Mega-pool Cockblocking Strategies #28

Open
by wowario opened 1 year ago · 18 comments
wowario commented 1 year ago (Migrated from github.com)
Owner

What could we do, if anything, to mitigate the dominance large pools?

Some idea floating around...

  • Lock coinbase transactions for 100 years
  • Miners sign block templates with private keys
  • Hashing the whole blockchain
  • get rid of tx_extra
  • limit extra nonce size
What could we do, if anything, to mitigate the dominance large pools? Some idea floating around... - Lock coinbase transactions for 100 years - Miners sign block templates with private keys - Hashing the whole blockchain - get rid of tx_extra - limit extra nonce size
jwinterm commented 1 year ago (Migrated from github.com)
Owner

And if we do any or all of these should we tone down randomx parameters to make verification easier on mobile or just switch to sha3?

And if we do any or all of these should we tone down randomx parameters to make verification easier on mobile or just switch to sha3?
fuwa0529 commented 1 year ago (Migrated from github.com)
Owner

I don't know how mining works, but all lgtm.

Making RandomX lighter in practice might be good enough for mobile. But it also makes switching away from it harder. I doubt anyone can change it ever.

So depending on what your vision is about the end game, it can be a pro or con.

I don't know how mining works, but all lgtm. Making RandomX lighter in practice might be good enough for mobile. But it also makes switching away from it harder. I doubt anyone can change it ever. So depending on what your vision is about the end game, it can be a pro or con.
SChernykh commented 1 year ago (Migrated from github.com)
Owner

Miners sign block templates with private keys

This is the only meaningful way to do this. But how exactly can it disable pools? If block template is signed before the nonce is searched (everything but the nonce is signed) then pool can just send signed templates to miners. If the template is signed after the solving nonce has been found, it can just be done at a pool side. So template signing must be a part of PoW then? For example, sign the template after nonce is applied, but calculate the final hash for everything including the signature. Yeah, that could work.

> Miners sign block templates with private keys This is the only meaningful way to do this. But how exactly can it disable pools? If block template is signed before the nonce is searched (everything but the nonce is signed) then pool can just send signed templates to miners. If the template is signed after the solving nonce has been found, it can just be done at a pool side. So template signing must be a part of PoW then? For example, sign the template after nonce is applied, but calculate the final hash for everything including the signature. Yeah, that could work.
00-matt commented 1 year ago (Migrated from github.com)
Owner

limit extra nonce size

Couldn't a pool just mess with the timestamp or transaction ordering (if we don't enforce an ordering for txes) in that case?

> limit extra nonce size Couldn't a pool just mess with the timestamp or transaction ordering (if we don't enforce an ordering for txes) in that case?
fuwa0529 commented 1 year ago (Migrated from github.com)
Owner

I used to think profit switching pools were not too bad, but maybe I'm wrong.

Profit switching pools require someone to keep mining the blockchain when they don't, particularly when mining isn't profitable.

So solo miners and dedicated pools are actually feeding the profit of profit switching pools, at the expensive of their own losses. And if they stop mining at a loss, the chain is ded.

Guess I support making profit switching pools infeasible, at least for chain security.

I used to think profit switching pools were not too bad, but maybe I'm wrong. Profit switching pools require someone to keep mining the blockchain when they don't, particularly when mining isn't profitable. So solo miners and dedicated pools are actually feeding the profit of profit switching pools, at the expensive of their own losses. And if they stop mining at a loss, the chain is ded. Guess I support making profit switching pools infeasible, at least for chain security.
fuwa0529 commented 1 year ago (Migrated from github.com)
Owner

There are no FPGA / ASIC profit switching pools right? So I guess SHA-3 is also an option?

There are no FPGA / ASIC profit switching pools right? So I guess SHA-3 is also an option?
00-matt commented 1 year ago (Migrated from github.com)
Owner

FPGA / ASIC / CPU / GPU has nothing to do with profit switching

FPGA / ASIC / CPU / GPU has nothing to do with profit switching
fuwa0529 commented 1 year ago (Migrated from github.com)
Owner

Do you know any profit switching pools that are targeting FPGA / ASIC ?

Do you know any profit switching pools that are targeting FPGA / ASIC ?
00-matt commented 1 year ago (Migrated from github.com)
Owner

ViaBTC does for sha256d coins, and multipool.us for scrypt, sha256d and x11.

ViaBTC does for sha256d coins, and multipool.us for scrypt, sha256d and x11.
fuwa0529 commented 1 year ago (Migrated from github.com)
Owner

Thanks, well, that sucks.

Thanks, well, that sucks.
tevador commented 1 year ago (Migrated from github.com)
Owner

So template signing must be a part of PoW then? For example, sign the template after nonce is applied, but calculate the final hash for everything including the signature. Yeah, that could work.

I like this idea. Miners would have to:

  1. Select a nonce value.
  2. Sign the block header using the secret spend key from the coinbase transaction.
  3. Append the signature to the block header.
  4. Calculate a RandomX hash of the long block header.
  5. Check if the hash is below the target. If not, go back to step 1.

This would not significantly impact hashrates because an Ed25519 signature takes <10 <50 µs, while a RandomX hash takes 1000-2000 µs.

When used on an ASIC-friendly blockchain that uses a fast hash function, the mining speed would be bottlenecked by signing performance, which might incentivize the development of specialized circuits for fast digital signatures.

> So template signing must be a part of PoW then? For example, sign the template after nonce is applied, but calculate the final hash for everything including the signature. Yeah, that could work. I like this idea. Miners would have to: 1. Select a nonce value. 2. Sign the block header using the secret spend key from the coinbase transaction. 3. Append the signature to the block header. 4. Calculate a RandomX hash of the long block header. 5. Check if the hash is below the target. If not, go back to step 1. This would not significantly impact hashrates because an Ed25519 signature takes ~~<10~~ <50 µs, while a RandomX hash takes 1000-2000 µs. When used on an ASIC-friendly blockchain that uses a fast hash function, the mining speed would be bottlenecked by signing performance, which might incentivize the development of specialized circuits for fast digital signatures.
fuwa0529 commented 1 year ago (Migrated from github.com)
Owner

@tevador:

When used on an ASIC-friendly blockchain that uses a fast hash function, the mining speed would be bottlenecked by signing performance

Does this mean an ASIC will have to compute something more than just a hash, will that make ASIC design harder?

@tevador: > When used on an ASIC-friendly blockchain that uses a fast hash function, the mining speed would be bottlenecked by signing performance Does this mean an ASIC will have to compute something more than just a hash, will that make ASIC design harder?
fuwa0529 commented 1 year ago (Migrated from github.com)
Owner

Is it possible to replace 3. 4. with:

Calculate a RandomX hash of the signature ?

Is it possible to replace 3. 4. with: Calculate a RandomX hash of the signature ?
tevador commented 1 year ago (Migrated from github.com)
Owner

Calculate a RandomX hash of the signature ?

Yes, since the signature includes a hash of the block header. This would decrease the amount of data to hash from 140 to 64 bytes and save 1 run of the Blake2b compression function.

> Calculate a RandomX hash of the signature ? Yes, since the signature includes a hash of the block header. This would decrease the amount of data to hash from 140 to 64 bytes and save 1 run of the Blake2b compression function.
MoneroOcean commented 1 year ago (Migrated from github.com)
Owner

image

![image](https://user-images.githubusercontent.com/33983510/82744095-dbcb2e00-9d28-11ea-9236-8df157f67166.png)
Thunderosa commented 1 year ago (Migrated from github.com)
Owner

Just limit pools to 1 block each. Make them promise.

Just limit pools to 1 block each. Make them promise.
jwinterm commented 1 year ago (Migrated from github.com)
Owner

Does mining to a multisig address change the calculus in any of this?

Edit: Nevermind, that wouldn't work if miners need to sign every hash.

Does mining to a multisig address change the calculus in any of this? Edit: Nevermind, that wouldn't work if miners need to sign every hash.
tevador commented 1 year ago (Migrated from github.com)
Owner

Multisig wouldn't work and additionally, the coinbase tx would have to either be limited to 1 output or require one signature per output key (this would require some variable-size structure in the block header).

Multisig wouldn't work and additionally, the coinbase tx would have to either be limited to 1 output or require one signature per output key (this would require some variable-size structure in the block header).
Sign in to join this conversation.
No Milestone
No Assignees
1 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.