Proposal to switch to SHA-3 proof of work #103
Comments
Then why not switch to an algo which is asic/gpu/cpu and nature friendly? |
Your title Implementing an ASIC-friendly POW will likely result in no ASICs being manufactured in the current market due to unprofitability, and if/when a manufacturer chooses to do so, they will likely be the only one (again, due to the tiny market), resulting in conditions ripe for 51% attack. No sane manufacturer will sell their ASICs under such conditions, since it will only eat into their own profitability by increasing the proportion of hash they don't control. In any case, if an ASIC friendly PoW is somehow chosen, the shift should obviously change over a long period in time, similar to what Grin is doing with their choice of PoW. |
@Bendr0id such as? |
Cuckaroo cycles for example |
My reply: The Aeon community is too small at the moment to do this. All small pools will die. I'll probably shut down PoolTupi, because nobody in South America will be able to afford ASICs. Aeon will become a mine-and-dump coin (which is at the moment with ASIC farms). ASICs are mining Aeon now because they have limited options on what to mine. They are not mining because they believe the coin is worth something. Mining is and will be centralized. This is not BTC, ETH with thousands of people interested. This is Aeon, with a tiny community that wants a place in the crypto space. Coins released in 2017/2018 with no purpose (meme/scam) have a LARGER community than Aeon. Switching to SHA-3 will kill the coin. But that's just my opinion. EDIT: also, a good read on the subject: |
I still like CPU friendly algos. Easier to reach a wider range of miners (even though mining at a loss). |
@plavirudar Key derivation functions and mining have some similarities but also some critical differences. A 20% or 50% or even perhaps 99% improvement in a KDF is nearly useless in terms of enabling brute forcing but these are absolutely effective in terms of mining. The intense competitive nature of mining means that small to moderate differences are very important and this makes the ASIC-resistance task far more difficult and less likely to succeed than for KDFs. |
I think the point is that for a given degree of resistance relative to the fixed cost of ASICs and the extent of any efficiency improvement, the market may always be too small, or at least may stay too small for a sufficient period of time as to not require frequent forking. Many algorithms became fully GPU-, FPGA-, and/or ASIC-dominated a lot faster than CN did, because CN did indeed have a degree of resistance. That degree of resistance turned out to be insufficient once Monero got to a certain size. Increase the resistance and the necessary size becomes larger, potentially (theoretically) to the point where no cryptocurrency would ever reach that size, even if it became the global standard currency. To be fair I don't think anyone has demonstrated this is feasible in practice, but it isn't impossible in theory. |
SHA-3 is not currently crowded with ASICs, so it would be, in its current state, a CPU/GPU mining friendly PoW change. People say fork to cnR and if it doesn’t work then fork to sha3. Imo this creates additional work and if you were going to switch anyway in the long run why not omit that task in the first place then. I believe that this drastic change will allow AEON to stand out from the pool of CN coins and step into the eye of developers who may not have paid any attention to AEON in the first place. This also may increase the value of Aeon as those developers (or early investors) step in. It may work. It may not work. But if you do not try you will never know the outcome. EDIT: |
2 sats from old pool owner. You have to respect miners, they are who drive the network with their actions and behavior. In my opinion, it is a mistake to think that the miners of those living, community, can be exchanged/replaced for/by ASICs. ASICS are mining only for profit/dump coins, miners also but if they have other purpose of use they go that way too. And if thoughts are going in this direction, whether cn-lite variant 0 was not enough to draw conclusions. Sorry for my eng but even i understand stoffu point of view and thinking long term it should be always way to allow general purpose of what aeon have described on their web page. Now it looks like big change. |
I disagree with this argument. Efficiency increase by ASICs varies depending on how much resource was put into development; i.e. producing less optimized ASICs is cheaper than producing more optimized ones. But those less optimized ASICs will still be measurably faster than CPUs/GPUs driving them away from mining. I don't think it's reasonable to assume that there can exist a PoW algorithm that is so ASIC resistant that any kind of efficiency improvement over CPUs/GPUs can never be devised even when the currency becomes the global standard. |
Posted this on Reddit as well: The arguments for SHA-3 are sound in the long run ... eventually.
Not Yet Time to Become ASIC-Friendly: Reasoning
The Individual Miner will Avoid Anything Branded ASIC-Friendly
I am speaking from the standpoint of an individual miner. I am a computer guy, so I wanted to learn by doing ... by participating in the technology ... by mining. That is how I found Aeon, and if Aeon had not been CPU-friendly, I would have not given it a thought. Conclusion: if Aeon had been marketed as asic-friendly coin 2 years ago, I would not be here.
The Individual Miner Often Becomes Active in the Community
I am also speaking from the standpoint of Community Contributor over the past year or so. I am regularly on the Discord channel, I made a lot of general Aeon information available via some How-To's. I was instrumental in standing up the Community pages on github. I have contributed and plan to contribute more to testing ... PR-testing is a critical function that requires basic technical skills ... the skills an Individual Miner has.
The Aeon Community Is Still Small, evidenced in several ways:
ASIC Makers Will Not Become Community Members
Does anyone believe that ASIC creators and ASIC-Farmers will become active in the Aeon Community and contribute to our growth? Network stability is nothing in the face of a small community that cannot take the coin forward more than a few halting steps a year. WHO will replace the lost potential of pulling in a few more thriftyMinnows and Camthegeeks? We better have a compelling answer to that question!
Will Aeon Get Recognition for Moving to SHA-3? Probably Not.
Who, exactly, is going to tell anybody about this if it happens? Our small community will tell some of our tech friends maybe. A small % of the Monero community will know about it, and maybe tell some people ... and then go back to working on Monero. We need to get our act together with some real Marketing plans, and have some Marketing avenues that draw attention to our message ... otherwise we will adopt SHA-3 and there will still be exactly 100 people that know Aeon exists. (That's slightly sarcastic, but not much.)
Alternative Approach To Differentiation And ASICs
Here are my thoughts: a variation on the SHA-3 theme.
When We Near the Emission Tail Phase, SHA-3 Makes More Sense
|
Yes but only to a point. The big CPU and GPU makers already put many billions of dollars into designing their chips, and then benefit from enormous economies of scale in producing them. If the "work" being performed is close enough to what those chips are designed to do (which is what approaches like CN-R and randomX are attempting to do) then you are at or very close to the point of diminishing returns where no amount of money will result in significant improvements. I'm not claiming this will be accomplished but I also am not convinced by arguments that it is impossible. A lot of the intuition about ASICs comes from simple hash functions such as SHA, scrypt, or even cryptonight (which is a scrypt variant). No one questions that simple hash functions can be computed much more efficiently by ASICs. That's very different from claiming that there does not exist any function which can not be computed much more efficiently by ASICs. |
This argument seems to imply that a perfectly ASIC resistant PoW is something which commodity CPUs/GPUs would perform the best (i.e. creating ASICs better than CPUs/GPUs would be impossible) to complete the hash calculation. But CPUs/GPUs are designed to best perform a variety of tasks in common people's daily life, such as:
CPU/GPU manufactures make decisions on a good balance between different aspects of processors (e.g. memory bandwidth, branch prediction, etc) so as to best serve the largest customer base and thus maximize their profit. Let's call this balance "the average computational need". The perfect ASIC resistant PoW must adhere to this average computational need, which seems very problematic because:
|
The reason manufacturers make decisions on a good balance is because it is not economical to create specialized solutions for every single customer application. Even the identifiable market segments that do exist (such as gaming) end up with products which are small variants of the general solution (higher clock rate, etc.) and not fully-specialized. This all benefits from many billions of dollars going into a processor family R&D and unit costs advantages of producing huge volumes of the same product (or small variations thereof). I'm not really sure what you mean by 'as complex' or 'too complex'. That term seems poorly defined if at all. As for your last point about identifying the 'average computational need', I don't believe that is required in any specificity. Anything that is within the general cloud of all the applications you listed and others is fine. The market tells us that a general solution is fine because no one builds specialized chips any of those. At most you see some variations of the same chips (workstation version with more cores/cache, etc. vs. consumer version) With non-ASIC resistant mining you can imagine all of the sorts of applications you mentioned (as well as many others) being in some cloud of 'best performed by a general purpose solution' and mining being well outside that cloud. The goal of ASIC-resistant is to move it closer or inside that cloud. I don't know of a way to prove that is impossible, though clearly no one has yet accomplished it. |
BTW, I think a better argument for why it might be impossible would be to focus on ways in which mining is profoundly different, not so much the workload itself. For example, mining calculations don't need to be reliable at all. A 10% failure or error rate is perfectly acceptable if doing so give you an 11% increase in hash rate/efficiency. No one builds any sort of general purpose computers like that at all, afaik. It is a completely different sort of animal. |
By 'complex' I mean the power consumption needed for calculating a single hash being high. 'Too complex' is indeed subjective, and can vary depending on how much weight one puts on what. The 'too complex' bar for Bitcoin is kept very low while ASICs are accepted. Monero is currently lifting that bar higher and higher to keep resisting ASICs. No one knows how high it can go and still remain practically relevant, only time will tell. I personally thought Aeon is aiming for keeping that bar as low as possible, ideally to the level of Bitcoin's. Thus ASIC friendliness seemed to make sense to me, but I could be wrong (in which case I'd stop supporting Aeon). |
I would definitely consider lower cost per hash for verification to be a major positive. It is true that as far as I know, no one has any idea whatsoever how to make a randomX-type ASIC-resistant (maybe) algorithm with low cost per hash. So that is a certainly a good point. |
SHA-3 will be FPGA first. Where an atomMiner (700$) does 500 MH/s at 17W, an RX580 does 310 MH/s at 225W. Those FPGAs will be bought in batches by big farms. For average Joe, the item will be "out of stock". CPU/GPUs will be out since day 1. |
@stoffu I'm confused about this argument. A Bitcoin ASIC consumes +1000W, while an AMD Vega 64 ~200W. The algo is lighter, but the machines created to mine it are big and power hungry (because they need to be as fast as possible to compete with other ASICs). Could you please elaborate? |
I did not know that one of Aeons core values was being designed to be the most efficient crypto in regards to mining power consumption. Did I miss something? |
@BigslimVdub I believe stoffu compared SHA256 complexity and power consumption with Cryptonight. SHA3 is not much different from SHA256. Just trying to understand his point on "power consumption", because Bitcoin ASIC farms consume more Watts than GPU farms. |
Ahh yes. If you were to compare consumption between cpu,gpu,asic at the same hash rates, Asic would consume a fraction of the power for the same hash rate so they would be the best for efficiency. However, as noted, farms of ASICS typically do consume far more power than any other large scale mining outfits. |
The power consumption I mentioned earlier is what it takes to compute a single PoW hash which is necessary every time a node verifies one block. Let's say it takes The power consumption for some ASIC or GPU devices has nothing to do with this discussion. Let's say an ASIC consumes |
I don't quite agree with this argument. Regarding accuracy, floating point for GPUs in the early days was not very accurate (but is fixed by now, https://stackoverflow.com/a/12111435). I think this is because initially GPUs were developed to improve graphics capability which is useful for gaming. Over time, people started to use GPUs for general purpose computing and demanded accuracy, so it got later improved. The point I'm making here is that even inaccurate computation is acceptable as long as there's a demand in the market. I don't see mining as some completely different kind of task compared to other tasks. |
I disagree. A CPU contains various components of different degrees of capability (core, cache, etc) in a particular layout such that the average computational task can be best performed. If a PoW algorithm utilizes only some part of the entire layout, an ASIC designer can drop the unused part and direct money to improving the efficiency of the parts needed by the PoW. In order to force an ASIC to become exactly the same as a typical CPU, the PoW needs to be designed to make use of the entirety of the CPU's components with the exact same (relative) degree of workload for each component. Designing SHA-256 ASICs was relatively easy because the function is straightforward and compute-intensive. Designing CryptoNight ASICs was also not so hard because the function is still fixed and only needs a good cache capacity. Designing RandomX ASICs seems relatively hard, but I expect it to be quite possible because it's still some very specific process vastly different from the average computational task, such that there should be a large room for dropping unneeded parts and investing in what's needed by the PoW. |
You could say the same thing for other workloads. Likely gaming would benefit, to some extent, from a different layout or different set of components. Likewise office computing. Likewise media processing. But for the most part you don't see those products existing. It costs too much relative to the billions of dollars that already goes into designing a (mostly) single product that gets reasonably good performance across a range/cloud of usages. Further microoptimizing does not pay in terms of the added engineering costs and reduced production volumes.
No, because typical computing workloads already do not use the entirety of all CPU components, especially not with the same relative degree of workload, and we see that it does not pay to design and build many different chips for different workloads (at most, we get a few small variations with different number of cores, etc.)
Only to the extent there is enough of a gain here to justify designing and manufacturing a separate product in smaller quantities. For example, many workloads are very light on floating point, some may be light on cache usage, memory bandwidth, etc. There are many other examples. It doesn't pay (as it did in earlier years of computing) to build CPUs without floating point. In fact, even in cases where CPUs are built with less cache or fewer cores, sometimes this is done by soft-locking them solely for market segmentation purposes, rather than actually designing and manufacturing a separate optimized chip.
The goal of RandomX is to not have the task be vastly different from the average computational task, but inhabit some point in the workload space that is relatively close to the others. Each randomX hash attempt is supposed to imitate at least some typical computational tasks in some broad sense in terms of mix of operations, memory references, etc. If it doesn't do that, then it will likely fail. It is likely not perfect, but I simply don't see a strong argument why it can not be close enough and not fail.
Okay, this is another example where it doesn't pay to build two separate products for every specialized application. GPU manufacturers could continue to build inaccurate GPUs for gaming, video rendering, etc. where precise accuracy is not needed, and perfectly accurate ones for general parallel computing, but they don't. There is more to be gained by designing a single product satisfactory to both workloads and focusing engineering effort on it than there would be from specialization. So maybe this is a further argument in favor of ASIC-resistance (or at least not an argument against it). |
The reason why there is no specialized hardware for these daily tasks is, as you pointed out, because there is not enough demand in the market to justify the cost for producing such hardware. And for mining, though this is only my speculation, due to its outstanding importance compared to other daily tasks, the demand will grow to an overwhelming level such that it'll definitely be worthwhile to build dedicated hardware for mining.
I guess there was some misunderstanding. I defined above the average computational task as the global weighted average of all kinds of various computational tasks for common people on this planet, and a typical CPU is (or aims to be) optimized for best performing this average computational task. So by definition, typical (average) computational workload does fully make use of the entirety of all CPU components. This is not an argument, just an axiom I made up for discussion. In practice, I think identifying such an average computational need is quite an ambiguous/undefined problem requiring the full knowledge of the market, but I imagine CPU manufacturers are trying to make best guesses.
Yes, exactly. And I believe the demand will grow exponentially and justify the creation of ASICs.
I completely agree. This is the point I tried to make in my earlier comment.
This is subjective again, but I believe that the demand will grow so significantly that any imperfection of this attempt to imitate makes for a large enough room for optimization and justifies the creation of ASICs. After all, almost all of different options in the cryptocurrency scene are something that cannot be proven mathematically. We don't even know whether PoW blockchain itself is really feasible or viable. For this ASIC resistance vs ASIC friendliness debate, I just want to bet on the healthy growth of the market (i.e. ASICs being commoditized and no 51% attacks occur) rather than on our human being's ability to design some perfectly ASIC resistant PoW in an undefined amount of time. There seems to exist some large enough set of people supporting ASIC friendliness, and I see a definite demand for a SHA-3 CryptoNote. I thought Aeon can serve this demand, but if not due to strong oppositions, a new coin must be created. |
How do you think the demand will grow exponentially? From what source will this exponential demand come from? Aeon clearly doesn't have anywhere close to enough of a market to support an ASIC. Unless a larger coin adopts it (in which case the coin will be at the mercy of 51% attackers from their network), or if there is another massive bull-run bubble, there doesn't seem to be a path to this demand. |
My prediction comes from observing Bitcoin's history. I should also probably rephrase my sentence since 'exponentially' is a mathematical term and may be unsuitable for expressing what I meant: I seriously look for a future where Aeon truly becomes the global currency adopted worldwide, something like what US dollar is today (or even more).
The current market size doesn't matter. Bitcoin was like Aeon for its first few years. I expect the market to grow organically. Again, this is all subjective and speculative by nature. You're free to disagree with me and have different opinions, but you can't deny my perspective conclusively because there are no proofs whatsoever on either side. I just see a legitimate need for exploring a different PoW strategy alternative to Monero's. |
What if this SHA-3 exploration kills a portion of the already small community and makes the coin even smaller? Is there a Plan B? |
Hmm wownero/meta#21 So will Aeon sit around and watch wownero move to sha3 or alike? |
Nope. If SHA-3 Aeon gets 51% attacked all the time and its price crashes to zero and stays there, Aeon dies. Too bad, our experiment failed, despite our genuine belief in success. The same can be said for any cryptocurrencies including Monero and Bitcoin though. Even fiat are not guaranteed to keep functioning (central bankers make promises solely backed by 'good faith'). I see a real risk in keeping ASIC resistance. That approach is already being explored by Monero, so there should be a coin that would explore the other approach. Which one will succeed, no one knows (but probably not both). If Aeon sticks to take the same approach as Monero, I don't see much point in supporting this coin, so I'll move on to something else. |
You have been talking a lot about this "moving to something else". I'm curious, where that would be? |
This is roughly the same thing I have been thinking for some time. I think it's far beyond time for AEON to evolve into something else. |
To stop caring about Aeon and launch a new coin. |
Yes, you are right |
@stoffu We could go back and forth on philosophy but let's just agree to disagree to an extent. Where we agree is that effective ASIC resistance does not exist right now. CN-R is not likely to be strongly ASIC-resistant, even if perhaps a bit better than previous CNs. RandomX is not ready and I have doubts about its first iteration (at least to the extent the first iteration looks a lot like its current in-progress state) being all that resistant. I would suggest that we proceed to the PR stage. There is significant support (definitely more than I originally expected) for it and while there are some disagreeing, I don't believe we can realistically expect nor require unanimity. Further, I don't see any other coherent proposals from anyone willing to do the work, or even really any at all. Those who don't support it are free to continue to use the old chain as some did for a time with Monero, or create their own fork/coin. |
That's a very bad joke :) |
RandomX is actually much broader and harder than your average computational task. It aims to utilize most of the 'useful' parts of the CPU. It scores higher than most other workloads in many metrics such as IPC, power consumption or memory accesses per second.
RandomX has gone through two major changes since its conception, so you could call it the third iteration. Not sure which one you are referring to. If you want to share the reasons for your doubts, feel free to drop a comment in the RandomX repository. Anyways, I hope Aeon can be the pioneer for Monero's eventual switch to Keccak/SHA-3. We'll see how it plays out. |
Hi, I'm one of the people who wrote the FOSS CryptoNight ASIC and thought I'd chime in with a few points. I think ProgPoW will probably succeed in preventing ASICs from being more efficient than the existing GPUs that are already optimized with billions in effort. RandomX has a chance of succeeding as well, but it's much trickier with CPU's. IMHO these PoWs would just hand an ASIC duopoly to the incumbent companies, and long-term I wouldn't be surprised to see an AMD or Intel ASIC for RandomX. No-one else would be able to compete with them. What then? You think they will be "nice?" They have shareholders. Keccak is an excellent choice for ASIC-friendly PoW, not only because it's extremely efficient in hardware, but also because it's easy to implement. That means a low barrier to entry and maximum competition from ASIC manufacturers. ASIC miners have strong incentive to help the coin, as long as their mining hardware can only be used for that one coin. Claims of "mine & sell" are true because miners have operating costs to cover, but overall they need the coin to be healthy or they are the owners of useless bricks. To keep ASIC miner incentives aligned with your coin, you might consider using your own parameterization of Keccak's In any case, Aeon doesn't have the market cap to support ASIC development. There's at least $5m in sunk costs to get any chip off the ground, so the coin needs to be mining something on the order of $50-100m annually before chip makers will take notice. Even if you switch to an ASIC-friendly PoW, I wouldn't expect ASIC's to be built. If moving to Keccak doesn't generate an ASIC market, you should be mindful that FPGA's might possibly supplant GPU miners. For almost every PoW, FPGA's are wayyy too expensive for mining, but since Keccak is especially fast in hardware, FPGA's might actually be economically viable. We synthesized the Athena project's VHDL for Keccak on the Intel (Altera) Arria 10. 
Something like this $410 part would get about 140 Gbit/s for Keccak-1600. Of course it would also need a logic board and system around it. Note that the Athena VHDL is from the SHA-3 Finalist round and has some minor differences from the accepted SHA-3 specification. Anyway, if we assume another $100-200 for system stuff on top of the $410 part, you get something around $3.50 - $4.50 capex cost per Gbps. You can compare to existing GPU implementations. |
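Added example, not part of the thread or of any code posted by its participants: a pure-Python Keccak-f[1600] sponge, illustrating the comment above that Keccak is easy to implement (each round is only XOR, AND, NOT and rotations on 64-bit lanes, which is also why it maps well to hardware). It also shows one known difference between the original Keccak submission (padding suffix 0x01) and FIPS 202 SHA-3 (suffix 0x06); the function names are this example's own, and the thread does not say whether this is the difference the Athena VHDL remark refers to.

```python
import hashlib

MASK64 = (1 << 64) - 1


def rol64(value, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((value << n) | (value >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Apply the 24-round permutation to a 5x5 matrix of 64-bit lanes (lanes[x][y])."""
    lfsr = 1  # generates the round constants for the iota step
    for _ in range(24):
        # theta: XOR each lane with the parity of two neighbouring columns
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4]
             for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate each lane by a fixed offset and move it
        x, y = 1, 0
        current = lanes[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            current, lanes[x][y] = lanes[x][y], rol64(current, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step (AND/NOT along each row)
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: XOR a round constant into lane (0, 0)
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes


def sponge(data, rate_bytes, suffix, out_len):
    """Absorb data, pad with the given domain-separation suffix, squeeze out_len bytes."""
    assert out_len <= rate_bytes, "this example squeezes a single block only"
    state = bytearray(200)

    def permute():
        lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
                  for y in range(5)] for x in range(5)]
        lanes = keccak_f1600(lanes)
        for x in range(5):
            for y in range(5):
                state[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")

    offset = 0
    block = 0
    while offset < len(data):
        block = min(len(data) - offset, rate_bytes)
        for i in range(block):
            state[i] ^= data[offset + i]
        offset += block
        if block == rate_bytes:
            permute()
            block = 0
    state[block] ^= suffix          # 0x01 for original Keccak, 0x06 for FIPS 202 SHA-3
    state[rate_bytes - 1] ^= 0x80   # final bit of the pad10*1 padding
    permute()
    return bytes(state[:out_len])


def sha3_256(data):
    """FIPS 202 SHA3-256: rate 136 bytes, suffix 0x06."""
    return sponge(data, 136, 0x06, 32)


def keccak_256(data):
    """Original Keccak submission with 256-bit output: rate 136 bytes, suffix 0x01."""
    return sponge(data, 136, 0x01, 32)


if __name__ == "__main__":
    msg = b"constructed sample block header"
    print("SHA3-256   :", sha3_256(msg).hex())
    print("Keccak-256 :", keccak_256(msg).hex())
    print("matches hashlib.sha3_256:", sha3_256(msg) == hashlib.sha3_256(msg).digest())
```

Hardware or software built against one padding will not validate hashes produced with the other, so a PoW specification has to name the exact variant.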
professional |
no |
I'm not saying Intel and AMD are perfect, but they are closely watched publicly traded companies. I don't think they could pull off some of the things that private ASIC companies do: imposing arbitrary constraints on the purchase of their products (KYC rules, not shipping to certain countries etc.) or mining secretly with their equipment before selling it. |
already dead, because of mining centralization due to a few highly efficient miners. |
Thanks a lot for bringing up an interesting point; could you elaborate a bit more? What do you mean by 'natural configuration'? What implications does the SHA-3 variant have (other than being just different)? Is it better or worse in some aspects? What makes the SHA-3 variant a drop-in replacement for SHA-2 and why can't other variants be the drop-in replacement? |
@stoffu |
SHA256d ASIC is ~7500 times more efficient. CryptoNight ASIC is ~250 times more efficient. So clearly CryptoNight is more resistant to hardware speedup. And CryptoNight doesn't use DRAM and barely uses the CPU core, so there is further room to close the gap. |
yes, i see bitman sell they used E3 on 250$,my friend want to buy. |
I am a pool operator, and I am for this change. One bonus of SHA3 would be faster syncing for mobile. CN hashes take much more resources and time to complete versus SHA3, which is important for a mobile coin. |
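Added example, not from the thread and not Aeon's implementation: a CryptoNote-style difficulty check driven by SHA3-256, with scrypt standing in for a memory-hard PoW, to show the per-block verification cost the comment above refers to. The header blob, nonce layout, difficulty and scrypt parameters are constructed assumptions, and scrypt is used only because it ships with Python's hashlib; it is not CryptoNight.

```python
import hashlib
import time

# Constructed sample header blob (not a real Aeon block).
SAMPLE_BLOB = b"constructed-block-header:" + bytes(range(51))


def pow_hash_sha3(blob, nonce):
    """PoW hash as a single SHA3-256 call over header || 4-byte little-endian nonce."""
    return hashlib.sha3_256(blob + nonce.to_bytes(4, "little")).digest()


def pow_hash_memory_hard(blob, nonce):
    """Memory-hard stand-in (scrypt, about 1 MiB working set); NOT CryptoNight."""
    return hashlib.scrypt(blob + nonce.to_bytes(4, "little"),
                          salt=b"constructed-salt", n=1024, r=8, p=1, dklen=32)


def check_hash(digest, difficulty):
    """CryptoNote-style rule: the hash, read as a 256-bit little-endian integer,
    multiplied by the difficulty must not overflow 256 bits."""
    return int.from_bytes(digest, "little") * difficulty < (1 << 256)


def mine(blob, difficulty, pow_hash=pow_hash_sha3, max_nonce=2 ** 32):
    """Linear nonce search; expected work is about `difficulty` hash calls."""
    for nonce in range(max_nonce):
        if check_hash(pow_hash(blob, nonce), difficulty):
            return nonce
    return None


def verify(blob, nonce, difficulty, pow_hash=pow_hash_sha3):
    """Verification is one hash call per block, whatever the difficulty.
    This is the cost every syncing node (including a phone) pays."""
    return check_hash(pow_hash(blob, nonce), difficulty)


def verification_cost(pow_hash, blob=SAMPLE_BLOB, rounds=200):
    """Average wall-clock seconds for one PoW hash, i.e. one block verification."""
    start = time.perf_counter()
    for nonce in range(rounds):
        pow_hash(blob, nonce)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    difficulty = 2000  # constructed, tiny compared with a live network
    nonce = mine(SAMPLE_BLOB, difficulty)
    print("nonce found:", nonce, "valid:", verify(SAMPLE_BLOB, nonce, difficulty))
    fast = verification_cost(pow_hash_sha3)
    slow = verification_cost(pow_hash_memory_hard)
    print(f"SHA3-256 verify   : {fast * 1e6:9.1f} us per block")
    print(f"memory-hard verify: {slow * 1e6:9.1f} us per block")
    print(f"ratio             : {slow / fast:9.0f}x")
```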
The point I’m trying to make in this thread is that the efficiency gain for ASICs is a function of the coin’s market value. E.g if Monero was valued at the same price as Bitcoin, I expect there to be much more efficient ASICs with 7500 times or more efficiency gain. Whether a given PoW is more or less resistant to ASICs seems like a pointless discussion to me. |
I made sure that my comparison is apples-to-apples, so I used Antminer S7 for the Bitcoin data. This ASIC is from 2015, when Bitcoin was valued at ~$300, which is about the same as Monero in early 2018. Modern Bitcoin ASICs are more like 20 000 times more efficient than a CPU. Also if your statement was true, we would see much more efficient Ethereum ASICs by now, since ETH has had consistently much higher valuation than Monero. But Antminer E3 is only about 1.5x more efficient than a GPU. Why? Because Ethash is ASIC resistant. Semiconductor tech is not magic. It is still limited by physical laws regardless of the amount of money you throw at it. |
Indeed, sorry for overlooking that.
I can see that as well. Under the same budget for developing ASICs, of course simpler algorithms (e.g. SHA-256) result in larger efficiency gains than more complex algorithms (e.g. Ethash) do. So I'd like to rephrase my previous statement as follows: the efficiency gain for ASICs is a function of the coin’s market value and the complexity of the PoW algorithm. Ethash chose to increase the algorithm's computational cost (i.e. memory requirement) to decrease ASICs' efficiency gains, which I believe is harmful for the whole ecosystem in the long run. Also, Ethash's relatively high degree of ASIC resistance can still be defeated by more advanced ASICs if the ETH market value grows substantially.
Of course there are thermodynamic limits to the efficiency for ASICs as mentioned in Andrew Poelstra's note (https://download.wpsoftware.net/bitcoin/asic-faq.pdf), but the progress in semiconductor tech towards approaching those limits does seem quite magical to me (https://cseweb.ucsd.edu/~mbtaylor/papers/Taylor_Bitcoin_IEEE_Computer_2017.pdf). How can ASICs for such a simple function like SHA-256 keep getting improved over and over? Human beings seem to be extremely good at discovering every tiny opportunity for optimizing machines given enough financial incentives. The more complex an algorithm is, the more likely there exist such opportunities. SHA-3 seems preferable in that its simplicity may allow the semiconductor industry to reach the thermodynamic limit relatively quickly. |
Closing as #108 was merged |
(Original post: https://www.reddit.com/r/Aeon/comments/aw2xhn/proposal_to_switch_to_sha3_proof_of_work/)
I believe now is the right time for Aeon to become ASIC friendly by switching to SHA-3 PoW (the most recent Secure Hashing Algorithm standardized by NIST). Below I'll try to explain why:
There is no such thing as ASIC resistant PoW.
Whether someone creates an ASIC or not is not determined by how technologically difficult it is to do so, but how economically sensible it is to do so; i.e., when a coin gets more adopted and the price rises, ASICs will appear no matter what.
Below is a quote from Bitcoin StackExchange which makes a good point:
https://bitcoin.stackexchange.com/questions/62336/why-did-satoshi-design-bitcoin-to-be-mineable-only-on-specialized-hardware-if-t#comment71658_62339
For every supposedly ASIC resistant PoW (scrypt, CryptoNight etc), ASICs have been created at some point when the coin became sufficiently large. An often seen argument is "CryptoNight was good at resisting ASICs because it survived the first 3 years without ASICs being developed", with which I disagree. CryptoNight ASICs weren't created for the first 3 years simply because the market was too small; it wasn't worthwhile to develop CryptoNight ASICs.
Currently RandomX is receiving a lot of attention as being (almost) truly ASIC resistant by making PoW even more complex, but from the past experience and from logical reasoning, I have no reason to believe so.
Importance of protocol stability:
As a coin gets more widely adopted (and the price goes up), there will be more participants in the network (users, exchanges, merchants, pools, etc), which makes it more difficult to do hard forks (i.e. to force everyone to upgrade their software). Monero's 6 month fork schedule is already becoming almost unworkable due to the sheer network size, and I think they'll be forced to change this policy rather soon.
Imagine a hypothetical future where one particular crypto coin becomes a globally adopted world currency. That coin cannot do hard forks every so often; maybe once every two years is already too much. Ideally, at some point, the protocol should become absolutely stable and require no more hard forks at all.
With this in mind, I immediately see ASIC resistance being incompatible with this future, because hard forks (PoW changes) are rather frequently needed due to ASICs getting created faster and faster as the coin grows. ASIC resistance cannot be a sane strategy for a winning cryptocurrency.
Importance of switching now:
Going from ASIC resistant to ASIC friendly is such a radical change, and a strong opposition is naturally expected from many of the community members who have been supporting ASIC resistance. A compromise solution suggested by @iamsmooth is to adopt CryptonightR which Monero will switch to in the next upcoming hard fork. I think the reasoning is that CN-R is expected to be somewhat better at resisting ASICs and not much more computationally expensive than the previous CN variants (unlike RandomX), so we can wait and see how successful this will be before going full ASIC friendly.
Initially I felt OK with it, but I became unsatisfied after a while of thinking for these reasons:
Arguments for ASIC resistance and their counterarguments:
SHA-3 is the perfect way for Aeon to differentiate itself from Monero.
This change is radical but not stupid. Many people in the Monero community would be curious how things will play out for SHA-3 Aeon. This will surely also attract a lot of attention from the wider crypto community because Aeon will be the first CryptoNote coin that deployed SHA-3. I believe this is a very good opportunity for marketing as well.
Please discuss.