ASICs in Zcash Software / Proof of Work/ Proof of Stake/ Fork Discussion

This thread is for users to discuss the pros/cons of different Proofs of Work for mining Zcash.

This is a continuation of the epic 2000 post “Lets talk about ASIC Mining” : Let’s talk about ASIC mining - #2003

We decided there are two main themes of discussion taking place in that thread: Hardware (GPU vs ASIC) and Software (Proof of Work). For the ASIC vs GPU discussion, see this thread: ASICs vs GPU for Zcash Hardware Discussion

To summarize where we are currently with regards to a Fork:

  1. Zcash Company does not have the time/resources/desire to Fork ASAP for a few reasons: Sapling and Overwinter upgrades are complex and the core developers feel that getting them right is the priority.
    See these posts:
    Let’s talk about ASIC mining - #1197 by zooko
    Let’s talk about ASIC mining - #1046 by str4d
    Let’s talk about ASIC mining - #1522 by nathan-at-least

  2. Zcash Foundation has decided to take on the responsibility of researching new Proof of Work.
    See this post:
    home - zcash foundation

Investigation and principled decision making. We are committing funds and effort to investigate the presence and power of ASICs on the Zcash network. We do not know for sure how effective the upcoming AntMiner Z9 mini will be, or the degree to which ASICs already affect the mining process, or whether more powerful ASICs will be developed in the future. All of these questions matter when deciding to change the Equihash parameters, adopt a new PoW type altogether, or welcome ASICs. Board member Andrew Miller is planning to create a proposal through the grants program to convene a Technical Advisory Board to provide scientifically grounded inputs into this decision.

Making research and development of a more ASIC resistant strategy an immediate technical priority for the Foundation. We have already outlined a technical roadmap for the next year and are in the process of hiring and project-planning to execute on it. Our roadmap includes development on Bolt payment channels, on alternative wallets, and starting an independent, consensus-compatible implementation of full node software. We are now adding ASIC resistance development as an additional technical priority.

Based on continued community approval and the results of our investigation above, we have a rough goal of developing and submitting a mitigation plan through the ZIP process, targeting a deployment in late 2018. Having the ability to carry out a PoW change in the future, especially if it is led by the Foundation, means we should start now. The Company is signalling they may not do this, but we think there is already a loud and clear interest in the community to at least have this option available. (This is an easy case, the governance experiments are really about harder cases!)

Continuing to run the ballot process to gauge community sentiment.

Also see these topics on Github:
ASIC Resistant PoW · Issue #14 · ZcashFoundation/GrantProposals-2018Q2 · GitHub
Create asicresistance_ballot.md by amiller · Pull Request #1 · ZcashFoundation/Elections · GitHub

The Foundation is going to be studying this topic closely, let your voice be heard!

Should Zcash change Proof of Work? What are the different Proofs of Work that should be considered? What about Proof of Stake instead?

Should Zcash seriously tackle the ASIC resistance piece, I think making it further memory hard would be a good starting point (make it more expensive for ASIC). Short of that, an approach similar to X16R might be a good idea. Multiple algos, where you would be able to swap in/out algos and change the order to keep the ASIC at bay.

I like the idea of having a dual proof of work where half of the mining reward is given to a PoW algorithm which is intended to be ASIC-Resistant, and half is given to a PoW which is intended to be ASIC-friendly. Then in the future it could be expanded to one-third ASIC-Resistant, one-third ASIC-Friendly, and one-third Proof-of-Stake.

The security consequences of this are obscure and deserve scientific study, but my intuition is that it results in a more resilient consensus algorithm, at least in some ways.

5 Likes

I don’t think that would have many downsides really if done right. It is like the best of all worlds approach really while still safeguarding against centralization. It also sets up a future for POS, which would be the next likely progression to support the network after there is no more mining to be done. (Assuming somebody doesn’t come up with a better solution than POS). This is at least “balanced” so it benefits “everyone”.

I still prefer the original intent though. Keep to what was expected whether you truly believe it was implied or not (intentionally or accidentally). You have a community that came together for a number of reasons, and this nonsense is ripping it apart.

Of all? Really?

What effect will this have on profitability for GPU miners?
What do you think?

The effect on security with this… seems not easy to predict.

I am against having 2 pow.
Logic is simple: currently we have one gpu pow and an asic has been developed. What will stop ethicless bitmain and others from developing a second one for the gpu only pow?
In other words:
Suppose we take that path and both are mining and working. After a few months the asic pow becomes less profitable, and bitmain builds an asic capable of solving the new gpu pow.
What will be the solution then?
Some will say we will change something in that new gpu pow to make the newer asic obsolete.
Then comes the question: why go on that tedious path in the first place, and not stop asic to begin with?
Obviously Bitmain doesn’t care about the coin or the community. Why should we care about saving their asses on their new miner?
We owe them nothing. Do we?

I would rather invest in a new dynamic pow that can be easily altered without a hard fork. This will guarantee that no one will risk investing in something that will be doomed if it sees the light.
Or another pow that changes annually without a hard fork.

I am not specialized in this. But for sure it’s not impossible.

3 Likes

My Proposal is:

Step 1:

  • right now, immediately and as soon as possible initiate some kind of emergency block reward halving
  • have an emergency plan for the hashwork network security. For example or as an idea: Zcash Foundation to buy hashpower from different resources in case the network drops too much after halving

This in my opinion would show immediately how much Zcash can rely on a loyal and stable network. I say stable because it would immediately result in the following:

  • auto profit pools hashrate would drop as with a halving Zcash won’t mostly be attractive for these pools
  • Asics on the network at the moment mostly would switch as well to another coin while staying of course on equihash.
  • Larger gpu facilities as well will switch mostly.

This would have the following effect:

Pros:

  • Zcash would know on what network hashrate it can rely.
  • It would be a stable hashrate
  • It would be way more decentralized than it is now, as facilities mostly wouldn’t be on the network
  • It is easier than a hardfork
  • Less risks than a hardfork
  • It would give time to prepare Zcash for further development on multi algo together with sapling/winterover.
  • Easily reversible, or adjustable if it does not work out as intended.

Cons:

  • the network hashrate would drop a lot, eventually to a level that would be considered as dangerous.
  • Price, possibly this could have a temporary effect on price as value (network hash rate) would be lower.

Conclusion: Everything in life has its price. IF idealism for pure decentralization is the main argument, this is the way to go. The price for that, see cons, but then again, you have more decentralization.

Step 2:

  • do the research that is in progress already to see what how when why affects with Asics/without Asics.
  • Focus on Sapling and Winterover (most important)
  • Prepare without haste for Multi-Algo to have Asics and GPUs on the network
  • Eventually work on a Bonus system for loyal miners.
  • adjust the block reward system.

Pros:

  • No delay in winterover/sapling
  • no losses in the already made investments and working hours on sapling/winterover
  • mostly a safer network with multi-algo

Cons:

  • mostly more work involved maintaining 2 algos

Dangers:

  • having in mind that nobody knows what the Z9 is actually, on what it’s based, how it works, what its limits are and what Bitmain is working at all this could be meaningless. Even the 2nd algo if this or the next Asic could mine on the gpu route anyway.

  • there is a good chance that Bitmain is using its Sophon technology, we don’t know. I’m not an expert here in any way and I have no idea what their Tensor Computing Processor BM1680 and their Deep Learning Accelerating SC1 and SC1+ Graphic cards are able to do, even less the next generation ones.

  • Another problem that many may not see is that resources and working hours used for forking delay the real tech deployment. What gives a coin/project most value is its tech deployment. Each time such resources are used for forking, or if you want out of topic to fix mistakes, bugs, whatever, the project loses ground to its competition projects. The more ahead a project is the bigger the chance it will be successful in the long run.
    Just as an easy example: What would be the news if winterover/sapling or something very similar is added to Zcash IF already 20 other coins have it 3 months earlier?? Nobody would even notice it as it would be already the standard. Things are different if you are the 1st to come up with tech development.

  • Now 2 Asics for equihash are released for public. We do not know if there are any others on the network? Baikal, the leader when it comes to multi algo asics, eventually?

I’m saying this because we have no information and I would say the worst case is that you invest in something, be it a fork, a multi algo, whatever, with finances and working hours and at the end it doesn’t matter because the AI chips or next generation Asics are that advanced that they can easily adapt to whatever a gpu is capable to do. These are things someone really should have in mind as well.

Finally: Proof of Stake. In my opinion, while more green. The worst case scenario for whole cryptocurrency. Here you have really about 0 competition and the biggest potential for centralization. Here I totally agree to “the richer get richer”. For a project like NEO it might not matter as they are centralized anyway, but for every other project that is trying to be decentralized this is a huge problem, in my opinion at least.

Thinking all about this, it’s hard for devs/teams to make the right choices. And while some say, easy, just do it (whatever, not related to asics!) I really do not want to be in their place to make such decisions. A major mistake, a major bug, a missed opportunity, a wrong investment, wrong partnership, wrong anything and a given project can hit the ground… These are multi million dollar businesses in their early stages, I can understand zooko that he is more than careful with whatever decision, delay, change.

1 Like

It would be such good news if zcash changed to proof of stake rather than being handed to bitmain.

That’s a whole different debate.
What makes coins so valuable, is the mining process. The work/electricity used to mine said network.

MY OPINION-proof Of stake is centralization.
AGAIN, only the rich people will benefit…who has the money to buy 100 eth or 100 ZEC. or 1000 where the stake is enough to actually make something.

Or you have decentralization. Where little guy can get in with gpu’s /$2000 rig most can afford.
This debate is just nuts.
I wish these companies would give a definitive answers. This whole thing, stringing everyone along is bad for the ZEC

1 Like

I almost agree with you that proof of stake at this stage can create some form of centralization but it would be a path much better than falling under bitmain hands.
I would go far and reword bitmain CEO’s words and say that bitcoin has the largest market share of crypto in the market because bitmain still want to.

While you are focused on bitmain, proof of stake has its very own much bigger risks. For me personally it’s the pure nightmare of centralization.

1 Like

I think to make money from proof of stake you will have to invest a huge amount of money, especially as zcash market share is not low, and hurting the ecosystem at this stage will mean the person with most invested share will have the highest share of loss, so it means the more share you have the more loyal you will be, which is a very important thing.

On the other hand I see bitmain are of course not loyal to zcash nor any other coin they will just drain zcash until last penny.

I expect after Z9 mini, there will be maxi, Z10, Z11 and endless cycle of luring and dumping which will destroy the whole ecosystem for zcash and it will make every one loser and bitmain will get the highest return and share of zcash.

But anyway I am not detailed of proof of stake so can you elaborate more why it is nightmare or pose a threat than ASICs and bitmain monopolization on ASICs?

Proof of Stake indeed leads to some degree of centralization, but IMO it’s still much better than just Bitmain controlling everything.

1 Like

Yeah, like PIVX. I would like that. Skip the ASIC debate, keep GPUs working until you introduce POS anyway.

1 Like

To solve the ASIC issue once and for all and leverage AMD and Nvidia GPUs, which will keep on improving with each generation and are generally available worldwide from different manufacturers, an image generation POW should be researched and could use the SHA256 of that image to secure the block change… if that makes sense.

i.e. something like https://arxiv.org/ftp/arxiv/papers/1707/1707.04558.pdf but different to leverage GPUs

Here are some readings on why I personally think POS is a nightmare:

The Monopoly effect
Forgers on the PoS blockchain typically receive rewards proportional to their staked value. This means that already quite influential participants on the blockchain will become even more influential over time. Because each token has the same chance of being picked as the next validator, the odds to get chosen as the next validator rises with the amount of token one holds. Whereas PoW works to the benefit of those with the most hashing power, PoS designs the game in favor of those with the most tokens available for staking. Just like Bitcoin mining adheres to the principle of economies of scale, in PoS the profit margins of high stakers are significantly higher. Regardless of the amount of tokens staked, the wallets of participants have to be online. To be online, participants need resources including hardware, electricity, and an internet connection. In a way, there are fixed costs associated with forging blocks on a PoS consensus algorithm. Consequently, the forger who stakes 1 ETH and the forger who stakes 3 ETH both have to pay the same amount of fixed cost to stake. This entails that the higher the stake of the forger the higher their profit margins. Additionally, the staking algorithm will reward those that are most active on the protocol. One might find this a desirable property of the blockchain, because it encourages participation, but a similarly unequal distribution of influence and wealth may result as in PoW. If participation is rewarded in token and more token creates disproportionate opportunity to influence the system, then unequal influence over the system may arise in PoS blockchains by default. Without a correction in the protocol a larger ETH stakeholder will grow their stake faster than a small ETH stakeholder. After some time the relative cost for some forgers to stay in the network will be too high and they will be forced off the network.

Proof of stake – General thoughts on the weakness

With PoW, the hash puzzle is generated by the network. The difficulty is set by consensus rules and the randomness is set by the data in the previous block. The miner needs to generate a random nonce to find a solution to the hash puzzle.
The only way to do a double spend is by withholding blocks and secretly mining a longer chain than the entire network. This requires 51% of the hashrate (or a bit less if you’re lucky).

With PoS, there is no hash puzzle. This means that the validator whose turn it is to sign a block can easily create multiple blocks (and thus forks) to try to doublespend coins. Also there is no objective way to determine which chain is “the real chain”. With PoW this is determined by the chain with the most accumulative PoW, but this option (obviously) isn’t available with PoS.
There is also no real randomness. So it’s deterministic based on data in the blockchain which user/address will be allowed to sign the next block based on blockchain data which means that a signer can know in advance which user/address will be allowed to sign the next block based on the block data he is signing.

PoS reverts back to an unsafe version of PoW

If a signer knows which address will be picked as the next validator, it is (at least theoretically) possible for the current validator to manipulate the data in the block he’s currently signing in such a way that he’ll be the next signer.

Some examples on how block data can be manipulated:

  • transaction malleability
  • sending transactions to oneself
  • dropping transactions from the block
  • changing the order of the transactions within the block

This leads to a very dangerous attack: when a validator is picked by the network, he can then calculate (Proof of Work!) a lot of possible blocks and try to find a new block that will enable him to be the new validator. He can even try to find a series of blocks that will make him the validator for (for example) the next 10 blocks. Meanwhile he can publish another block for which he won’t be the next validator. By doing this, he has the ability to double spend. Once he managed to pull off the double spend, he releases his other chain for which he’s the only validator. This chain will then become the longest chain and the attacker has double spent successfully.

Note that if the validator didn’t manage to “attack” the network, he can try again when it’s again his turn to sign a block. One does not need 51% of the coins to be able to attack. This assumption made by proponents of PoS is -imho- false.
Also the cost of attacking is significantly lower compared to PoW. While for a 51% on PoW you need to spend a lot of money on electricity and you need to continuously spend that money, an attack on PoS can be done with a minimal amount of energy.

Reverting a transaction retroactively is nearly impossible with a PoW system, because you’ll need to have a lot of hashing power to “go back in time”. If you want to revert a transaction that has 1 confirmation, you need to mine 2 blocks while the whole network is searching for 1 block.
h^2 = (1-h) => h = 61.8%
You need 61.8% of the total hashrate to change a transaction with 1 confirmation, on average. Note that if a transaction has more confirmations, you need a larger share of the total hashrate of the network.

In the case of PoS, you can easily try to revert every transaction from a block height in the chain where you were a validator and you don’t need spend substantially more to revert a transaction that has more confirmations.

PoS attacks can be “solved” by centralization

This attack can be “solved” by having a limited number of “trusted” witnesses that keep track of which blocks they received first. If they then detect an alternative version of a block, it indicates an attempt to attack the chain. Then these witnesses can flag the attacker and he may be punished by losing a part of his stake.
The problem with this is that this group of witnesses/people/nodes/validators/… need to be trusted. It’s not decentralized. Once the witnesses are in power, they can collude to attack the chain.
This witness system also raises a lot of questions surrounding reaching consensus: what if a few witnesses disagree with the others? Who is right? The majority? It’s not as easy as it looks because an attacker can try to submit his block with the double spend to a majority of the witness nodes and the ‘fair’ block to a minority of the nodes. If he succeeds, the attacker “legitimately” double spends!

It is pretty obvious a currency doesn’t want to have anonymous witnesses. If they are anonymous, they have a very big incentive to attack the chain themselves and perform double spends. After all, there is no objective way to determine who “is telling the truth” when a double spend happens. So there will usually exist a process to appoint these witnesses. This will in practice often look like elections.
In Bitshares it’s quite literally that. They use “Delegated proof of stake” (DPOS) in which people need to be trusted community members to be able to raise enough stake votes to become a witness. In DASH the requirement to be a witness (aka masternode) is currently owning 1000 DASH, but this will change once the “evolution savings account” goes live which will be a variant of DPOS. The Casper system proposed by Ethereum will likely also be a variant of DPOS with a limited number of witnesses. So for currencies who have some kind of witness election, these public people who act as witnesses can be forced by governments to censor or even revert certain transactions.

Proof of stake – the choice between a constant forking blockchain or centralized witnesses

To conclude, a naive implementation of PoS will lead to a blockchain that is able to fork and do reorgs constantly, which is completely unworkable. Why didn’t we see this yet? My guess is because the on chain value never was high enough to be worthy of an attack.

The “solution” by centralization depends not on decentralized hash puzzles but on trusting individuals to not cheat. This is certainly not permissionless. These solutions aren’t decentralized and the government can thus easily try to force witnesses to censor certain transactions.

This leads me to the conclusion that PoS currencies can’t guarantee censorship free transactions, which is -imho- the only value behind a cryptocurrency. If we accept censorship, we can just start using Paypal. No need for an inefficient blockchain at all.

Some authors argue that proof of stake is not an ideal option for a distributed consensus protocol. One issue that can arise is the “nothing-at-stake” problem, wherein block generators have nothing to lose by voting for multiple blockchain histories, thereby preventing consensus from being achieved. Because unlike in proof-of-work systems, there is little cost to working on several chains, anyone can abuse this vulnerability by attempting to double spend “for free”.
Statistical simulations have shown that simultaneous forging on several chains is possible, even profitable. But proof of stake advocates believe that most described attack scenarios are impossible or so unpredictable as to be only theoretical.

Just some arguments. There are more if you look further, for example. While for many Bitmain looks like the evil #1, I could think about 100 more dangerous evils that could take advantage of POS.

Just as a fictive scenario. Let’s say we have a project on POS that somehow can compete with Paypal, Mastercard or Visa. As said, just as a fictive example. All one of these companies would have to do is buy in a high stake and take it over “more or less” hostile or even sabotage it. Just something that comes to my mind immediately.

As said, it’s only my personal opinion that POS is the worst compared to POW in whatever form.

6 Likes
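
The grinding argument in the post above (a signer computing many candidate blocks until one makes him the next validator) can be measured on a toy model. This is an added example, not code from the thread or from any real chain: the selection rule, the signer names and the stake table are constructed, and the second rule (seed taken only from the parent hash) is an assumption added for comparison.

```python
import hashlib

# Constructed stake table (not real chain data): signer_a holds 5% of the stake.
STAKES = {"signer_a": 5, "signer_b": 45, "signer_c": 50}


def pick_validator(seed: bytes, stakes: dict) -> str:
    """Stake-weighted choice that is fully determined by `seed`."""
    total = sum(stakes.values())
    ticket = int.from_bytes(hashlib.sha256(seed).digest(), "big") % total
    for name in sorted(stakes):
        ticket -= stakes[name]
        if ticket < 0:
            return name
    raise AssertionError("unreachable: ticket is always below total stake")


def reselection_rate(stakes, signer, tries, rounds, seed_from_block):
    """Fraction of rounds in which the current signer is also picked for the
    next block when it may build up to `tries` candidate blocks.

    seed_from_block=True : the next validator is derived from the hash of the
                           block being signed (the naive rule the post describes).
    seed_from_block=False: the next validator is derived only from the parent
                           hash, which the current signer cannot change
                           (assumed alternative, added for comparison).
    """
    wins = 0
    for r in range(rounds):
        parent = hashlib.sha256(b"constructed-parent-%d" % r).digest()
        for attempt in range(tries):
            # Each attempt stands for one reordering or dropping of transactions.
            body = b"candidate-body-%d" % attempt
            if seed_from_block:
                seed = hashlib.sha256(parent + signer.encode() + body).digest()
            else:
                seed = parent
            if pick_validator(seed, stakes) == signer:
                wins += 1
                break
    return wins / rounds


def expected_rate(share: float, tries: int) -> float:
    """Chance that at least one of `tries` independent draws picks the signer."""
    return 1.0 - (1.0 - share) ** tries


def compare(rounds: int = 2000) -> dict:
    """Measured reselection rates for 1, 10 and 100 candidate blocks."""
    share = STAKES["signer_a"] / sum(STAKES.values())
    out = {}
    for tries in (1, 10, 100):
        out[tries] = {
            "block_seeded": reselection_rate(STAKES, "signer_a", tries, rounds, True),
            "parent_seeded": reselection_rate(STAKES, "signer_a", tries, rounds, False),
            "expected_if_grindable": expected_rate(share, tries),
        }
    return out


if __name__ == "__main__":
    for tries, row in compare().items():
        print(tries, row)
```

Under the block-seeded rule the 5% signer keeps the next slot in roughly 99% of rounds once it can try 100 candidate blocks, while under the parent-seeded rule its rate stays near 5% however many candidates it builds.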

I wanted to say some of that. But you did a great job elaborating, better than I could. I completely agree. When coins go POS. I LEAVE CRYPTO

1 Like

I refuse to participate in any network with PoS as the consensus protocol. Everyone else in the community should as well.

1 Like

Trying to boil this all down into something simple :-

PoS = ‘trust those with lots of coins’

PoW + ‘ASIC friendly’ = ‘trust those with LOTS of hashpower’

PoW + ‘ASIC hostile’ = ‘trust a network that nobody controls’

Allowing hashpower to concentrate for significant time could result in the same group building a massive stake & able to dominate PoS.

The whole point is trust in a network not dominated by a single player.

5 Likes