Early ASIC Mitigation Hardfork

[AirSquirrels]

Pull request based on the conversation in #958

[pipermerriam]

READ THIS

This pull request is for a technical focused discussion of the proposed changes in this EIP. Comments which stray from this guideline or which do not contribute to the discussion may be deleted.

[pipermerriam]

@AirSquirrels can you explain the addition of the new header field EthhashVersion. I think I understand it's intent to add versioning semantics to the block seal, however it seems like it's not entirely needed as the block number (and corresponding active fork rules) should be sufficient for a client to know what seal verification algorithm to use. Can you explain your thinking on this.

Also, can you verify that your intention is for this to be a new RLP field and not just an extra computed field that the JSON-RPC returns.

update

I'm apparently a poor reader. I see your explanation now under the Agent Changes section.

It might be nice to mark the Node Changes and Agent Changes sections as variants or optional additional changes. There is a core change which is the new ethashV2 algorithm, and then potentially some additional options.

1. Add ethashV2 and the change to the block header.
2. Add ethashV2 and change the return value of getWork to include a new field indicating the ethash version (which could be computed by the node rather than being a new header field).
3. Add ethashV2 and the header change and the getWork change.

[AirSquirrels]

@pipermerriam This was a forward compatibility consideration, although active fork rules could handle future changes in EthashVersion for future block numbers as well. I don't believe it would need to be an RLP field, it could be moved to only a GetWork flag.

My reasoning is not all chains based off ETH would necessarily want to disable ASICs, and requiring individual miner developers to be individually configured for EthashV2 vs. Ethash as opposed to a node dictation of version seemed prudent. I see your point - simplicity could be had by only relying on the block number.

Might I suggest ethereum/go-ethereum#2333 be implemented in that case? The seed hash pre-calculation hack to determine epoch is an annoying quirk of miner development.

[MicahZoltu]

Should read: "and probably actively mining"

I also recommend rewording to say, "and may be actively mining with that hardware". EIPs are not the place for speculation, and the only "facts" we have are that there is one company actively selling pre-orders for an EthHash ASIC.

[MicahZoltu]

"Poison" should be lower case.

[MicahZoltu]

Recommend rewording this to:

modifying the proof of work algorithm in a manner that may break existing ASICs.

Once again, EIPs are not the place for speculation, and until we know exactly how ASICs are functioning we cannot assert with any confidence whether or not a particular change will break anything. For all we know, the ASICs being sold are just second hand GPUs mounted together in a box.

[cryptomined]

not at 800$ buddy.. we know for certain they are not GPUs mounted together in a box!

[MicahZoltu]

Production of GPUs also has a high barrier to entry. The provided argument does not effectively explain why ASICs are bad and GPUs are good. Recommend refining this to provide a more clear argument for why ASICs will lead to centralization.

[cryptomined]

" more clear argument for why ASICs will lead to centralization" in every instance that an ASIC has been produced, it has led to a greater degree of centralization. no need to create an argument on something that is common sense these days... this is not pre-bitcoin ASIC days

[MicahZoltu]

Data showing that the introduction of ASICs into a crypto-currency has increased centralization is a reasonable argument. However, that needs to be shown with data not "just common sense" and that needs to be explicitly stated. What is here now is simply incorrect.

[cryptomined]

what kind of data?

"“Jihan does have a lot of control for now, and much of that is simply due to mining centralization. As Bitmain is so vertically integrated, from selling ASICs, to operating mining farms, to running mining pools, he can prevent network upgrade and attempt to hijack the Bitcoin brand with things like Bitcoin Cash," Mow said."

https://cointelegraph.com/news/bitmains-mining-monopoly-compromises-bitcoins-decentralized-nature

[MicahZoltu]

Data showing a statistically significant correlation and causation between introduction of ASICs into a crypto-currency and an increase in centralization. I have seen a lot of correlation claims, but none backed up by data that gives a reasonable argument for causation other than "it feels right". When it comes to reality, there are often things that feel correct but turn out not to be.

Keep in mind that miners do not have a meaningful vote in which direction a hard fork goes. Economic participants make the decisions as to which fork survives and thrives, it only takes a single miner (until PoS, when it takes 0 miners) in alignment with economic participants to keep a fork alive.

[MicahZoltu]

Ethereum's PoW algorithm was designed to be ASIC resistant and it is ASIC resistant. It has not failed in achieving its stated goals in any way. Recommend removing that line as it isn't relevant to whether we alter the algorithm now.

[MicahZoltu]

It is incorrect to interpret brigading on GitHub issues as "strong support". Ethereum currently doesn't have a mechanism for determining actual support of an issue outside of the forking process. Recommend removing the claims of "strong support" as they are not verifiable and may not actually be correct.

[AirSquirrels]

Agree, proposing "Ethash remains ASIC resistant, however ASIC manufacturer technology is advancing and ethash may require further changes in order to remain resistant to unforeseen
design techniques. This EIP seeks explicitly to buy time during which newly developed
ASIC technology will face a barrier while more long term mechanisms to ensure
continued ASIC resistance can be explored."

[MicahZoltu]

For us to need to rush this the following need to be true for a single entity:

1. It has the capital necessary to take over 50% of mining.
2. It is capable of manufacturing an ASIC itself (without leaking design).
3. It has the manufacturing infrastructure available to manufacture enough ASICs to take over 50% of Ethereum hashing power (a little less technically since as it takes over margins will go down forcing some people out).
4. They have the manufacturing infrastructure from (3) at such scale that they can rapidly build and deploy this.
5. They are willing to invest all of that capital into Ethereum mining with the knowledge that Ethereum is eventually moving to PoS and their hardware will eventually become worthless.

I find it unlikely that any single entity meets all of these requirements, thus I do not see the need to rush this.

[cryptomined]

where did these requirements come from???

[pilsy]

Considering the change is fairly trivial and bitmain has been proven time and time again as a bad actor i see no reason to delay

[MicahZoltu]

Forking is a complicated process and should not be taken lightly. It requires a massive amount of coordination. On top of that, changing the PoW algorithm requires implementation in multiple clients, which means multiple languages, along with testing, and cross-client testing. Along with all of this it needs to be audited by experts to ensure that it cannot be trivially gamed (this is easier for a small tweak than an entirely new algorithm).

30 days from EIP to fork is an extremely tight deadline and will require re-allocating many resources away from other tasks in order to take care of everything. Normally, time between EIP and fork is on the order of quarters to years.

[MicahZoltu]

@cryptomined They come from reality. 😄 It is not free in either capital or time to take over Ethereum mining. With the current hash rate taking over is not something anyone is likely to do overnight.

[AirSquirrels]

For the sake of argument, a cost analysis suggests bitmain could likely cross threshold to execute a 51% attack with about $300-400 MIllion in hardware. Analysts data suggests they do have that kind of capital available, and also arguably the manufacturing capability if all resources had been devoted to such an effort. I also find such an attack extremely, but they are one of very few entities that could. In these types of scenarios we have to consider every option where’s the risk of inaction, however small the chance, greatly outweighs the cost of action.

I don’t believe a 51% attack is necessary to significantly damage Ethereum either. A single player visibly gaining a large stake can serve to drive down mining interest through discouraging actors as well as profitability below the level where most can afford to proceed based on power costs, leading to heavy geographic centralization. This may be inevitable on a long enough time scale, but the concern is POS isn’t ready to take the reigns yet.

Finally, there is an argument to be made that rapidly executing this fork allows us to gather definitive data on the current concentration of dedicated hardware on the network and better assess this risk. Delaying too long (assuming the change would happen at all) opens a new lower cost scenario risk. There could be enough time for such an entity to replace their ASIC hashpower with programmable or commodity hardware hashpower long enough to convince the world they don’t exist. I’m not much for conspiracy theories but we have to consider all possibilities.

I also must make my personal stance clear. I am against hardforking for the directly evident current risks, but there are unknown risks. Thus I believe if we should hardfork the cost needs to be lower than the worst case of the unknown risks. This pull request meets that criteria.

[cryptomined]

oh it's just common sense then? i thought we needed data... well they have probably taken over 30%+ already.. maybe more. waiting too long will allow them to take over more than 50%.. is that worth the risk?

[pilsy]

@AirSquirrels nailed it.

[AirSquirrels]

@cryptomined if we are attempting to keep the discussion technical, Bitmain would have to have pre-produced 250,000+ E3 miners to take account for even 20% of the current difficulty, at costs of at least $100,000,000. If those gradually came online since December at even pacethey wouldn’t have even paid for their miners yet. The R&D alone certainly cost $10M + before mass production would even begin. I don’t think they have that level of production capacity while maintaining shipments of all their other miners. Infact, all their other miner shipments combined for that period barely reach that number.

[MicahZoltu]

I think the argument trying to be made here is along the lines of:

ASIC miner production is likely to be done by the people doing the mining, unlike GPU production which is done primarily by resellers who do not use the GPUs (in mass quantities) themselves.

I would like to see some data to back this up if it is true. If ASICs are produced and sold to the general public then ASICs are not a problem as it doesn't lead to centralization. If ASICs are produced and then used (without being sold publicly) then ASICs can lead to centralization if they are a big enough improvement over GPUs (which are sold publicly).

[AirSquirrels]

Many risk arguments exist around single supplier scenarios as well. Backdoors are possible, leading to future 51% attack risks.

The data is a difficult ask, given that Bitmain mines in secret there is no way to know for certain. The only probable data is that the miner exists. The closest to data we could get would be from the results of the hardfork. I might suggest watching Monero’s hashrate this weekend as a possible canary in the coal mine.

[Arachnid]

This isn't a descriptive title. Suggest "Modifications to ethash to invalidate dedicated hardware implementations".

[jamesray1]

Perhaps "Modifications to ethash to invalidate existing dedicated hardware implementations"

[Arachnid]

Please rename this file to eip-969.md and assign it number 969 here.

[Arachnid]

This should be a URL to somewhere people can discuss the EIP in general (this PR will only serve as a discussion venue so long as it's open, and we're moving towards merging PRs as soon as practical).

I suggest opening a discussion thread on the Ethereum Magicicans forum, or an issue in the EIPs repository, and linking to it from here.

[Arachnid]

You're missing a colon here.

[Arachnid]

How? Suggest "This EIP modifies ethash in order to break ..."

[Arachnid]

I would suggest making it an "algorithm" field, instead, with an algorithm name and version. If a new field is to be added, it makes sense to make it as versatile as possible.

[AirSquirrels]

It can be an Algorithm field in the block, however GetWork returns unnamed values and parity already defines a 4th (block number). I would propose adding block number regardless, and defining algorithm as an optional 5th value of getwork. Would you like version as a 6th? Or algorithm as “ethash2”?

[Arachnid]

Since different versions of the same algorithm can't be compatible, I don't think there's any point in having separate name and version fields - just a name field should be enough.

[trustfarm-dev]

I think FNV Prime change's are main change on this proposal.
It is simple, if FPGA based miners will easily catch-up.
I think more different ways of MIX algorithm change's make more time, Registance to ASIC vendors.

[Arachnid]

What's the rationale behind adding this?

[AirSquirrels]

In short, it is 6th isolated usage of FNV but there isn’t another ideal FNV constant other than the already selected constant.

[Arachnid]

I'm asking about the "Node Changes (Optional Variant)".

[AirSquirrels]

I believe I’m going to drop that from the EIP completely. I originally had thoughts that we needed to preserve the Algorithm in the RLP on the block chain as well as a computed Block header field for GetWork. @pipermerriam pointed out that the block.number check in VerifySeal and Mine is sufficient.

[jamesray1]

incompatable -> incompatible

[AirSquirrels]

This is what I get for using vi without spell checker. Grammar fixes incoming.

[jamesray1]

I suggest "Modifications to ethash to invalidate existing dedicated hardware implementations"

[jamesray1]

seperate -> separate

[jamesray1]

Could you also give more information, e.g. as per #958 (comment)?

[AirSquirrels]

Can you clarify the more information from #958? A lot of 958 discussion is now deleted.

[Arachnid]

I didn't delete any useful discussion on #958, just "Me too" type comments. @jamesray1 is linking to a particular comment there.

[jamesray1]

Sorry, can you introduce GetWork more clearly?

[jamesray1]

as suggested in... The algorithm...

[jamesray1]

probabalistically -> probabilistically

[jamesray1]

algorithm, while accepting

[jamesray1]

Other suggestions have also been:

Ari points out that there are off-the-shelf solutions such as Argon2, Equihash of Zcash fame, and Balloon Hashing.
https://twitter.com/el33th4xor/status/981292363627810818

[jamesray1]

has been [MurmorHash3](https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp).

[jamesray1]

I think the next step is to seek commentary from experts in this subject matter on ASIC-resistant, memory-hard hash functions and ASIC resistant PoW algorithms, specifically on how likely it is that this proposed change will render the Bitmain E3 miner ineffective.

https://twitter.com/JamesCRay01/status/981553711871770626
P-H-C/phc-winner-argon2#249

[Arachnid]

Please advise when you're happy to merge this; we're trying to move to a model where we merge drafts quickly and direct discussion on them to a permanent location.

[jamesray1]

Yes I'm happy to merge this as a draft.

[AirSquirrels]

I’m happy to have this merged as well

[pipermerriam]

Big thanks to @MicahZoltu @jamesray1 and @Arachnid for your review and help moving this through the process.

[jamesray1]

Yes, thanks Micah and Nick, and a big thank you to you too Piper for facilitating this, and to Dan for writing this!

[jamesray1]

Should we lock the discussion on this now?

[jamesray1]

Looking at http://eips.ethereum.org/EIPS/eip-969 it seems that the URL is not automatically rendered as a clickable URL. So may you please change this to purchase [here](https://shop.bitmain.com/product/detail?pid=00020180403174908564M8dMJKtz06B7).

[pipermerriam]

I don't think this needs to be a clickable URL, and I think it's actually better if it isn't.

[jamesray1]

Haha, for this Bitmain shop link one, fair enough.

[jamesray1]

[Other suggestions have been made](https://twitter.com/el33th4xor/status/981292363627810818). [Argon2](https://github.com/P-H-C/phc-winner-argon2), [Equihash](https://blog.z.cash/why-equihash/) of Zcash fame, and [Balloon Hashing](https://crypto.stanford.edu/balloon/).

[AirSquirrels]

AirSquirrels@2a53059

This PR has already been merged, so I'm not sure if I should create a new PR for the edits?

[Arachnid]

Yes, you need to create a new PR. It'll be automatically merged by the bot as soon as you submit it and the build passes.

[jamesray1]

I actually think that using https://github.com/tromp/cuckoo is very much worth considering / further analysis instead of this, as the implementation is only 42 lines, and the readme makes striking claims.

[CryptoBlockchainTechnologies]

I had given a suggestion the otherday of using Equihash algorithm. I have since reconsidered and I think you guys are on the best track....to make a small change in the existing Ethash algorithm. The reason for my change of heart is I am worried Bitmain already has ASICs designed for EVERY published GPU algorithm. They are simply waiting for the price of coins mined with those algorithms to go high enough for them to mass produce, mine, sell coins, then sell miners once their production is ramped. You guys are going in the best direction. Do not trust any published algorithm. Finally, I am not sure if this is possible and if it is might be very controversial. For the long term solution you should consider developing a hybrid algorithm and not releasing the code. This should buy Ethereum enough time to roll into full POS without wasting more time on this again.

[rufus210]

Cuckoo is likely not ASIC-resistant. Weaknesses pointed out 4 years ago have never been addressed:
https://da-data.blogspot.com/2014/03/a-public-review-of-cuckoo-cycle.html

[jamesray1]

@rufus210, thanks for that link! It seems like a reasonable critique. I left a comment asking for review of this proposal here.

[AirSquirrels]

@jamesray1 I also wanted to mention that while Cuckoo has had striking claims, there is a known optimization to the the initial interesting routes pruning step. I believe that's similar to the analysis @rufus210 posted. I'm looking for the link I read in my notes.

[vbuterin]

I would say it would be better to change the fnv not just for mix aggregation, but also for random selection (ie. in p = fnv(i ^ s[0], mix[i % w]) % (n // mixhashes) * mixhashes in the python code here). It may also be worth changing the number of ACCESSES.

[AliAshrafD]

@vbuterin what's the catch for this sort of tweaks? Is there any evidence to support you guys' (implied) assumption that it is all about som combinational circuit somewhere to be neutralized by some random tweaks to the algorithm? I have argued against such a naive perception in my comments above and I'm absolutely sure that blind algorithm changes won't help a bit. Alternatively, I have more comprehensive analysis and counter measures for the attack to present, if there is a commitment to resist, from the news I'm not convinced it is the case tho.

[AirSquirrels]

@AliAshrafD we have been discussing explicitly disabling existing hard ASICs in these changes, not more in-depth changes to prevent future chip design or mitigate theoretical programmable logic.

Can you provide your evidence for being “absolutely sure” it won’t help? Information I have does strongly suggest the current batch is not based on programmable or configurable chips. We are not trying to work on guesses or assumptions here.

[AirSquirrels]

@vbuterin I had also included the random selection FNV, infact I had reserved the strongest constant for that purpose as it is the most sensitive area. Did you have rationale other than changing another factor for increasing number of accesses? My view was that increasing accesses would affect both GPU and ASIC logic similarly, given that it would only increase memory bandwidth.

I had offlined the suggestion that we could switch the Keccak hash to the final SHA3 as well. If the full Keccak/SHA3 pipeline is in hardware changing the message delineation byte (the sole change from Keccak to SHA3) would render hardware SHA3 disabled even on an otherwise programmable chip. On the other hand if only the individual Keccak Round is accelerated this would be easily changed in software.

[AliAshrafD]

@AirSquirrels I am strongly convinced that E3 is programmable because:
1- Bitmain claims it can tolerate algorithm changes and is selling hardware with this promise
2- The J/H index reminds me of a gpu rig while I expect at least 100 times or so better ratio by an ASIC attack
3- In its official announcement on the web site, Bitmain does not claim E3 to be ASIC, it never mentions any ASIC chip (even code named).

So, I have to declare E3 not to be an ASIC attack, it is definitely a shared memory attack in architectural specifications of the hashing board, simply because it is the only vulnerability for Ethash that opens doors for specialized hardwares (not necessarily circuits printed on chips) attacking the network.

Finally and most importantly, it doesn't matter you find my analysis persuasive enough or not!

A hard fork is a hard fork, isn't it? People should upgrade and it is a 'hard' process to go through, no matter how deep is the fork and what it actually is about.

As a programmer I never do a trade off between the risk of side effects and the risk of missing the purpose. My priority is always the purpose because I have full control over my code and can do it in a reliable, clean way and for the god sake, we have testnet and a thousand eyes watching and reviewing every single line of our code.

Forgetting about side effects, what other factor may discourage us to take care of the shared memory attack vulnerability? I have a very interesting idea with minimum potential for side effects. we can include this EIP's tweaks as well (i,e, I will preserve Ethash mostly) doing this we can mitigate both attack scenarios.

[Arachnid]

1- Bitmain claims it can tolerate algorithm changes and is selling hardware with this promise

Where do they claim that? The product page even says:

. There are financial risks associated with mining cryptocurrencies. These risks can be related to changes in exchange rate of the cryptocurrency or to changes in the algorithm that is used to mine the cryptocurrency. Please deliberate well before making a purchase because we will not accept any requests for refund for orders of this batch.

2- The J/H index reminds me of a gpu rig while I expect at least 100 times or so better ratio by an ASIC attack

How?

So, I have to declare E3 not to be an ASIC attack, it is definitely a shared memory attack

What is a "shared memory attack"?

[AirSquirrels]

@AliAshrafD I certainly appreciate all your information and discussion, however I do continue to find a lot of speculation and not evidence based points in your response.

1. Can you cite this claim? I can not see this in any of Bitmain’s documentation. On the contrary, their listing explicitly warns purchasers that there are risks that could affect the purchase, including algorithm changes.

2. This line makes me ask what level of analysis you have done on ethash? ethash is a memory hard algorithm, and the power budget is associated with memory access. This power does not change significantly for ASICs, as they are also required to have memory access. The power savings are entirely from performing the bookend KeccakHashing in hardware, and that is a small amount of savings overall.

3. I have many sources in the supply chain that have indicated otherwise. I understand this is also speculation, or at least unconfirmed, however there is a strong indication that the E3 uses an ethash specific non-programmable ASIC in 28nm. The alternative is the use of their Sophon IP, which is still too expensive at those performance numbers. We also can not be sure till physical hardware is in hand, and at that point we still may not be sure unless someone analysis the chip with a scanning electron microscope. What we do know is this is Bitmains own chip. The have previously sold Gx miners with GPUs and have advertised those as multi-algorithm.

4. You have mentioned several times a shared memory attack architecture but this type of attack is infeasible at 180MH. You can not get extra bandwidth out of memory chips by sharing them, and the DAG is sufficienctly large that the likelihood of two ethash pipelines needing the same element at the same time does not begin to appear until you have around 20 million such pipelines, each of which needs around 200 bytes of state itself.. As such, even a massive shared memory controller with access to 1 TB/s HBMesque memory will only achieve 128 GH and would require quite a bus to facilitate amongst many worker chips. While the Titan V and Vegas fail to saturate their HBM bandwidth due to insufficent ethash pipeline depth to obscure latency, they only fall short by a small percentage. Such HBM bandwidth is also quite expensive compare to commodity memory chips - It is far cheaper to just build individual mining units consisting of a core ASIC/controller and dedicated memory. This is how the E3 is built, with simply a large number of 10MH or so cores, which do not require anything exotic outside of dedicated silicon. There is no reason Bitmain should spend more on parts when they do not need to.

[AliAshrafD]

@Arachnid , @AirSquirrels Bitmain is a sophisticated player, and it is a high stake game. Right?
They have not announced officially (in their site) anything about ASIC, yet you are playing ASIC game with them.
I deliberately made the argument about E3 being reprogrammable on behalf of Bitmain because this is what they have 'induced' to buyers by means of rumors and unofficial campaigns just like what they have induced to you about E3 being ASIC.
The latter induction is just as reliable as the first one. I confirm the first (as it is just what a greedy company does when it comes to sales, they can't help it) and reject the latter (as it serves well their purpose to hide behind dusts and fog).
Also, It is worth mentioning that this EIP has officially accepted the 'programmability' of E3 as a definite possibility, and a drawback to the proposal hasn't it?

As of my efficiency argument: @AirSquirrels's perception eventually leads to a general purpose ASIC-like 'thing' that fetches memory to its registers and does some operations (probably using a mega opcode instruction set like _doHashimoto) supported by specialized circuits for the algorithm ...
Then what? It is just the inner instructions of the main loop that are somehow implemented as a single giant opcode but this loop should be supervised by a controller which enjoys conditional jumps and logical and mathematical operators to find next memory address to be fetched and .... oops! It is a GPU! OEM branded for instance.,.
My assumption? It is just a legacy gpu, nothing more. No need for any fancy enhancement by means of a specialized, custom made gpu at all. Bitmain is just using a bunch of cheap gpu chips. This is it!

Regarding my analysis of this attack to be of a shared memory class, I have already described the big picture for a possible schema based on a critical argument:
"The current situation with DRAM bandwidth utilization with gpus is not that much of a bottleneck you guys suggest."
And yet, we are talking about a 2-3 times cost effectiveness...
A modern gpu installed on a graphical card can hold thousands of cores accessing the same DRAM without saturating the bus, huge advances have been made in the field and it is why we are experiencing higher and higher hashrates for a single gpu (Titan V can go up to 80 MH/S, stable) .
Now suppose we got 2 boards with an state of the art 4 GB DRAM bank and a specialized buss controller capable of feeding memory access for a modern 6000 cores gpu running Ethash (totally feasible) installed on each board. we can now instead of a super expensive GPU with that much of cores will buy (or build) 12 cheap gpus each with only 1000 cores on die(<$15 imo) . With taking care of some synchronization problems, we can feed all those gpus and run the algorithm with 12000 cores! I guess a 200 MH/S hashrate is absolutely practical for such a confguration and yet the cost won't break $800 barrier! (less than $200 for gpus and less than $600 for both boards with RAMs and other stuff).

I admit that I have to describe more. The problem is with my time zone and me being kinda exhausted right now, will be back on this tomorrow, my apologies.

[AirSquirrels]

@AliAshrafD Again I appreciate all your insight. I believe Bitmain designed and initially produced the E3 at a time when they were far less worried that ETH would intentionally fork or change the algorithm. That suggestion has only come about loudly recently.

I don't have much time to respond to all your speculation, however you made a statement regarding a "State of the art 4GB DRAM bank" achieving 200 MH/s. Most modern graphics cards can saturate their memory buses, but not with ETHash due to random access pattern and linear dependency chaining. In reality you only need a handful of pipelines to achieve 200 MH/s if you have the memory bandwidth.

200 MH/s requires an absolute bare minimum of 1.56 Terabytes/s of DRAM access no matter how you slice it, a bit more in reality due to pre-charge, access time, etc. The worlds best possible imaginary controller can not change that. Certainly you can build many cheap instruction or macro-op based GPU cores (why bother? fixed pipeline ASIC cores are cheaper to design and build and faster/lower power to run. If you use instruction processing ops, your competitor will beat you in power efficiency).

You would still need a very modern chip to wire into your DRAM. For 1.6 Terabytes a second with GDDR6 @ 18Gbps you need 728 pins, or ~ 23-24 chips without ECC. GDDR6 is not shipping yet in volume, so double those numbers for GDDR5 - 1456 pins. The memory controller to interface to 48 chips like that is the bulk of the complexity of a modern GPU, not the shader engines. You should then need to interface all your cheap chips to that memory controller with a similar high-bandwidth low-latency interconnect. Modern SERDES at PCIe 4.0 levels is 16 Gbps and would require 66 transceiver lanes of this from each of your "cheap" GPUs to the memory controller to achieve the needed 133 GB/s (1.6TB/s divided by your 12 GPUs). You now have 1456 pins of GDDR5 memory just for the data lines, plus 264 pins for your LVDS TX/RX pairs for the SERDES to EACH of your 12 GPUs. I count 3168 pins of SERDES + 1456 pins of Memory Controller to memory interface. I haven't even included memory address lines or power pins. A package of that size essentially doesn't exist. There is also no evidence Bitmain has GDDR5 IP (Their Sophon could certainly benefit from it, yet it is all DDR4 based).

Everything you are describing is feasible in a theoretical world, but is far from the most power, price, or effort efficient way to accomplish Bitmain's performance numbers. It fails the Occam's razor test.

Compare 18 relatively simple ASIC chips, each with 32 x16 DDR3 1Gb chips hanging off of them. Quad-Channel DDR3, 4GB per core, with 512 data lines and a perfectly reasonable number of pins. Assign a cheap part at 1600 MT/s per pin (or run the numbers for 2133MT/s if you'd like) = 100 GB/s for each of the 18 cores, achieving up to 12.5 MH theoretical per core. 225 MH. Allow for random access in-efficiencies and you get 180MH as advertised, with 576 DDR3 chips as rumored multiple times. Easily $0.50/chip of old proven tech at volume on contract, and with a relatively simple control chip. This is significantly cheaper and easier than your proposed shared memory custom GPU machine.

[AliAshrafD]

@AirSquirrels Appreciate your patience and dedication of your time. I'n not much of a system architect and have no privilege to judge your analysis properly. Just some insights:

As of your critics regarding my hypothetical shared memory architecture:
1- You are criticizing a 12 gpu per one shared memory bank architecture while my proposal is about 2x6 gpu modules. improving my model to 3x4 or 4x3 versions would exponentially help reducing complexities you are highlighting while raising the costs linearly in the safe thresholds (it will be highly appreciated if you would reconsider your analysis and share the results).
2- The reasoning behind my proposal is economically related to the facts about the current state of shortage in the RAM chips due to the recent gpus' increase in demand (gpu craze).

As of your hypothetical ASIC alternative:
1- I'm strongly suspicious about the availability of 576 DDR3 per device for a bulk production and sales strategy of that device.

2- 576 RAM banks+ ASICs+controller+ ... doesn't look a cost effective solution to me.

3- I doubt that tASIC chips on that volume are accessible too.

4- I don't believe a multi billion dollars company commits such a huge mistake against an almost centralized community (in terms of 'spiritual' governance) such as Ethereum to build an ASIC vulnerable to little tweaks in the algo through easily manageable hard forks. A community that has been united once for an incident as small as the DAO hack. They have risk analysis task forces obviously and your alternative puts a lot of investments (in ASIC design phase) in danger.

And one more thing:
I think one of my most important arguments has been overlooked: A hard fork is a hard fork why not simply fixing both threats, once forever? Let's forget about side effect superstitions and do our job, just suppose there exists a smart solution to mitigate a shared memory attack against Ethash.

[3esmit]

Hey ethereans, would be possible to make the paramenters of ethash change each epoch? And maybe not just this, but change the "hashing circuit" each epoch, making ASIC need to become "generic", so not more ASIC.

[muiaao]

First of all thank you all talented guys for the great ethereum project. Since I am not a programmer nor system architect I can not really critisize any tech details above, but I have something on my mind to share. English is not my first language please forgive me.

A. Ethash algo is memory intensive but technically $/H(price per hash) or J/H(electric power per hash) improvement is possible and very likely to have happened already.
B. An uptodate gaming gpu shall always be able to hash effectively.

Suppose both points are correct. Then,

Any Asic/FPGA or other type of devices shall land between Point A and Point B. Manufacturer of such deive has follwowing options.

Scenario 1. mass production and keep mining for max profit.
Scenario 2. mass production and sell for any profit.

Scenario 1 is close to monero before Apr6th V7 fork while Scenario 2 is comparatable to a new GPU vendor, say Intel, selling their GPU, or just nVidia selling 11xx serious and thus harmless. Again real world situation is in somewhere in between , a Scenario 1.* .

It is obvious that A1 is the worst case for ETH and B2 is nothing to be worried about and hard fork is entirelly unnecessary.

Now lets have a closer look.

Suppose bitmain is unable to get A too faraway from B, and ethash algo did its job, being asic resistant, perfectly. Their product is barely better than a RX570, lets say. We can find out that mass production is profitable because they can always acheive profit level of AMD and nVidia at least by resell it. Their mineing machines always sell well. And they do mass produce them. Bitmain is the largest crypto IC buyer of TSMC(even globally, matter of fact) and larger than nVidia or AMD.

Bitmain is known to runs their own farm, and they "test" run their product at least. In the monero case they run it for mothes without any intention to retail untill Apr 6th v7 fork is announced. It also makes economic sense to be as close to Scenario 1 as possible and resort to resell only when the mashines are becoming obsolete.

I don't know how people feel like it but in my mind it takes me 1 minute to realise that eth is facing this

---

|--- A ---B---|
|-1-A1--B1--|
|-2-A2--B2--|

---

matrix. Bitmain will keep making their machines untill retail price GPU is not at all profitable for mining. They will mine eth with $0.04 power price till everyone else has powered off. It is their business to make crypto-chip and mine. It is all fit and profitable that they shall do this. GPU miners are, at this very moment, swithing to Cryptonight V7 or other algos. Bitmain will not stop entill GPU eth mining is totally dead and that is the best case, A1.5 .

Even ethash algo is asic resistant or 100% asic-proof, eth is still becoming asic-ed wthiout a hard fork.