by seanwilson 3122 days ago
> That highly depends on the hashing algorithm used. For Bitcoin this is SHA256, which is very well-suited for ASIC implementation. The algorithm of Ethereum was deliberately designed to be ASIC-resistant, but GPU-friendly, therefore GPUs (which are kind of a commodity) are the hardware of choice for Ethereum mining.

Is it possible to create ASIC resistant algorithms? Litecoin was meant to be resistant by using scrypt but there are ASICs out for that now I believe.

Could you not create a protocol that constantly changes its hashing algorithm to combat ASICs?

> The advantage of low electricity cost is of course something that cannot be eliminated without eliminating Proof of Work entirely.

Any views on what the ideal system would be? I've heard of using a combination of proof of stake and proof of work. Proof of stake will mean people with more money get more power and proof of work means people with lower electricity costs get more power so neither seems ideal. I think ideally each person in the world would get an equal vote in how the protocol progresses but it's not obvious how you could enforce that.


> Is it possible to create ASIC resistant algorithms? Litecoin was meant to be resistant by using scrypt but there's ASICs out for that now I believe.

Making the PoW require tons of memory to solve efficiently seems the best way to attain ASIC resistance. Monero's PoW requires only 8x more than scrypt's 128KB, but Ethereum requires over 1000x more than Monero's 2MB. None of these can be instantly verified though which is a desirable property of PoWs.

Modern asymmetric PoWs like Grin and aeternity's Cuckoo Cycle, and Zcash and Bitcoin Gold's Equihash combine large memory requirements (144MB-2.2GB) with instant verifiability.

Could you not just add a ton of RAM to an ASIC?

128MB is the current limit [1] for embedded DRAM

[1] https://en.wikipedia.org/wiki/EDRAM

> Could you not create a protocol that constantly changes its hashing algorithm to combat ASICs?

It might be interesting to combine all of the popular hash functions in a sequence. You could probably mix in some non-cryptographic hash functions in the middle as long as you use secure functions at the beginning and end of the sequence. e.g. SHA256 => MD5 => MurmurHash => BLAKE-256

You could even write an algorithm that uses the previous block hash to determine the next order of the hash function sequence.

Wouldn't ASICs then just implement all of them and rotate execution?

Yes. It was also a bad idea because it would be expensive to verify the proof. A good proof-of-work algorithm is very difficult to create, and very fast to verify.

After posting that comment, I discovered a far better proof-of-work called the Cuckoo Cycle:

* Blog post: http://cryptorials.io/beyond-hashcash-proof-work-theres-mini...
* Whitepaper: https://eprint.iacr.org/2014/059.pdf

It's really a genius solution. You have to fill up 2GB of RAM with random bits in order to find a specific cycle in an enormous graph. This means that even a very slow CPU would quickly saturate the DRAM memory bandwidth, and it doesn't matter if you use a CPU, GPU, FPGA, or even an ASIC.

This means that a mobile phone with 2GB of RAM can mine just as fast as any server with 2GB of RAM. If you want to increase your mining capacity, you'll have to buy a lot of RAM (or a lot of cheap mobile phones).

Since it is constrained by memory bandwidth, you spend most of the time just waiting for bits to arrive. This means that it uses much less electricity than other PoWs. The proof is also instantly verifiable.

There are a few cryptocurrencies that are using the Cuckoo Cycle proof-of-work such as aeternity [1], and Mimblewimble / grin [2].

[1] https://aeternity.com/

[2] https://github.com/mimblewimble/grin
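A scaled-down illustration of the asymmetry this comment describes, added here as an example (not code from the Cuckoo Cycle paper, grin or aeternity): the edges of a bipartite graph are fixed by a keyed hash of the block header, a proof is a set of edge indices (nonces) that form a cycle, and checking it costs only a handful of hashes however long the search took. The hash function (BLAKE2b instead of siphash), graph size and cycle length are assumptions chosen so the search runs in well under a second.

```python
import hashlib
from collections import defaultdict

# Toy parameters (assumptions); real Cuckoo Cycle: siphash-2-4, 42-cycles, ~2^29 edges (the GBs of RAM above)
N, M, L = 64, 128, 6  # nodes per side, edges, required cycle length (even: the graph is bipartite)

def edge(header, i):  # edge i joins U node h(2i) to V node h(2i+1); BLAKE2b stands in for siphash
    def node(j):
        d = hashlib.blake2b(j.to_bytes(8, "little"), key=header[:64], digest_size=8).digest()
        return int.from_bytes(d, "little") % N
    return node(2 * i), node(2 * i + 1)

def index(edges):  # node -> positions of incident edges, one map per side
    by_u, by_v = defaultdict(list), defaultdict(list)
    for k, (u, v) in enumerate(edges):
        by_u[u].append(k); by_v[v].append(k)
    return by_u, by_v

def verify(header, nonces):  # instant check: L hashes plus a short walk, however hard the search was
    edges = [edge(header, i) for i in nonces]
    by_u, by_v = index(edges)
    if len(nonces) != L or len(set(nonces)) != L or any(len(ks) != 2 for ks in [*by_u.values(), *by_v.values()]):
        return False  # exactly L distinct edges, and every node touched by exactly two of them
    k, steps = 0, 0  # walk from edge 0, alternating U and V nodes; it must return after L steps
    while True:
        k = next(j for j in by_u[edges[k][0]] if j != k)
        k = next(j for j in by_v[edges[k][1]] if j != k)
        steps += 2
        if k == 0:
            return steps == L  # False when the edges form several disjoint cycles

def find_cycle(header):  # toy solver: exhaustive search (real miners trim a graph that fills GBs of RAM)
    edges = [edge(header, i) for i in range(M)]
    by_u, by_v = index(edges)
    def extend(path, at_v):  # path: edges used so far; at_v: standing at the last edge's V node
        last = edges[path[-1]]
        for j in [j for j in (by_v[last[1]] if at_v else by_u[last[0]]) if j not in path]:
            if len(path) + 1 < L:
                found = extend(path + [j], not at_v)
                if found: return found
            elif edges[j][0] == edges[path[0]][0] and verify(header, path + [j]):
                return sorted(path + [j])  # closed back on the start edge's U node
        return None
    return next(filter(None, (extend([s], True) for s in range(M))), None)

def mine(prefix, max_nonce=1000):  # vary a nonce until the header's graph contains an L-cycle
    for nonce in range(max_nonce):
        header = prefix + nonce.to_bytes(4, "little")
        if (proof := find_cycle(header)) is not None:
            return header, proof
```

With these parameters a random header contains an L-cycle with overwhelming probability, so mining usually succeeds at nonce 0; shrinking M relative to N makes the search fail more often and shows the nonce loop doing real work.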