Bitcoin mining efficiency and Botnets

Adam Back adam at cypherspace.org
Tue Oct 15 05:04:56 PDT 2013


On Tue, Oct 15, 2013 at 11:03:41AM +0100, Cathal Garvey wrote:
>The wealthy will always be able to out-mine the poor if it's a straight
>battle of who-buys-more-hardware.

I don't think that matters so much as that everyone gets the same hashing
power per dollar.  I had some rant I posted on bitcointalk a while back
(first post there) to say using hashcash-scrypt(1) would be better than
hashcash-SHA256.  (scrypt(1) meaning scrypt(iter=1)).

However there are some valid counter arguments.  SHA256 is simple and easy
to put into silicon blueprints for fabrication, replicated multiple times.
Even small and seemingly significantly incompetent outfits like butterfly
can just about do it.  Apparently many more are coming online.  That's good
because you could do it yourself with a modest budget and necessary skills.

If the mining function was really complex it would create eg a $10m or $100m
barrier to make a very fast implementation of it, then you have a real
barrier to entry and a mining centralization problem.

The not so good part is maybe anyone with the skills will get the chips
fabricated and mine them themselves.  So it depends on ready market
availability from multiple competitors; that question is a bit up in the air
at present but there is some evidence of improvements in availability.

Don't think mining is a get rich quick scheme; it's very easy to lose money at
this stage, as it's an arms race as the fab tech used quickly catches up to
Moore's law and then tracks it.

Also the miners don't actually have that much power; all they are doing
really is ordering transactions, so for double-spends you can choose the
first one as valid.  A big company or individual who invested millions and
is earning big bucks from their mining operation probably doesn't want to
commit spending fraud - they'll get sued and lose their investment and
freedom.

Now if governments or other organized criminals do it, that's a different
issue as there is no useful legal sanction at that level.

They can't really censor transactions btw, even then; see the committed-coins
proposal if you want to know how that can be fixed.

https://bitcointalk.org/index.php?topic=206303.0

>Now that Litecoin's basically GPU only, it's also a little worse than it
>started, but there's no evidence at this point that it'll go FPGA.

Rumor is there are people working on a litecoin ASIC.  Scrypt wasn't even
designed to protect against memory-time tradeoffs, never mind intentional
large design mm^2/minimum gatecount.  I think if you can make the algorithm
complex and dynamic enough, and yet still efficiently verifiable (and to
have no progress so it's like a lottery), you should be able to push things so
that whoever does make ASICs is basically making a custom multi-core chip
and competing head on with scientific and graphics GPUs.  AMD & Nvidia are
probably going to win there, or if they don't people will buy your dynamic
agile algorithm miners for programmable scientific uses.

>My ideal hash for a 'coin, unrealistic as it is even in theory, is a
>hash that practically defines the instruction set and architecture of a
>prototypical CPU, so that translating it into specialised hardware is
>either impossible, or merely creates a more efficient CPU, which is
>better marketed as a CPU than a mining rig. In other words, the
>state-of-the-art in CPUs is exactly the state-of-the-art in CPUcoin
>mining. :)

I see you had the same idea, and I don't think that's so unrealistic.  Making
it fast to verify is a bit harder.  For example include all 16 AES
encryption finalists and 16 SHA3 finalists etc and combine them with data
dependent selection of algorithms.  This will push the gate count up.  Scale
that design process a few times and you're there.  Mix in some memory
(apparently memory is not so fun to put on ASICs; if you need lots of memory
per execution instance (which is not memory/cpu tradeable like scrypt) that
makes it expensive to ASIC).

I do think CPUs are probably a losing bet; should aim for GPUs.  Consider they
are largely not made, but better CPUs can be made for mining than are sold.
eg consider a 100 core intel atom.  They have the gate-count to do it, it's
just that people would sooner have a faster single thread (via super-scalar
design & higher clocks, better cache etc) lower core chip.  Most of the
silicon on an i7 is wasted in achieving blistering single thread
performance, that is a complete waste for mining.
https://en.wikipedia.org/wiki/Transistor_count (atom 47mil transistors, and
there are multiple 4.7 billion transistor GPUs on the market.) If you
succeeded in wedding an algorithm to the intel instruction set, this is what
would get built.  It's remarkably like a GPU really, right?  Lots of cores.
Clearly if you strip out the intel backwards compat overhead and add SIMD in
groups of 16 cores, you can get 2048 cores per chip as that is what AMD is
doing in the 7970 (or 7990, two cores!) So be careful what you wish for :)
You can always do better in hardware.

The harder part is to have a relatively fast verification, but that's
probably reasonably doable per scrypt design.

Adam
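The "data dependent selection of algorithms" idea from the post above, as an added toy proof-of-work in Python (not code from the mailing-list post): the four hashlib primitives stand in for the AES/SHA3 finalist sets, and ROUNDS, the header bytes and the difficulty are constructed values. Each round's primitive is picked from the previous output, so a fixed-function pipeline cannot be laid out ahead of time, while verification stays a fixed, small number of hash calls.

```python
import hashlib
import struct

# Stand-ins for the "16 AES finalists + 16 SHA3 finalists" pool (assumption:
# hashlib only ships a handful of primitives, so four are used here).
PRIMITIVES = (
    lambda b: hashlib.sha256(b).digest(),
    lambda b: hashlib.sha3_256(b).digest(),
    lambda b: hashlib.blake2s(b).digest(),
    lambda b: hashlib.sha512(b).digest()[:32],
)
ROUNDS = 8  # constructed; real designs would chain many more


def agile_hash(header: bytes, nonce: int) -> bytes:
    """Chain ROUNDS primitives. Which primitive runs next depends on the low
    bits of the previous output, so the schedule is data dependent and only
    known after the previous round has been computed."""
    state = hashlib.sha256(header + struct.pack("<Q", nonce)).digest()
    for _ in range(ROUNDS):
        state = PRIMITIVES[state[0] % len(PRIMITIVES)](state)
    return state


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """Hashcash-style target: the top difficulty_bits bits must be zero."""
    return (int.from_bytes(digest, "big") >> (256 - difficulty_bits)) == 0


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 24):
    """Progress-free search: every nonce is an independent lottery ticket,
    so a miner that has tried N nonces is no closer than one that tried 0.
    Returns the first qualifying nonce, or None."""
    for nonce in range(max_nonce):
        if meets_target(agile_hash(header, nonce), difficulty_bits):
            return nonce
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs exactly ROUNDS + 1 hash calls regardless of how
    much work the search took, which is the fast-verify property the post
    wants alongside the ASIC-unfriendly data-dependent schedule."""
    return meets_target(agile_hash(header, nonce), difficulty_bits)
```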
