/PoWx-Org/obtc/raw/main/img/sim1.png]] > > [[https://github.com/PoWx-Org/obtc/raw/main/img/sim2.png]] > > [[https://github.com/PoWx-Org/obtc/raw/main/img/sim3.png]] > > > An interactive version of this diagram can be found > [https://www.powx.org/opow here]. > > === Why does CAPEX to OPEX shift lead to lower energy consumption? === > > A common misconception about oPoW is that it makes mining “cheaper” by > enabling energy-efficient hardware. There is no impact on the dollar > cost of mining a block, rather the mix of energy vs. hardware > investment changes from about 50/50 to 10/90 or better. We discuss > this at length and rigorously in our paper[1]. > > === Working Principles of Photonic Processors === > > Photonics accelerators are made by fabricating waveguides in silicon > using standard lithography processes. Silicon is transparent to > infrared light and can act as a tiny on-chip fiber optical cable. > Silicon photonics found its first use during the 2000s in transceivers > for sending and receiving optical signals via fiber and has advanced > tremendously over the last decade. > > By encoding a vector into optical intensities passing through a series > of parallel waveguides, interfering these signals in a mesh of tunable > interferometers (acting as matrix coefficients), and then detecting > the output using on-chip Germanium photodetectors, a matrix-vector > multiplication is achieved. A generalized discussion of matrix > multiplication setups using photonics/interference can be found in > [https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.73.58 Reck > et al.] and [https://arxiv.org/abs/1506.06220 Russell et al.] A > detailed discussion of several integrated photonic architectures for > matrix multiplication and corresponding tuning algorithms can be found > in [https://arxiv.org/pdf/1909.06179.pdf Pai et al.] > > Below is a conceptual representation of a 3D-packaged oPoW mining > chip. Note that the majority of the real estate and cost comes from > the photonic die and the laser, with only a small digital SHA3 die > needed (as opposed to a conventional miner of the same cost, which > would have many copies of this die running in parallel). > > [[https://github.com/PoWx-Org/obtc/raw/main/img/optminer.png]] > > === Block Reward Considerations === > > Although it is out of the scope of this proposal, the authors strongly > recommend the consideration of a change in the block reward schedule > currently implemented in Bitcoin. There is no clear way to incentivize > miners with transaction fees only, as has been successfully shown in > [https://www.cs.princeton.edu/~smattw/CKWN-CCS16.pdf On the > Instability of Bitcoin Without the Block Reward] and other > publications, therefore looking a decade or two ahead it will be > important to implement a fixed block reward or to slow the decay of > the block reward to maintain the security of the network. Given that > oPoW miners have low operating costs, once a large number of machines > are running the reward level sufficient to keep them in operation and > providing robust security can potentially be significantly smaller > than in the case of the current SHA256 ASICs securing Bitcoin. > > === Implementation on the Bitcoin Network === > > A hard fork is not necessarily required for the Bitcoin network to > test and eventually implement oPoW. It’s possible to add oPoW as a > dual PoW to Bitcoin as a soft fork. Tuning the parameters to ensure > that, for example, 99.9% of the security budget would be earned by > miners via the SHA256 Hashcash PoW and 0.1% via oPoW would create > sufficient incentive for oPoW to be stress-tested and to incentivize > the manufacture of dedicated oPoW miners. If this test is successful, > the parameters can be tuned continuously over time, e.g. oPoW share > doubling at every halving, such that oPoW accounts for some target > percentage (up to 100% in a complete SHA256 phase-out). > > == Endnotes == > > With significant progress in optical and analog > matrix-vector-multiplication chipsets over the last year, we hope to > demonstrate commercial low-energy mining on our network in the next 6 > months. The current generation of optical matrix processors under > development is expected to have 10x better energy consumption per MAC > operation than digital implementations, and we expect this to improve > by another order of magnitude in future generations. > > PoWx will also be publishing the designs of the current optical miner > prototypes in the near term under an open-source hardware license. > > == Acknowledgments == > > We thank all the members of the Bitcoin community who have already > given us feedback over the last several years as well as others in the > optical computing community and beyond that have given their input. > > > > > [1] M. Dubrovsky et al. Towards Optical Proof of Work, CES conference > (2020) https://assets.pubpub.org/xi9h9rps/01581688887859.pdf > > [2] > https://sciencex.com/news/2020-05-powering-bitcoin-silicon-photonics-power.html > > [3] KISS random number generator > http://www.cse.yorku.ca/~oz/marsaglia-rng.html > > > > > ---- > We have taken into account the moderator's comments we received previously. > > > > Bogdan and Mike, > > PoWx > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 31502 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-17 21:13 ` Keagan McClelland @ 2021-05-18 6:46 ` ZmnSCPxj 2021-05-18 9:18 ` Devrandom 2021-05-18 12:46 ` Claus Ehrenberg 0 siblings, 2 replies; 15+ messages in thread From: ZmnSCPxj @ 2021-05-18 6:46 UTC (permalink / raw) To: Keagan McClelland, Bitcoin Protocol Discussion; +Cc: Michael Dubrovsky > A few things jump out at me as I read this proposal > > First, deriving the hardness from capex as opposed to opex switches the privilege from those who have cheap electricity to those who have access to chip manufacturers/foundries. While this is similarly the case for Bitcoin ASICS today, the longevity of the PoW algorithm has led to a better distribution of knowledge and capital goods required to create ASICS. The creation of a new PoW of any kind, hurts this dimension of decentralization as we would have to start over from scratch on the best way to build, distribute, and operate these new pieces of hardware at scale. While I have not combed over the PoW proposed here in fine detail, the more complicated the algorithm is, the more it privileges those with specific knowledge about it and the manufacturing process. > > The competitive nature of Bitcoin mining is such that miners will be willing to spend up to their expected mining reward in their operating costs to continue to mine. Let's suppose that this new PoW was adopted, miners will continue to buy these chips in ever increasing quantities, turning the aforementioned CAPEX into a de facto OPEX. This has a few consequences. First it just pushes the energy consumption upstream to the chip manufacturing process, rather than eliminating it. And it may trade some marginal amount of the energy consumption for the set of resources it takes to educate and create chip manufacturers. The only way to avoid that cost being funneled back into more energy consumption is to make the barrier to understanding of the manufacturing process sufficiently difficult so as to limit the proliferation of these chips. Again, this privileges the chip manufacturers as well as those with close access to the chip manufacturers. > > As far as I can tell, the only thing this proposal actually does is create a very lucrative business model for those who sell this variety of chips. Any other effects of it are transient, and in all likelihood the transient effects create serious centralization pressure. > > At the end of the day, the energy consumption is foundational to the system. The only way to do away with authorities, is to require competition. This competition will employ ever more resources until it is unprofitable to do so. At the base of all resources of society is energy. You get high energy expenditure, or a privileged class of bitcoin administrators: pick one. I suspect you'll find the vast majority of Bitcoin users to be in the camp of the energy expenditure, since if we pick the latter, we might as well just pack it in and give up on the Bitcoin experiment. Keagan is quite correct. Ultimately all currency security derives from energy consumption. Everything eventually resolves down to proof-of-work. * Proof-of-space simply moves the work to the construction of more storage devices. * Proof-of-stake simply moves the work to stake-grinding attacks. * The optical proof-of-work simply moves the work to the construction of more miners. * Even government-enforced fiat is ultimately proof-of-work, as the operation and continued existence of any government is work. It is far better to move towards a more *direct* proof-of-work, than to add more complexity and come up with something that is just proof-of-work, but with the work moved off to somewhere else and with additional moving parts that can be jammed or hacked into. When considering any new proof-of-foo, it is best to consider all effects until you reach the base physics of the arrow of time, at which point you will realize it is ultimately just another proof-of-work anyway. At least, proof-of-work is honest about its consumption of resources. Regards, ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 6:46 ` ZmnSCPxj @ 2021-05-18 9:18 ` Devrandom 2021-05-18 10:58 ` ZmnSCPxj 2021-05-18 10:59 ` mike 2021-05-18 12:46 ` Claus Ehrenberg 1 sibling, 2 replies; 15+ messages in thread From: Devrandom @ 2021-05-18 9:18 UTC (permalink / raw) To: ZmnSCPxj, Bitcoin Protocol Discussion; +Cc: Michael Dubrovsky [-- Attachment #1: Type: text/plain, Size: 1653 bytes --] On Mon, May 17, 2021 at 11:47 PM ZmnSCPxj: > > When considering any new proof-of-foo, it is best to consider all effects > until you reach the base physics of the arrow of time, at which point you > will realize it is ultimately just another proof-of-work anyway. > Let's not simplify away economic considerations, such as externalities. The whole debate about the current PoW is about negative externalities related to energy production. Depending on the details, CAPEX (R&D, real-estate, construction, production) may have less externalities, and if that's the case, we should be interested in adopting a PoW that is intensive in these types of CAPEX. On Mon, May 17, 2021 at 2:20 PM Keagan McClelland wrote: First it just pushes the energy consumption upstream to the chip > manufacturing process, rather than eliminating it. And it may trade some > marginal amount of the energy consumption for the set of resources it takes > to educate and create chip manufacturers. The only way to avoid that cost > being funneled back into more energy consumption [...] > I challenge you to substantiate these assertions. Real-estate and human cognitive work are not energy intensive and are a major factor in the expected costs of some alternative PoWs. The expected mining effort is such that the cost will reach the expected reward, no more, so there is every reason to believe that energy consumption will be small compared to the current PoW. Therefore, the total associated negative externalities for the alternative PoWs may well be much lower than the externalities of energy production. This needs detailed analysis, not a knee-jerk reaction. [-- Attachment #2: Type: text/html, Size: 2195 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 9:18 ` Devrandom @ 2021-05-18 10:58 ` ZmnSCPxj 2021-05-18 11:05 ` mike 2021-05-18 10:59 ` mike 1 sibling, 1 reply; 15+ messages in thread From: ZmnSCPxj @ 2021-05-18 10:58 UTC (permalink / raw) To: Devrandom; +Cc: Bitcoin Protocol Discussion Good morning devrandom, > On Mon, May 17, 2021 at 11:47 PM ZmnSCPxj: > > > When considering any new proof-of-foo, it is best to consider all effects until you reach the base physics of the arrow of time, at which point you will realize it is ultimately just another proof-of-work anyway. > > Let's not simplify away economic considerations, such as externalities. The whole debate about the current PoW is about negative externalities related to energy production. > > Depending on the details, CAPEX (R&D, real-estate, construction, production) may have less externalities, and if that's the case, we should be interested in adopting a PoW that is intensive in these types of CAPEX. Then let us also not forget another important externality: possible optimizations of a new PoW algorithm that risk being put into some kind of exclusive patent. I think with high probability that SHA256d as used by Bitcoin will no longer have an optimization as large in effect as ASICBOOST in the future, simply because there is a huge incentive to find such optimizations and Bitcoin has been using SHA256d for 12 years already, and we have already found ASICBOOST (and while patented, as I understand it the patent owner has promised not to enforce the patent --- my understanding may be wrong). Any alternative PoW algorithm risks an ASICBOOST-like optimization that is currently unknown, but which will be discovered (and possibly patented by an owner that *will* enforce the patent, thus putting the entire ecosystem at direct conflict with legacy government structures) once there is a good incentive (i.e. use in Bitcoin) for it. Regards, ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 10:58 ` ZmnSCPxj @ 2021-05-18 11:05 ` mike 2021-05-18 11:36 ` ZmnSCPxj 0 siblings, 1 reply; 15+ messages in thread From: mike @ 2021-05-18 11:05 UTC (permalink / raw) To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion That’s a fair point about patents. However, note that we were careful about this. oPoW only uses SHA3 (can be replaced with SHA256 in principle as well) and low precision linear matrix multiplication. A whole industry is trying to accelerate 8-bit linear matrix mults for AI so there is already a massive incentive (and has been for decades). See companies like Mythic, Groq, Tesla (FSD computer), google TPU and so on for electronic versions of this. Several of the optical ones are mentioned in the BIP (e.g. Lightmatter) Sent from my iPhone > On May 18, 2021, at 6:59 AM, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote: > > Good morning devrandom, > >> On Mon, May 17, 2021 at 11:47 PM ZmnSCPxj: >> >>> When considering any new proof-of-foo, it is best to consider all effects until you reach the base physics of the arrow of time, at which point you will realize it is ultimately just another proof-of-work anyway. >> >> Let's not simplify away economic considerations, such as externalities. The whole debate about the current PoW is about negative externalities related to energy production. >> >> Depending on the details, CAPEX (R&D, real-estate, construction, production) may have less externalities, and if that's the case, we should be interested in adopting a PoW that is intensive in these types of CAPEX. > > Then let us also not forget another important externality: possible optimizations of a new PoW algorithm that risk being put into some kind of exclusive patent. > > I think with high probability that SHA256d as used by Bitcoin will no longer have an optimization as large in effect as ASICBOOST in the future, simply because there is a huge incentive to find such optimizations and Bitcoin has been using SHA256d for 12 years already, and we have already found ASICBOOST (and while patented, as I understand it the patent owner has promised not to enforce the patent --- my understanding may be wrong). > > Any alternative PoW algorithm risks an ASICBOOST-like optimization that is currently unknown, but which will be discovered (and possibly patented by an owner that *will* enforce the patent, thus putting the entire ecosystem at direct conflict with legacy government structures) once there is a good incentive (i.e. use in Bitcoin) for it. > > Regards, > ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 11:05 ` mike @ 2021-05-18 11:36 ` ZmnSCPxj 2021-05-18 11:43 ` mike 0 siblings, 1 reply; 15+ messages in thread From: ZmnSCPxj @ 2021-05-18 11:36 UTC (permalink / raw) To: mike; +Cc: Bitcoin Protocol Discussion Good morning Michael, > That’s a fair point about patents. However, note that we were careful about this. oPoW only uses SHA3 (can be replaced with SHA256 in principle as well) and low precision linear matrix multiplication. A whole industry is trying to accelerate 8-bit linear matrix mults for AI so there is already a massive incentive (and has been for decades). > > See companies like Mythic, Groq, Tesla (FSD computer), google TPU and so on for electronic versions of this. Several of the optical ones are mentioned in the BIP (e.g. Lightmatter) Please note that ASICBOOST for SHA256d is based on a layer-crossing violation: SHA256 processes in blocks, and the Bitcoin block header is slightly larger than one SHA256 block. Adding more to a direct SHA3 (which, as a "sponge" construction, avoids blocks, but other layer-crossing violations may still exist) still risks layer violations that might introduce hidden optimizations. Or more succinctly; * Just because the components have (with high probability) no more possible optimizations, does not mean that the construction *as a whole* has no hidden optimizations. Thus, even if linear matrix multiplication and SHA3 have no hidden optimizations, their combination, together with the Bitcoin block header format, *may* have hidden optimizations. And there are no *current* incentives to find such optimizations until Bitcoin moves to this, at which point we are already committed and it would be highly infeasible to revert to SHA256d --- i.e. too late. This is why changes to PoW are highly discouraged. Remember, ASICBOOST was *not* an optimization of SHA256 *or* SHA256d, it was an optimizations of SHA256d-on-a-Bitcoin-block-header. ASICBOOST cannot speed up general SHA256 or even general SHA256d, it only applies specifically to SHA256d-on-a-Bitcoin-block-header. Regards, ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 11:36 ` ZmnSCPxj @ 2021-05-18 11:43 ` mike 2021-05-18 11:58 ` ZmnSCPxj 0 siblings, 1 reply; 15+ messages in thread From: mike @ 2021-05-18 11:43 UTC (permalink / raw) To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion That’s interesting. I didn’t know the history of ASICBOOST. Our proposal (see Implementation) is to phase in oPoW slowly starting at a very low % of the rewards (say 1%). That should give a long testing period where there is real financial incentive for things like ASICBOOST Does that resolve or partially resolve the issue in your eyes? Sent from my iPhone > On May 18, 2021, at 7:36 AM, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote: > > Good morning Michael, > >> That’s a fair point about patents. However, note that we were careful about this. oPoW only uses SHA3 (can be replaced with SHA256 in principle as well) and low precision linear matrix multiplication. A whole industry is trying to accelerate 8-bit linear matrix mults for AI so there is already a massive incentive (and has been for decades). >> >> See companies like Mythic, Groq, Tesla (FSD computer), google TPU and so on for electronic versions of this. Several of the optical ones are mentioned in the BIP (e.g. Lightmatter) > > > Please note that ASICBOOST for SHA256d is based on a layer-crossing violation: SHA256 processes in blocks, and the Bitcoin block header is slightly larger than one SHA256 block. > > Adding more to a direct SHA3 (which, as a "sponge" construction, avoids blocks, but other layer-crossing violations may still exist) still risks layer violations that might introduce hidden optimizations. > > Or more succinctly; > > * Just because the components have (with high probability) no more possible optimizations, does not mean that the construction *as a whole* has no hidden optimizations. > > Thus, even if linear matrix multiplication and SHA3 have no hidden optimizations, their combination, together with the Bitcoin block header format, *may* have hidden optimizations. > > And there are no *current* incentives to find such optimizations until Bitcoin moves to this, at which point we are already committed and it would be highly infeasible to revert to SHA256d --- i.e. too late. > > This is why changes to PoW are highly discouraged. > > > Remember, ASICBOOST was *not* an optimization of SHA256 *or* SHA256d, it was an optimizations of SHA256d-on-a-Bitcoin-block-header. > ASICBOOST cannot speed up general SHA256 or even general SHA256d, it only applies specifically to SHA256d-on-a-Bitcoin-block-header. > > Regards, > ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 11:43 ` mike @ 2021-05-18 11:58 ` ZmnSCPxj 2021-05-18 12:17 ` mike 0 siblings, 1 reply; 15+ messages in thread From: ZmnSCPxj @ 2021-05-18 11:58 UTC (permalink / raw) To: mike; +Cc: Bitcoin Protocol Discussion Good morning Michael, > That’s interesting. I didn’t know the history of ASICBOOST. History is immaterial, what is important is the technical description of ASICBOOST. Basically, by fixing the partial computation of the second block of SHA256, we could selectively vary bits in the first block of SHA256, while reusing the computation of the second block. This allows a grinder to grind more candidate blocks without recomputing the second block output, reducing the needed power consumption for the same number of hashes attempted. Here is an important writeup: https://www.mit.edu/~jlrubin/public/pdfs/Asicboost.pdf It should really be required reading for anyone who dreams of changing PoW algorithms to read and understand this document. There may be similar layer-crossings in any combined construction --- or even just a simple hash function --- when it is applied to a specific Bitcoin block format. > > Our proposal (see Implementation) is to phase in oPoW slowly starting at a very low % of the rewards (say 1%). That should give a long testing period where there is real financial incentive for things like ASICBOOST > > Does that resolve or partially resolve the issue in your eyes? It does mitigate this somewhat. However, such a mechanism is an additional complication and there may be further layer-crossing violations possible --- there may be an optimization to have a circuit that occasionally uses SHA256d and occasionally uses oPoW, that is not possible with a pure SHA256d or pure oPoW circuit. So this mitigation is not as strong as it might appear at first glance; additional layers means additional possibility of layer-crossing violations like ASICBOOST. Regards, ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 11:58 ` ZmnSCPxj @ 2021-05-18 12:17 ` mike 2021-05-18 12:22 ` ZmnSCPxj 0 siblings, 1 reply; 15+ messages in thread From: mike @ 2021-05-18 12:17 UTC (permalink / raw) To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion, marshall ball [-- Attachment #1: Type: text/plain, Size: 2486 bytes --] Nothing in a dynamic system like PoW mining can be 100% anticipated, for example there might be advanced in manufacturing of chips which are patented and so on. It sounds like your take is that this means no improvements can ever be made by any mechanism, however conservative. We do go into a fair amount of detail about Minimum Effective Hardness in our paper https://assets.pubpub.org/xi9h9rps/01581688887859.pdf , which is actually a special case of hardness that we invented for the context of adding an operation to a PoW, and how it applies to random matrix mults. Sent from my iPhone > On May 18, 2021, at 7:58 AM, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote: > > Good morning Michael, > >> That’s interesting. I didn’t know the history of ASICBOOST. > > History is immaterial, what is important is the technical description of ASICBOOST. > Basically, by fixing the partial computation of the second block of SHA256, we could selectively vary bits in the first block of SHA256, while reusing the computation of the second block. > This allows a grinder to grind more candidate blocks without recomputing the second block output, reducing the needed power consumption for the same number of hashes attempted. > > Here is an important writeup: https://www.mit.edu/~jlrubin/public/pdfs/Asicboost.pdf > It should really be required reading for anyone who dreams of changing PoW algorithms to read and understand this document. > > There may be similar layer-crossings in any combined construction --- or even just a simple hash function --- when it is applied to a specific Bitcoin block format. > >> >> Our proposal (see Implementation) is to phase in oPoW slowly starting at a very low % of the rewards (say 1%). That should give a long testing period where there is real financial incentive for things like ASICBOOST >> >> Does that resolve or partially resolve the issue in your eyes? > > It does mitigate this somewhat. > > However, such a mechanism is an additional complication and there may be further layer-crossing violations possible --- there may be an optimization to have a circuit that occasionally uses SHA256d and occasionally uses oPoW, that is not possible with a pure SHA256d or pure oPoW circuit. > So this mitigation is not as strong as it might appear at first glance; additional layers means additional possibility of layer-crossing violations like ASICBOOST. > > > > > Regards, > ZmnSCPxj > [-- Attachment #2: Type: text/html, Size: 3451 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 12:17 ` mike @ 2021-05-18 12:22 ` ZmnSCPxj 2021-05-18 12:58 ` ZmnSCPxj 0 siblings, 1 reply; 15+ messages in thread From: ZmnSCPxj @ 2021-05-18 12:22 UTC (permalink / raw) To: mike; +Cc: Bitcoin Protocol Discussion, marshall ball Good morning Michael, > Nothing in a dynamic system like PoW mining can be 100% anticipated, for example there might be advanced in manufacturing of chips which are patented and so on. > > It sounds like your take is that this means no improvements can ever be made by any mechanism, however conservative. Not at all. Small-enough improvements over long-enough periods of time are expected and anticipated --- that is why there exists a difficulty adjustment mechanism. What is risky if a large-enough improvement over a short-enough time that overwhelms the difficulty adjustment mechanism. ASICBOOST was a massive enough improvement that it could be argued to potentially overwhelm this mechanism if it was not openly allowed for all miners. > > We do go into a fair amount of detail about Minimum Effective Hardness in our paper https://assets.pubpub.org/xi9h9rps/01581688887859.pdf , which is actually a special case of hardness that we invented for the context of adding an operation to a PoW, and how it applies to random matrix mults. This certainly helps as well. Regards, ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 12:22 ` ZmnSCPxj @ 2021-05-18 12:58 ` ZmnSCPxj 0 siblings, 0 replies; 15+ messages in thread From: ZmnSCPxj @ 2021-05-18 12:58 UTC (permalink / raw) To: ZmnSCPxj, Bitcoin Protocol Discussion; +Cc: marshall ball Good morning Michael, > Good morning Michael, > > > Nothing in a dynamic system like PoW mining can be 100% anticipated, for example there might be advanced in manufacturing of chips which are patented and so on. > > It sounds like your take is that this means no improvements can ever be made by any mechanism, however conservative. > > Not at all. > > Small-enough improvements over long-enough periods of time are expected and anticipated --- that is why there exists a difficulty adjustment mechanism. > What is risky if a large-enough improvement over a short-enough time that overwhelms the difficulty adjustment mechanism. > ASICBOOST was a massive enough improvement that it could be argued to potentially overwhelm this mechanism if it was not openly allowed for all miners. Or to put it in another perspective: * Small improvements to PoW mining are tolerated by Bitcoin. * Such improvements are expected to be common. * Large improvements to PoW mining are potential extinction events for Bitcoin, due to massive centralization risk. * Such improvements are expected to be *rare* but *not* nonexistent. * The number of possible circuit configurations is bounded by physical limits (matter is quantized, excssively-large chips are infeasible, etc.), thus the number of expected optimizations of a particular overall algorithm are bounded. Suppose two manufacturers find two different small improvements to PoW mining. In all likelihood, "the sum is better than its parts" and if the two have a cross-licensing deal, they can outcompete their *other* competition. Further, even if some small competitor violates the patent, the improvement may be small enough that the patent owner may decide the competitor is too small to bother with all the legal fees involved to enforce the patent. Thus, small improvements to PoW mining are expected to eventually spread widely, and that is what the difficulty adjustment mechanism exists to modulate. But suppose a third manufacturer develops an ASICBOOST-level optimization of whatever the PoW mining algorithm is. That manufacturer has no incentive to cross-license, since it can dominate the competition without cross-licensing a bunch of smaller optimizations (that may not even add up to compete against the ASICBOOST-level optimization). And any small competitor that violates patent will be enforced against, due to the major improvement that the large optimization has and the massive monopolistic advantage the ASICBOOST-level optimization patent holder would have. SHA256d-on-Bitcoin-block-header has already uncovered ASICBOOST, and thus the number of possible other large optimizations is that much smaller --- the number of possible optimizations is bounded by physical constraints. Thus, the risk of a black-swan event where a new optimization of SHA256d-on-Bitcoin-block-header is large enough to massively centralize mining is reduced, compared to every other alternative PoW algorithm, which is an important reason to avoid changing PoW as much as possible, without some really serious study (which you might be engaged in --- I am not enough of a mathist to follow your papers). We are more likely to want to change SHA256 for SHA3 on the txid and Merkle trees than on the PoW. Regards, ZmnSCPxj ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 9:18 ` Devrandom 2021-05-18 10:58 ` ZmnSCPxj @ 2021-05-18 10:59 ` mike 1 sibling, 0 replies; 15+ messages in thread From: mike @ 2021-05-18 10:59 UTC (permalink / raw) To: Devrandom; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 3385 bytes --] Devrandom is correct to point out that there is nuance to these things and it’s better to look at the details rather than proclaiming that PoW is PoW. (I do agree though w the original point that other ideas often turn out to reduce to PoW despite their convoluted architecture) A note on the key difference between hardware and energy as it relates to centralization: Hardware is easily transferable. If you have low electricity costs, Bitcoin ASICS need to be physically located in proximity to use it. You can’t sell your low power costs on an open liquid market (you can sell your hash rate but that still requires all the miners next to the power plant). Hardware can be sold online freely to anyone anywhere in the world. If a small number of foundries are producing low energy opow hardware (just as there are a small number producing SHA256 ASICS- in fact it would be the same set foundries, somewhat expanded because optical chips use larger, older nodes... for example Global Foundries has a great photonics process at 90nm), they can (and will) still sell the hardware to people all over the world. There is a huge latent demand for BTC mining. Many people currently buying alt coins or even BTC would prefer to invest in mining if they could turn a profit despite their high energy cost. Another clear benefit would be the difficulty of detecting and controlling low energy mining relative to the ASIC-warehouse-next-to-waterfall model used today. You can’t move a waterfall if the local government decides to regulate you. Just some thoughts. Sent from my iPhone > On May 18, 2021, at 5:18 AM, Devrandom <c1.bitcoin@niftybox.net> wrote: > > > On Mon, May 17, 2021 at 11:47 PM ZmnSCPxj: >> >> When considering any new proof-of-foo, it is best to consider all effects until you reach the base physics of the arrow of time, at which point you will realize it is ultimately just another proof-of-work anyway. > > Let's not simplify away economic considerations, such as externalities. The whole debate about the current PoW is about negative externalities related to energy production. > > Depending on the details, CAPEX (R&D, real-estate, construction, production) may have less externalities, and if that's the case, we should be interested in adopting a PoW that is intensive in these types of CAPEX. > > On Mon, May 17, 2021 at 2:20 PM Keagan McClelland wrote: > >> First it just pushes the energy consumption upstream to the chip manufacturing process, rather than eliminating it. And it may trade some marginal amount of the energy consumption for the set of resources it takes to educate and create chip manufacturers. The only way to avoid that cost being funneled back into more energy consumption [...] > > I challenge you to substantiate these assertions. Real-estate and human cognitive work are not energy intensive and are a major factor in the expected costs of some alternative PoWs. The expected mining effort is such that the cost will reach the expected reward, no more, so there is every reason to believe that energy consumption will be small compared to the current PoW. > > Therefore, the total associated negative externalities for the alternative PoWs may well be much lower than the externalities of energy production. This needs detailed analysis, not a knee-jerk reaction. > [-- Attachment #2: Type: text/html, Size: 5621 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 6:46 ` ZmnSCPxj 2021-05-18 9:18 ` Devrandom @ 2021-05-18 12:46 ` Claus Ehrenberg 2021-05-18 16:47 ` Keagan McClelland 1 sibling, 1 reply; 15+ messages in thread From: Claus Ehrenberg @ 2021-05-18 12:46 UTC (permalink / raw) To: ZmnSCPxj, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 6055 bytes --] > Ultimately all currency security derives from energy consumption. > Everything eventually resolves down to proof-of-work. This is ideology. Yes, without energy and work, not many things happen. But the amounts of energy and work to achieve a goal vary widely. Detailed analysis comparing one alternative with the other in depth is required. And I would not look for order-of-magnitude improvements, 25% better is also a big deal, if discovered. > * Proof-of-space simply moves the work to the construction of more storage devices. One needs a cost/benefit analysis, not just an account of the cost. For example, if PoW could do calculations that are otherwise useful (maybe solve a queue of standardized math-jobs, such as climate simulations) there would be more benefit, or, let's say the data storage in proof-of-space is useful. > * Proof-of-stake simply moves the work to stake-grinding attacks. Simply not true, there are PoS implementations that are immune to stake-grinding attacks, and even where not, the possible amount of computations is limited compared to PoW > * The optical proof-of-work simply moves the work to the construction of more miners. The idea was to shift from energy to cap-ex. We can get a financial penalty for misbehavior from three sources: - cost of energy/labor (PoW) - cost of capital (PoS) - cost of cap-ex There might be a better mix than PoW only. I have written code for mixed PoW/PoS systems and it works. Adding more cap-ex to the mix can make sense, but the environmental impact needs to be analyzed, it could also make it worse than just the use of electricity. At least electricity as such does not leave waste behind. Mining in orbit with solar power would be totally acceptable. > At least, proof-of-work is honest about its consumption of resources. Agreed, but we can't be satisfied with that. If we try hard enough we can do better. Cheers Claus On Tue, May 18, 2021 at 8:47 AM ZmnSCPxj via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > > > A few things jump out at me as I read this proposal > > > > First, deriving the hardness from capex as opposed to opex switches the > privilege from those who have cheap electricity to those who have access to > chip manufacturers/foundries. While this is similarly the case for Bitcoin > ASICS today, the longevity of the PoW algorithm has led to a better > distribution of knowledge and capital goods required to create ASICS. The > creation of a new PoW of any kind, hurts this dimension of decentralization > as we would have to start over from scratch on the best way to build, > distribute, and operate these new pieces of hardware at scale. While I have > not combed over the PoW proposed here in fine detail, the more complicated > the algorithm is, the more it privileges those with specific knowledge > about it and the manufacturing process. > > > > The competitive nature of Bitcoin mining is such that miners will be > willing to spend up to their expected mining reward in their operating > costs to continue to mine. Let's suppose that this new PoW was adopted, > miners will continue to buy these chips in ever increasing quantities, > turning the aforementioned CAPEX into a de facto OPEX. This has a few > consequences. First it just pushes the energy consumption upstream to the > chip manufacturing process, rather than eliminating it. And it may trade > some marginal amount of the energy consumption for the set of resources it > takes to educate and create chip manufacturers. The only way to avoid that > cost being funneled back into more energy consumption is to make the > barrier to understanding of the manufacturing process sufficiently > difficult so as to limit the proliferation of these chips. Again, this > privileges the chip manufacturers as well as those with close access to the > chip manufacturers. > > > > As far as I can tell, the only thing this proposal actually does is > create a very lucrative business model for those who sell this variety of > chips. Any other effects of it are transient, and in all likelihood the > transient effects create serious centralization pressure. > > > > At the end of the day, the energy consumption is foundational to the > system. The only way to do away with authorities, is to require > competition. This competition will employ ever more resources until it is > unprofitable to do so. At the base of all resources of society is energy. > You get high energy expenditure, or a privileged class of bitcoin > administrators: pick one. I suspect you'll find the vast majority of > Bitcoin users to be in the camp of the energy expenditure, since if we pick > the latter, we might as well just pack it in and give up on the Bitcoin > experiment. > > > Keagan is quite correct. > Ultimately all currency security derives from energy consumption. > Everything eventually resolves down to proof-of-work. > > * Proof-of-space simply moves the work to the construction of more storage > devices. > * Proof-of-stake simply moves the work to stake-grinding attacks. > * The optical proof-of-work simply moves the work to the construction of > more miners. > * Even government-enforced fiat is ultimately proof-of-work, as the > operation and continued existence of any government is work. > > It is far better to move towards a more *direct* proof-of-work, than to > add more complexity and come up with something that is just proof-of-work, > but with the work moved off to somewhere else and with additional moving > parts that can be jammed or hacked into. > > When considering any new proof-of-foo, it is best to consider all effects > until you reach the base physics of the arrow of time, at which point you > will realize it is ultimately just another proof-of-work anyway. > > At least, proof-of-work is honest about its consumption of resources. > > > Regards, > ZmnSCPxj > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 6857 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW 2021-05-18 12:46 ` Claus Ehrenberg @ 2021-05-18 16:47 ` Keagan McClelland 0 siblings, 0 replies; 15+ messages in thread From: Keagan McClelland @ 2021-05-18 16:47 UTC (permalink / raw) To: Claus Ehrenberg, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 7557 bytes --] >One needs a cost/benefit analysis, not just an account of the cost. For example, if PoW could do calculations that are otherwise useful (maybe solve a queue of standardized math-jobs, such as climate simulations) there would be more benefit, or, let's say the data storage in proof-of-space is useful. Any discussion on whether Proof of Work is suitable for the task needs to recognize that the "waste" is what creates the security. If you manage to make the proof of work useful for tasks external to the protocol, you reintroduce the "nothing at stake" problem in a roundabout way. Useful computation is something people will pay for. If they pay for it, miners can be compensated in such a way that choosing to mine one of the Not-The-Heaviest-Chain's becomes costless. This erodes the security of the network substantially. It is not a matter of coming up with the "right" kind of useful computation that is not subject to these problems. These problems are a natural consequence of it being useful outside the protocol *at all*. Keagan On Tue, May 18, 2021 at 8:24 AM Claus Ehrenberg via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > > Ultimately all currency security derives from energy consumption. > > Everything eventually resolves down to proof-of-work. > This is ideology. Yes, without energy and work, not many things happen. > But the amounts of energy and work to achieve a goal vary widely. Detailed > analysis comparing one alternative with the other in depth is required. > And I would not look for order-of-magnitude improvements, 25% better is > also a big deal, if discovered. > > > * Proof-of-space simply moves the work to the construction of more > storage devices. > One needs a cost/benefit analysis, not just an account of the cost. For > example, if PoW could do calculations that are otherwise useful (maybe > solve a queue of standardized math-jobs, such as climate simulations) there > would be more benefit, or, let's say the data storage in proof-of-space is > useful. > > > * Proof-of-stake simply moves the work to stake-grinding attacks. > Simply not true, there are PoS implementations that are immune to > stake-grinding attacks, and even where not, the possible amount of > computations is limited compared to PoW > > > * The optical proof-of-work simply moves the work to the construction of > more miners. > The idea was to shift from energy to cap-ex. We can get a > financial penalty for misbehavior from three sources: > - cost of energy/labor (PoW) > - cost of capital (PoS) > - cost of cap-ex > There might be a better mix than PoW only. I have written code for mixed > PoW/PoS systems and it works. Adding more cap-ex to the mix can make sense, > but the environmental impact needs to be analyzed, it could also make it > worse than just the use of electricity. At least electricity as such does > not leave waste behind. Mining in orbit with solar power would be totally > acceptable. > > > At least, proof-of-work is honest about its consumption of resources. > Agreed, but we can't be satisfied with that. If we try hard enough we can > do better. > > Cheers > Claus > > On Tue, May 18, 2021 at 8:47 AM ZmnSCPxj via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> >> > A few things jump out at me as I read this proposal >> > >> > First, deriving the hardness from capex as opposed to opex switches the >> privilege from those who have cheap electricity to those who have access to >> chip manufacturers/foundries. While this is similarly the case for Bitcoin >> ASICS today, the longevity of the PoW algorithm has led to a better >> distribution of knowledge and capital goods required to create ASICS. The >> creation of a new PoW of any kind, hurts this dimension of decentralization >> as we would have to start over from scratch on the best way to build, >> distribute, and operate these new pieces of hardware at scale. While I have >> not combed over the PoW proposed here in fine detail, the more complicated >> the algorithm is, the more it privileges those with specific knowledge >> about it and the manufacturing process. >> > >> > The competitive nature of Bitcoin mining is such that miners will be >> willing to spend up to their expected mining reward in their operating >> costs to continue to mine. Let's suppose that this new PoW was adopted, >> miners will continue to buy these chips in ever increasing quantities, >> turning the aforementioned CAPEX into a de facto OPEX. This has a few >> consequences. First it just pushes the energy consumption upstream to the >> chip manufacturing process, rather than eliminating it. And it may trade >> some marginal amount of the energy consumption for the set of resources it >> takes to educate and create chip manufacturers. The only way to avoid that >> cost being funneled back into more energy consumption is to make the >> barrier to understanding of the manufacturing process sufficiently >> difficult so as to limit the proliferation of these chips. Again, this >> privileges the chip manufacturers as well as those with close access to the >> chip manufacturers. >> > >> > As far as I can tell, the only thing this proposal actually does is >> create a very lucrative business model for those who sell this variety of >> chips. Any other effects of it are transient, and in all likelihood the >> transient effects create serious centralization pressure. >> > >> > At the end of the day, the energy consumption is foundational to the >> system. The only way to do away with authorities, is to require >> competition. This competition will employ ever more resources until it is >> unprofitable to do so. At the base of all resources of society is energy. >> You get high energy expenditure, or a privileged class of bitcoin >> administrators: pick one. I suspect you'll find the vast majority of >> Bitcoin users to be in the camp of the energy expenditure, since if we pick >> the latter, we might as well just pack it in and give up on the Bitcoin >> experiment. >> >> >> Keagan is quite correct. >> Ultimately all currency security derives from energy consumption. >> Everything eventually resolves down to proof-of-work. >> >> * Proof-of-space simply moves the work to the construction of more >> storage devices. >> * Proof-of-stake simply moves the work to stake-grinding attacks. >> * The optical proof-of-work simply moves the work to the construction of >> more miners. >> * Even government-enforced fiat is ultimately proof-of-work, as the >> operation and continued existence of any government is work. >> >> It is far better to move towards a more *direct* proof-of-work, than to >> add more complexity and come up with something that is just proof-of-work, >> but with the work moved off to somewhere else and with additional moving >> parts that can be jammed or hacked into. >> >> When considering any new proof-of-foo, it is best to consider all effects >> until you reach the base physics of the arrow of time, at which point you >> will realize it is ultimately just another proof-of-work anyway. >> >> At least, proof-of-work is honest about its consumption of resources. >> >> >> Regards, >> ZmnSCPxj >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 8795 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2021-05-18 16:47 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-05-17 19:32 [bitcoin-dev] Proposal: Low Energy Bitcoin PoW Bogdan Penkovsky 2021-05-17 21:13 ` Keagan McClelland 2021-05-18 6:46 ` ZmnSCPxj 2021-05-18 9:18 ` Devrandom 2021-05-18 10:58 ` ZmnSCPxj 2021-05-18 11:05 ` mike 2021-05-18 11:36 ` ZmnSCPxj 2021-05-18 11:43 ` mike 2021-05-18 11:58 ` ZmnSCPxj 2021-05-18 12:17 ` mike 2021-05-18 12:22 ` ZmnSCPxj 2021-05-18 12:58 ` ZmnSCPxj 2021-05-18 10:59 ` mike 2021-05-18 12:46 ` Claus Ehrenberg 2021-05-18 16:47 ` Keagan McClelland
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox