Hacker News new | past | comments | ask | show | jobs | submit login
Optical Proof of Work (arxiv.org)
81 points by ArtWomb 26 days ago | hide | past | web | favorite | 32 comments

In my view, the idea that optical PoW will reduce the energy cost of PoW mining is only temporary, because the Capex aspect of photonic miners is likely to be only a temporary competitive advantage - just like the Capex advantage of building ASIC miners is only a temporary, until each newer and more efficient ASIC is rolled out.

Photonic technology is new and not as readily available - for now.

If it turns out to be a way of minting money, demand will rise, and the competitive process of PoW will surely result in every photonic-miner owner trying to build a bigger, faster farm, just like all the others, and then we're right back to energy.

The ratio of HW cost to energy use is different for each computing platform and depends on algorithm etc. For example, it seems Cuckoo Cycle PoW has somewhat higher capex/opex in ASICs because of the heavy memory use.

For photonics the ratio changes significantly due to fundamental physical properties of analog computation, photons vs. electrons and so on.

Anyhow the process of the Si Photonics (and memristors/other analog approaches to AI) maturing to the same degree as digital ASICs will likely be long and gradual so this isn't a practical issue for next decade.

I had high hopes for Cuckoo Cycle PoW, but it turns it cannot be scaled linearly, or even at all predictably. So unless the consensus is to regularly tweak the algorithms pretty heavily, it runs the risk of reaching a situation in the future where the currently immense memory requirements being a piece of cake.

See the long discussion in https://www.grin-forum.org/t/grin-improvement-proposal-1-put...

It will take many years for 1GB of on-chip cache to be common, but when that happens, hopefully commodity computing devices can support somewhat efficient Cuckoo mining...

Does anyone have any insight into what the actual nature of HeavyHash is?

> This leads to the selection of a hybrid design that composes digital hashing with low precision vector-matrix multiplication (intended for photonic acceleration) to produce HeavyHash. HeavyHash is an iterated composition of an existing hash function, i.e. SHA256, and a weighting function such that the cost of evaluation of HeavyHash is dominated by the computing of the weighting function.

What is the weighting function? How do we verify that the result is valid? There have been other attempts to make proof of work more capex sensitive (especially memory-hard variants, like birthday paradox) but they all end up suffering from the fact that the very fact that you can verify the result means that you can brute force the outcome, and often that's a tradeoff that works.

Without knowing specifics it's very hard to say whether this particular proof of work algorithm does not permit an energy-inefficient brute force solution that will end up making the energy problems just as bad -- my intuition is that of course this won't work, as a matter of "no free lunch" -- the cost to secure a coin will be equal to the value of keeping it secure.

I guess we'll have to wait:

> Beyond these intuitions, the specifics of the algorithm and a detailed proof of its security will be published in a separate manuscript. [54]

> [54] Michael Dubrovsky and Marshall Ball. Towards optical proof of work; oPoW. Unpublished Manuscript, 2019.

> the very fact that you can verify the result means that you can brute force the outcome

No; you cannot brute-force the outcome in any realistic sense. For example, a Cuckoo Cycle [1] proof consists of 42 n-bit indices of edges that together form a cycle in a random bipartite graph on 2^n+2^n nodes, with typically n >= 29. Brute forcing over all possible size-42 subsets of 2^n indices will take well beyond the heat death of the universe. It's way easier to brute force the 256-bit private keys of all bitcoin balances...

[1] https://github.com/tromp/cuckoo

Can you please expand or refute on my comment above. (User jacobush.)

Hey, MD here... You are right that these tradeoffs are difficult to engineer.

However, it's easier to make it work on top of a more radical shift in hardware. At the basic level, we are just using simple random matrix-vector mults. Of course, the photonics or other analog low-energy approaches have to win in the market for this operation, and that will be tested empirically (though there has been a ton of investment into this kind of processing going analog as we discuss in the paper).

So the big problem is that Market Forces are the largest decision factor in any distributed system.

Right now the barrier to entry is relatively low. Miners just need cheap electricity and off the shelf GPUs to get started. It's also well known to use and get started with building your own mining cluster.

The only way to fix it is to introduce graduated electricity rates that increase as more electricity is used.

Actually, electricity rates drop with economies of scale and willingness to set up in remote areas.

Have you looked into mining Bitcoin with GPUs lately? You would need free GPUs and free electricity to justify the effort to set it up...

BTC is only profitable with a. ASICs b. Very cheap energy source

Same is increasingly true for other coins.

I've spent a lot of time trying to understand PoW and came to the conclusion that is a distributed clock of sorts, described here https://grisha.org/blog/2018/01/23/explaining-proof-of-work/

Pretty much, yes. It's kind of spelled out in the Nakamoto paper. From the introduction:

" In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions."

Everything else in Bitcoin is just turning that timestamp server into a practical(ish) system.

Yes, that's why non PoW distributed ledger like the XRPL work essentially the same by only sorting Tx by time and then use a federated byzantine agreement to "filter out" Tx that did not propagate trough the network in a specific time and thus cant be put in correct order. These Tx will be added to the next ledger(block) instead which isn't a problem if block times are just seconds.

Well, it relies on a synchronized clock, so it can't provide a clock. PoW adjusts the difficulty based on the time to try to meet some difficulty target.

In fact, if the time of nodes is not synchronized, it can cause significant problems and vulnerabilities. If time is too fast, the difficulty adjustment algorithm will think it mined too few blocks and decrease the difficulty.

Those aren’t really “significant problems and vulnerabilities”: any given node can lie about what time it is, but you’re not trusting a particular node for more than the outcome of a single contiguous block—and block difficulty “velocity” is capped—so you’d need a Sybil attack to actually walk the difficulty down. Otherwise, even at 49% malicious nodes, consensus is just going to bounce between nodes that say the time was really short, and nodes that give “regular” timestamps, keeping the difficulty roughly constant within the network’s margin of error.

Really, the timestamp field in most PoW systems’ “block” structs (Bitcoin’s, Ethereum’s, etc.) is just defined as “a number that is higher than the one in the parent block, and not so high that when interpreted as a POSIX timestamp it would land 30+ seconds in the future relative to the local node’s time.” So you just need >50% of the nodes to have a ±30s clock sync in order to agree on which blocks are valid for consideration; and even if you don’t have that level of synch, those blocks will still become valid eventually, once they’re old enough that all the nodes do consider them to be in the past. (And most PoW systems keep around near-“future” blocks until they’re valid for just such a case.)

The timing aspect is an important part of PoW, but it's not the entire purpose. The Bitcoin whitepaper itself goes on to say, "The proof-of-work also solves the problem of determining representation in majority decision making." That is, PoW also solves the problem of deciding which consensus rules to enforce, not just when.

This is a really fascinating paper. Given that cryptocurrency is here for the long haul - a reasonable assumption, even if it’s only for money laundering - finding a way to cut the power cost and make mining resistant to bots makes a lot of sense.

If the cost of operation is minimized and transferred to at the time of purchase, it will just make people buy MORE hardware, not less. Instead of realizing that money in operations, it will be shifted to purchase of increasingly more amounts of hardware as the primary mode of competition.

Building the hardware could maybe be optimized, but is unlikely to be energy efficient or environmentally friendly. At least with energy you can optimize the point source of pollution at the source, and as such use sources of energy that are renewable or environmentally friendly.

This scheme seems to be robbing Peter to pay Paul.

Yes, more HW would be purchased.

There's much less embodied energy in $1 of chip (especially cutting edge HW where you are covering R&D) than in $1 of energy.

Also once hardware (access to capital much better distributed than access to huge quantities of discounted power) is purchased it's portable and condensed. Much better for decentralization.

For existing PoW hardware (even GPUs) it seems like proximity to the Chinese supply chain is more important than capital. I don't see why that would change.

For existing PoW, proximity to cheap energy is required before anything else.

This can't be fought at every level but there are PoW schemes that focus on memory capacity, or bandwidth, etc, that are harder to optimize. It turns to problem from "tile these small functional units across silicon" into "create another high performance desktop computer."

I'm not sure this theory works. If the opex is sufficiently low, even if the capex is higher then miners would migrate to it as the total ROI is greater. They seem to admit this partway through the paper - "a low energy PoW can be achieved by tailoring a PoW algorithm to a hardware paradigm with a CAPEX dominated cost perhash/trial".

But while they've demonstrated a low-energy way of computing an equivalent hash, presumably this is in no way currently competitive. Therefore this proof-of-concept itself is not an example of an algorithm with capex-dominated costs.

Given that capex versus opex is primarily a matter of accounting (i.e. do I buy a PC, or do I rent a VM from AWS?), I don't understand how that algorithmic distinction can even be achieved. If the ongoing cost of running the device become negligible, then you just incentivise the miners to "spend the saving" by buying more mining devices up-front.

Naively, it seems to me that as long as the profit you get out of mining scales linearly with the amount of money you put in, the richest player will eventually control all of the hash rate. Yet this doesn't seem to be the case (so far?). Is my thinking incorrect, if so, why?

Well, one thing is that the amount you mine isn’t linear in your hash power, it is proportional to the proportion of the hash power that you control.

Also, measures of how centralized the mining is, is widely believed to have a substantial impact on the price. Miners may believe that if they were to purchase enough mining power to control a majority, that the price they could sell the tokens for would go down, actually reducing their profit. Whether this actually would reduce their profit, I don’t know. Also, conceivably, if they were to buy more mining power, possibly their main sources of competition might respond in kind, resulting in the same income, but higher costs.

By a similar argument to the “avoid there being a majority”, might also want to avoid the case where “if just one large miner drops out, there would be a majority” if people think there is a non-trivial chance of such a miner dropping out.

There is, as I understand it, a relatively small collection of large miners such that together they would comprise a majority. Perhaps this is around the smallest number of independent entities that people will expect to be large enough that they will not collude to do bad stuff, and therefore no miner will buy enough additional mining power to cause this number to shrink, out of fear of making the price go down?

I don’t know, these are just some ideas.

Why would it? E.g. if mining has a 1% return on investment and there are three actors with 4, 5, and 7 units of hash power, and they reinvest profits into more mining rigs, then a year later they will have 4.04, 5.05, and 7.07 units of hash power---the ratios stays the same.

Turns out, I really didn't think this through. Thanks for the correction.

Profit from mining (for example Bitcoin) does not scale linearly with the amount of money you put in. If only a few miners control the hash power of the network, that will discourage use of the currency and drive the price of it down. It's not in the interest of miners to control > 50%.

It's not in the interest of miners to admit to controlling > 50%. If you can do so in secrecy, it's a pretty fantastic racket.

They’re falling just shy of mentioning which silicon photonics providers we should be buying :)

These designed optical chip devices look like alien technology really...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact