Coinbase: ASIC-friendly PoW coins are more secure, and ASIC resistance will only lead to mining centralization


Recently, the digital asset trading platform Coinbase has changed the confirmation requirements for Bitcoin (BTC), Litecoin (LTC), Zcash (ZEC) and Ethereum Classic (ETC). Among them, the confirmation requirements for BTC, ZEC and ETC have all been reduced, while only the confirmation requirement for LTC has been increased. The specific changes are shown in the following table:

So what caused this change?

According to the explanation given by Coinbase, this involves the security issue of PoW coins. The security level of each PoW coin is different. The security of currencies such as Bitcoin has been improved, so the number of confirmations can be reduced. On the contrary, currencies with reduced security require an increase in the number of confirmations.

In this regard, Coinbase security engineer Mark Nesbitt also wrote an article explaining the impact of ASIC on the security of cryptocurrency networks.

The following is the translation:

Introduction: Proof of Work (PoW)

All cryptocurrencies define an ownership state in the currency network, and in order for the cryptocurrency to be usable, there must be a way to update this ownership state. In most existing cryptographic algorithms, the ownership state is defined by a canonical history of all transactions that have ever occurred, which is stored by the network nodes in a data structure called a blockchain. In order to update the ownership state, there must be a way to add the most recent transaction to the transaction history stored in the blockchain.

Different cryptocurrencies add new content to their blockchains in different ways. In cryptocurrencies that use the Proof of Work (PoW) consensus algorithm, the expansion of the blockchain is carried out through a process called mining. Miners bundle newly announced transactions together into data structures called blocks, which are added to the blockchain.

Miners attempt to add a block by solving a proof-of-work puzzle unique to the proposed block. If the miner is able to find a solution to the puzzle, the miner will announce the block and its solution to the rest of the network. The rest of the network will recognize the valid proof-of-work solution and consider the proposed block as the latest addition to the blockchain. Note that miners do not need permission to produce a block, a fact that allows miners to enter and exit the network at will.

In order to determine the canonical transaction history when miners may produce multiple valid transaction histories (i.e. different valid blocks or even valid chains), in PoW cryptocurrencies, we define the blockchain with the most cumulative work as the canonical transaction history. This consensus rule introduces a fundamental property to PoW cryptocurrencies: any participant who can outperform the rest of the network by finding more proof-of-work solutions can unilaterally generate a valid transaction history, and the rest of the network will adopt that history as the canonical transaction history. (Note: This does not mean that this participant has unlimited power on the network)
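The most-cumulative-work rule described above, as an added example that is not code from Coinbase or from any coin's client. It uses Bitcoin's convention that a block's work is the expected number of hashes needed to meet its target; the block names and targets are constructed for illustration.

```python
from dataclasses import dataclass

MAX_HASH = 2**256  # size of the hash space for a 256-bit PoW hash

@dataclass(frozen=True)
class Block:
    name: str
    target: int  # a valid block hash must be <= target (lower = harder)

def block_work(block):
    """Expected number of hash attempts needed to meet this block's target."""
    return MAX_HASH // (block.target + 1)

def chain_work(chain):
    return sum(block_work(b) for b in chain)

def fork_point(a, b):
    """Count the leading blocks that two chains have in common."""
    shared = 0
    for x, y in zip(a, b):
        if x != y:
            break
        shared += 1
    return shared

def choose_canonical(current, candidate):
    """Adopt candidate only if it carries strictly more cumulative work.
    Returns (chain, number of blocks of `current` that were replaced)."""
    if chain_work(candidate) > chain_work(current):
        return candidate, len(current) - fork_point(current, candidate)
    return current, 0

# Constructed sample chains (targets chosen for round numbers, not real ones).
EASY = 2**240 - 1    # 65,536 expected hashes per block
EASIER = 2**241 - 1  # 32,768 expected hashes per block
SHARED = [Block("genesis", EASY), Block("b1", EASY)]
PUBLIC = SHARED + [Block(f"pub{i}", EASY) for i in range(3)]
LONG_BUT_LIGHT = SHARED + [Block(f"light{i}", EASIER) for i in range(5)]
OUTPACING = SHARED + [Block(f"alt{i}", EASY) for i in range(4)]

if __name__ == "__main__":
    for name, cand in [("long but light", LONG_BUT_LIGHT), ("outpacing", OUTPACING)]:
        chain, replaced = choose_canonical(PUBLIC, cand)
        print(f"{name}: adopted={chain is cand}, blocks replaced={replaced}")
```

The seven-block branch is rejected because it holds less work than the five-block public chain, while the branch that out-works the public chain replaces three blocks that nodes had already accepted.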

The article makes two claims about the security of PoW cryptocurrencies.

Assertion 1: Hardware whose primary use is mining a particular coin is a security feature

If the primary application for the hardware loses value, the hardware owner loses the value of their investment.

Hardware owners are incentivized to think about the long-term success of their hardware’s primary application, and the longer their equipment lasts, the more money they can invest in the long-term success of their hardware’s primary application. At the time of writing, Bitcoin ASIC miners are beginning to see their lifespans extend significantly as new models become more efficient.

This idea is related to the principle of dedicated costs.

A large pool of computing power that exists outside a coin's own mining network poses a threat to the security of that coin.

Coins without active computing power have a high risk of 51% attack.

This is particularly important to consider given the above debate about the incentives of hardware owners in terms of applications for their hardware. If hardware owners have other applications outside of mining where they can monetize their hardware investment, the negative impact of disrupting a coin’s blockchain is diluted.

Changing the algorithm to "anti-ASIC" would simply allow the entire world's vast general computing resources to participate in mining at will, potentially destroying the cryptocurrency. For this reason, coins that implement "anti-ASIC" algorithms are empirically very vulnerable to 51% attacks. Well-known examples of ASIC-resistant coins that have been successfully 51% attacked include BTG, VTC, and XVG.

So far, there has not been a single case where a coin that supports ASIC hardware has been successfully attacked with a 51% double spend.
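Why outside hash power translates into a confirmation requirement, as an added example for an exchange-side risk estimate. It uses the catch-up probability from the Bitcoin whitepaper, not Coinbase's own method; the hash-rate figures and the 0.1% risk threshold are assumptions, and all function names are hypothetical.

```python
import math

def attacker_share(native_hashrate, outside_hashrate):
    """Share of total hash power if all compatible outside hardware joins."""
    return outside_hashrate / (native_hashrate + outside_hashrate)

def catch_up_probability(q, z):
    """Whitepaper estimate that a miner with share q rewrites z confirmations."""
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority miner always catches up eventually
    lam = z * q / p  # expected attacker blocks while z honest blocks are found
    poisson = math.exp(-lam)
    prob = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # Poisson(k; lam), built iteratively
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob

def confirmations_needed(q, max_risk=0.001, limit=1000):
    """Smallest z with catch-up probability below max_risk, or None."""
    if q >= 0.5:
        return None  # no confirmation count is sufficient
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None

# Constructed scenarios: (coin's own hash rate, outside hash rate that the
# same hardware class could redirect), in arbitrary but equal units.
SCENARIOS = {
    "coin dominates its hardware class": (90, 10),
    "sizeable outside pool": (70, 30),
    "outside pool larger than the coin": (50, 60),
}

if __name__ == "__main__":
    for label, (native, outside) in SCENARIOS.items():
        q = attacker_share(native, outside)
        print(f"{label}: q={q:.2f}, confirmations={confirmations_needed(q)}")
```

Once the outside pool matches or exceeds the coin's own hash rate, the function returns None: raising the confirmation count no longer bounds the risk.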

Case Study: 51% Attack on Bitcoin Gold (BTG)

In May 2018, Bitcoin Gold (BTG) suffered multiple 51% attacks, resulting in double spending of millions of dollars worth of coins. After this attack, BTG developers announced that they would change BTG’s PoW algorithm to Equihash-BTG:

“Because Equihash-BTG is incompatible with the existing regular Equihash hashrate pool, we will be in a separate proof-of-work pool, which means BTG will dominate the hashrate of this new PoW algorithm, which is ‘personalized’ for BTG, adding a layer of incompatibility with other coins that move to the <144,5> parameter set (such as BTCZ).”

This is a very interesting statement. The BTG developers acknowledge the importance of hashrate dominance, but they draw the wrong conclusion, namely that what matters is controlling the hashing algorithm rather than the hardware that produces the hashrate. Unless the hardware that produces the hashrate is primarily used to mine the coin, nothing about the hashrate is "personalized" to BTG. Miners with general-purpose hardware used for other currencies can switch mining algorithms at will, allowing the hardware to mine BTG without new input.


Assertion 1 Summary:

The only way a PoW coin can materially reduce the risk of a 51% attack is if it becomes a primary use case for the relevant mining hardware. Coins mined on widely available general-purpose hardware (such as CPUs and GPUs) lack this major security feature.

Assertion 2: Using ASIC-friendly algorithms will improve manufacturing and ownership diversity

No algorithm is ASIC-proof; algorithms can only be ASIC-resistant.

For any particular computing problem, hardware that is specialized to solve that problem will always be more efficient than general-purpose hardware. In addition to the advantage of writing application-level logic directly into the circuit, specialized hardware does not need to bear the other requirements of general-purpose hardware, such as security isolation, clock interrupts, context switching, and other tasks required to support multiple applications. Therefore, no PoW algorithm is ASIC-proof, they can only be ASIC-resistant.

Empirically, ASIC-resistant algorithms have not been successful in preventing the development of ASICs. Prominent examples include scrypt (LTC), Equihash (ZEC, BTG), Ethash (ETH), and CryptoNight (XMR).

ASIC-resistant algorithms effectively make it more difficult to build an effective ASIC miner. The natural consequence of this is that chip manufacturers need to invest more money and expertise before they can produce an effective ASIC.

Therefore, ASIC-resistant algorithms only increase the barriers to entry into the ASIC market. This leads to a trend towards centralization of mining hardware manufacturing, which is actually contrary to the original intention of ASIC-resistant algorithms!

Instead, the goal should be to choose an algorithm for which ASICs are both cheap and easy to manufacture. ASICs would then effectively be a commodity that requires no specialized knowledge and offers no moat. This would lead to a greater diversity of manufacturers, which in turn encourages diversity among owners and operators and makes decentralization of the mining network more likely.

When developers choose an algorithm that is ASIC-resistant, they provide a competitive moat to chip developers who will eventually build ASIC hardware for their algorithm.

Case Study: Monero’s Regular Algorithm Adjustments

The Monero development team has implicitly acknowledged the fact that an algorithm cannot be ASIC-proof, only ASIC-resistant. They seem to have realized that trying to develop a silver bullet ASIC-proof algorithm designed to permanently block the development of ASICs would not be effective. Instead, they decided to tweak Monero's PoW algorithm every 6 months with the goal of disincentivizing the creation of specialized hardware by quickly making it obsolete.


This strategy underestimates the ability of talented hardware designers to quickly develop new chips. It is almost certain that a highly skilled chip designer would be able to master a development process that can be used to target the strategies of the Monero developers. This would force a small group of closely guarded Monero developers to attempt a high-stakes, highly confidential cat-and-mouse game to hide their algorithmic plans, which provides a huge financial incentive for any member of this group to violate this circle of trust and leak information to the chip manufacturer. The criticality of the group's decisions and the extreme trust in it are not good characteristics for a permissionless world currency, and arguably create a centralization risk that is more serious than the centralization risk of miners.

The limitations of this strategy are already apparent, and predictably, we have seen the successful emergence of ASICs on all three versions of the XMR network algorithm.

Ambition is only important to the extent that it is achievable.

Most arguments in favor of ASIC resistance come with the phrase: “ensuring that the network is not controlled by a few.”

This is naturally an excellent goal, and it is essential to ensuring that digital currencies deliver on their promise.

But in reality, all the good intentions in the world are completely irrelevant when an action taken with good intentions does more harm than good. Ironically, coins that implement ASIC-resistant algorithms will eventually become centralized and controlled by larger miners.

Assertion 2 Summary:

The only thing an ASIC-resistant algorithm accomplishes is to raise the cost and expertise required to create an effective ASIC. This in turn means that any PoW coin of significant value will eventually be mined by ASICs, which in turn leads to a high degree of centralization in mining, as successful ASIC manufacturers will have a very strong competitive moat.

Summary

Cryptocurrencies cannot provide a completely egalitarian system, nor can they eliminate all power structures or advantages provided by additional resources. But they do represent a huge improvement over the current opaque, manual, and error-prone financial system. It is vital to vigorously defend your principles when trying to change the world, but it is equally important not to let the illusion of a perfect system become the enemy of an achievable good system.

As digital assets mature, participants must ask themselves whether this industry will be preserved by hobbyists running old laptops at home, or whether it will be, like almost every other important endeavor in human history, advanced at scale by large self-interested groups investing vast resources. Every specialized industry that scales uses specialized equipment, and it is naive to think that cryptocurrency mining should be any different.

