public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Natanael <natanael.l@gmail•com>
To: Erik Aronesty <earonesty@gmail•com>, erik@q32•com
Cc: Bitcoin Dev <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Malice Reactive Proof of Work Additions (MR POWA): Protecting Bitcoin from malicious miners
Date: Tue, 18 Apr 2017 00:34:55 +0200	[thread overview]
Message-ID: <CAAt2M19iCd4=qyquvhFNw77YqO3++p6ckMWZLHCAa+8xUWGbAg@mail.gmail.com> (raw)
In-Reply-To: <CAJowKgK-0rqqeKkQZj0itZf79fT++OOYXJKg1pik-7mFieU=ZA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2307 bytes --]

Den 17 apr. 2017 16:14 skrev "Erik Aronesty via bitcoin-dev" <
bitcoin-dev@lists•linuxfoundation.org>:


It's too bad we can't make the POW somehow dynamic so that any specialized
hardware is impossible, and only GPU / FPGA is possible.



Maybe a variant of Keccak where the size of the sponge is increased along
with additional zero bits required.  Seems like this would either have to
resist specialized hardware or imply sha3 is compromised such that the size
of the sponge does not incerase the number of possible output bits as
expected.


Technically SHA3 (keccak) already has the SHAKE mode, an extensible output
function (XOF). It's basically a hash with arbitary output length (with
fixed state size, 256 bits is the common choice). A little bit like hooking
a hash straight into a stream cipher.

The other modes should *probably* not allow the same behavior, though. I
can't guarantee that however.

You may be interested in looking at parameterizable ciphers and if any of
them might be applicable to PoW.

IMHO the best option if we change PoW is an algorithm that's moderately
processing heavy (we still need reasonably fast verification) and which
resists partial state reuse (not fast or fully "linear" in processing like
SHA256) just for the sake of invalidating asicboost style attacks, and it
should also have an existing reference implementation for hardware that's
provably close in performance to the theoretical ideal implementation of
the algorithm (in other words, one where we know there's no hidden
optimizations).

Anything relying on memory or other such expensive components is likely to
fall flat eventually as fast memory is made more compact, cheaper and moves
closer to the cores.

That should be approximately what it takes to level out the playing field
in ASIC manufacturing, because then we would know there's no fancy tricks
to deploy that would give one player unfair advantage. The competition
would mostly be about packing similar gate designs closely and energy
efficiency. (Now that I think about it, the proof MAY have to consider
energy use too, as a larger and slower but more efficient chip still is
competitive in mining...)

We should also put a larger nonce in the header if possible, to reduce the
incentive to mess with the entropy elsewhere in blocks.

[-- Attachment #2: Type: text/html, Size: 3992 bytes --]

  reply	other threads:[~2017-04-17 22:35 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-18 16:01 John Hardy
2017-03-20 15:38 ` Andrew Johnson
2017-03-20 15:46   ` John Hardy
2017-03-20 16:10     ` Andrew Johnson
2017-03-20 15:55   ` Marcos mayorga
2017-04-16 20:04     ` Erik Aronesty
2017-04-17  1:28       ` bfd
     [not found]         ` <CAJowKg+1vUBmr7cTzUy8gAdjEWTM_+07G9Z96Bo=wd6_htgv1Q@mail.gmail.com>
     [not found]           ` <CAJowKgJPjWb_S0jb+RJ9-90sucb=ZeU2-qrNqrVN5USTaxDjDw@mail.gmail.com>
2017-04-17  7:47             ` Erik Aronesty
     [not found]               ` <CAJowKgKqyb7DCs-yrbj4Z8Kzmgg0GCKXh+wwdSvfPHregiwdvA@mail.gmail.com>
     [not found]                 ` <CAJowKgL=UmJvE0KpSsa20AJBF6Ur85ghRymHY+=11VOezmaaxw@mail.gmail.com>
2017-04-17 11:17                   ` Erik Aronesty
2017-04-17 22:34                     ` Natanael [this message]
2017-03-20 18:02   ` Nick ODell
2017-03-20 18:51     ` David Vorick
2017-03-20 21:29     ` John Hardy
2017-03-20 17:49 ` Bram Cohen
2017-03-20 21:23   ` John Hardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAAt2M19iCd4=qyquvhFNw77YqO3++p6ckMWZLHCAa+8xUWGbAg@mail.gmail.com' \
    --to=natanael.l@gmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=earonesty@gmail$(echo .)com \
    --cc=erik@q32$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox