Equihash-BTG: Our New PoW Algorithm

(originally published here: https://bitcoingold.org/equihash-btg/)

Summary:

Our current mining algorithm, Equihash, is used by many different coins without any personalization. It was originally developed by Zcash and based on the parameter set <200,9>. We are going to upgrade to Equihash with a the parameter set <144,5>, with some customization. We’ll call it “Equihash-BTG,” for now. This will keep our blockchain ASIC-resistant and add an immediate measure of safety from 51% attacks.

About Equihash

Equihash, which was first developed and used by Zcash, was designed from the outset to be an “ASIC-resistant” Proof of Work algorithm. The developers set out to accomplish this by making it a memory-hardalgorithm. (See the Biryukov and Khovratovich paper on Equihash.) What does this mean, how does it make mining ASIC-resistant?

A memory-hard algorithm is one which requires a lot of memory to be able to run. It simply won’t work on hardware that doesn’t have enough memory.

When making an ASIC — an Application-Specific Integrated Circuit — adding memory is very expensive, and the more memory you need, the more expensive it gets. With a high enough memory requirement, building a “single-chip solver” on an ASIC becomes so expensive that you could not hope to earn enough in mining to pay for the ASIC. It’s impossible to profit.

Equihash was engineered to make that to happen — it can be configured to need a lot of memory as a minimum requirement to run, and it needs several times that much to run efficiently. (If you use half the ideal amount of memory, it can be 1000 times slower.)

Exactly how much memory is required? That depends on a couple of parameters.

The current Equihash: <200,9>

Equihash is the name for the general algorithm, but the exact implementation depends on two parameters, < n, k >. Today’s common Equihash coins run on Equihash <200,9>, so n = 200 and k = 9. This setup is currently used interchangeably by Bitcoin Gold, Zcash, Zencash, and many other Equihash-based cryptos.

This <200,9> version of Equihash requires a minimum of 50 MB of memory but can run much faster with 144 MB of memory. This was not the most demanding (most memory-hard) version of Equihash considered at the time, but it appeared to be “good enough.” These memory requirements were previously sufficient to prevent building an ASIC, based on the comparison of ASIC cost to coin value a year or two ago. Since then, Zcash — which was worth $30 in Feb of 2017 — has grown to be worth over $250, and now there are multiple coins that can be mined with the same Equihash. Meanwhile, the cost of transistors in an ASIC has gone down.

With these changes, it became possible to build an ASIC that can work with just enough memory to profitably mine the current Equihash coins — and this is precisely what has come to pass. But this doesn’t mean that Equihash is defeated — just that Equihash <200,9>.

Equihash-BTG: <144,5>

We’ll be adopting different parameters, <144,5>, for Equihash-BTG. Although these numbers are smaller than <200,9>, it means the algorithm actually requires dramatically more memory to run — so much more that we believe ASICs will be impossibly unprofitable for quite some time. The <144,5> parameters require a minimum of 700 MB to run and use about 2.5 GB to run efficiently (that’s 17 times larger!) This should be too expensive to produce with an ASIC right now, while most graphics cards used by our miners already have that much memory or more.

We’ve seen the innards of the Z9 Equihash miner, and we’re no longer concerned that it might be able to mine Equihash-BTG effectively. We’ve tested the new algorithm with typical graphics cards and have confirmed that they can run the new algorithm with as little as 3GB of RAM (although it can be a bit tricky under Windows if trying to mine while still using the computer.)

The sheer amount of memory required for Equihash-BTG pretty much forces the use of DRAM, which calls for a dramatically different design than a single-chip solver for regular Equihash. Even if a specialty miner is developed for Equihash-BTG in the future, it will not have as dramatic an advantage over a GPU as the specialty Equihash <200,9> miners. This significantly decreases the threat ASICs can pose to our network. While we know that this parameter change is not a permanent fix — this one change won’t stop ASICs forever — we know it will solve the ASIC-resistance problem for now, and gives us time to consider other alternatives for the longer term, if necessary.

The new parameters in Equihash-BTG also provide a few other advantages over <200,9>, which you can read about in our more detailed Forum post about Equihash-BTG.

Enhanced Safety

The new algorithm doesn’t just protect us from ASIC miners — it moves us into a different “pool” of hashpower, which also gives us a measure of safety against the kind of 51% attacks against Exchanges that happened over three or four days this past May.

Why does the new algorithm make us safer? It has to do with the size of the pool of hashpower available as Equihash. The total supply of power is large because it’s currently used interchangeably by multiple coins, and some of those coins produce new coins quite liberally — they generate a lot of miner rewards, which attracts a lot of hashpower, making the total pool very big. Though the share of power available for rental may be a small fraction of the total power for all coins, it can be a large share compared to individual coins, such as Bitcoin Gold. When the power available to rent on demand is larger than the power mining our coin, our chain is potentially at risk of attack (if someone has the financial means to rent all of that hashpower while simultaneously having the resources to make an enormous double-spend attempt against an exchange.)

Because Equihash-BTG is different from the existing pool of regular Equihash power, we’ll effectively be in a separate pool of power. This means BTG will dominate the hashrate on this new PoW algorithm, which is “personalized” to BTG, adding a layer of incompatibility versus other coins that will be moving to the <144,5> parameter set, such as BTCZ (we’ve been collaborating with many other coin teams in the space.)

Timing and Future Updates

While we’re very close to being able to provide Release Candidate versions of all the software to the public, we still aren’t ready to commit to a specific fork date. We’ll begin releasing detailed information about progress with the code and timing to all of our partners in the coming days to assist them in preparations. Because this kind of Network Upgrade will be enacted via Hard Fork, we need to be sure our partners are prepared. (A Hard Fork does not mean there will be a new coin — it just means that the prior software won’t be compatible, so the Upgrade is not optional.) Our ecosystem includes dozens of partners, including mining pools, miners, the makers of mining software, blockchain explorers, wallet hardware and software providers, third-party merchant services, and over fifty exchanges! We’re doing our utmost to ensure that everyone in our community has the opportunity to prepare so that nobody is left behind when the time of the Upgrade comes.

Working towards a better future,
The Bitcoin Gold Organization
#1CPU1VOTE

References:

Additional reference for 3rd-party miner developers:

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade