ZmnSCPxj [ARCHIVE] on Nostr: đź“… Original date posted:2021-05-18 đź“ť Original message:Good morning Michael, > ...
đź“… Original date posted:2021-05-18
đź“ť Original message:Good morning Michael,
> That’s interesting. I didn’t know the history of ASICBOOST.
History is immaterial, what is important is the technical description of ASICBOOST.
Basically, by fixing the partial computation of the second block of SHA256, we could selectively vary bits in the first block of SHA256, while reusing the computation of the second block.
This allows a grinder to grind more candidate blocks without recomputing the second block output, reducing the needed power consumption for the same number of hashes attempted.
Here is an important writeup: https://www.mit.edu/~jlrubin/public/pdfs/Asicboost.pdf
It should really be required reading for anyone who dreams of changing PoW algorithms to read and understand this document.
There may be similar layer-crossings in any combined construction --- or even just a simple hash function --- when it is applied to a specific Bitcoin block format.
>
> Our proposal (see Implementation) is to phase in oPoW slowly starting at a very low % of the rewards (say 1%). That should give a long testing period where there is real financial incentive for things like ASICBOOST
>
> Does that resolve or partially resolve the issue in your eyes?
It does mitigate this somewhat.
However, such a mechanism is an additional complication and there may be further layer-crossing violations possible --- there may be an optimization to have a circuit that occasionally uses SHA256d and occasionally uses oPoW, that is not possible with a pure SHA256d or pure oPoW circuit.
So this mitigation is not as strong as it might appear at first glance; additional layers means additional possibility of layer-crossing violations like ASICBOOST.
Regards,
ZmnSCPxj
đź“ť Original message:Good morning Michael,
> That’s interesting. I didn’t know the history of ASICBOOST.
History is immaterial, what is important is the technical description of ASICBOOST.
Basically, by fixing the partial computation of the second block of SHA256, we could selectively vary bits in the first block of SHA256, while reusing the computation of the second block.
This allows a grinder to grind more candidate blocks without recomputing the second block output, reducing the needed power consumption for the same number of hashes attempted.
Here is an important writeup: https://www.mit.edu/~jlrubin/public/pdfs/Asicboost.pdf
It should really be required reading for anyone who dreams of changing PoW algorithms to read and understand this document.
There may be similar layer-crossings in any combined construction --- or even just a simple hash function --- when it is applied to a specific Bitcoin block format.
>
> Our proposal (see Implementation) is to phase in oPoW slowly starting at a very low % of the rewards (say 1%). That should give a long testing period where there is real financial incentive for things like ASICBOOST
>
> Does that resolve or partially resolve the issue in your eyes?
It does mitigate this somewhat.
However, such a mechanism is an additional complication and there may be further layer-crossing violations possible --- there may be an optimization to have a circuit that occasionally uses SHA256d and occasionally uses oPoW, that is not possible with a pure SHA256d or pure oPoW circuit.
So this mitigation is not as strong as it might appear at first glance; additional layers means additional possibility of layer-crossing violations like ASICBOOST.
Regards,
ZmnSCPxj