Dagger issues

Hi all-

After a quick read, ISTM that Dagger will be subject to serious attacks from ASICs. The basic issue is that (if I'm reading the spec right), the lowest level DAG values are only computed once per block, as opposed to once per nonce. That means that mining doesn't require 512MB/thread at all; it requires 512MB of precomputed data with lots of read ports. This means that it would be subject to attack on a (rather large) ASIC that is willing to include such a beast. (Alternatively, a TMTO algorithm could read the 512MB sequentially, appending to various hash pieces as it goes.)

I don't see why a difficult-to-compute, easy-to-verify hash is any better than a symmetric hash where you have to start over for each nonce.

(As a more trivial issue, the Dagger wiki page seems to be confused as to how many lowest-level nodes are hashed together: the text says 8, but the pseudocode says 4.)

Comments

  • VitalikButerin (Administrator, Posts: 84)
    > That means that mining doesn't require 512MB/thread at all; it requires 512MB of precomputed data with lots of read ports

    Charles had made the same criticism of Dagger two weeks ago. I added a patch: the precomputed data needs to be recomputed every 2^26 nonces. I'll look over the text and pseudocode though, thanks for the tip.
  • amluto (Member, Posts: 5)
    Why 2^26?

    One approach to mining that will always work is to start from scratch on each try. This requires relatively little memory (a few hundred KB, IIRC from the description).

    Presumably the idea is that computing the whole DAG ( is intended to be much faster than that for mining to give computers an advantage over ASICs. That means that you compute 2^24 nodes and then, using those nodes, you can try to mine a block 2^26 times. Those 2^26 tries will correspond to either 16 or 32 (depending on which part of the spec is correct) reads from each node, on average. ISTM this is just asking for ASIC miners to skip storing the last few levels entirely.

    I still don't see the advantage to allowing more than one try per DAG computation.

    FWIW, there are some early PHC (password hashing competition) candidates that can fill ~50GB/sec on modern boxes, giving better ASIC resistance for rapidly-computable functions.