Incentivizing ASIC resistance in a POW fork

[freetrader]

Opening a general thread here for discussion of measures by which a POW fork can keep up ASIC resistance.

The first suggestion that has been made repeatedly is to consider a difficulty bomb, similar to what Ethereum has to incentivize itself to move from POW to POS [1], except it would be used to keep Bitcoin moving from ASIC-resistant POW to (((next ASIC resistant POW))) at sufficient speed to ensure mining decentralization.
This is a code device that triggers an increase in difficulty at a pre-set time after the fork (e.g. 1 year after).
The difficulty will then gradually increase until the system is no longer usable because the difficulty exceeds hashing capability.

Personally, my initial stance is one of opposition to such an "incentive" that threatens the operation of the system. Don't let that dissuade you from arguing the other side. I would like to hear your opinions in this thread, let's debate this.

And vote in the poll after you've heard and considered various arguments.

I encourage everyone to make more suggestions as well, this thread is not limited to a bomb.

[1] http://ethereum.stackexchange.com/questions/323/what-is-the-difficulty-bomb-and-what-is-the-goal-of-it

 

[freetrader]

So, to expound my view on the 'bomb' topic (and why I voted against it) a little:

I don't think a bomb is a responsible device to use in the leading cryptocurrency, because it is by design not fail-safe, and I think Bitcoin software should always degrade safely rather than catastrophically.

I think people will, in the course of time, depend on Bitcoin, in some cases with their livelihoods and ultimately, that means lives. To build a device into the software that could ultimately jeopardize lives doesn't feel right to me.

The aim is to exert pressure on the various development teams to come to a solution.
But a bomb does not guarantee a good solution, nor that the solution is applied at the time it is needed.

Indeed, some correctly argue that the next subsequent HF can remove the bomb entirely, so why have it in the first place?

Ultimately, for me it boils down to responsibility that we as Bitcoin developers have for the system's health. Implanting a bomb or other mechanism which is detrimental to the functioning of the system goes against my grain as a software developer. It sends a mixed message to users as well. Personally, it would shake my confidence in the system's future, knowing that something like this lurks in the depths, that a clock is ticking and put my ability to USE my money at risk.

 

[lunar]

If you knew what the next POW was going to be, could you not simply produce ASICs ahead of time and come in with a running start. Sounds like a risk of one big company owning the network.

Maybe you could have a *random POW that couldn't be known ahead of time?

This might lead to the development of hybrid ASICs (contradiction in terms) specialised but multipurpose chips?

 

[Justus Ranvier]

There's no value in ASIC resistance.

Changing the PoW algorithm in a situation where you've got no other option than firing the existing miners, sure.

ASIC mining in general is good though.

 

[freetrader]

@Justus Ranvier : I am inclined to agree with that. So how do we ensure that we only get ASICs back in the game if they are sufficiently commoditized and decentralized? Phasing them back in slowly as part of a multi-POW solution seems viable.
How satisfied are we that we can get reasonably reliable measurements of the centralization state of the system, and can this be fed back into the system to regulate itself instead of having some central planners decide what might be good for it?

In retrospect the thread title should rather have been "Incentivizing decentralization".

 

[Justus Ranvier]

@Justus RanvierSo how do we ensure that we only get ASICs back in the game if they are sufficiently commoditized and decentralized?

Why do you assume this is desirable or necessary?

 

[Richy_T]

Not sure if it's directly relevant but i was thinking earlier about a potential PoW transition scheme whereby SHA256 proofs would still be accepted but if a non-SHA256 block were mined at the same time, the SHA256 block would be orphaned by default. This would still provide income to existing miners and hashpower for the blockchain but would encourage a move to alternate block generation methods.

 

[freetrader]

@Justus Ranvier : I shall mull your question and come back once I'm able to answer that.

 

[Justus Ranvier]

I think there are two ways to characterize Bitcoin early adopters:

• The ones who said, "Wow, somebody finally made Milton Friedman's prediction come true by inventing digital inflation-proof money."
• The ones who said, "Wow, some people got rich by leaving their computers running. I want to get rich by leaving my computer running too!"

It was the latter group who created all the drama about GPU mining, which turned into drama about FPGA mining, which turned into drama aobut ASIC mining.

That doesn't prove them to be incorrect, of course, but it does mean you shouldn't take their conclusions at face value. Examine their methodology carefully to make sure they aren't just ex post facto justifying their desire to get rich by leaving their computer running.

 

[Richy_T]

Good point. I bought most of my Bitcoins with cash because by that point, it was clear that mining would not produce a decent amount without significantly more investment than just ponying up some cash.

I think we now also face those whose mentality is "I'm much smarter than all these people who made lots of money by just leaving their computer runnin so I'm going to find some way to force my way in even if it damages the ideas and values" *cough*back*cough*

 

[Justus Ranvier]

The best case scenario for Back's and Maxwell's motives is that they are convinced that Confindental Transactions is so necessary and so beneficial that all the damage (which they may or may not be capable of comprehending) they are doing is worth it.

Even in that best case, they're wrong.

CT is a modest privacy improvement at best. It would have been great 3 or 4 years ago but the attackers are already pretty advanced and will be able to degrade the practical effectiveness of CT substantially.

It also makes Bitcoin vulnerable to quantum cryptography in a way that it currently isn't.. Right now the integrity of the currency supply is a simple matter of arithmetic. With CT the integrity of the currency supply depends on the hardness of the discrete log problem.

Once a quantum computer with sufficient qbits exists to break the DLP, then it will be able to create infinite inflation in Bitcoin.

 

[freetrader]

@Justus Ranvier : When I said earlier "I am inclined to agree with that", I should have been more precise.

I agree with the statement "ASIC mining in general is good", and under that premise the thread title is unsatisfactory. My personal view is that ASICs should not be resisted in principle. They are a manifestation of trying to secure the chain at the lowest possible energy expenditure. This should be good for Bitcoin and it should be good for the environment, all things being equal. Why should we be using valuable general-purpose computers to solve specialized math puzzles which only revolve around proving that some work has been done?

This thread is of course to debate the merits and demerits of that proposition either way.

There's no value in ASIC resistance.

This is the part I'm unsure about. I think it might be a temporary or cyclical value that pops up due to other factors, mainly arising when there is unhealthy centralization due to the way production and distribution of ASICs are controlled.

As we know, several large mining operations, allied with or owning chip forges, are effectively able to act as a cartel, preventing growth of Bitcoin for some reason, perhaps because they eye other business in sidechains and layer-2 payment processing. Corporations like BitFury don't sell their latest tech to small fry customers. The general trend has become to warehouse these chips and use them oneself first. Greed wins over the principle of decentralization.

Changing the PoW algorithm in a situation where you've got no other option than firing the existing miners, sure.

Let's say the existing miners have been fired.
What I believe you're saying, and I agree with, is that it's not a foregone conclusion that ASICs should be excluded from there on forwards. I think it is certainly feasible to keep excluding them. Whether it's wise is an entirely different question. I think it isn't, since CPU/GPU is again vulnerable to an extent which I've perhaps been downplaying subconsciously. I had a look at botnet sizes etc. last night, and yes, I think it's reasonable to feel unsafe about moving away from the citadel of SHA256 ASICs. Perhaps it just means we have to arm ourselves well.

In my mind, ASICs are a tradeoff between security and decentralization that has to be weighed at regular intervals. I see some merit in that approach, and hence wanted to poll opinion about the 'bomb' proposal in particular. It's got its adherents, and I think their main motive is maintaining decentralization. Individual benefit from mining is probably not as significant as imagined if mining decentralization is increased much more. The real money is to be made by centralization.

For the moment though, access to ASICs grants rather exclusive access to the service industry of processing transactions (aka mining). The wider that industry is spread out, the more robust Bitcoin also becomes to a large number of threats, including "inside" threats such as censorship & price collusion and external threats such as surveillance, oppressive financial regulation etc.

I'm not going to deny the reality of a centralization pressure that comes from a (imo non-negotiable) need to scale if Bitcoin is to stay ahead of the competition in the 'p2p electronic cash' market.

We're in the unfortunate situation that we have a need to fire the miners (unless they change course rapidly and decisively) and decentralize at the same time. I'm hoping the former would not arise without the latter, in a healthy system.

So, acknowledging that ASICs are good, I come to the conclusion that they (or the ability to manufacture them?) need to be widely distributed, essentially to the point of being a commodity, to have a chance of avoid the central problem that causes us to have to "fire miners". This is why I think "only get ASICs back in the game if they are sufficiently commoditized and decentralized" is desirable.

It may be that other priorities will weigh heavier in favor of ASICs though - defense against attacks, producing less waste heat etc. It looks like a chicken-and-egg problem to arrive at the next suitable ASIC, if, for the moment, we need to step away from the current tech. I'm not sure how we can safely get back to ASICs, or whether those interested in controlling/centralizing Bitcoin will solve that problem for us by finding a way.

I started on a non-POW fork initially because I cannot predict which way the market will go on the POW/non-POW decision.

But for the POW fork, I will listen to all the arguments - even those advocating continued resistance to ASICs on the grounds of "previous bad experience that has to be avoided".

If my thoughts are not making much sense, I apologize and hope you can share more of your view. Please do continue to challenge my assumptions

 

[Justus Ranvier]

In my mind, ASICs are a tradeoff between security and decentralization

Of course that's what's in your mind - there's been a long-running propaganda campaign to establish this idea as being an obvious truth.

The problem is that nobody has ever proved it. Peter Todd (apparently) funded the development of a very polished, zero-content propaganda film in 2013 to begin the campaign.

Neither he nor anyone else has produced a non-circular explanation for what decentralization means, much less why it should be considered a value.

People will say things like, "decentralization is what makes Bitcoin different than a SQL database," but that's just an empty slogan. It fells truthy so people just blindly repeat it.

Any time you press them for some firm definitions and logical rigor that would allow their hypothesis to be independently examined, they scurry like a bunch of cockroaches.

Several times I've explicitly laid out what would be needed for them to prove their case and they categorically refuse. Apparently we're expect to take "decentralization is our highest value" on faith alone, as well "doing what we tell you do is the best thing for decentralization, trust us."

 

[freetrader]

So today I learned about why some proponents of the difficulty bomb in Bitcoin are for it. And apparently, it has little to do with POW, or decentralization, but with preferring HF's as an upgrade mechanism (as Mike Hearn had pointed out in terms of the differences to soft-forks, which are now apparent to all here).
So, a difficulty bomb would set the expectation that a HF happens and the system is kept up to date.

It would also - and this argument I find most intriguing - reduce the possibility of the minority chain being artificially pumped up in the case of the fork. Thus contributing, so goes the argument, to the safety of future HF's.

I am sorry to rehash what must be terribly old arguments to almost everyone here. And I agree we are not near a usable definition of centralization which would be usable to steer things like necessity of POW change.

I would still like to hear the crowd's opinion on the HF upgrade argument w.r.t. a bomb, weighed against possible counterarguments you might bring forward.

 

[Richy_T]

Could it be possible to have a hybrid algorithm? One that requires some work from CPUs/GPUs to take the focus off ASICs but also requires SHA256 work to keep botnets at bay? So it's no good having 10,000 rooted Windows boxes if you can't put together 10TH to go with it.

This doesn't rule out an attack from a big miner if they wanted to hook up with a botnet seller but it would make it more complex and risky to arrange.