Monday, January 20, 2014

Scrypt ASICs, Alternate Proof of Work Algorithms, etc.

I wanted to quickly touch on a couple of topics in the cryptocurrency world, and perhaps it's best to start with a short discussion of ASICs. Litecoin and the scrypt Proof of Work (PoW) algorithm were created in part as a way to avoid concentrating the hashing power and control of any cryptocurrency into the hands of a few (relatively speaking) people. When everyone was using CPUs to mine Bitcoins (SHA256 PoW), it was a "fair" game -- anyone with a PC could participate. Then BTC started to gain some fame back in late 2010/early 2011 and some clever programmers decided to try and use GPUs to run the SHA256 hashing algorithm, and they had some good success. Where a high-end CPU might get 15-20MHash/sec, a high-end GPU could run the calculations about 20X faster, and suddenly people were in a rush to buy GPUs so they could grab more of the Bitcoin pie.

Even GPUs are still less efficient than a processor designed specifically to run SHA256, however, and the inevitable next step was to work on FPGAs (Field Programmable Gate Arrays) and ASICs (Application Specific Integrated Circuits). FPGAs are basically a quick and dirty way to do a custom chip, with the caveat being that they'll never be as fast as a custom design -- they don't clock as high, because the gate arrays can't switch as fast. FPGAs could run about as fast as a high-end GPU back in 2011, but they cost almost twice as much -- and they used about 1/10 as much power. Custom ASICs on the other hand would take a lot more time to develop, and they would require a significant investment in terms of R&D, layout, fabrication, packaging, etc.

Eventually we started to see ASICs designed for SHA256 become widely available in early 2013, and the result has been an exponential increase in hashing power. Today, a good ASIC miner will perform around 1000GHash/sec and draw around 850W of power -- about 400X as efficient as trying to mine BTC with a GPU! The problem is that supply of ASICs hasn't kept up with demand, so there are relatively few companies/people with ASICs controlling the Bitcoin network. Worst-case, we could end up with one company controlling over 50% of the network, in which case they could basically steal BTC by forging transactions. I don't think we're likely to see that happen -- there's too much money invested into BTC at this point, and any company getting even 25% of the total hash rate will likely stop expanding so as not to spook other investors. But it still means that this "currency for the people" has ended up in the control of a relatively small number of hands, which is not what it was supposed to do.

So then we have scrypt, which is an alternate Proof of Work that can't be mined with ASICs designed for SHA256. With the success of Bitcoin and now Litecoin, however, there is plenty of interest in being the first company to deliver a scrypt ASIC. Probably the most well-known is Alpha Technologies, who are currently targeting a release date of mid-July for a 25MHash/sec scrypt ASIC that will draw less than 600W (and potentially less than 300W). To put that in perspective, it's the equivalent of 30 Radeon R9 290X GPUs but draws as much power as two such GPUs -- or roughly 15X as efficient as using a GPU. That's not quite as big of a gap as we're seeing with SHA256, since scrypt was intentionally designed to make the creation of ASICs more difficult, but it's still a healthy advantage.

The big catch is the cost, of course. The Viper 25MHash miner has a price of £5450, or around $9000 USD. Even at the currently inflated prices on GPUs, $9000 could purchase around six complete mining rigs, each with three R9 280X GPUs, for a total hashing power of around 13MHash/sec. That's about half the performance, but you could begin hashing within a week compared to waiting six months, and six months is a very long time in the cryptocurrency world. I went in on half of a Viper with a friend, and we'll see if that works out, but I suspect it will be a while yet before that investment pays off. It will certainly be interesting to see what sort of ASIC arms race comes in the scrypt world, regardless, as Alpha Technologies is actually jumping straight to 28nm process technology whereas the SHA256 ASICs started at 110nm, so we may not actually see quite the explosion in hashing rate that Bitcoin saw.

So this brings us to the alternative Proof of Work algorithms. I really liked the idea of Quark, but it was basically insta-mined so that if you didn't hop on board in the first month or two, you were "too late" to really make a decent profit. This is why I started mining Frozen, but while I have mined a fairly sizable sum of FZ and have definitely come out with a decent profit, Frozen has many of the same issues as Quark. It wasn't insta-mined, but it will be mostly mined out in just six months, which is -- in my opinion -- stupid. The security of any cryptocurrency depends on enough people mining it to keep it from being taken over, so if everyone stops mining because there are no more coins being made after just six months, security drops to basically nothing.

At the same time, I also still like the ideal of PoW algorithms that are ASIC-resistant (I'm not sure anything can be "ASIC-proof"), so things like Primecoin are cool, but again the ROI for XPM is basically dead at this point. If scrypt is going to enter the realm of the ASIC-coins in six months, what's the Next Big Thing (tm)? Well, scrypt-jane is one possibility. It's essentially scrypt with a variable n-factor, which apparently makes it even more difficult to target with a custom ASIC. There are several alt-coins now using scrypt-jane, but the latest to catch my eye is Microcoin (MRC), which is using a "fair launch" approach.

The short summary is that MRC started with 10000 blocks that had a combined value of just 1 MRC; this was used to establish a baseline difficulty for the network. From there, the next 300,000 blocks will scale up in rewards from 10,000 MRC to 160,000 MRC and then back down to 10,000 MRC. That means the peak block reward will come in the next 15-45 days, so unfortunately while the launch is "fair", we're still going to mine most of the MRC in just four months. Gah! But I've pointed at least one GPU at MinersBest to see how things develop; MRC should also hit a new exchange (red flags much?) tomorrow, at which point we'll get some idea of the value of the coin. With a target of 100 billion total coins, I suspect a fair long-term valuation of MRC is going to be around 0.0000021 BTC per MRC, and short-term it will probably be less than half that amount.

Vertcoin (VTC) is another option, which also adjusts the n-Factor using an "adaptive n-Factor" approach that's different than scrypt-jane. Other than the change in PoW, it's the same reward setup as LTC, so 50 VTC block rewards every 2.5 minutes with 84 million total coins. It's a newer coin as well, having started just this past month, and it's already listed on CoinedUp. Being listed this early isn't always a good thing, but the valuation right now is 0.00016 BTC per VTC. Considering that in total there are 28800 VTC being mined daily, that means the trade value is 4.6 BTC available per day. The network hash rate is around 183MHash/sec, and GPUs are about half as fast with the new PoW as with standard scrypt, so that means 400KHash/sec from an R9 290 would be reasonable, or 333KHash/sec from R9 280X. If we take the latter, three R9 280X should produce ~1MHash, resulting in a reward of around 0.025 BTC per day. If you were to mine LTC instead of VTC, your current daily rewards with ~2MHash/sec would only be 0.0145 BTC, making VTC about 70% more profitable than LTC mining -- not bad! With 3x7950 however, I'm only getting about 40% better than LTC mining (hash rates of around 240KHash per GPU instead of 620KHash on scrypt), so I'm not quite able to match Middlecoin's current returns.
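The n-factor point made above for scrypt-jane and Vertcoin, as an added example (not code from this post or from either coin): it uses stock scrypt from Python's `hashlib` as a stand-in, with Litecoin's N=1024, r=1, p=1 as the baseline. The header bytes, the target and the larger N values are constructed for illustration.

```python
import hashlib
import time

R, P = 1, 1  # Litecoin runs scrypt with N=1024, r=1, p=1

def scratchpad_bytes(n, r=R):
    """Size of scrypt's scratchpad: N blocks of 128*r bytes."""
    return 128 * n * r

def build_header(prefix, nonce):
    """Append a 4-byte little-endian nonce to the 76-byte prefix."""
    return prefix + nonce.to_bytes(4, "little")

def pow_hash(header, n):
    """scrypt keyed and salted with the header itself, 32-byte digest."""
    return hashlib.scrypt(header, salt=header, n=n, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=32)

def meets_target(header, n, target):
    """Verifying a share costs one full scrypt run plus a compare."""
    return int.from_bytes(pow_hash(header, n), "little") <= target

def mine(prefix, n, target, max_nonce=1 << 16):
    """Scan nonces in order; return the first that meets the target."""
    for nonce in range(max_nonce):
        if meets_target(build_header(prefix, nonce), n, target):
            return nonce
    return None

def seconds_per_hash(header, n, rounds=20):
    """Average wall-clock cost of one hash, i.e. of one verification."""
    start = time.perf_counter()
    for _ in range(rounds):
        pow_hash(header, n)
    return (time.perf_counter() - start) / rounds

PREFIX = bytes(range(76))  # constructed stand-in for a block header
TARGET = 1 << 250          # constructed, easy: about 1 hash in 64 passes

if __name__ == "__main__":
    for n in (1024, 2048, 4096, 16384):  # 1024 is LTC; the rest illustrative
        nonce = mine(PREFIX, n, TARGET)
        header = build_header(PREFIX, nonce)
        print(f"N={n:<6} scratchpad={scratchpad_bytes(n) // 1024:>5} KiB "
              f"nonce={nonce:<4} {seconds_per_hash(header, n) * 1e3:.2f} ms/hash")
    # Same header, different N: the digest changes, so a nonce found for
    # one N proves nothing about another.
    print(pow_hash(header, 1024) != pow_hash(header, 2048))
```

Each doubling of N doubles the scratchpad, and a node checking a block pays the same per-hash cost as the miner did for that one header, which is the verification burden raised in the comments below.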

Anyway, what I'd really like to see is more alt-coins that forget about the fast-mining hype and crazy block rewards (or silly memes, i.e. DOGE) and instead go for a long-haul approach. Take the Quark PoW -- or scrypt-jane, or some other variant -- and use scaling similar to BTC/LTC so that in two years, people are still seeing 50 coin block rewards, and in ten years you could still get 12.5 coin block rewards and have a reason to continue mining. I think the fear is that slower mining makes your coin and/or PoW algorithm a bigger target for ASICs, but faster mining just means your coin will die in six months or however long it takes to empty the coffers. QRK is still kicking, though, even with a much lower block reward, so maybe there will be enough interest to keep more coins going. I'm not convinced, unfortunately, which means long-term the best bets are still BTC and LTC.

15 comments:

  1. Great to see your stance and interest to see the long term cryptocurrency Jarred.

  2. Interesting. First time I've heard of scrypt-jane...

  3. Hey Jarred, could you maybe post the optimal settings for mining VTC with 290X? Would much appreciate it. Thank you.

    Replies
    1. VTC mining tends to be a bit more finicky than normal scrypt mining, so the following may not work (or may work with lots of HW errors); you'll probably need to tune things:

      "thread-concurrency" : "27001",
      "gpu-engine" : "900",
      "gpu-fan" : "30-95",
      "gpu-memclock" : "1500",
      "gpu-powertune" : "20",

      I also had some luck on 7950/7970 hardware with two GPU-threads and lower TC, so you could try that.

    2. Ok, I'll try that. Thanks mate.

  4. Hey Jarred, I have another question regarding the Alpha Technologies ASIC Scrypt miner. Will you be able to mine all Scryptcoins such as LTC and VTC with this Miner? I thought they would be ASIC resistant in a certain way? Which makes them more stable and sustainable than SHA-256 Coins?
    Am I missing something?
    Thanks for the interesting article.

    Replies
    1. The Alpha Technologies ASIC will only work on standard scrypt (LTC, DOGE, DMD, MOON, etc.) but will not work on modified scrypt (scrypt-jane, VTC, etc.) This is why other PoW algorithms are being created -- to thwart the use of ASICs. We'll see if that lasts, but remember that "ASIC-resistant" is not the same as "ASIC-proof".

    2. Ok, thanks for the info Jarred.

  5. Hi Jarred, have you found a sweet spot for VTC on R9 290? We reach a maximum of 330kh/s with a few HW errors.
    Thanks for your blog and your help!

    Replies
    1. I'm getting 440kh/s constant, only few rejects maybe 1% reaching: WU: ~400kh/s

      Using the following settings on my 2x 290x with customized cgminer.3.7.2

      ,
      "intensity" : "20",
      "vectors" : "1",
      "worksize" : "256",
      "kernel" : "scrypt",
      "lookup-gap" : "2",
      "thread-concurrency" : "24727",
      "shaders" : "0",
      "gpu-engine" : "925",
      "gpu-fan" : "90;80",
      "gpu-memclock" : "1475",
      "gpu-memdiff" : "0",
      "gpu-powertune" : "50",
      "gpu-vddc" : "1.100",
      "temp-cutoff" : "100",
      "temp-overheat" : "95",
      "temp-target" : "80",
      "api-mcast-port" : "4028",
      "api-port" : "4028",
      "expiry" : "120",
      "failover-only" : true,
      "gpu-dyninterval" : "7",
      "gpu-platform" : "0",
      "gpu-threads" : "1",
      "hotplug" : "5",
      "log" : "5",
      "no-pool-disable" : true,
      "queue" : "1",
      "scan-time" : "60",
      "scrypt" : true,
      "temp-hysteresis" : "3",
      "shares" : "0",
      "kernel-path" : "/usr/local/bin"
      }

  6. All these scrypt variants have a big problem in that verification of the PoW is a highly nontrivial computation and only gets worse as memory is increased. It would be much better to pick a PoW with trivially verifiable proof, scalable memory requirements, and no parallelizability.

    Replies
    1. Well, "no parallelizability" was too much to hope for, as it turns out to be at least moderately parallelizable, but Cuckoo Cycle does satisfy the other properties. From the README at https://github.com/tromp/cuckoo

      Mining is generally considered to be inherently power hungry but it need not be. It’s a consequence of making the proof of work computationally intensive. If computation is minimized in favor of random access to gigabytes of memory (incurring long latencies), then mining will require large investments in RAM but relatively little power.

      Cuckoo Cycle represents a breakthrough in three important ways:

      1) it performs only one very cheap siphash computation for about 3.3 random accesses to memory,

      2) its memory requirement can be set arbitrarily and doesn't allow for any time-memory trade-off.

      3) verification of the proof of work is instant, requiring 2 sha256 and 42 siphash computations.

      Runtime in Cuckoo Cycle is completely dominated by memory latency. It promotes the use of commodity general-purpose hardware over custom designed single-purpose hardware.

      Other features:

      4) proofs take the form of a length 42 cycle in the Cuckoo graph.

      5) it has a natural notion of (base) difficulty, namely the number of edges in the graph; above about 60% of size, a 42-cycle is almost guaranteed, but below 50% the probability starts to fall sharply.

      6) running time for the current implementation on high end x86 is under 24s/GB single-threaded, and under 3s/GB for 12 threads.

      7) making cuckoo use a significant fraction of the typical memory of a botnet computer will send it into swap-hell, and likely alert its owner.

    2. Hi tromp,

      Are you the developer of the Cuckoo Cycle? Are there any coins coming out that will use this? If so, please keep me apprised.
