
Monero Declares War on ASIC Manufacturers - Osiris
https://www.ccn.com/monero-declares-war-asic-manufacturers/
======
tedivm
You can actually see one of the pull requests about this already. [1]

My favorite part about it is the response to criticism that the changes may
break the underlying cryptography they are using:

> We do not have cryptographers familiar with this kind of thing, sadly. [2]

1\. [https://github.com/monero-project/monero/pull/3253](https://github.com/monero-project/monero/pull/3253)

2\. [https://github.com/monero-project/monero/pull/3253#issuecomm...](https://github.com/monero-project/monero/pull/3253#issuecomment-365115603)

~~~
dragontamer
It not only creates a bias (which decreases entropy), but it's an operation
that would easily be implemented faster on an FPGA than on a CPU. I mean, it's
basically a single LUT; there's nothing more efficiently done on an FPGA than
LUTs.

Basically, I think it actually weakens the FPGA-resistance of Cryptonight.

Fortunately, the main idea of the changes would discourage ASICs being made
for Monero. But it doesn't seem to discourage FPGAs, which are just one
"resynthesize" away from fixing any code changes. And as long as the community
becomes accustomed to regular changes, then any issues in the encryption can
be fixed later.
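
Whether a byte-level "single LUT" tweak of the kind discussed above loses entropy comes down to one property: the table must be a permutation of 0..255. The following is an added check, not code from the Monero pull request, and the two tables in it are constructed for illustration (one bijective XOR-style tweak, one deliberately lossy tweak); it counts reachable outputs and computes the Shannon entropy of the output for a uniform input byte, including after repeated application.

```python
import math
from collections import Counter

BYTE_VALUES = range(256)


def bijective_xor_tweak_table() -> list:
    """Constructed tweak in the 'single LUT' shape: XOR bits 4..5 of the byte
    with a two-bit value chosen by bits 0..2, which the XOR leaves untouched.
    For fixed low bits the map is XOR with a constant, so it is a permutation.
    The constant 0xB4 is arbitrary and not taken from any real PoW."""
    table = []
    for b in BYTE_VALUES:
        selector = b & 0x07
        xor_mask = ((0xB4 >> selector) & 0x03) << 4
        table.append(b ^ xor_mask)
    return table


def lossy_tweak_table() -> list:
    """Constructed non-bijective tweak: overwrites bit 4 with the parity of
    bits 0..3. Inputs differing only in bit 4 collide, so half of the 256
    output values become unreachable."""
    table = []
    for b in BYTE_VALUES:
        parity = bin(b & 0x0F).count("1") & 1
        table.append((b & ~0x10) | (parity << 4))
    return table


def is_bijection(table) -> bool:
    """True iff the table is a permutation of 0..255 (no entropy lost)."""
    return (len(table) == 256
            and all(0 <= v < 256 for v in table)
            and len(set(table)) == 256)


def output_entropy_bits(table, rounds: int = 1) -> float:
    """Shannon entropy (bits) of the output when the input byte is uniform and
    the table is applied `rounds` times. A permutation keeps all 8 bits; a
    lossy table drops below 8 and can never recover."""
    counts = Counter()
    for b in BYTE_VALUES:
        v = b
        for _ in range(rounds):
            v = table[v]
        counts[v] += 1
    total = float(len(BYTE_VALUES))
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    for name, table in (("xor tweak", bijective_xor_tweak_table()),
                        ("lossy tweak", lossy_tweak_table())):
        print("%-12s bijection=%s entropy=%.3f bits (x4 rounds: %.3f)" % (
            name, is_bijection(table),
            output_entropy_bits(table), output_entropy_bits(table, 4)))
```

The check generalises to any per-byte transformation a fork proposes: build the 256-entry table from the candidate code, and if `is_bijection` is false the tweak is discarding state before it ever reaches the final hash.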

~~~
stevedc3
FPGAs cost 10x ASICs so this argument is unimportant. The reason for using
ASICs is lower cost / lower compute resources.

~~~
28mm
I am confused by this: aren't ASICs the costliest option until some (high)
number are fabricated and put into use?

If FPGAs can implement these changes efficiently (more efficiently than CPU
miners) and be re-synthesized to implement further changes, doesn't that
advantage them?

~~~
ethbro
Parent was presumably leaving unsaid "... at scale", aka enough to move a
chunk of the hash power.

~~~
stevedc3
Thanks yes I totally meant scale. Main cost of new ASIC chips is design and
fabrication. Only serve a very narrow specific purpose and all that cost is
sunk. But after that, unit production chip cost is negligible.

~~~
arthurcolle
do you happen to know b/e costs given difficulty/profitability ratio using
current market electricity prices?

------
mrb
As a Bitcoin miner since 2010, the hostility toward ASIC-based mining rig
manufacturers has rarely made sense to me. ASICs _strengthen_ your network.
The requirement to have specialized hardware to mine profitably, hence pushing
miners to the highest joule/hash metric physically reachable will make a PoW-
based cryptocurrency much more secure with respect to majority attacks (so-
called 51% attacks.) Cryptocurrency devs should welcome and embrace ASIC
miners.

By far, the majority of GPU farms mine Ethereum. This means any GPU-mineable
coin other than Ethereum is trivially vulnerable to majority attacks. The only
thing preventing these attacks from happening is the financial incentives
_against_ performing such a purely destructive attack.

ASIC-mineable coins are safe from such attacks from GPU miners.

People point out that the high barrier of entry into ASIC manufacturing can
lead to monopolies, such as Bitmain which is a quasi- (not quite) monopoly
with its 70-80% market share in Bitcoin with the S9. But first and foremost,
manufacturing monopolies don't matter to the _function_ of Bitcoin. A
manufacturing monopoly isn't a hashrate monopoly: Bitmain cannot attack
Bitcoin. They themselves only directly own <10% of the hashrate.¹

¹ Not to be confused with Bitmain's mining pools which represent more than a
third of the hashrate. People usually misunderstand the function and nature of
mining pools. End-users choose to mine at whatever pool they want. If
Bitmain's pools started sending malicious mining jobs to stratum clients, the
community would react and the end-users would promptly abandon them. So in
practice Bitmain cannot do whatever they want for however long they want with
their pools' hashrate. They enjoy the privilege of representing this hashrate,
and this privilege could evaporate overnight.

~~~
FridgeSeal
Because not everyone can afford ASICs, which puts the mining power _solely_
in the hands of those who can afford the hardware.

This once again reduces the playing field to a small, powerful group of
players and essentially no one else can participate. Doesn't this defeat the
purpose of a decentralised currency based on not having "trusted nodes"?

~~~
wmf
Realistically the cost of entry is more like $2,000 which is not a small,
powerful group of players.

~~~
FridgeSeal
Yeah I've totes got $2k spare to use on just getting an ASIC, which likely
won't have any resale value, and is only valuable for a very finite time

Comparatively, I do have a nice graphics card (which I can use for gaming and
stuff), and I can rent from cloud providers at price points I can afford if I
wanted more access to cards.

------
cocktailpeanuts
I think this is short-sighted.

Just like mining pools were not an expected event, humans will always figure
out a hack to make more money where there's money. Especially when there is no
legal implication for doing so.

These monero developers think they're doing good for their network, but all
this is doing is weakening their network based on the limited knowledge they
have about what's possible currently. I would even go further to say this is
arrogance.

There are many ways to compromise a network, and the best way to protect
against this is to strengthen it, instead of making foolish decisions based
on some conspiracy theory that nobody has ever actually seen played out.

For example if someone figures out a way to bring together the coinhive JS
mining library and a clever web exploit scheme to create a global ultimate
monero mining worm, it could compromise the entire network and they will have
no choice but to hard fork. The only way to protect against this sort of
attack is to strengthen the network. And only then you deserve to worry about
centralization.

I know this "miner centralization" is a controversial topic, but what I know
for sure is that people are making decisions to permanently change protocols
that are already working, in order to "fix" some hypothetical situation that
may or may not happen.

If humans were so good at prediction, we would not have great depressions. The
best way to deal with these issues is to solve them when they actually happen.
I think this is the best for all cryptocurrencies because IF some sort of
centralization actually does end up happening, people can fork and take a huge
chunk of network with them always.

The people who think we can't recover from these hypothetical centralization
are making some assumptions that are more likely to be false than true.

------
tom_mellior
Relevant quote: "Moving forward, developers will seek to protect the network’s
ASIC resistance by slightly modifying its PoW algorithm at every scheduled
hard fork, which generally occurs twice annually. These changes will not be
noticeable to ordinary XMR users, but they will alter the network’s hashing
algorithm enough that Cryptonight ASIC miners would become obsolete following
every fork."

We'll see how this works out. Hard to tell without any technical details about
what these changes to the algorithm will be. I'm not quite sure though about
amateurs mucking with the details of hash functions, it smells like going
against the rule of "don't roll your own crypto".

Also, and in the full understanding that this ship has sailed, it's stupid to
call a planned update everyone goes along with a "hard fork".

~~~
madez
> the rule of "don't roll your own crypto".

There is no such rule in general. In many situations it might be better to use
available solutions, but in others it might be better to do something
different. It depends on your attack model and what you are trying to achieve.

~~~
IncRnd
> _There is no such rule in general._

Actually, the general rule is, "Do not roll your own crypto."

> _It depends on your attack model and what you are trying to achieve._

It depends on so much more than those two items, which is why people are told,
"don't roll your own crypto."

There is almost a 1-to-1 relationship between looking at homemade crypto and
finding severe vulnerabilities such as oracles, input reuse, incorrect
encryption modes for the purpose of use, use of broken crypto, and a million
other gotchas that most people don't know they need to know.

~~~
madez
Not all "own crypto" is "homemade".

~~~
IncRnd
You're playing with semantics. You didn't address any of the points about
crypto, choosing instead to superficially focus on a single word.

However, "own crypto" is indeed "homemade." Crypto is not independent from the
purpose of use.

------
paulmd
OK, so now if Bitmain develops an ASIC they just won't tell anyone about it.
Apart from the increase in difficulty (which is increasing all the time
_anyway_ ), how would you know?

The ASIC companies are already de-facto mining operations. Bitmain premines on
the customer's hardware and only ship once they've taken their profit and
spiked the difficulty up. BFL did the same thing back in the day.

~~~
ryan-c
> OK, so now if Bitmain develops an ASIC they just won't tell anyone about it.

"Moving forward, developers will seek to protect the network’s ASIC resistance
by slightly modifying its PoW algorithm at every scheduled hard fork, which
generally occurs twice annually. These changes will not be noticeable to
ordinary XMR users, but they will alter the network’s hashing algorithm enough
that Cryptonight ASIC miners would become obsolete following every fork."

~~~
paulmd
A cat-and-mouse game where you have no idea if you're successful or not?
Doesn't sound winnable to me. And remember that those changes will have to be
choreographed well in advance so that other miners can implement the changes
too - at which point Bitmain will know the changes as well. And you're going
to do a major enough shakeup of the algorithm to break ASICs every 6 months,
and it's not going to piss off the miners?

This is a pretty tall order IMO.

------
comboy
I'm surprised I haven't heard about any big FPGA mining operations. It would
work nicely with this change plus it allows to mine coins with different algos
depending on what is most profitable at the moment (along with running some
wallet recovery / vanity address generator services).

~~~
wmf
Back in the Bitcoin days FPGA mining had little or no advantage over GPUs.

~~~
mrb
Actually FPGAs had 10× better energy efficiency. This was huge. Eg. the
popular Spartan6 LX150 used in many miners was rated 50 joule per gigahash,
compared to 500 J/GH for an HD 5970. I used to run both GPU and FPGA mining
operations. That said, they were comparable to GPUs in terms of $/GH.

------
nkurz
_Moving forward, developers will seek to protect the network’s ASIC resistance
by slightly modifying its PoW algorithm at every scheduled hard fork, which
generally occurs twice annually._

I presume they've considered this, but this seems like a dangerous approach.
How will they decide which change occurs, how far advance will it be decided,
and how will they keep this decision secret? Think of the potential advantage
to a party who uses foreknowledge of the exact change to have ASIC's ready at
the official announcement. If done on a small scale, it's possible that no one
would ever know. If done on a large scale, it would be obvious after the fact
that a leak had occurred, but the repercussions would likely destroy the
currency.

~~~
plasticmachine
Everything is open and transparent, so a "leak" is absolutely guaranteed. It
appears the plan is to merely make some sort of change every 6 months such
that an ASIC manufacturer hardly has time to develop a change, tape out, and
actually mine for longer than a month or two. This should make it
prohibitively expensive.

------
api
Couldn't you defeat ASICs pretty definitively (at least for a long time) by
making the algorithm dependent upon a gigantic completely random substitution
table? It would at the very least require ASICs to have giant amounts of ROM
or RAM (with a memory controller etc) which would multiply ASIC cost.

AFAIK for today's ASICs a table larger than a few megabytes would be a strong
deterrent. Go really big (e.g. 64 MB) and you'd have some margin.

This would also be completely deadly to GPUs, especially if combined with
branches and complex algorithms.

Edit: even worse: perturb the table using entropy from the block chain, making
it impossible to burn into ROM and requiring tons of on-board RAM or a memory
controller.

~~~
tatersolid
This is exactly what "memory-hard" hashing algorithms like scrypt, Argon2, and
balloon hashing already do.

You can tune their parameters to use GBs of memory if you wish.
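
To make the two preceding comments concrete, here is an added example (not code from Monero, scrypt or any miner). The first part tunes a real memory-hard KDF, `hashlib.scrypt` from the Python standard library, and computes the working memory its parameters imply. The second part is a constructed toy in the shape of a Cryptonight-style scratchpad proof of work: fill a scratchpad from the input, then run a loop of read-modify-write steps whose address depends on the running state, then hash everything. SHA-256 stands in for the AES and Keccak primitives the real algorithm uses, and the sizes are assumptions chosen to run quickly.

```python
import hashlib
import struct


def scrypt_working_memory_bytes(n: int, r: int) -> int:
    """scrypt's SMix keeps an array of n blocks of 128*r bytes; that array is
    what dominates memory use, so cost scales with n*r (RFC 7914)."""
    return 128 * r * n


def scrypt_kdf(password: bytes, salt: bytes, n: int = 2 ** 14, r: int = 8,
               p: int = 1) -> bytes:
    """Standard-library scrypt. hashlib enforces a maxmem limit (OpenSSL's
    default is 32 MiB), so it is raised alongside n*r to avoid a ValueError."""
    need = scrypt_working_memory_bytes(n, r)
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32,
                          maxmem=max(32 * 1024 * 1024, 2 * need))


def scratchpad_pow(data: bytes, scratch_bytes: int = 1 << 20,
                   rounds: int = 1 << 14) -> bytes:
    """Toy scratchpad PoW (constructed for illustration):
      1) expand the input into a scratchpad of `scratch_bytes`,
      2) perform `rounds` read-modify-write steps whose address is derived
         from the current state, so the next access cannot be predicted or
         prefetched without actually computing the previous step,
      3) hash the final state together with the whole scratchpad.
    Step 2 is what forces an ASIC to keep the entire scratchpad in fast
    memory rather than streaming it."""
    if scratch_bytes < 32 or scratch_bytes % 32:
        raise ValueError("scratchpad must be a positive multiple of 32 bytes")
    block = hashlib.sha256(data).digest()
    scratch = bytearray(scratch_bytes)
    for off in range(0, scratch_bytes, 32):          # phase 1: fill
        block = hashlib.sha256(block).digest()
        scratch[off:off + 32] = block
    nblocks = scratch_bytes // 32
    state = block
    for _ in range(rounds):                           # phase 2: random walk
        off = (struct.unpack_from("<I", state)[0] % nblocks) * 32
        mixed = bytes(a ^ b for a, b in zip(state, scratch[off:off + 32]))
        state = hashlib.sha256(mixed).digest()
        scratch[off:off + 32] = state                 # write back: RMW
    # phase 3: bind the result to the entire scratchpad, not just the state
    return hashlib.sha256(state + hashlib.sha256(scratch).digest()).digest()


if __name__ == "__main__":
    for n in (2 ** 14, 2 ** 15, 2 ** 20):
        mib = scrypt_working_memory_bytes(n, 8) / 2 ** 20
        print("scrypt n=%d r=8 -> %.0f MiB working memory" % (n, mib))
    print("scrypt(2**14, 8, 1):", scrypt_kdf(b"password", b"salt").hex())
    print("toy scratchpad PoW :", scratchpad_pow(b"block header").hex())
```

The scrypt line shows the tunable the comment refers to: n=2**20 with r=8 is 1 GiB of working memory per hash. The toy PoW shows why a lookup table alone does not achieve this: with the data-dependent walk in phase 2, the cost of a hash is bounded by memory latency rather than by arithmetic, which is the property the commenters above are debating.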

------
ezoe
I don't get it.

A crypto-currency which will hard-fork twice yearly and all miners accept that
hard-fork? If you trust changes not backed by computations but from central
authority regularly, why don't you use the traditional bank backed by a
nation-currency?

~~~
stale2002
The little known secret of ALL cryptos, is that they are all fundamentally
backed by a SOCIAL consensus, and not just a technical definition.

If everyone in the world just decides that a new fork of bitcoin IS bitcoin,
then it really does become bitcoin.

This exact thing happened with Ethereum. A bunch of people in the community
just decided to hardfork, and then it happened. And now the hard forked
ethereum is the real ethereum.

Computing power doesn't stop your "real" version of the old currency from
becoming worthless, and the "new" "forked" version of the same currency from
becoming worth more money.

~~~
erikpukinskis
I agree this is super important and often missed.

People think the blockchain prevents bad things from happening, but it’s the
exact opposite:

The blockchain allows EVERYTHING.

It permits all possible universes with all possible transactions. I can go
back to the first block and pretend Satoshi never mined more than the first
one, and I have all the bitcoins.

That reality is just as valid as any other. This is the central idea of
blockchain tech: you assume all realities will exist. Then you code ways for
people to do business _despite_ inevitable lack of consensus.

Coincidentally this is exactly what young hippies miss about anarchism when
they are trying to run consensus processes. They think anarchism is about
obtaining consensus. But it’s really the opposite: anarchism is about what
happens when you DONT have consensus. If you have consensus it doesn’t matter
what political system you’re in: monarchy, communism, libertarianism, it’s all
the same when there’s consensus.

This all became clear to me after reading The Dispossessed (RIP Ursula K.
Le Guin). An anarchist syndicate is differentiated (from e.g. a co-op) by how
people react when someone DISSENTS.

If you dissent from the co-op you have essentially no rights. Unless you have
a voting quorum the others can use the police to stop you operating against
policy.

In a syndicate, a dissenting member has the same rights as _the entire rest of
the syndicate_. They have equal claim to the facilities, the resources, even
the staff. They stand peer to peer with the syndicate itself.

Bitcoin is the same. A fork has all the same capabilities as the long chain.

------
eftychis
I am a bit confused by the reaction and commentary. ASICs are kind of the
natural next step, so it is not surprising at all for any serious miner to go
there. Hence, this appears as a too reactive really short term move and I
wonder about the reasoning behind this.

The number of units to break even is not that high -- here is one random
example, a google search away, that seems right to me -- from what I can
recall -- [http://www.deepchip.com/downloads/fpga-vs-asic.pdf](http://www.deepchip.com/downloads/fpga-vs-asic.pdf). A reasonable
volume or am I missing something?

Consider FPGAs as the efficient R&D step (due to its re-useability) towards an
ASIC. ASIC will be generally faster and considerably more cost effective
option per unit; plus more compact (so more units per space -- although there
are other factors to account here). Usually you might end up with something
less power hungry also, although I really doubt here one will see such a
benefit.

Hence Monero is going against this step as a way to mitigate centralization
and the introduction of more market entry barriers. I think this is a bit
late. For instance, there is a great incentive for miners to join pools -- see
a bitcoin analysis [http://www.jbonneau.com/doc/SBBR16-FC-mining_pool_reward_inc...](http://www.jbonneau.com/doc/SBBR16-FC-mining_pool_reward_incentive_compatibility.pdf)

------
QML
Ironic that the plan to keep mining decentralized requires centralization
itself. Same thing happened with SIA earlier when another company beat SIA's
founders to the market with an ASIC.

------
tzs
How trustworthy are these people?

I have not heard anything bad about the Monero people, but given the number of
bad actors in the cryptocurrency space they should probably describe what
steps they are taking to ensure that nothing like what I'm about to describe
can occur.

> Moving forward, developers will seek to protect the network’s ASIC
> resistance by slightly modifying its PoW algorithm at every scheduled hard
> fork, which generally occurs twice annually. These changes will not be
> noticeable to ordinary XMR users, but they will alter the network’s hashing
> algorithm enough that Cryptonight ASIC miners would become obsolete
> following every fork

Suppose an insider is conspiring with one of the ASIC makers. The insider gets
the modifications to the ASIC maker before they go public. The ASIC maker gets
a head start on making new ASICs.

During the time between the modifications going public and other ASIC makers
getting chips out, the conspiring maker does NOT sell their chips. They use
them themselves, splitting the results of their mining with the insider.

~~~
plasticmachine
There are no "insiders" with Monero. Just like many FOSS projects, everything
is developed in the open and entirely transparently. The first time anyone has
visibility on PoW changes is when someone comes up with specifics and opens a
PR, and as can be seen on the current PR there's little chance that the first
pass is the one that will go in.

------
guelo
What are these scheduled hard forks? Is it a property built into Monero's
algorithm or is it a process centrally planned by the governance.

~~~
tylersmith
The developers have a release cycle that includes periodic hard forks. AFAIK
there is nothing algorithmic to entice or force a fork like the Ethereum
difficulty bomb does.

~~~
AndrewBissell
The scheduled hard fork is announced weeks in advance, and high-profile
clients like exchanges are "strongly encouraged" to upgrade. If you run your
own XMR full node on an old version past the fork date, you get a bright red
warning message telling you to get the new version.

~~~
matthewbauer
That sounds extremely centralized.

~~~
plasticmachine
Anyone can be a Monero contributor and can work on the hard fork.

------
pera
Is it possible to synthesize cryptographic hashing function circuits randomly?

~~~
IncRnd
A cryptographic hash is a one-way function that produces repeatable not random
output.

~~~
pera
This is not what I meant :) my mistake, I will rephrase my question:

Is it theoretically possible for a computer program to synthesize new
cryptographic hash functions which are significantly different one from the
other (i.e. not just changing constants, or number of iterations)?

~~~
IncRnd
One would need to define what is meant by "significantly different" as well as
the exact purpose of the hash functions. i.e. I suggest not to start with the
implementation but with what is trying to be achieved. Putting the cart before
the horse, so to speak, is a recipe for creating bad crypto.

------
admax88q
It seems to me the only reliable way to favour general purpose computers over
specifically manufactured hardware would be to change the algorithm
periodically.

------
kuroguro
I wonder how nicehash will handle the upcoming hard forks as there are other
cryptocurrencies running on the original cryptonight algorithm.

------
_nalply
A variant are memory-hard PoW algorithms like Equihash. To calculate a hash
you need a lot of memory which makes ASICs infeasible.

~~~
dragontamer
I disagree.

I've outlined my main points in a post on Reddit:
[https://www.reddit.com/r/Monero/comments/7x82yp/technical_cr...](https://www.reddit.com/r/Monero/comments/7x82yp/technical_cryptonight_discussion_what_about/)

In short: a memory-hard PoW algorithm (such as Cryptonight) can be gamed by
using exotic low-latency memory like RLDRAM3, QDR-IV, or Hybrid Memory Cube.

It's not as many orders of magnitude better than BTC, but it'd probably be on
the order of 1x to 10x more power-efficient in the case of RLDRAM3. Although
due to the costs of developing an ASIC and buying expensive RAM like RLDRAM3,
it would likely cost a bit more than commodity hardware.

You'd make it up eventually in energy savings however.

The recent Hybrid Memory Cube RAM looks incredibly fast and power-efficient
however. I wouldn't be surprised if HMC + FPGAs or ASICs completely destroys
any "ASIC-resistance". Fortunately for the cryptocoin community, HMC is
incredibly exotic, expensive, and rare at the moment.

~~~
wmf
It's interesting that you didn't consider internal SRAM; 2 MB of SRAM is less
than 10 mm2 in a 10 nm process so an entire CryptoNight core might be ~12 mm2.
This would be roughly twice the area efficiency of x86.

~~~
dragontamer
QDR-IV is SRAM.

I think buying QDR-IV and externally interfacing would be easier. But I
haven't thought too much about this aspect of the problem.

In effect, QDR-IV already exists and is already mass produced. So if you
wanted SRAM, there it is. Already available to order from numerous suppliers.
I don't see much reason why you'd want to design it into an ASIC when it's a
ready off-the-shelf part.

Overall, I think the optimal design would use RLDRAM3 anyway. RLDRAM3 is
cheaper and uses less Watts than QDR-IV. The tRC latency issue on RLDRAM3
doesn't seem to affect the expected workload of a memory-heavy Cryptocoin, so
QDR-IV (aka SRAM) wouldn't have much of an advantage over RLDRAM3 anyway.

------
s73v3r_
This is awful. I would like to be able to buy a graphics card for its
intended use (gaming) at a reasonable price.

------
kingosticks
So not a war on TSMC etc like I thought this article was about. But a war on
Bitcoin ASIC designers.

------
dna_polymerase
Trying to defend the mining from ASICs makes some sense keeping in mind
recent news. Monero could really gain momentum (more than they have by now)
by becoming the alternative to online advertising by being the coin to be
mined in browsers around the world.

Salon.com already tried it, and if it works out for them, it could become a
pretty great alternative to ads. It would also change the dynamics of online
content, as page-reloads would mean a dip in hashing power.

~~~
Matt3o12_
[http://coinhive.com/](http://coinhive.com/) also offers this but users do not
seem to like it. They offer two miners, one which only operates with the
user's consent and another one without explicit consent. Either one seems to
have been banned by my ad blocker, although the one which requires consent has
a note which clearly states that it should not be in any filter because the
user wanted to run the script and blocking it might break the website.

They even have a pretty cool use case for it too: to have x amount of hashes
as a captcha replacement, with a nice UI and such (you can find it by clicking
on login at their page & disabling your ad blocker). Unfortunately, it does
not work really well for many of my use cases. When I'm on my phone it is
fairly slow. When I'm on an old phone (iPhone 5 and 5s, for instance), it is
so slow that many users would just close the page because they believe it is
broken, but it probably is a decent defense against brute force attacks
because it still requires quite a bit of work to try a login.
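
The "hashes as a captcha" idea above is a client puzzle: the server hands out a challenge, the client burns CPU to solve it, and verification costs the server one hash. The following is an added, constructed example of that pattern in hashcash style (leading zero bits on SHA-256); it is not Coinhive's code, which instead has the browser submit Cryptonight shares that pay the site. The challenge is stateless: an HMAC under a server key binds the client id, issue time and difficulty, so the server stores nothing and the client cannot lower the difficulty. Key, difficulty and expiry values are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time


def issue_challenge(server_key: bytes, client_id: str, difficulty_bits: int,
                    now=None) -> str:
    """Server side. Format: client_id:issued:bits:random:hmac. The HMAC covers
    everything before it, so any field the client edits fails verification."""
    issued = int(time.time() if now is None else now)
    body = "%s:%d:%d:%s" % (client_id, issued, difficulty_bits,
                            os.urandom(8).hex())
    tag = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    return body + ":" + tag


def _leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def _work_hash(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(challenge.encode() + struct.pack("<Q", counter)).digest()


def solve_challenge(challenge: str, max_tries: int = 1 << 24) -> int:
    """Client side: brute-force a counter until the hash has the required
    leading zero bits. Expected work is about 2**bits hashes; the client
    reads the difficulty from the challenge but cannot change it."""
    bits = int(challenge.rsplit(":", 4)[2])
    for counter in range(max_tries):
        if _leading_zero_bits(_work_hash(challenge, counter)) >= bits:
            return counter
    raise RuntimeError("no solution within max_tries")


def verify_solution(server_key: bytes, challenge: str, counter: int,
                    min_bits: int, max_age_s: int = 300, now=None) -> bool:
    """Server side: one HMAC plus one hash. Rejects a forged or edited
    challenge, one issued at a lower difficulty than now required, one that
    has expired, and of course a counter that does not meet the target."""
    try:
        client_id, issued, bits, rnd, tag = challenge.rsplit(":", 4)
        body = "%s:%s:%s:%s" % (client_id, issued, bits, rnd)
        expected = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        if int(bits) < min_bits:
            return False
        current = time.time() if now is None else now
        if not 0 <= current - int(issued) <= max_age_s:
            return False
        return _leading_zero_bits(_work_hash(challenge, counter)) >= int(bits)
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    key = os.urandom(32)                      # assumed server secret
    ch = issue_challenge(key, "alice", 16)    # ~65k hashes of client work
    t0 = time.time()
    c = solve_challenge(ch)
    print("solved in %.2fs, counter=%d, valid=%s" % (
        time.time() - t0, c, verify_solution(key, ch, c, 16)))
```

Two practical caveats the comment hints at: difficulty has to be chosen for the slowest client you care about (an old phone in JavaScript hashes far slower than a desktop), and a solved challenge is reusable until it expires, so a login endpoint should also remember the random field of each accepted challenge until its expiry to stop replay.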

~~~
duskwuff
The biggest problem I see with Coinhive is that they've systematically failed
to prevent malicious uses of their service. The Coinhive script is frequently
injected into compromised web sites, or into _all_ web sites by locally
installed malware, and Coinhive's payout scheme -- fully automated payouts
every two hours -- makes it very easy for a malicious user to "get away" with
their profits.

(Coinhive claim to disable accounts associated with abuse, but even if they do
that promptly, the lack of any meaningful holding period means that abuse can
still be quite profitable.)

