The Problem with Proof of Work

Proof-of-work had a goal. It was a simple one, really: prevent network centralization. The equation for this goal was a combination of cryptographic math, philosophy, psychology and the resource costs inherent in hardware. But it missed a vital piece.

See, algorithms — proof-of-work algorithms, specifically — were never designed for hardware. They were designed by software engineers or mathematicians, most of whom had never gotten down in the dirt with silicon simulations. Ethash was a step in the right direction: binding the algorithm to a limiting factor of commodity hardware (the I/O bus). It was a step forward, but wasn’t the leap needed.

On the 1st of May, 2018, however, the final leap was made. It’s called Programmatic Proof-of-Work (ProgPoW, for short). ProgPoW supplements the existing memory-hard approach by also utilizing unused parts of commodity hardware. It’s designed to target a critical part of the centralization problem: specialized hardware.

The Definition of Specialization

Everything you use today, from a CPU, to a GPU, to an ARM processor, or even an FPGA is a type of ASIC. Any algorithm that can run on an ASIC (be it a CPU, GPU or FPGA) can have a specialized design created for it.

Specialization comes from removing unnecessary parts of hardware — in GPUs, these are things like display outputs or floating point math. When you remove functionality, the metric you are trying to improve is efficiency.

Efficiency is what everything is measured by in proof-of-work; it can mean absolute performance, or performance per watt, or performance per dollar. It’s this metric that drives entities — be they companies or individuals — to invest time and money to create specialized hardware.

So therein lies the fallacy: ASIC resistance is a myth, because proof-of-work requires some form of ASIC to do the work.

When people talk about ASIC resistance, what they really mean is “centralization resistance”. That’s an important distinction to make, because the problem isn’t the hardware itself — it’s the companies and incentives behind it.

The Problem With Specialization

The major arguments for keeping specialized hardware around have always boiled down to some variation of the following:

  1. “Higher hashrate means more protection!” or,
  2. “Forcing people to buy ASICs means they’re invested in the network!” or,
  3. “Specialized hardware means protection from centralized attackers!”

The first argument is easy to dismantle: it doesn’t.

Problem Number 1: The Wrong Metric

Proof-of-work is fundamentally misunderstood — network security is not relative to network hashrate at all — it’s relative to the amount of energy spent. Hashrate? Just a counter for that energy. Making specialized hardware just means you’ve gamed the mining metric in a way that encourages everyone to buy more (and to consume the same amount of energy).

The Efficiency Dilemma (The New Yorker, 2010 Dec 20. Illustration by Joost Swarte)

Let’s slip into an analogy for a moment: if mining is like a car race, then security is your energy spent. The only object is to race: the faster you are, the more money you’ll get. Everyone’s been racing with a 4WD (the GPU) — it’s versatile and adaptive to any terrain, but just this week, the F1 (the ASIC) has been launched. It’s a little more expensive, but it’s faster and more energy efficient per mile. How could you pass that up?

The F1 seems like the obvious choice, and early adopters will undoubtedly come out ahead. But, what happens once everyone takes an F1 to the track? Everyone has now been incentivized to switch to these cars, and now everyone is racing at the same speed, spending the same amount of energy for the same amount of work. Nothing was gained. The only person that benefitted from this ‘upgrade’ of machinery was the manufacturer.

It’s important to understand this key concept before we go forward: there was no gain in this scenario. The rewards are still distributed relatively. The energy-to-work ratio is the same. The network isn’t any more secure.

We spent a bunch of money and gained no security in the process. But we did gain some sick rims.

Problem Number 2: The Wrong Incentive

There’s an important difference between specialized hardware (ASICs) and programmable hardware (GPUs, and CPUs). With programmable hardware, you can choose to play a game, or model the human brain, or find aliens, or mine your favourite shitcoin; on specialized hardware, you’re stuck protecting its only existence: mining rewards.

Some people feel this flexibility is a vulnerability, because it shows disloyalty to the network; miners must be stuck with dead-end hardware to ensure they have a vested interest to defend the decentralization and health of the network. This argument — the skin-in-the-game argument — has a vital part of logic missing: miners protecting their rewards have nothing to do with the decentralization (or health) of the network.

Bitcoin is the best example of an ecosystem with dysfunctional incentives. The largest player with skin-in-the-game, Bitmain, has exerted a dramatic amount of effort to maximize their advantages: from delaying transactions by mining empty blocks, to creating backdoors in Antbleed, to biasing miners against evolution in the SegWit ASICBoost scandal. Bitmain is a corporation, and that means it has a duty: to maximize returns for investors. They’re chasing their incentives, and that incentive is to make money.

That’s the natural state for any specialized, ASIC-bound proof-of-work. Skin-in-the-game becomes a malignant tumor for the network, rather than an antibody. It’s easy to understand why: people who have sunk costs defend its value. Promoting specialized hardware that’s locked into a dead-end route means growing an entire value chain that’s desperately focused on finding a reason for this hardware to exist.

In the end, proof-of-work is just a security mechanism to protect something of value. The decentralized network is the value, and that should be the focus of defense. Creating incentives for the security mechanism to dominate the network growth is just, well, letting the tail wag the dog.

This entire paragraph was written just so we’d have an excuse to use a Corgi picture.

Problem Number 3: The Wrong Defense

Fans of specialized hardware like to point to “51% attacks by centralized parties” as justification of why specialized hardware is needed. The argument goes something like this: if no faster or bigger collection of hardware existed, then no centralized party could mount such an attack without enormous cost.

There are three problems with that line of reasoning, though:

  1. Centralized parties are naturally created by the custom hardware ecosystem;
  2. What actually constitutes an attack is a matter of perspective;
  3. “Attacks” from a centralized party may not be obvious or obviously destructive (and actually, it doesn’t even take 51%).

First, specialized hardware provides protection from external attack only if it is the best hardware for exactly one network. This means the first manufacturer of custom hardware naturally has full control of the hashrate: if anyone else made similar hardware, then the specialized hardware doesn’t protect anything.

Even if this hardware were made available for sale in an attempt at decentralization, only a select few with disposable funds would buy in to specialized hardware on a new coin, so a limited number of individuals will collect a majority of the hardware. Decentralization from day one is highly implausible, if not improbable, with specialized hardware.

From here, protecting the value of the specialized hardware is easiest when the community is centralized and vertically integrated. Centralization and integration improve the economies of scale and allow precise control over profit margin. Economies of scale in manufacturing drive markets toward a single dominant producer or a cartel of top producers (see the memory or oil markets). Similarly, economies of scale reinforce the position of the miners who could afford to buy in early for new specialized hardware. So, ecosystems built around specialized hardware not only start centralized, but by necessity, stay centralized — for everyone involved.

Next, the argument that specialized hardware protects us against attack is meaningless when the network is under constant attack from within. Said differently, if the system is already centralized, the king is the one collecting the taxes. The king doesn’t view high taxes as an attack, but the serfs might beg to differ.

Above, we discussed how incentives that should help protect the network actually motivate the participants to act against the network — by favouring short term rewards over long term growth. Once a network is established and stable, hardware makers and miners are more motivated to protect their hardware value than to promote development and evolution. From their perspective, they are providing protection — for themselves.

Attacks on the network don’t even have to be something as dramatic as a double-spend. By impeding the network (see the empty-block example above), these miners and hardware manufacturers become the attackers by extracting value to the detriment of the network. Worse, their attack on the coin is constant and pervasive — a cancerous element that extends even to blogs and forums outside of the blockchain, where they spread misinformation and fearmonger to hide their motives and damage they do.

When you have a mature network (like Bitcoin) the network effects help to prevent loss of money when attacking the network and extracting value. Without “technically” breaking the rules, bad actors can tax the network for more money than normal mining rewards owed to them for processing transactions.

Once you have a broadly accepted coin, people have to live with this abusive rent-seeking behavior. This is the same reason that traditional banks and credit card companies continue to thrive, even though there are many different competing flavors. Specialized ASIC makers and the miners who buy specialized hardware have guided the evolution of Bitcoin into a version of the traditional banking system, where they now hold all the keys.

And honey, you should see them in a crown.

Specialized Attacks — Casper and Censorship

Some coins, like Ethereum, seek to use a hybrid PoS/PoW approach. Unfortunately, the PoW part can become the weakness. While Casper the Friendly Ghost may be immune to most forms of attack, Casper the Friendly Finality Gadget isn’t. In its existing state, there’s a painless way to attack the PoW portion of Ethereum: censorship attacks.

Most of these attacks are covered in Max Fang’s brilliant slides from BPASE 2018; the attack we’ll be focusing on here is blacklisting via punitive forking, a censorship attack. If you’re not familiar with game theory and network attacks, take a quick peek. Go ahead. We’ll wait.

The perfect time for a tea break, actually.

Oh. Back already? Great. Now let’s get down to how specialized hardware can attack our Friendly Finality Gadget.

Censorship attacks are where miners choose not to include transactions with certain properties — such as specific to and from addresses, or fees below a certain threshold. The attack is performed by selfish mining: a method where an attacker creates blocks and builds a private chain without telling others. Once the attacker’s chain is longer than the public one, they proclaim it to the world. The public miners, who were building on what they perceived to be the longest chain, will automatically adopt the attacker’s chain instead.

Those blocks the attacker mined are filled with dummy transactions — real transactions that move money between addresses under the attacker’s control. Because these transactions only exist in the blocks of the private chain that the attacker mined, any fees paid for the transactions also only exist in the private chain. The dummy transactions and fees aren’t real until the public chain adopts the attacker’s chain as the truth. The attacker doesn’t lose any money from the higher fees on the fake transactions because they are the party on both sides. However, once the attacker makes their private chain public and drives fees up, regular users will be forced to pay the higher fees to use the network.
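The sequence described above, as an added toy model that is not from the original post or from any Ethereum client: an honest public chain and an attacker’s private chain grown from the same genesis, the longest-chain switch, and a defender-side check that flags a deep reorganization whose replacement blocks carry unusually high fees paid by the same party that mined them. Block ids, miner names, fee values and the thresholds are all constructed for illustration.

```python
"""Toy model of the private-chain censorship attack described above, with a
defender-side check. Constructed example: not ProgPoW, Ethereum or any
client's code; every block, miner, transaction and threshold is made up."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Tx:
    sender: str
    receiver: str
    fee: int  # fee in arbitrary units


@dataclass
class Block:
    height: int
    parent: Optional[str]  # id of the parent block, None for genesis
    miner: str
    txs: List[Tx] = field(default_factory=list)

    @property
    def id(self) -> str:
        # Stand-in for a block hash: just enough to tell two blocks apart.
        return f"{self.height}:{self.miner}:{self.parent}"


def extend(chain: List[Block], miner: str, txs: List[Tx]) -> List[Block]:
    """Return a copy of `chain` with one more block mined by `miner`."""
    tip = chain[-1]
    return chain + [Block(tip.height + 1, tip.id, miner, txs)]


def adopt(current: List[Block], candidate: List[Block]) -> List[Block]:
    """Longest-chain rule as the text describes it: nodes switch to a competing
    chain only when it is strictly longer than the one they already hold."""
    return candidate if len(candidate) > len(current) else current


def common_prefix(a: List[Block], b: List[Block]) -> int:
    """Number of leading blocks the two chains share."""
    n = 0
    for x, y in zip(a, b):
        if x.id != y.id:
            break
        n += 1
    return n


def reorg_depth(old: List[Block], new: List[Block]) -> int:
    """Blocks of `old` that are discarded when `new` replaces it."""
    return len(old) - common_prefix(old, new)


def attacker_net_fee(blocks: List[Block], attacker: str) -> int:
    """Fees the attacker pays minus fees it collects as miner of the same
    blocks. Zero means the high fees never left the attacker's own pockets."""
    paid = sum(tx.fee for b in blocks for tx in b.txs if tx.sender == attacker)
    earned = sum(tx.fee for b in blocks if b.miner == attacker for tx in b.txs)
    return paid - earned


def mean_fee(blocks: List[Block]) -> float:
    fees = [tx.fee for b in blocks for tx in b.txs]
    return sum(fees) / len(fees) if fees else 0.0


def suspicious_reorg(old: List[Block], new: List[Block],
                     min_depth: int = 2, fee_ratio: float = 3.0) -> bool:
    """Defender-side heuristic: a reorg that discards at least `min_depth`
    blocks and whose replacement blocks carry mean fees `fee_ratio` times
    higher than the blocks they displaced. Thresholds are illustrative."""
    cut = common_prefix(old, new)
    if len(old) - cut < min_depth:
        return False
    displaced, replacement = old[cut:], new[cut:]
    return mean_fee(replacement) >= fee_ratio * max(mean_fee(displaced), 1e-9)


def scenario():
    """Honest miners build 3 blocks of ordinary traffic; the attacker secretly
    builds 4 blocks of self-transfers at high fees from the same genesis."""
    genesis = Block(0, None, "genesis")
    public = [genesis]
    for i in range(3):
        public = extend(public, "honest", [Tx(f"user{i}", "shop", fee=2)])
    private = [genesis]
    for _ in range(4):
        private = extend(private, "attacker", [Tx("attacker", "attacker", fee=20)])
    adopted = adopt(public, private)
    return public, private, adopted


if __name__ == "__main__":
    public, private, adopted = scenario()
    print("reorg depth:", reorg_depth(public, adopted))
    print("attacker net fee:", attacker_net_fee(adopted, "attacker"))
    print("flagged:", suspicious_reorg(public, adopted))
```

Running the scenario shows the three facts the text relies on: the four-block private chain wins against the three-block public one, the attacker’s net fee outlay is zero because it is payer and miner at once, and a monitor looking only at reorg depth and the fee jump can raise an alert without needing to know who the attacker is.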

Let’s put some numbers in here to make things a little more interesting: today, it takes less than 1.7 Billion USD to get 51% of the network hashrate (assuming a 276 TH/s network, and 360 USD for 30 MH/s per GPU + setup costs).

Casper will introduce an 80% reward reduction, which will bring the cost of the attack down as low as 340 Million USD (1.7B USD * 20%) if the network shrinks proportionally. In terms of hardware, that’s less than 945,000 GPUs. That number shrinks to 730,000 GPUs (270M USD) if based on today’s ETH price of 570 USD/ETH, and a typical 9-month breakeven time. With specialized hardware, the cost to own 51% of Casper’s PoW can be as low as 100M USD.
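The estimate above as a small parametrized model, added here and not the author’s own calculation. It reproduces the GPU figures quoted in the text (the 1.7 Billion USD and the post-Casper 340 Million USD / 945,000 GPU case) and shows the general form: the cost of a hashrate fraction scales with the network hashrate divided by the hashrate obtainable per dollar, which is why a device with a better hashrate-per-dollar lowers the bar. The “specialized” unit at the end is a hypothetical device with invented numbers, not the 100M USD case from the text.

```python
"""Worked form of the 51% hardware-cost estimate above. Constructed example,
not the author's own calculation; the specialized unit near the bottom is
hypothetical and only shows how the cost moves with hashrate per dollar."""
import math
from dataclasses import dataclass

TH = 1e12  # hashes per second in one TH/s
MH = 1e6   # hashes per second in one MH/s


@dataclass(frozen=True)
class Device:
    name: str
    hashrate: float   # hashes per second per unit
    price_usd: float  # purchase price per unit, setup included


# Figures quoted in the text: 276 TH/s network, 360 USD buys 30 MH/s of GPU.
NETWORK_HASHRATE = 276 * TH
GPU = Device("GPU", 30 * MH, 360.0)


def devices_needed(network_hashrate: float, fraction: float, dev: Device) -> int:
    """Whole units needed to hold `fraction` of `network_hashrate`, using the
    text's simplification that the attacker's units are not added on top of
    the network total. Rounded before ceil so float noise can't add a unit."""
    return math.ceil(round(network_hashrate * fraction / dev.hashrate, 6))


def attack_cost_usd(network_hashrate: float, fraction: float, dev: Device) -> float:
    return devices_needed(network_hashrate, fraction, dev) * dev.price_usd


def cost_after_reward_cut(network_hashrate: float, fraction: float,
                          dev: Device, reward_multiplier: float) -> float:
    """The text's Casper case: rewards fall to `reward_multiplier` of today's
    and the network hashrate is assumed to shrink in proportion."""
    return attack_cost_usd(network_hashrate * reward_multiplier, fraction, dev)


def hashrate_per_dollar(dev: Device) -> float:
    return dev.hashrate / dev.price_usd


def cost_ratio(cheaper: Device, baseline: Device) -> float:
    """Attack cost with `cheaper` relative to `baseline`. It depends only on
    the two devices' hashrate per dollar, not on the size of the network."""
    return hashrate_per_dollar(baseline) / hashrate_per_dollar(cheaper)


if __name__ == "__main__":
    print(devices_needed(NETWORK_HASHRATE, 0.51, GPU), "GPUs,",
          attack_cost_usd(NETWORK_HASHRATE, 0.51, GPU), "USD today")
    print(cost_after_reward_cut(NETWORK_HASHRATE, 0.51, GPU, 0.20),
          "USD after an 80% reward cut")
    # Hypothetical specialized unit (invented): 3x the GPU's hashrate per dollar.
    unit = Device("hypothetical specialized unit", 90 * MH, 360.0)
    print("cost ratio vs GPU:", cost_ratio(unit, GPU))
```

The last line is the point the text makes in prose: once a device delivers several times the GPU’s hashrate per dollar, the attack cost drops by the same factor regardless of how big the network is, and the reward cut and the efficiency gap compound.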

That’s it, really. PoS reduces rewards. Specialized hardware has a higher margin and will be more competitive for longer than GPUs as these rewards decrease. As GPUs drop off due to loss of profitability, centralization will accrue around specialized hardware creators. Once this happens they can use attacks like the one described above to induce a higher transaction cost (cost of doing business) that users will accept as necessary because they have adopted the system and won’t want to move off of it… and who happens to own a bunch of specialized hardware?

Specialized Defenses

You’ve heard a little bit about specialized hardware, and how it’s grossly misunderstood — you’ve also seen one of the most pressing attack vectors. Well alright then, you say — how do we fix it?

Some would suggest algorithm stacking — found in coins such as RavenCoin, where the algorithms are repeatedly chained in randomized orders. However, Baikal has proven with their hardware (specifically the BK-X) that a bit of silicon area for each algorithm is all that is needed (and a sequencer, to distribute the order). Others would suggest defensive hard forks, but the sequencer allows the specialized hardware to adapt to the changes (not unlike an FPGA).

It’s important to understand that as long as algorithms are not designed for hardware, specialized hardware will exist and will allow centralized entities to abuse the efficiency gap for their own economic advantage.

The Specialized Solution

At the start of this article, we talked about the definition of ASICs — how it’s wrong, and how specialization is achieved. It’s important to understand that every algorithm that exists today has an optimal ‘design’ in hardware that can’t effectively be surpassed. For Bitcoin, that’s a SHA-256 ASIC. For ProgPoW? It’s a GPU.

And that’s all that ProgPoW is: an ASIC-based algorithm, except the ASIC it is tuned for is the widest available commodity hardware: GPUs. Every major CPU comes with a GPU, but the reverse isn’t true. More importantly, the incentives of the hardware makers (AMD, NVIDIA, and Intel) aren’t aligned with a coin’s development or a coin’s market cap — they’re aligned with preserving their main market: graphics, artificial intelligence, and computational workloads. That’s the key to decentralized mining — leverage existing markets which are bigger and already decentralized. When your hardware isn’t specialized, the hardware starts, and stays, distributed.

Designing for a GPU ASIC is a simple-yet-balanced recipe: one part saturation, and one part evolution. Optimizing for saturation means utilizing all parts of a GPU card that are traditionally unused in other cryptocurrency algorithms — things like the register file, or math core, or the L1 cache. This forces specialized hardware to emulate a full GPU, not just the memory interface or some fixed math and logic. Our second part is optimizing for evolution — utilizing the advantage of a GPU (reprogrammability) to adapt the math in infinite and unpredictable patterns.

Of course, there’s other reprogrammable hardware, too. The latest craze in the mining scene has been FPGAs — while they are programmable in a sense, it’s prohibitively expensive to reach the same efficiency on ProgPoW. For the compute half of ProgPoW, the math in the inner loop must interact with a large register file and a large cache, so the design becomes dominated by configuration routing and horribly inefficient. It’s like trying to use an FPGA to emulate the custom ASIC built for the task: a GPU, in this case.

Reprogrammable hardware is absolutely the core of the question of how best to decentralize proof-of-work mining (and protect it) — but it’s a balancing act of carefully administered parameters: too specialized, and you’ll find people who protect the hardware, but not the network; too generalized, and you’ll find hardware that is hard to design algorithms for, hard to optimize, and hard to protect from botnets. The GPU just happens to strike the perfect balance.

Are there speedups to be gained in a specialized implementation? Energy wise, no. However, it’s possible to shave off the idle parts of a GPU (things like the graphics pipeline, and the floating point math) to save around 20% of the silicon cost. The good thing is that this doesn’t matter in a full card design: of the (average) 300 USD for a graphics card, 50 USD is for the silicon (the ASIC), 100 USD for the memory, and 50 USD for the PCB (with 100 USD for markup, because, hey, folks, we’re running a business here). Shaving off that idle silicon saves about 5% of the total cost — or 3% of the MSRP. Since it also saves no power, there are no real efficiency gains.

So, what does it all mean?

Proof-of-work is a tool — a tool for network security. Tools can be helpful, or they can be harmful: it’s just a matter of incentives for those wielding the tools. Once you understand how economic incentives help or harm cryptocurrency networks, it’s easy to see how best to keep things truly decentralized. By leveraging an existing, larger distributed infrastructure, you can be sure that the proof-of-work hardware stays decentralized from the beginning, and becomes a tool for security, rather than shackles that bind a network to its will.

Bet on ProgPoW — for a better hash, tomorrow.