Early ASIC Mitigation Hardfork #969
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,182 @@ | ||
| --- | ||
| eip: <to be assigned> | ||
| title: Poisoning the Well | ||
|
There was a problem hiding this comment. This isn't a descriptive title. Suggest "Modifications to ethash to invalidate dedicated hardware implementations". There was a problem hiding this comment. Perhaps "Modifications to ethash to invalidate existing dedicated hardware implementations" |
||
| author: David Stanfill <david@airsquirrels.com> | ||
| discussions-to: <email address> | ||
|
There was a problem hiding this comment. This should be a URL to somewhere people can discuss the EIP in general (this PR will only serve as a discussion venue so long as it's open, and we're moving towards merging PRs as soon as practical). I suggest opening a discussion thread on the Ethereum Magicicans forum, or an issue in the EIPs repository, and linking to it from here. |
||
| status: Draft | ||
| type: Standards Track | ||
| category Core | ||
|
There was a problem hiding this comment. You're missing a colon here. |
||
| created: 2018-04-03 | ||
| --- | ||
|
|
||
|
|
||
| ## Simple Summary | ||
|
|
||
| This EIP attempts to break ASIC miners specialized for the current ethash | ||
|
There was a problem hiding this comment. How? Suggest "This EIP modifies ethash in order to break ..." |
||
| mining algorithm. | ||
|
|
||
|
|
||
| ## Abstract | ||
|
|
||
| There are companies who currently have dedicated hardware based ethereum miners in | ||
| production, and may be actively mining. This EIP aims to "poison | ||
| the well" by modifying the block mining algorithm in a low risk manner that | ||
| may *"break"* these miners if they are in-fact built as traditional ASICs. | ||
|
|
||
|
|
||
| ## Motivation | ||
|
|
||
| ASIC based miners will have lower operational costs than GPU based miners which | ||
| will result in GPU based mining quickly becoming unprofitable. Given that | ||
| production of ASIC based miners has a high barrier to entry and few market players, | ||
| this will cause a trend towards centralization of mining power. | ||
|
There was a problem hiding this comment. I think the argument trying to be made here is along the lines of:
I would like to see some data to back this up if it is true. If ASICs are produced and sold to the general public then ASICs are not a problem as it doesn't lead to centralization. If ASICs are produced and then used (without being sold publicly) then ASICs can lead to centralization if they are a big enough improvement over GPUs (which are sold publicly). There was a problem hiding this comment. Many risk arguments exist around single supplier scenarios as well. Backdoors are possible, leading to future 51% attack risks. The data is a difficult ask, given that Bitmain mines in secret there is no way to know for certain. The only probable data is that the miner exists. The closest to data we could get would be from the results of the hardfork. I might suggest watching Monero’s hashrate this weekend as a possible canary in the coal mine. |
||
|
|
||
| This trend towards centralization has a negative effect on network security, | ||
| putting significant control of the network in the hands of only a few entities. | ||
|
|
||
| Ethash remains ASIC resistant, however ASIC manufacturer technology is advancing | ||
| and ethash may require further changes in order to remain resistant to unforeseen | ||
| design techniques. This EIP seeks explicitly to buy time during which newly developed | ||
| ASIC technology will face a barrier while more long term mechanisms to ensure | ||
| continued ASIC resistance can be explored. | ||
|
|
||
| ## Specification | ||
|
|
||
| If `block.number >= ASIC_MITIGATION_FORK_BLKNUM`, require that the ethash solution | ||
| sealing the block has been mined using `ethashV2`. | ||
|
|
||
| ## EthashV2 | ||
|
|
||
| `ethashV2` will be identical in specification to the current `ethash`(v1) algorithm, with | ||
| the exception of the implementation of `fnv`. | ||
|
|
||
| The new algorithm replaces the 5 current uses of `fnv` inside `hashimoto` with 5 | ||
| seperate instances defined as `fnvA`, `fnvB`, `fnvC`, `fnvD`, and `fnvE`, utilizing | ||
|
|
||
| `FNV_PRIME_A=0x10001a7` | ||
| `FNV_PRIME_B=0x10001ab` | ||
| `FNV_PRIME_C=0x10001cf` | ||
| `FNV_PRIME_D=0x10001e3` | ||
| `FNV_PRIME_E=0x10001f9` | ||
|
|
||
|
|
||
| `fnvA` replaces `fnv` in the DAG item selection step | ||
| `fnvB` replaces `fnv` in the DAG item mix step | ||
| `fnvC(fnvD(fnvE` replaces `fnv(fnv(fnv(` in the compress mix step | ||
|
|
||
| `fnv` as utilized in DAG-item creation should remain unchanged. | ||
|
|
||
| ## Node Changes (Optional Variant) | ||
|
There was a problem hiding this comment. What's the rationale behind adding this? There was a problem hiding this comment. In short, it is 6th isolated usage of FNV but there isn’t another ideal FNV constant other than the already selected constant. There was a problem hiding this comment. I'm asking about the "Node Changes (Optional Variant)". There was a problem hiding this comment. I believe I’m going to drop that from the EIP completely. I originally had thoughts that we needed to preserve the Algorithm in the RLP on the block chain as well as a computed Block header field for GetWork. @pipermerriam pointed out that the block.number check in VerifySeal and Mine is sufficient. |
||
|
|
||
| A new field of `EthashVersion` defined as an 8 bit unsigned enumeration is added to | ||
| the the block header. If this field is absent, its value is assumed to be equal to | ||
| zero. | ||
|
|
||
| The enumeration should be forward compatible and defined as: | ||
| `EthashUndefined = 0x00 | ||
| EthashVersion1 = 0x01 | ||
| EthashVersion2 = 0x02 | ||
| ... | ||
| EthashVersion255 = 0xFF` | ||
|
|
||
| When this field is present and set to 0x02, the `mine` and `VerifySeal` operations | ||
| utilize the `ethashV2` algorithm. If this field is set to any value other than 0x01, | ||
| 0x02, or 0x00 `VerifySeal` shall reject the block. | ||
|
|
||
| `VerifySeal` shall also fail verification in the event | ||
| `block.Number >= ASIC_MITIGATION_FORK_BLKNUM && block.EthashVersion < EthashVersion2` | ||
|
|
||
| ## Agent Changes (Optional Variant, stand alone or combined with Node Changes) | ||
|
|
||
| GetWork may optionally return the proposed blocks `EthashVersion` field. While a | ||
|
There was a problem hiding this comment. I would suggest making it an "algorithm" field, instead, with an algorithm name and version. If a new field is to be added, it makes sense to make it as versatile as possible. There was a problem hiding this comment. It can be an Algorithm field in the block, however GetWork returns unnamed values and parity already defines a 4th (block number). I would propose adding block number regardless, and defining algorithm as an optional 5th value of getwork. Would you like version as a 6th? Or algorithm as “ethash2”? There was a problem hiding this comment. Since different versions of the same algorithm can't be compatible, I don't think there's any point in having separate name and version fields - just a name field should be enough. There was a problem hiding this comment. I think FNV Prime change's are main change on this proposal. |
||
| miner or pool may infer the requirement for ethashV2 based on the computed | ||
| epoch of the provided seedHash, it may be beneficial to explicitly provide this | ||
| field so a miner does not require special configuration when mining on a chain | ||
| that chooses not to implement the ASIC_Mitigation hardfork. | ||
|
|
||
| Due to compatibility concerns with implementations that already add additional | ||
| parameters to GetWork, it may be desired to define a 33 Byte BlockHeader, where | ||
| the first octet represents the EthashVersion enumeration value required for the | ||
| block. If this octet is not present, it may be assumed to be zero. | ||
|
|
||
| ## Rationale | ||
|
|
||
| This EIP is aimed at breaking existing ASIC based miners via small changes to the | ||
| existing ethash algorithm. We hope to accomplish the following: | ||
|
|
||
| 1. Break existing ASIC based miners. | ||
| 2. Demonstrate a willingness to fork in the event of future ASIC miner production. | ||
|
|
||
| Goal #1 is something that we can only do probabalistically without detailed | ||
| knowledge of existing ASIC miner design. Our approach should balance the | ||
| inherent security risks involved with changing the mining algorithm with the | ||
| risk that the change we make does not break existing ASIC miners. This EIP | ||
| leans towards minimizing the security risks by making minimal changes to the | ||
| algorithm accepting the risk that the change may not break dedicated hardware | ||
| miners that utilize partially or fully configurable logic. | ||
|
|
||
| Furthermore, we do not wish to introduce significant algorithm changes that | ||
| may alter the power utilization or performance profile of existing GPU hardware. | ||
|
|
||
| The change of FNV constant is a minimal change that can be quickly | ||
| implemented across the various network node and miner implementations. | ||
|
|
||
| It is proposed that `ASIC_MITIGATION_FORK_BLKNUM` be no more than 5550000 (epoch 185), giving | ||
| around 30 days of notice to node and miner developers and a sufficient window | ||
| for formal analysis of the changes by experts. We must weigh this window against | ||
| the risk introduced by allowing ASICs that may exist to continue to propagate | ||
| on the network, as well as the risk of providing too much advanced warning to | ||
|
There was a problem hiding this comment. For us to need to rush this the following need to be true for a single entity:
I find it unlikely that any single entity meets all of these requirements, thus I do not see the need to rush this. There was a problem hiding this comment. where did these requirements come from??? There was a problem hiding this comment. Considering the change is fairly trivial and bitmain has been proven time and time again as a bad actor i see no reason to delay There was a problem hiding this comment. Forking is a complicated process and should not be taken lightly. It requires a massive amount of coordination. On top of that, changing the PoW algorithm requires implementation in multiple clients, which means multiple languages, along with testing, and cross-client testing. Along with all of this it needs to be audited by experts to ensure that it cannot be trivially gamed (this is easier for a small tweak than an entirely new algorithm). 30 days from EIP to fork is an extremely tight deadline and will require re-allocating many resources away from other tasks in order to take care of everything. Normally, time between EIP and fork is on the order of quarters to years. There was a problem hiding this comment. @cryptomined They come from reality. 😄 It is not free in either capital or time to take over Ethereum mining. With the current hash rate taking over is not something anyone is likely to do overnight. There was a problem hiding this comment. For the sake of argument, a cost analysis suggests bitmain could likely cross threshold to execute a 51% attack with about $300-400 MIllion in hardware. Analysts data suggests they do have that kind of capital available, and also arguably the manufacturing capability if all resources had been devoted to such an effort. I also find such an attack extremely, but they are one of very few entities that could. In these types of scenarios we have to consider every option where’s the risk of inaction, however small the chance, greatly outweighs the cost of action. I don’t believe a 51% attack is necessary to significantly damage Ethereum either. A single player visibly gaining a large stake can serve to drive down mining interest through discouraging actors as well as profitability below the level where most can afford to proceed based on power costs, leading to heavy geographic centralization. This may be inevitable on a long enough time scale, but the concern is POS isn’t ready to take the reigns yet. Finally, there is an argument to be made that rapidly executing this fork allows us to gather definitive data on the current concentration of dedicated hardware on the network and better assess this risk. Delaying too long (assuming the change would happen at all) opens a new lower cost scenario risk. There could be enough time for such an entity to replace their ASIC hashpower with programmable or commodity hardware hashpower long enough to convince the world they don’t exist. I’m not much for conspiracy theories but we have to consider all possibilities. I also must make my personal stance clear. I am against hardforking for the directly evident current risks, but there are unknown risks. Thus I believe if we should hardfork the cost needs to be lower than the worst case of the unknown risks. This pull request meets that criteria. There was a problem hiding this comment. oh it's just common sense then? i thought we needed data... well they have probably taken over 30%+ already.. maybe more. waiting too long will allow them to take over more than 50%.. is that worth the risk? There was a problem hiding this comment. @cryptomined if we are attempting to keep the discussion technical, Bitmain would have to have pre-produced 250,000+ E3 miners to take account for even 20% of the current difficulty, at costs of at least $100,000,000. If those gradually came online since December at even pacethey wouldn’t have even paid for their miners yet. The R&D alone certainly cost $10M + before mass production would even begin. I don’t think they have that level of production capacity while maintaining shipments of all their other miners. Infact, all their other miner shipments combined for that period barely reach that number. |
||
| ASIC developers. | ||
|
|
||
| It is further understood that this change will not prevent redesign of existing | ||
| dedicated hardware with new ASIC chips. The intention of this change is only | ||
| to disable currently active or mid-production hardware and provide time for | ||
| POS development as well as larger algorithim changes to be well analyzed by | ||
| experts. | ||
|
|
||
| The choice of FNV constants is made based on the formal specification at | ||
| https://tools.ietf.org/html/draft-eastlake-fnv-14#section-2.1 | ||
|
|
||
| Typical ASIC synthesis tools would optimize multiplication of a constant | ||
| in the FNV algorithm, reducing the area needed for the multiplier according | ||
| to the hamming weight of the constant. To reduce the chance of ASIC adaptation | ||
| through minor mask changes, we propose choosing new constants with a larger | ||
| hamming weight, however care should be taken not to choose constants with too | ||
| large of weight. | ||
|
|
||
| The current FNV prime, 0x1000193 has a hamming weight of 6. | ||
| `HammingWeight(0x10001a7) = 7;` | ||
| `HammingWeight(0x10001ab) = 7;` | ||
| `HammingWeight(0x10001cf) = 8;` | ||
| `HammingWeight(0x10001e3) = 7;` | ||
| `HammingWeight(0x10001ef) = 9; // Not chosen` | ||
| `HammingWeight(0x10001f9) = 8;` | ||
| `HammingWeight(0x10001fb) = 9; // Not chosen` | ||
|
|
||
| An exhaustive analysis was done regarding the dispersion of these constants as compared to 0x01000193. | ||
|
|
||
| It can be empirically confirmed that no more than 1 duplicates occur in the 32 bit word space with these constants. | ||
|
|
||
| It is worth noting that FNV is not a cryptographic hash, and it is not used as such in ethash. With | ||
| that said, a more invasive hash algorithm change could consider other options. One suggestion has been | ||
| MurmorHash3 (https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp) | ||
|
|
||
| ## Backwards Compatibility | ||
|
|
||
| This change implements a backwards incompatable change to proof of work based | ||
| block mining. All existing miners will be required to update to clients which | ||
| implement this new algorithm, and all nodes will require updates to accept | ||
| solutions from the new proof of work algorithm. | ||
|
|
||
| ## Test Cases | ||
|
|
||
| TODO: will need to generate test cases for `ethereum/tests` repository corresponding to the consensus | ||
| changes. | ||
|
|
||
| ## Implementation | ||
|
|
||
| TODO | ||
|
|
||
| ## Copyright | ||
|
|
||
| Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please rename this file to eip-969.md and assign it number 969 here.