Bitcoin mining efficiency and Botnets

Cathal Garvey cathalgarvey at cathalgarvey.me
Tue Oct 15 05:25:21 PDT 2013


> However there are some valid counter arguments.  SHA256 is simple and
> easy to put into silicon blueprints for fabrication replicated
> multiple times. Even small and seemingly significantly incompetent
> outfits like butterfly can just about do it.  Apparently many more
> are coming online.  That's good because you could do it yourself with
> a modest budget and necessary skills.

This is a very good point, but for one big glaring reason I disagree:
the cost of actually fabricating mining chips of your own design is a
capital-intensive process.

Plus, given that you're *designing equipment to print money* in effect,
you would only have a good reason to sell it if it wasn't worth the
price, right? Unless you're idealistic and good-natured.

The reason CPUs are great is that they already have market
saturation; anyone can go and buy a CPU tomorrow for as low a capital
input as you're likely to accomplish in this area. Not so for FPGAs or
ASICs.

I'll accept GPUs as a close runner-up; although also available widely
like CPUs, they're harder to set up than just running an application on
your PC. I'm looking not at the profitability angle, remember, but the
anarchism angle. How can we make a 'coin where, if someone looks about
to accomplish dominance, we can all fire up the daemon and prevent it?
In bitcoin, that's not even remotely possible. Even if we all had the
cash, there's an ASIC bottleneck, and the relationship of
hash-power/cost isn't linear enough to permit us to collectively
overthrow a wealthier opponent. His €10,000 gets better hardware than 10
* €1,000 does.

So yeah, Litecoin's nearly there. Maybe we can make a CPU-hash, maybe
not. But at least we can make a hash that either guarantees GPU-only
for a few years, or one that's hardcoded to match Moore's Law so it'll
always stay ahead of the curve (bearing in mind Bunnie's plausible
suggestion that Moore's Law is levelling off:
http://www.bunniestudios.com/blog/?p=1863 )

On Tue, 15 Oct 2013 14:04:56 +0200
Adam Back <adam at cypherspace.org> wrote:

> On Tue, Oct 15, 2013 at 11:03:41AM +0100, Cathal Garvey wrote:
> >The wealthy will always be able to out-mine the poor if it's a
> >straight battle of who-buys-more-hardware.
> 
> I don't think that matters so much as that everyone gets the same
> hashing power per dollar.  I had some rant I posted on bitcointalk a
> while back (first post there) to say using hashcash-scrypt(1) would
> be better than hashcash-SHA256.  (scrypt(1) meaning scrypt(iter=1).)
> 
> However there are some valid counter arguments.  SHA256 is simple and
> easy to put into silicon blueprints for fabrication replicated
> multiple times. Even small and seemingly significantly incompetent
> outfits like butterfly can just about do it.  Apparently many more
> are coming online.  That's good because you could do it yourself with
> a modest budget and necessary skills.
> 
> If the mining function was really complex it would create e.g. a $10m or
> $100m barrier to make a very fast implementation of it; then you have
> a real barrier to entry and a mining centralization problem.
> 
> The not so good part is maybe anyone with the skills will get the
> chips fabricated and mine them themselves.  So it depends on ready
> market availability from multiple competitors; that question is a bit
> up in the air at present but there is some evidence of improvements
> in availability.
> 
> Don't think mining is a get rich quick scheme; it's very easy to lose
> money at this stage, as it's an arms race as the fab tech used quickly
> catches up to Moore's Law and then tracks it.
> 
> Also the miners don't actually have that much power; all they are doing
> really is ordering transactions, so for double-spends you can choose
> the first one as valid.  A big company or individual who invested
> millions and is earning big bucks from their mining operation
> probably doesn't want to commit spending fraud - they'll get sued and
> lose their investment and freedom.
> 
> Now if governments or other organized criminals do it, that's a
> different issue as there is no useful legal sanction at that level.
> 
> They can't really censor transactions btw, even then; see the
> committed-coins proposal if you want to know how that can be fixed.
> 
> https://bitcointalk.org/index.php?topic=206303.0
> 
> >Now that Litecoin's basically GPU only, it's also a little worse
> >than it started, but there's no evidence at this point that it'll go
> >FPGA.
> 
> Rumor is there are people working on a litecoin ASIC.  Scrypt wasn't
> even designed to protect against memory-time tradeoffs, never mind
> intentional large design mm^2/minimum gatecount.  I think if you can
> make the algorithm complex and dynamic enough, and yet still
> efficiently verifiable (and to have no progress so it's like a
> lottery), you should be able to push things so that whoever does make
> ASICs is basically making a custom multi-core chip and competing head
> on with scientific and graphics GPUs.  AMD & Nvidia are probably
> going to win there, or if they don't people will buy your dynamic
> agile algorithm miners for programmable scientific uses.
> 
> >My ideal hash for a 'coin, unrealistic as it is even in theory, is a
> >hash that practically defines the instruction set and architecture
> >of a prototypical CPU, so that translating it into specialised
> >hardware is either impossible, or merely creates a more efficient
> >CPU, which is better marketed as a CPU than a mining rig. In other
> >words, the state-of-the-art in CPUs is exactly the state-of-the-art
> >in CPUcoin mining. :)
> 
> I see you had the same idea, and I don't think that's so unrealistic.
> Making it fast to verify is a bit harder.  For example include all 16
> AES encryption finalists and 16 SHA3 finalists etc. and combine them
> with data dependent selection of algorithms.  This will push the gate
> count up.  Scale that design process a few times and you're there.
> Mix in some memory (apparently memory is not so fun to put on ASICs;
> if you need lots of memory per execution instance (which is not memory/
> cpu tradeable like scrypt) that makes it expensive to ASIC).
> 
> I do think CPUs are probably a losing bet; should aim for GPUs.
> Consider they are largely not made, but better CPUs can be made for
> mining than are sold. e.g. consider a 100 core intel atom.  They have
> the gate-count to do it; it's just people would sooner have a faster
> single thread (via super-scalar design & higher clocks, better cache
> etc.) lower core chip.  Most of the silicon on an i7 is wasted in
> achieving blistering single thread performance, that is a complete
> waste for mining. https://en.wikipedia.org/wiki/Transistor_count
> (atom 47mil transistors, and there are multiple 4.7 billion
> transistor GPUs on the market.) If you succeeded in wedding an
> algorithm to the intel instruction set, this is what would get
> built.  It's remarkably like a GPU really, right?  Lots of cores.
> Clearly if you strip out the intel backwards compat overhead and add
> SIMD in groups of 16 cores, you can get 2048 cores per chip as that
> is what AMD is doing in the 7970 (or 7990 two cores!) So be careful
> what you wish for :) You can always do better in hardware.
> 
> The harder part is to have a relatively fast verification, but that's
> probably reasonably doable per scrypt design.
> 
> Adam

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20131015/743344f0/attachment-0002.sig>
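[Editor's note: the following is an added worked example, not part of either
poster's message. It sketches the hashcash-style mining loop that the
thread argues about, with the proof-of-work function as a pluggable
parameter: Bitcoin's double-SHA256, Litecoin-style scrypt (the N=1024,
r=1, p=1 parameters are an assumption from Litecoin, not stated in the
thread), and a toy of Adam's "data dependent selection of algorithms"
idea, where each round's output chooses the next primitive from a
constructed pool of three (he proposes a far larger pool). The header,
the difficulty targets and the primitive pool are all made up for the
example. It shows the two properties Adam names: mining is a
progress-free lottery costing about 2^difficulty_bits evaluations no
matter where you start, while verifying a solution costs one
evaluation of the same function.]

```python
import hashlib
import struct
from typing import Callable, Tuple

PowFn = Callable[[bytes], bytes]


def sha256d(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256: cheap, and trivial to put in silicon."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def scrypt_pow(data: bytes) -> bytes:
    """Memory-hard scrypt. N=1024, r=1, p=1 are Litecoin's parameters
    (an assumption for this example; the thread does not state them).
    The input doubles as the salt, as Litecoin does it."""
    return hashlib.scrypt(data, salt=data, n=1024, r=1, p=1, dklen=32)


# Constructed pool of primitives for the "data-dependent selection" idea.
# A chip that wants to be fast at agile_pow must carry all of them.
PRIMITIVES = (hashlib.sha256, hashlib.sha3_256, hashlib.blake2s)


def agile_pow(data: bytes, rounds: int = 8) -> bytes:
    """Each round's output picks which primitive runs next, so the order
    of algorithms is unknown until the previous round has finished."""
    h = hashlib.sha256(data).digest()
    for _ in range(rounds):
        h = PRIMITIVES[h[0] % len(PRIMITIVES)](h).digest()
    return h


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The digest must have difficulty_bits leading zero bits."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def mine(header: bytes, difficulty_bits: int, pow_fn: PowFn,
         max_nonce: int = 1 << 32) -> Tuple[int, bytes]:
    """Hashcash loop: try nonces until the hash meets the target. Every
    attempt is an independent ticket with odds 2^-difficulty_bits, so
    about 2^difficulty_bits evaluations are needed on average and no
    attempt brings the miner 'closer' than the last one did."""
    for nonce in range(max_nonce):
        digest = pow_fn(header + struct.pack("<I", nonce))
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    raise RuntimeError("nonce space exhausted")


def verify(header: bytes, nonce: int, difficulty_bits: int,
           pow_fn: PowFn) -> bool:
    """Checking a claimed solution costs exactly one evaluation of pow_fn."""
    candidate = header + struct.pack("<I", nonce)
    return meets_target(pow_fn(candidate), difficulty_bits)


# Constructed sample block header; not real chain data.
HEADER = b"cpunks-example-block|prev=deadbeef|ts=1381832721"

if __name__ == "__main__":
    for name, fn, bits in (("sha256d", sha256d, 12),
                           ("scrypt", scrypt_pow, 8),
                           ("agile", agile_pow, 12)):
        nonce, digest = mine(HEADER, bits, fn)
        print(f"{name:8s} bits={bits:2d} nonce={nonce:6d} "
              f"digest={digest.hex()[:16]}.. "
              f"verified={verify(HEADER, nonce, bits, fn)}")
```

The point of swapping pow_fn is that the mining and verification code
never changes; only the cost profile of the hash does. sha256d is a
handful of gates repeated, scrypt_pow drags 128 KiB of state through
every attempt, and agile_pow forces any fixed-function implementation to
carry every primitive in the pool and switch between them on the fly.
None of that alters the lottery: the difficulty target alone sets the
expected work.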
