Zcoin's Stance on the ASIC Resistance Arms War

in #zcoin6 years ago (edited)

ASIC_resistance_article-01.jpg

There's been a hot debate as to whether ASIC development for any algorithm is a futile effort and that an ASIC can be developed for any algorithm. This is definitely partly true since CPUs and GPUs are generalized computing units that are designed to do a variety of things and therefore ASIC specialization can always lead to gains. David Vorick from the SIA team made an excellent post and a powerful argument detailing why he thinks ASIC resistance is futile and that monopolies are the eventual outcome of Proof of Work systems.

Some of the important arguments he makes are :

  • Flexible ASICS can be designed that although will be less efficient will still outperform GPUs
  • You can merge computational and storage portions of the chip greatly increasing performance so even the use of memory is not necessarily a hindrance to ASIC development
  • Even scheduled hard forks can be answered by flexible ASICS if the algorithm changes are only parameter changes
  • Drastic hard forks will just make ASIC development go secret
  • Algorithm developers often underestimate ASIC developers

His key takeaway is for any algorithm, there will always be a path that custom hardware engineers can take to beat out general purpose hardware. It’s a fundamental limitation of general purpose hardware.

Is ASIC resistance still worth pursuing?

We believe that despite the technical challenges above, ASIC resistance is still worth pursuing. Although recent developments may indicate that companies like Bitmain can roll out ASICS for almost any algorithm, we doubt that the real boundaries of how far ASIC resistance can be taken have been tested. Flexible ASIC designs are quite rare and have been only for relatively simple hashing algorithms.

There are many benefits of ASIC resistance that make it still a goal worth pursuing:

  • Better distribution especially if CPUs can also mine alongside GPUs at a reasonable profit since custom hardware is not required and people can mine with existing hardware. In a cryptocurrency, distribution is perhaps one of the most important things and enabling users to get Zcoin without having to buy specialist hardware or go to an exchange is a powerful distribution mechanism.
  • ASICS put mining out of reach for the average user. ASIC monopolies mean that even if an ASIC is widely available to the masses, they would only be sold at a price that makes sense to the manufacturer to do so instead of just keeping it to mine themselves. This means the average user will always be at a disadvantage. We can see how Bitmain could alter its price of its Ethereum ASIC from 800 USD in the first batch to 2150 USD in the second batch meaning that its cost price is many times lower.
  • Censorship resistance. It's easier to ban the import of ASICs as opposed to banning GPUs/CPUs. This has happened in Venezuela.

ASIC resistance is akin to an arms race as a battle between algorithm designers and ASIC designers and it is our opinion that it is premature to throw in the towel.

This is not because companies like Bitmain are evil as many would like to paint them, they are simply pursuing profit and cannot be blamed. They are extremely good at what they do and no other manufacturer has come close to developing such a wide breadth of ASICs in such a short space of time and being able to bring them to market quickly and effectively.

So what about MTP?

Zcoin is set to be the first coin to have a working implementation of MTP with a stated goal of a good combination of ASIC resistance, anti-botnet and performance. Although we agree that specialized hardware will always beat out general hardware, the idea is of course to make the development of such specialized hardware as technically difficult and as costly as possible to the point that effective ASIC resistance is achieved and there is an upper limit to how much gains an ASIC can achieve.

There are certain features of MTP that makes it more challenging than existing algorithms to develop an ASIC:

  • its large use of memory. MTP can use memory anywhere from 2 GB to 8 GB. Although the original paper described the use of 2 GB of RAM, we believe for future proofing, it makes sense to increase this to 4 GB of RAM in our implementation. This size is large enough to make the use of SRAM or eDRAM unfeasible at this point in time. This compares favorably to Scrypt's use of 128 kb of memory (as used in Litecoin) or Cryptonight's use of 2MB (as used in Monero).
  • MTP can be implemented in such a way that MTP memory capacity can be a function of the current difficulty and the block number if required that we foresee will greatly increases the development cost of any ASIC.

The post from David Vorick acknowledges that the cost of development of a flexible ASIC is much higher than an inflexible one.

We foresee that although we are launching MTP, this may not be its final form and may be subject to further improvements.

What about Equihash?

An Equihash miner the Z9 mini was recently designed by Bitmain and slated to launch in June.

This has lead to criticism on Equihash as to how such an ASIC could have been developed so quickly. This was actually foreseen early on as elaborated in Solar Designer's analysis of Equihash and similarly Alex Biryukov, one of the authors of Equihash and also MTP also indicated that he felt that the parameters were set too low.

There were certain design decisions taken by Zcash in choosing the weaker parameters namely that they wanted to allow smartphones to mine (a goal which we feel is not worth the shortening of life to the phone) and also the inefficient code for the solvers at the time which required the downgrade to get mining working at a reasonable speed. However with the development of better solvers, even in 2016, there were calls to adjust these parameters. The choice to stick to those parameters inevitably hastened the development of Equihash ASICs because of the parameters chosen by Zcash and subsequently adopted by all other coins using Equihash.

Another criticism by David Vorick, was that in Equihash 'the manipulations that you need to make to the data are simple enough that you can just merge the memory and computation together'. However Alex Biryukov also indicated that when designing Equihash and MTP, they had always assumed that memory and logic can be intertwined in an ASIC when designing Equihash.

What about Ethash?

Unlike MTP which requires the memory to be written at every single block, Ethash allocation of memory (around 4 gb) happens only once every 100 hours and is then untouched until the next epoch (30,000 blocks). This makes it easier for mining platforms with low write speeds. Generally it is always faster to read memory than to write to it.

Ethash was meant to be an ad-hoc scheme and there hasn't been any analysis as to whether it can be done with less memory. The current generation of Ethereum 'ASICS' released by Bitmain aren't significantly more efficient than existing well tuned GPU solutions and Vitalik Buterin has a suspicion that they are merely general computers that have all unnecessary parts stripped out. Bitmain has also encountered problems with lesser than expected performance from its circuits which lead to delay in its roll out and it has yet to be seen whether these Ethash miners will meet the advertised specifications.

Despite this, David Vorick's post indicates that Ethash is the most ASIC resistant algorithm he has seen thus far (we understand he hasn't taken a look at MTP yet) which indicates that even with an ad-hoc scheme, a good degree of ASIC resistance can still be achieved.

Takeaways

Although we agree that ASIC manufacturers have made huge gains in designing and bringing to market ASICS for algorithms previously viewed as ASIC resistant, our opinion is that it is premature to declare that the ASIC resistance wars are dead. The recent rollout of ASICs for Equihash and Ethash are not nails in the coffin but merely ups the ante for algorithm designers.

Bringing MTP to a working implementation would encourage greater research and development into ASIC resistance and we understand other groups are continuing to put research into this area as well. Ad-hoc hard forks although effective in the short term would only encourage ASIC manufacturers to go underground and develop and roll out in secret and as such we are more in favor of addressing ASIC resistance from a technological standpoint as far as possible.

Links

Zcoin website
About MTP
Youtube explanation on MTP