Safe merged-mining and the Bitcoin’s Karma

In this post I will depart briefly from my classical technical viewpoint and enter the quicksands of opinions. But I’ll come back, don’t worry. The idea of the proof-of-work powered block-chain, while powerful, has led us to a situation where many people see Bitcoin mining as a wasteful and vicious activity. Articles against Bitcoin mining can be read here, here and here. Articles in favor of Bitcoin mining can be found here.

But even if economists discover that Bitcoin mining is more efficient and less wasteful than state money printing, and even if nothing better could be done, people may still perceive mining as something that should be avoided. In a few years we may have Greenpeace groups protesting at the doors of every Bitcoin-related company, claiming that we’re hurting the ecosystem. And still, nobody has come up with a better idea to replace plain old PoW. A Proof-of-Stake / Proof-of-work or consensus hybrid system, while being more power efficient, poses additional threats and goes against the fully distributed paradigm. In most incarnations, it requires all coins to be pre-mined. So we’re stuck with PoW, and that’s the Bitcoin’s Karma.

New cool alt-coins that choose ASIC-unfriendly PoWs

Many cryptocurrencies appeared after Bitcoin and I think some of these coins have something new to offer to the world (my favorite examples are NimbleCoin, Ethereum and QixCoin). I obviously dislike plain Bitcoin clones, but that is not the subject of this post. Almost all of these new interesting alt-coins began using ASIC- or GPU-unfriendly mining functions for proof-of-work, such as scrypt, Cuckoo cycle, Dagger, partial hash collisions, RandMemoHash and SplashHash. From the ecology perspective, one claim often presented is that by using PC idle cycles instead of running still another data processor, no energy is wasted. This is untrue, since current microprocessors automatically enter reduced-power states when idle. So, now we know that PoW mining could eventually become an environmental problem, and it’s currently a marketing problem. Then why not minimize the damage? Since it’s clear that we’re going to have a PoW block-chain in this world, let’s make Bitcoin PoW the only one. If we create a clear standard for merged-mining, every new alt-coin could make use of Bitcoin to secure transactions.

Bitcoin Merged-Mining

Using Bitcoin merged mining you can re-use the work spent on finding a proof-of-work for the Bitcoin chain to find a PoW for the alt-coin chain. Then you have two totally separate block chains that are unrelated in any way (the Bitcoin chain and the alt-coin chain) that can be mined together. When a miner mines a Bitcoin block, the header of the block contains the Merkle-root, which refers to the transactions included in the block. By storing a hash of the header of the alt-coin block in a Bitcoin transaction stored in a predefined place in the Merkle-tree, it’s possible to uniquely associate the PoW of the Bitcoin header with the alt-coin header.

There are two possible ways to implement merged-mining. The standard way (used in NameCoin) is that the Bitcoin header is inserted into another block-chain (the NameCoin chain). This chain can have another difficulty and another block rate. The other way, sometimes called a side-chain, is when the Bitcoin chain contains the alt-coin chain (as it was proposed in This implementation brings a lot of technical problems in order to cope with Bitcoin blocks that hold invalid or missing alt-coin blocks (either by mistake or to attack the alt-coin). So we’ll only analyze the standard merged-mining approach.

The problem with standard merged-mining is that it’s possible for a Bitcoin pool to destroy a merged-mined alt-coin with pump-and-dump and 51% attacks. This has occurred at least one time in the past. I propose a protocol to allow merged-mining with some safety protections.

Distributed Merge-Miner Registration

Bitcoin miners willing to do merged-mining must first register an identity in the alt-coin cryptosystem, and pay for it. This is done by creating a transaction carrying a modified Bitcoin header, where the fields in the first 64 bytes are replaced by a single Bitcoin address (or ECDSA public key or hash of an ECDSA public key) padded with zeros, and the remaining 16 bytes can be anything. This header needs to have proof-of-work similar to 1/n of the current difficulty of the Bitcoin network. This transaction is included as any other in the block-chain. Suppose that we choose n=1; then producing the header has a cost of at least 16K USD, since by investing ASIC time in it the creator is losing the reward of a Bitcoin block. After an identity has been registered, the registered miner can merge-mine as many blocks as he wants. This initial payment serves as an investment in the coin.

The network can automatically monitor the block rate of each merged-miner (using a sliding-window average, for example) and detect if the miner has stopped producing blocks. If the network hash rate drops suddenly, the network can automatically detect whose blocks are missing and revoke the identity record of the offending miner. The network could also detect if two blocks of the same height are produced by the same miner and revoke the identity record. This is done by including both headers in a transaction.

It’s also possible that merged-miners be asked to provide a real identity to an alt-coin foundation; the foundation then signs the identity registration transaction, and the network only accepts identity registrations signed by the alt-coin foundation private key. Note that normal alt-coin miners may or may not need to go through any registration process. Normal miners’ blocks are identifiable because they do not have an associated Bitcoin meta-header.

Registration could be programmed to be unnecessary after some time or after the network hash rate achieves a certain threshold. For example, the network could require miner registration during the first M blocks (e.g. equal to 4 months) to prevent early attacks, and allow free mining after that. Also the registration fee (in terms of the divisor n) could be a function of the merged-miner hashing power over the current network hashing power, or be limited to a certain percentage of the current hashing power (e.g. no more than 40%). Then the network will discard blocks solved by a certain merged miner that has surpassed his registered quota, measured in a certain time window.
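The registration check, the same-height revocation rule and the quota rule described above, as an added Python example (not code from the original post or from any alt-coin). It assumes a 20-byte public-key hash as the identity, a quota window counted in recently accepted merged-mined blocks, and that each block is submitted once; all function and class names are hypothetical.

```python
import hashlib
from collections import deque

ID_LEN, ID_FIELD, HEADER_LEN = 20, 64, 80  # ID_LEN: assumed 20-byte public-key hash

def bits_to_target(bits):
    """Expand Bitcoin's compact 'bits' encoding into the full 256-bit target."""
    exp, mant = bits >> 24, bits & 0x007FFFFF
    return mant << 8 * (exp - 3) if exp >= 3 else mant >> 8 * (3 - exp)

def pow_value(header):
    """Double SHA-256 of the header, read as a little-endian integer."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(header).digest()).digest(), "little")

def make_registration(miner_id, btc_bits, n):
    """Grind the 16 free bytes until the header meets 1/n of Bitcoin's difficulty."""
    prefix, nonce = miner_id + bytes(ID_FIELD - ID_LEN), 0
    while pow_value(prefix + nonce.to_bytes(16, "little")) > bits_to_target(btc_bits) * n:
        nonce += 1
    return prefix + nonce.to_bytes(16, "little")

def check_registration(header, btc_bits, n):
    """Return the miner id, or None if the layout is wrong or the work is insufficient."""
    ok = (len(header) == HEADER_LEN and not any(header[ID_LEN:ID_FIELD])
          and pow_value(header) <= bits_to_target(btc_bits) * n)
    return header[:ID_LEN] if ok else None

class MinerRegistry:
    """Tracks registered merged-miners, same-height double blocks and per-miner quota."""
    def __init__(self, window, max_share):
        self.ids, self.seen = set(), {}
        self.recent, self.max_share = deque(maxlen=window), max_share

    def register(self, header, btc_bits, n):
        mid = check_registration(header, btc_bits, n)
        if mid is not None:
            self.ids.add(mid)
        return mid is not None

    def accept_block(self, mid, height, block_hash):
        if mid not in self.ids:
            return "unregistered"
        if self.seen.setdefault((mid, height), block_hash) != block_hash:
            self.ids.discard(mid)  # two blocks at one height: revoke the identity
            return "revoked"
        if self.recent.count(mid) + 1 > self.max_share * self.recent.maxlen:
            return "over-quota"  # block discarded, identity kept
        self.recent.append(mid)
        return "accepted"
```

Dividing the difficulty by n is the same as multiplying the target by n, which is why both functions compare against `bits_to_target(btc_bits) * n`.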

By implementing some of these protections into the alt-coin design, safe merged-mining can be allowed.


  1. #1 by John Tromp on March 7, 2014 - 7:57 pm

    “The claim is that by using PC idle cycles”

    Where do you get that? The point of memory intensive PoWs is that the amount of
    power-hungry computational circuitry (die area) in an optimal implementation is limited
    by the bandwidth/latency of the memory that must accompany it.
    This limit gets more pronounced as the amount of memory needed goes up,
    especially as that amount no longer fits on a single chip (currently about 1GB),
    and also as the memory accesses become more randomized.

    • #2 by SDLerner on March 7, 2014 - 10:40 pm

      Of course sequential memory hard PoW functions aim is to prevent obtaining a significant advantage when implementing them on ASIC. But this post is not about the impact of SHA mining vs scrypt mining on the centralization of mining power. This post is about the ecology of having another block-chain consuming great amounts of power. There were thousands of discussions on bitcointalk about mining centralization, but a lot less, if any, about the ecology impact of expanding the alt-coin ecosystem. That’s what this post is about.
      Nevertheless I’ve decided to amend the original post to clarify this. Thank you.

  2. #3 by John Tromp on March 7, 2014 - 11:48 pm

    Your amendment leaves in place the sentence

    “one claim often presented is that by using PC idle cycles instead of running still another data processor, no energy is wasted.”

    that I object to. Where do you see this claim presented? I’ve only seen claims that less energy is wasted by adding memory into the equation.

    “Then why not minimize the damage? Since it’s clear that we’re going to have a PoW block-chain in this world, let’s make Bitcoin PoW the only one.”

    I agree that fewer block-chains is better, but by proposing a zero-memory PoW as the only one, you’re only reducing, not minimizing the damage.

    • #4 by SDLerner on March 8, 2014 - 2:16 am

      I’m not an expert in ASIC design, but I know that changing memory states requires power. DRAM memory requires refreshing. Refreshing requires writing each bit periodically. Sequential memory hard functions require WRITING memory constantly, so memory bits get changed as often as the inputs in SHA logic gates. Why should a sequential memory hard function consume less power than a low memory function? Only this could change if a new kind of memory is invented which requires no power to switch states: but then we would probably be able to create practical reversible computers, and who knows then…

      • #5 by John Tromp on March 8, 2014 - 3:00 am

        At first sight, memory is pretty low power since you rarely see cooling fans focussed on memory chips. But let’s run some numbers:

        An 8GB DIMM uses about 2.5W and costs on the order of $100. High-end bitcoin ASIC rigs are typically 2000W for $5000.
        If you spend the same $5000 on 40 DIMMs and CPUs (or hypothetical cuckoo asics) to match investment, then they’d use 100W, at least an order of magnitude less.
        Note that in cuckoo’s case, the (cpus or hypothetical asics) don’t use much power as they’re mostly waiting on memory latency.

      • #6 by SDLerner on March 8, 2014 - 4:50 am

        The cost of investment in buying today’s off-the-shelf hardware does not dominate the ROI of the miner on the long run. People tend to innovate. Current off-the-shelf Bitcoin mining ASICs were a few years ago something people dreamed of.


        1. SRAM is static while DRAM is dynamic
        2. SRAM is faster compared to DRAM
        3. SRAM consumes less power than DRAM
        4. SRAM uses more transistors per bit of memory compared to DRAM
        5. SRAM is more expensive than DRAM
        6. Cheaper DRAM is used in main memory while SRAM is commonly used in cache memory

        If we had off-the-shelf 8Gb SRAM modules, then people investing in mining for long periods would buy SRAM based memory for their mining boards, to outperform DRAM based miners. The SRAM based cuckoo miners would consume the same power as the SRAM based SHA-miners and will cost much more because of the extra memory.
        In fact, by proposing memory-hard mining one is creating an incentive for manufacturing large SRAM based memories, in a similar way SHA-256 mining creates an incentive for manufacturing hashing ASICs.

  3. #7 by John Tromp on March 8, 2014 - 5:23 am

    The relevant facts are:

    1) the cost difference between SRAM and DRAM is much larger than the performance difference.
    2) when used intensively, SRAM consumes at least as much power as DRAM.

    Thus, cuckoo mining rigs will be using DRAM rather than SRAM.

    • #8 by SDLerner on March 8, 2014 - 6:22 am

      I think you’re totally right about DRAM/SRAM. You’ve convinced me.

      Nevertheless, since Bitcoin miners won’t disappear from earth because of the appearance of RAM-dominated mining (as too many alt-coins in existence prove it) then the best we can expect from the ecologic perspective is global merged mining on SHA-256. Global merged mining on cuckoo hashing would imply enormous changes to Bitcoin infrastructure to accommodate the fork, and I don’t see this happening in the near future.

      • #9 by John Tromp on March 8, 2014 - 3:54 pm

        Agreed. It is quite unrealistic to expect bitcoin’s dominance to fade in the next decade. And we haven’t reached “Peak Hash” yet (as in peak oil).
        Do you have some idea how the combined power consumption of all alt-coins compares to that of bitcoin? How much would you gain percentage wise if they all adopted bitcoin merged mining?

        The problem with altcoins is that they’re driven by fashion more than technology. And neither SHA256 nor 10-minute block intervals are fashionable. So we’re more likely to see merged mining in the scrypt world. Did you see this recent article on the subject:
