Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 762AAC0001 for ; Tue, 18 May 2021 12:17:51 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 627D4405FA for ; Tue, 18 May 2021 12:17:51 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.898 X-Spam-Level: X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no Authentication-Results: smtp4.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=powx-org.20150623.gappssmtp.com Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ThzyAwk_yf6G for ; Tue, 18 May 2021 12:17:48 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) by smtp4.osuosl.org (Postfix) with ESMTPS id 3FB7F40509 for ; Tue, 18 May 2021 12:17:48 +0000 (UTC) Received: by mail-qt1-x834.google.com with SMTP id t20so7207557qtx.8 for ; Tue, 18 May 2021 05:17:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=powx-org.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=Vr7hrV0SZsnUwlSoTy5jZXZBIycmVog5OfFEOraTLZs=; b=E0s97VdInt2rFQ1qGgXIaq+8qEVYiuIO7BqNEo9AA6eVtqxbh8SjPAog2Dhd/f8Yv7 zDcWo5gLAqqEoRQMiwCFgu6ttv/88NhuA4w3PP4lV1S4R7CEX130Tkb24uaPKAT4hnGC /w5FlTnsfAv1jxS5NDdBFTaxUaUQGqsUd9NjH5gWe/fhZ96oYMGELZPcrz3sQsOQ0+06 +BmkFoJk3nrIHkXNbv27Mt1ZPn+E8iIxPABVrpZtW0UNhfWI7HNjgIJbHUcqGkBCjO2r p9AFJy6VZHLzMn/W5TF5p3jRA0nv46G7h8+sfeRjduEwzmCdQtYwTKunwZCSYJ5fFXB8 TvrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=Vr7hrV0SZsnUwlSoTy5jZXZBIycmVog5OfFEOraTLZs=; b=TlY/qWQb0mw4tf1daXwlPbAznjiRu1kqqA/bKbmcFd2jGH8V58PRjqt+QJoUDs9hQI SWElFM+eK3shs3V4+PTEYHybGS4e1MMpm/rZ+9QskS1W8lU4zIJAdoRaSCwH+HROILAs wrvvHibpKKbup267VhJwq1C6iGBQwZZAaEO+bTQNjVuIUiJcDpKu1llAgMyWzVzN1pVA 4PCCURG0Y1F2MBhxc+jvLZMgwaTACXpNJn2cMvoJyFCMtj2sc8QZKzWKVzJbLmgfcPdU i5tABX7Pv6HM7LJzfMJGgyEkCH5ftFUnBsSnlpORsu6k4M22ki18+J4mVP3CEBLZBNuP V8RA== X-Gm-Message-State: AOAM531BouPMOzG58hMlmt+5CkSC58XwsvekGNnFhI3xuWo/w5/CO5ZM PAjHQ2X0d27PmVBWGHBUwz6lR519ludOEwju X-Google-Smtp-Source: ABdhPJyLmHy7NOiWfh9bzk7SOrpFLe2kzP4KM2L6VE3F9LuyHAX4ZS0j1uoin+ViMj/WIUy3YQdowQ== X-Received: by 2002:ac8:6b0a:: with SMTP id w10mr4365538qts.60.1621340267008; Tue, 18 May 2021 05:17:47 -0700 (PDT) Received: from [192.168.4.35] ([73.143.249.71]) by smtp.gmail.com with ESMTPSA id z187sm12652153qkb.129.2021.05.18.05.17.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 18 May 2021 05:17:46 -0700 (PDT) Content-Type: multipart/alternative; boundary=Apple-Mail-1E226B23-1DD8-4164-843B-0B81FBF43D4B Content-Transfer-Encoding: 7bit From: mike@powx.org Mime-Version: 1.0 (1.0) Date: Tue, 18 May 2021 08:17:46 -0400 Message-Id: <864F983C-841D-4334-94F4-5A9F7D617B70@powx.org> References: In-Reply-To: To: ZmnSCPxj X-Mailer: iPhone Mail (18D70) X-Mailman-Approved-At: Tue, 18 May 2021 14:24:16 +0000 Cc: Bitcoin Protocol Discussion , marshall ball Subject: Re: [bitcoin-dev] Proposal: Low Energy Bitcoin PoW X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2021 12:17:51 -0000 --Apple-Mail-1E226B23-1DD8-4164-843B-0B81FBF43D4B Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Nothing in a dynamic system like PoW mining can be 100% anticipated, for exa= mple there might be advanced in manufacturing of chips which are patented an= d so on.=20 It sounds like your take is that this means no improvements can ever be made= by any mechanism, however conservative. We do go into a fair amount of detail about Minimum Effective Hardness in ou= r paper https://assets.pubpub.org/xi9h9rps/01581688887859.pdf , which is act= ually a special case of hardness that we invented for the context of adding a= n operation to a PoW, and how it applies to random matrix mults. =20 Sent from my iPhone > On May 18, 2021, at 7:58 AM, ZmnSCPxj wrote: >=20 > =EF=BB=BFGood morning Michael, >=20 >> That=E2=80=99s interesting. I didn=E2=80=99t know the history of ASICBOOS= T. >=20 > History is immaterial, what is important is the technical description of A= SICBOOST. > Basically, by fixing the partial computation of the second block of SHA256= , we could selectively vary bits in the first block of SHA256, while reusing= the computation of the second block. > This allows a grinder to grind more candidate blocks without recomputing t= he second block output, reducing the needed power consumption for the same n= umber of hashes attempted. >=20 > Here is an important writeup: https://www.mit.edu/~jlrubin/public/pdfs/Asi= cboost.pdf > It should really be required reading for anyone who dreams of changing PoW= algorithms to read and understand this document. >=20 > There may be similar layer-crossings in any combined construction --- or e= ven just a simple hash function --- when it is applied to a specific Bitcoin= block format. >=20 >>=20 >> Our proposal (see Implementation) is to phase in oPoW slowly starting at a= very low % of the rewards (say 1%). That should give a long testing period w= here there is real financial incentive for things like ASICBOOST >>=20 >> Does that resolve or partially resolve the issue in your eyes? >=20 > It does mitigate this somewhat. >=20 > However, such a mechanism is an additional complication and there may be f= urther layer-crossing violations possible --- there may be an optimization t= o have a circuit that occasionally uses SHA256d and occasionally uses oPoW, t= hat is not possible with a pure SHA256d or pure oPoW circuit. > So this mitigation is not as strong as it might appear at first glance; ad= ditional layers means additional possibility of layer-crossing violations li= ke ASICBOOST. >=20 >=20 >=20 >=20 > Regards, > ZmnSCPxj >=20 --Apple-Mail-1E226B23-1DD8-4164-843B-0B81FBF43D4B Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable Nothing in a dynamic system like PoW mining= can be 100% anticipated, for example there might be advanced in manufacturi= ng of chips which are patented and so on. 

It sounds= like your take is that this means no improvements can ever be made by any m= echanism, however conservative.

We do go into a fair amou= nt of detail about Minimum Effective Hardness in our paper https://assets.pubpub.= org/xi9h9rps/01581688887859.pdf , which is actually a special case o= f hardness that we invented for the context of adding an operation to a PoW,= and how it applies to random matrix mults.   

Sent from my iPhone

On May 18, 2021, at 7:58 AM, ZmnSCPxj <ZmnSCPxj@protonmail.com>= wrote:

=EF=BB=BFGood morning Michael,

That=E2=80=99s interesting. I didn=E2=80=99t know the h= istory of ASICBOOST.

History i= s immaterial, what is important is the technical description of ASICBOOST.
Basically, by fixing the partial computation of the second bl= ock of SHA256, we could selectively vary bits in the first block of SHA256, w= hile reusing the computation of the second block.
This allow= s a grinder to grind more candidate blocks without recomputing the second bl= ock output, reducing the needed power consumption for the same number of has= hes attempted.

Here is an important writeup= : https://www.mit.edu/~jlrubin/public/pdfs/Asicboost.pdf
It s= hould really be required reading for anyone who dreams of changing PoW algor= ithms to read and understand this document.

There may be similar layer-crossings in any combined construction --- or ev= en just a simple hash function --- when it is applied to a specific Bitcoin b= lock format.



Our proposal (see Implem= entation) is to phase in oPoW slowly starting at a very low % of the rewards= (say 1%). That should give a long testing period where there is real financ= ial incentive for things like ASICBOOST

D= oes that resolve or partially resolve the issue in your eyes?

It does mitigate this somewhat.

However, such a mechanism is an additional complication= and there may be further layer-crossing violations possible --- there may b= e an optimization to have a circuit that occasionally uses SHA256d and occas= ionally uses oPoW, that is not possible with a pure SHA256d or pure oPoW cir= cuit.
So this mitigation is not as strong as it might appear= at first glance; additional layers means additional possibility of layer-cr= ossing violations like ASICBOOST.



Regards,
ZmnSCPxj<= /span>

= --Apple-Mail-1E226B23-1DD8-4164-843B-0B81FBF43D4B--