Proof of work update

igno.peverell · 2018-08-27 22:17:24 UTC

Over the past 6 months, it has become apparent to the team that:

The availability of an ASIC for Cuckoo Cycle at launch is a distinct possibility.
The current ASIC market is centralized, especially when it comes to recent cryptocurrency releases. The development of a competitive ASIC market takes time.
A healthy and grassroot GPU mining community at launch is highly desirable.

After a significant amount of discussion, the Grin development team is proposing an update to its proof-of-work algorithm.

Two proofs of work for the first 2 years (roughly): Cuckoo Cycle and Equihash.
Equihash parameters are set to use around 7GB of memory, likely parameters are (108, 3). To avoid confusion with other parameters, we will refer to this as Equigrin.
A multiplier is adjusted with the difficulty to maintain a constant ratio of blocks between Cuckoo and Equihash, on average.
The ratio at launch should be 10% for Cuckoo, the rest for Equihash. This will smoothly transition to 100% Cuckoo over the next 2 years (roughly) by increasing the ratio by 1% every 12,000 blocks (about 8 days).
If this solution is accepted, we will hard fork a tweak to Equihash every 6 months, with our planned hard forks, to deter stealth ASIC mining.
After 2 years, Equihash will be abandoned and Grin will only have Cuckoo Cycle for proof-of-work.

Comments and thoughts are highly welcome! This will also be discussed tomorrow 8/27 at 15:00 UTC on Gitter, during our governance meeting.

P.S. If you’re reading this and plan on mining or investing in mining on grin, consider contributing to the latest funding campaign.

FAQ:

Why not just Cuckoo? Cuckoo as it is now is very ASIC friendly. In the early days of Grin and as its mining market matures, we cannot expect full reliance on ASICs. A grassroot upstart with a more open distribution is also closer the Grin’s ethos. Finally, a mature ASIC market is needed to minimize centralization.
Why not just Equihash? In the long term, ASICs can’t be prevented. We do not want to keep forking regularly, especially as the Grin mining market matures. Once only ASICs are profitable, Cuckoo is the simplest and optimal solution.
But Equihash already has ASICs! Mostly for Zcash and because the Equihash parameters chosen require little memory (about 140MB). Grin’s flavor of Equihash, Equigrin, should require at least 7GB. This increases the cost of ASIC production and obsoletes some of the larger GPU mining farms (i.e. NiceHash). In addition, we will tweak some Equihash parameters every 6 months to obsolete any ASIC development.
Why not ProgPOW instead of Equihash? For 2 main reasons: 1) Equihash remains a lot simpler 2) ProgPOW places an additional burden on proof-of-work verification making it less suited to light environments (cell phones, small VPCs, etc).
Why not Equigrin only for 2 years, followed by Cuckoo Cycle We do want a Cuckoo Cycle ASIC market to emerge gradually. This is the optimal (and unavoidable) long term option. The 2 years period should allow a gradual transition from a grassroot GPU market to a mature ASIC market.

opacey · 2018-08-27 17:53:21 UTC

Have you considered working with a range of ASIC manufacturers to have a competitive market in place from main net launch date?

That would avoid adding permanent complexity into the chain for the sake of delaying ASICs.
ASICs are desirable both because they invest the miners into the long term success of the coin and also because the sooner the silicon can be maximally optimised (commodified) the sooner it can become decentralised.

There are lots of well funded start-up manufacturers now who may be glad to profit from a less competed market than Bitcoin.

amamam · 2018-08-27 18:22:23 UTC

I agree with @opacey, Obelisk Launchpad provides this service.

Question : isn’t it more efficient to simply increase memory requirement for cuckoo cycle ?

Question 2 : crude calculations with the 108,3 parameters seem to show maximum efficiency at 18GB ram. Can you confirm that this is true and if so, that these efficiency gains will not negatively impact miners who have 8-11GB GPUs ?

monkyyy · 2018-08-27 18:45:08 UTC

Couldn’t the same objectives be done by having random size for cuckoo with roughly the same complexity?

And if your using randomness, it becomes a spectrum not a binary market

igno.peverell · 2018-08-27 19:16:24 UTC

@opacey @amamam we definitely thought about it. But it’s a far riskier approach, we can neither trust nor fully expect those manufacturers to come through. Any market upturn or downturn could drastically affect past commitments and our launch.

Re: Cuckooo memory requirements increase/randomness (for @monkyyy), it wouldn’t be sufficient. The Cuckoo cycle lean miner has much lower memory needs (while mean sacrifices more memory for performance), so ASICs could be designed for Cuckoo32 and would be able to trivially do 30. Randomness wouldn’t change that picture, ASICs can figure that out just as much as a GPU.

@opacey as indicated in the post, the memory requirement for equickoo should come up around 7GB. You can’t use the simple formula. For example Zcash uses (200, 9). The @tromp solver can do it in 140MB, which is much lower than the theoretical figure.

tromp · 2018-08-27 19:38:07 UTC

maximum efficiency at 18GB ram

Could you please share your calculation of this value?

amamam · 2018-08-27 20:02:52 UTC

I used the memory formula and scaled the 200,9 required memory accordingly at a 1:1 ratio

(2 ^ ( (200 / (9+1) ) + 1) = 002,097,152
(2 ^ ( (108 / (3+1) ) + 1) = 268,435,456

tromp · 2018-08-27 20:15:43 UTC

That’s too simplistic, as memory depends not only on n/(k+1) (exponentially, as you note), but on k as well (roughly linearly).

Cafevoodoo · 2018-08-27 20:17:38 UTC

What GPU miner is actively seeking a way to mine on a cell phone? Furthermore, what cell phone can mine Equihash, let alone a 7GB Equihash?

tromp · 2018-08-27 20:21:44 UTC

mine on a cell phone

Igno was talking about “proof-of-work verification”.
As you know, verification is very different from mining…

Cafevoodoo · 2018-08-27 20:24:17 UTC

I knew I was missing something somewhere. I must have skipped that word. Thank you!

Michal · 2018-08-27 20:35:18 UTC

Why not Ethash instead of Equihash? I read that it’s been designed to be ASIC resistant and light to be verified.

tromp · 2018-08-27 20:58:09 UTC

Same objections as to ProgPoW (a proposed ethash variant) …

opacey · 2018-08-27 21:56:48 UTC

If you had plans in place with, let’s say, ten dispersed and unrelated ASIC manufacturers then it’s likely that more than three will make good on the plans. If none of them succeed, it would almost certainly be the case that the entire industry was in global crisis, and then the risk of a secret monopoly running custom and private ASICs would be impossible. At this point the GPU and/or CPU miners (depending on the scale of the crisis) would be able to provide a safely distributed security platform based on Cuckoo alone.

I’m not sure how many exist now but off the top of my head there are Bitmain, Halong, GMO, Samsung?, WhatsMiner, Innosilicon, ASICMiner, Obelisk, Canaan, Fulijuntuan, Ebang (about to IPO) and ShenMa.

EDIT: At least it seems sensible to start conversations with some of these firms to test the appetite.

amamam · 2018-08-27 22:14:38 UTC

I’m wondering how it came up to 7Gb. Can you provide the correct calculations ?

amamam · 2018-08-27 22:34:35 UTC

Given that cuckoo cycle was proposed as a substitute to cryptonote for Monero, there’s no doubt asic development is already taking place. Seeing how one main company currently has more than 65% of the asic market, trusting market dynamics isn’t safe.

Isn’t there a point when GPUs becomes competitive, when increasing the number of cycles, in GPS/$ spent (either in latency or bandwidth) ? If so, is increasing to a high cycle number right at launch feasible ?

tromp · 2018-08-27 22:37:11 UTC

Lines 269 and on in https://github.com/tromp/equihash/blob/master/equi_miner.h
explain the memory layout for my 200,9 miner. With 108,3 this changes to something like

       heap0     heap1
round  
0      A A A 0   . . .     81 bits of hash remaining in A
1      A A A 0   B B 1     54 bits of hash remaining in B
2      C . 2 0   B B 1     27 bits of hash remaining in C

resulting in 7 * 2^28 * 4 bytes = 7 GB if buckets were sized exactly at the average number of elements in them. In practice they need to be bigger to account for size variance, for instance around 8 or 9 GB.

igno.peverell · 2018-08-27 22:59:20 UTC

Remove the ones that have never produced anything other than bitcoin miners, for which there’s close to zero chance they would start with a brand new untested coin at launch, and see how short that list gets. It’s just not a strategy we can rely on to start with.

That being said, we’re happy to start those conversations regardless. I’m looking forward to collaborating over the coming years.

igno.peverell · 2018-08-27 23:10:05 UTC

We’ve spent quite a bit of time with @tromp exploring all options with Cuckoo Cycle only. Adding another proof-of-work isn’t really in line with keeping things simple. We’ve narrowed down on that specific proposal because it seems to be the only realistic option.

Neo · 2018-08-27 23:14:33 UTC

Setting parameters that use 7gb of memory is only suitable for the latest Gen of Cards. Lot’s of GPU miners are going to be running with 4gb/6gb cads. So it’s not exactly an ideal way to build a grass roots mining community.

What about running with a the New version of Cryptonight(V2) that Monero are looking to merge in their next release. https://github.com/monero-project/monero/pull/4218

Monero are one of the only top tier projects that are actually committed to ASIC resistance. Using a CN algo means you bring back CPUs and all older model GPUs. That’s how you build a grass roots mining community.