EIP-ProgPoW: a Programmatic Proof-of-Work

I tend not to trust “free advice” about sociological attacks from someone with decent knowledge about how to do them, especially when they would benefit greatly from me taking that advice.

The security of the Ethereum chain is of high relevance to the entire community, and it is not a waste of time to understand the pros and cons of implementing a proposal.

Lastly, anyone who does not respect the findings of the audit for this proposal absolutely has an ulterior motive and should not be trusted to be telling the truth in further discussion.

@fubuloubu, the results are likely suspect because the auditor lacks domain expertise and ECH is relying on one person rather than a team of experts like the methodology used by Least Authority in the software audit.

As an outsider, the entire hardware audit process seems rather secretive and nefarious compared to the open process used in the software audit.

The hardware auditor was selected early June but the name was not disclosed until July 26, as per the following Medium post. https://medium.com/ethereum-cat-herders/progpow-audit-update-july-2019-ee17718550d The goals and methodology for the hardware audit have yet to be published or made available for community input.

Contrast the hardware auditor’s approach with the software audit. Clear goals and processes have been identified and published on both Least Authority’s Github and Medium post, along with having multiple people conduct the audit. https://medium.com/ethereum-cat-herders/progpow-audit-update-july-2019-ee17718550d

Which begs the question, why is the hardware process not transparent and why is the Ethereum community not leveraging the expertise of the broader hardware community? Why is there only 1 auditor for such a complex study?

I seriously doubt the one single person can conduct an audit which they are not a domain expert in. That’s like saying because I took economics in school that I can audit the effectiveness of Jerome Powell and the US Federal Reserve Bank’s monetary policy in depth and make recommendations to circumvent a potential Trump inflicted recession.

How does Bob know when something smells fishy and who is he going to consult? It’s not like Nvidia or AMD publish their register specs or will reveal the weakness in their architectures? Or that Bob has any idea on the future roadmap of Nvidia, AMD and Intel GPUs. Or is the Ethereum community okay with a backward looking audit that only considers old GPUs?

How is Bob going to prove or refute Linzhi’s Open Chip Design? It’s technically true that math blocks are easy to design but the cores will stall without an efficient cache architecture.

Will Bob know how to model the characteristics of ASICs designed for TSMC, GF, Samsung, SMIC, UMC, etc. IP and tools when his primary expertise is a MEMS (Micro-Electro-Mechanical Systems) process (i.e. not standard process)? Intel fab processes are unique and their foundries have not attracted many fabless semiconductor firms away from the likes of TSMC.

I disagree with the comment because (the collective) you don’t know what you don’t know. Intel and Microsoft are classic examples of companies using industry collaboration for technology migration, specification development and feasibility studies. With each version of DirectX, Microsoft would confer with AMD, Intel and Nvidia for months to understand the impact of each addition or change to the spec/release. While there was fierce competition amongst each company, Microsoft did their best to ensure a level playing field and understand the key issues around the DX spec and PPA (Performance, Power, Area) impact on the ASIC.

How does one know the audit is clean (whatever clean means)? With Bob, you are relying on one person to understand GPU and ASIC architectures and 3rd party foundries. What are the checks and balances in the hardware audit to ensure that the conclusions are correct and what is the mechanism to dispute/resolve deficiencies or gaps?

The only thing difficult in selecting the hardware auditor is that the Ethereum Cat Herders didn’t seem to have a clear criteria on what was needed. For a list of GPU and ASIC experts, all ECH had to do was ask on a public forum or alternatively I could have introduced Charles to dozens of people from Intel, Nvidia or AMD or a variety of professors in this space.

There are hundreds of people who can do the work without an invested interest or conflict of interest. The best way to do that is to get multiple PoV (like Microsoft) and make an informed conclusion. Here is a list of GPU and ASIC experts from Academia that have the right credentials. And any one of us from Nvidia, AMD, Intel could have helped write the research funding grants for the Ethereum Foundation, be available to answer questions or potentially write Verilog code to synthesize certain functional blocks.

Tolga Soyata, Associate Professor, SUNY Albany
https://www.crcpress.com/authors/i18025-tolga-soyata/bio/

Tim Rogers, Associate Professor, Purdue University
https://engineering.purdue.edu/tgrogers/

Tor Aamodt, Professor, University of British Columbia
https://www.ece.ubc.ca/~aamodt/projects/gpu-arch/

Chang Y. Choo, Professor, SJSU
http://www.sjsu.edu/people/chang.choo/

@fubuloubu

Absolutely breathtaking, yes? The attack continues right under our eyes.

If the security of the Ethereum chain is so important, is it not worth a thorough audit with the right people with the right domain knowledge? Why even publish the audit if you’re not going to hear counterpoints or have the hardware community post their issues? Isn’t that how the open source community works? Or is the process confined to software companies who don’t have a vested interest?

Here’s an example of a customer funded audit on an ePIC Blockchain ASIC conducted by DA Integrated (DAI). DAI is an ASIC design shop in Canada with 24 employees and over 500+ ASIC designs. https://www.da-integrated.com/projects

To view the audit, refer to this link. https://pixeldrain.com/l/o3hi6WtF#item=0

Notice that the auditors did not conduct an in-depth review of the architecture despite having some domain expertise. Even though ePIC had extensive docs (architecture, chip specs, simulations, timing analysis, multiple chip layouts, etc.), the auditors excluded a comprehensive architecture review citing their assessment would not be sufficient despite their domain expertise in memory controllers, 3D and accelerator cores (aka GPU).

So I’ll ask, why are Bob and ECH comfortable with a one man audit without domain expertise when DAI, which has 24 ASIC designers and graphics expertise and works with all the independent semiconductor foundries, wasn’t comfortable providing a full architecture audit?

I welcome the audit if it will get to the truth using industry experts, as well as, sound methodology and thorough analysis. If the audit has major flaws, then it is not worthy of respect. The flaws may not materially affect the Ethereum community or it could be a disaster. We will never know if the process is not open and not comprehensive.

Let me close my long post with the following question … Would you be satisfied with the process and results of the software audit if one person, who was an iOS developer (i.e. not a domain expert), did all the analysis AND the goals, methodology and constructs were not revealed until the report was done?

Yay! Relax Kristy, ha ha.

I think Bryant meant the free advice from me, not the one he took from you, Mr. Def, Mr. Else, and so on - for over a year.
That is very hard for anyone to go back and realize they have been played since the beginning.

BTW I would totally choose to ignore Epic Anything no matter what they said, because as we are saying from the beginning - who actually reads spam?

ProgPoW author Kristy-Leigh Minehan is CTO of Calvin Ayre and Craig Wright’s hosting company Core Scientific.
https://globenewswire.com/news-release/2019/08/07/1898434/0/en/Squire-Enters-Into-Development-Agreement-With-nChain.html
https://globenewswire.com/news-release/2019/07/25/1888023/0/en/Squire-Mining-Announces-Appointment-of-Kevin-Turner-to-Advisory-Board.html


https://www.corescientific.com/team

The CTO of Craig Wright’s hosting company is “improving” Ethereum? ha ha. yes. We can see that!

Discussion continued here: On the progpow audit

A compilation of previous articles and discussions found here: https://archive.is/25685

Just wanted to say as a home miner I support #ProgPow!

I think Ravencoin has shown that ProgPoW is not only safe to implement but also achieves its goals of bringing mining back to the masses.

We were supposed to be different than bitcoin. Bitcoin is centralized in China.

since ProgPoW had a backdoor, I’m wondering if there is another Ethash replacement candidate algorithm

There was no backdoor - there was a bug in Ethash.

call it what you will, but its memory-hardness can be circumvented by the initiated. worse, it seems to have tainted by association any further effort to replace Ethash, which is still necessary

Backdoors are code intended for later exploitation. Please do not accuse the inventors of ProgPoW of doing that without substantial evidence. The bug you mention is long since fixed, is there a way to circumvent ProgPoW’s memory hardness that I am unaware of?

It is crucial to the longevity, decentralization, and consequently valuation that we improve the security of the current PoW algorithm by moving to ProgPoW or even something better

I would be persuaded if it could be demonstrated that a seed wider than 64 bits would have favored one GPU architecture over another, and that was why the small seed size was chosen, or for some other defensible reason, considering that we’re talking about cryptography here and it’s common knowledge that 2^64 work is not a lot. I never cared that the majority of the creators were anonymous, but now I do think it’s a shame that this Class-A mishap won’t follow their names.

I’ve published a crypto algorithm myself (for purely academic purposes) and when it was shown to have less than the intended strength for keys larger than 128 bits, I didn’t do a quick fix and sweep the issue under the rug (even though I had already disclaimed its security from the beginning).

SHA-1 will always be broken, so will my algorithm, and so will ProgPoW. You can’t use the same name for an algorithm that produces different results. Especially after being in the wild for so long.

The way forward is to choose a new algorithm and deploy it in a reasonable amount of time, not to invoke Schneier’s Law or argue semantics about which rectangle-shaped openings are doors and which are holes.

I’m very much a software guy and not a hardware one (I’ve never mined), but I would be open to contributing to the effort to the extent I can, because I’d rather not just be a bitch online, like I am currently, expecting something for nothing.

I fear it is too late to develop an alternative to ProgPoW before ASICs have already come to dominate the network, let alone subject it to as much review as ProgPoW has seen.

If finding and fixing a bug is a reason not to ship software, very little software would ever ship. Especially a bug that was not practical to exploit. But if you are convinced that ProgPoW is irretrievably broken please do convince the rest of us - I’m not sure whether you are arguing against the soundness of Ethash or the ProgPoW extension to Ethash.

I agree, something needs to be done in short order. Also there is now an EIP proposal to reduce mining rewards. Any reduction in rewards will only further increase the ASIC dominance of the network as they have a significant cost advantage to GPUs.

My point is that if the developers of SHA-1 years after its initial release into the wild tweaked it, published new test vectors, and insisted in calling it SHA-1, they would be laughed out of the room.

Aside from being unnecessarily confusing, it’s deliberately horrible marketing at a time when marketing is the single biggest impediment to Eth shipping a new algorithm. At the very least Ethereum should not refer to this modified algorithm as ProgPoW despite what its authors choose to call it, given its significant perceived baggage.

Or do what SHA-3 did with Keccak: make a trivial change to some constant making “Ethash 2.0” incompatible with New ProgPoW – fork a variant off and take ownership of it.

I’m not sure I follow you, @esaulpaugh, but the authors don’t currently plan to change the name of the proposed algorithm because a minor exploit was discovered and fixed. The proposal is not yet Final, so is subject to change.

EIP-1057 PR for review ahead of All Core Devs call. Incorporates Andrea Lanfranchi’s implementation of the Kik exploit fix.

The reference implementation is on @ifdefelse’s repo at

Maybe my math is wrong but using progpow epoch length of 30000 and 13 sec block time, only 2^64 / (30000 * 13) = 2^45 work per second is required to exploit the speedup. For reference, I believe that the bitcoin network’s total work per second recently peaked at around 2^67 (140 exahash) per second.

So it would require a mining pool with 0.00002% (1 / 2^22) the power of the bitcoin network to exploit.

For a very rough idea of the kind of resources we’re talking about, 0.00002% of bitcoin’s current market cap is about $50,000. And Moore’s Law is still in effect for this kind of parallel computing.

Is there a good reference for this exploit being minor?

EDIT: I’m not aware of the exploit requiring 2^64 storage, but at $15 a terabyte and let’s say 8 bytes per slot, that would cost about $2.2 billion, or 5% of Ethereum’s market cap or 0.015% of China’s 2019 GDP.