(pt. 2) ECIP-1049: Why Ethereum Classic should Adopt Keccak256 for its Proof of Work Algorithm.
Since publishing ECIP-1049 (here) as a response to the 51% attack I have received quite a bit of input and questions. I have also opened up a pull request to multi-geth to create Astor (here), an Ethereum testnet that will use Keccak256 as its proof of work method. If you agree with this article, or just want to learn more about how consensus works in Ethereum, I would appreciate any help. My goal is to have the testnet running by January 2020. Read first article in series (here)
Question (courtesy of Phyro): “Why does the amount of hashes matter to secure the network, shouldn’t it be energy expended?”
Answer: This is a great question, and really goes to the heart of the ECIP-1049 proposal, and why moving away from Ethash to Keccak256 will help secure Ethereum Classic. First of all, the expenditure of energy in a proof-of-work system is the most important factor for decentralization. Because energy is distributed all throughout the world, and energy is necessary to mine a proof of work coin, it follows that mining is distributed all throughout the world. This is especially true in Bitcoin mining, where miners set up in a variety of locations — the biggest being hydro-electric rich areas in the Northwestern United States and Southern China. Other popular areas to mine are particularly cool climate with cheap power like Russia, Canada, Norway, and Iceland.
It’s fairly clear that if power is the limiting factor for mining, the system will be distributed globally. However, an important topic of debate is whether or not ASICs cause the system to be fragile because centralized chip makers can control most of the hashpower. This may have been true in the early days of Bitcoin, but it is false today. With a number of companies ranging from Innosilicon and Bitmain (China), to GMO (Japan), Bitfury (Europe and USA) all vying to create the most efficient miners possible. Keep in mind this is for an entirely new chip industry that didn’t exist even 10 years ago. Compare this to the fact that the only major graphics card manufacturers are AMD and Nvidia (publicly traded companies both based in USA)
This competitive liquidity exists in Bitcoin, because Bitcoin uses SHA256, a very standardized and efficient algorithm that is easy to produce ASICs for. Because it is so easy to produce ASICs, there are many companies that can do this. It decentralizes manufacturing. This is good, we want the deciding factor of mining profitability to be access to cheap power only.
Miners measure the effectiveness of their miners using a simple metric: W/Gh (watts of energy / gigahashes per second) — this is the only number that matters to miners, like MPG (miles per gallon) matters with fuel efficiency. We can see the increase in efficiency starting from the first SHA256 miners in 2013 (source)
Butterfly Labs Jalapeno (from 2013) does 4 W/GH
Antminer S3 (from 2014) does 1.3 W/GH (3.1x better)
Antminer S7 (from 2015) does .25 W/GH (5.2x better)
Antminer S9 (from 2016) does 0.098 W/GH (2.5x better)
Innosilicon T2 Terminator (from 2018) does 0.083 W/GH (1.18x better)
Innosilicon T3 Terminator (from 2019) does 0.049 W/Gh (1.69x better)
The lower the W/Gh number, the better because it means you can do more hashes with expending less energy. As you can see, every new year devices get more efficient. While Bitcoin ASICs are so new (less than 7 years) we can already start to see the same pattern that emerged in integrated circuits — Moore’s Law which says the number of transistors on chips doubles every 2 years. In crypto, we will see a “Nakamoto’s Law” — Bitcoin miner efficiency doubles every two years. The fact we have maintained Moore’s law since the 1970s is an amazing achievement of modern electrical engineering and economics.
The issue with “ASIC-resistant” algorithms is that they introduce a new complication to the proof of work equation — which is access to ASIC miners. If one company or country successfully creates ASICs for an ASIC-resistant algorithm before anybody else can, it means they can control the network with very minimal power expenditure. In fact, a government could easily overpower a network with very minimal energy spent, if they can manufacture a few ASICs when nobody else has them. I am worried about algorithms like Ethash and Progpow because if there is a flaw in them, it can make it easy for an attacker to silently control the network for years with very minimal power expenditure. Keccak256, the algorithm I am proposing in ECIP-1049 on the other hand is very similar to Bitcoin’s SHA256, and amazingly, with exponentially higher performance. In fact, the only reason Satoshi didn’t use Keccak256 AKA SHA3 was that it was only SHA certified as safe in 2015, almost 6 years after the Bitcoin blockchain began, and around when Ethereum launched. Satoshi was a gentleman, and gentlemen know not to create a new hashing algorithm for a software project. Make no mistake: Keccak256, the product of decades of research, is state of the art crytpographic technology that we can leverage to protect our young network.
Now why does this steady increase in efficiency matter for mining? Well it’s important because it means it’s very difficult for a new ASIC manufacturer to jump ahead and make an ASIC that is 10x, or 100x, or 1000x faster than anybody else. Imagine how dangerous it would be if an attacker that can mine with 10,000x the efficiency of everybody else! With very few computers and little energy, the attacker can easily overpower the rest of the network. So these ASIC-resistant algorithms are so dangerous because — if they fail (see XMR, LTC, ZEC, ETH, etc.) and an ASIC is produced, it can be so much stronger than the rest of the network. This is why Keccak256 is such a good algorithm because it is very efficient and will have a highly liquid mining market. In the Keccak implementation document they show you the exact architecture to produce an ASIC yourself, and we know that the market for mining equipment will be able to follow this open standard and manufacturers can compete against each other to produce the best product. This means miners and pools have access to better mining equipment. A transparent market with clear standards is always better than an opaque market with asymmetric information. It’s clear to me that what worked for Bitcoin, SHA256, will work for Ethereum Classic: Let’s switch to Keccak256!
Keccak implementation document: https://keccak.team/files/Keccak-implementation-3.2.pdf
Paper profiling different hashing algorithms on an FPGA: http://www.ecrypt.eu.org/hash2011/proceedings/hash2011_07.pdf