Conversation
danieljperry
changed the title
|
This CHIP from Dr. Nick has been assigned CHIP-48 and is now a |
- Added farmer definition - Replaced older "Chain Link" terms with "Quality Link" - Clarified R pointer bit-drop attack
|
The term |
|
Regarding the naming of plot strength, while the term itself is probably fine, here are some of the suggestions, humorous and not, from discord:
|
|
This CHIP is now in |
|
Could you please include in the supporting documents for this CHIP a cost model for attacking PoS2 with AES ASICs? I understand the barrier imposed to GPU-based rental attacks, but that seems to incompletely capture the attack surface. Edit: To clarify my question, I don't think there is any threat there, but I think it's important to recognize the hypotheticals to rule them out. |
I'll pass this request on to Dr. Nick. |
CPU's with hardware support for AESENC are, as far as I understand, already AES ASIC's (hence the 10x speed-up over software implementation). If GPU's also had in-built AESENC hardware support this could speed up hash rate, and likely turn the gpu compute-bound hash into memory bound in the worst-case. I could add an attack estimation based on the AES hashing portion becoming memory bound on the GPU as an ASIC attack. Trying to guess what a potential ASIC fully built for plotting/attacking could be estimated by inputting expected hash rate and memory bandwidth for the ASIC, but I would not know what those performance differences vs a 5090 could be or the cost to build it per unit. |
A general purpose computing device is by definition not an ASIC. The Chia team commissioned a VDF ASIC. It seems like you should have the knowledge base in-house to at least get an estimate of performance and cost. From the research I've done, it looks like AES ASICs may be 50 to 100 times faster than even extension-enhanced CPUs. Edit: the optimization progression in all PoW chains was: CPU, GPU, FPGA, ASIC. The pattern has been repeated many times. |
Added detailed analysis on chaining hash rates and attacker incentives, including tables comparing performance metrics for different compute models and chain sizes.
Used better significant digits for ease of reading
|
@trgarrett I'm borrowing this from Sonnet 4.6 but I've reviewed it and it is correct: AES ASIC vs On-Chip AES: Feasibility of Material Speed ImprovementThis is a fun question that gets at some deep hardware realities. The short answer is: extremely difficult to improve meaningfully, and essentially impossible at the same voltage/process node. Why On-Chip AES Is Already Nearly OptimalModern x86 (AES-NI), ARM (AES extensions in ARMv8), and Apple Silicon all implement AES-128/256 in dedicated silicon. The key characteristics:
What an ASIC Could Theoretically Do
The Fundamental Bottleneck: The AES S-BoxThe irreducible core is the GF(2⁸) multiplicative inverse for SubBytes. In silicon, the best implementations use a tower field decomposition (GF(2⁴) over GF(2²) over GF(2)) which reduces the critical path to roughly:
At 3-5nm nodes, that's already sub-200ps. You're not going to get orders of magnitude out of this — maybe 20-30% with exotic cell libraries and aggressive Vt tuning, which is well within what CPU vendors already do on their AES units. Bottom LineFor AES specifically, the CPU vendors have essentially closed the gap. An AES ASIC at the same process node would offer:
The only realistic niche is in constrained IoT/embedded contexts where you want AES with minimal power and area, not speed — and even there, ARM's TrustZone Cortex-M cores with hardware AES are already extremely efficient. The economics are brutal: by the time you tape out an AES ASIC, Intel or Apple has shipped another generation that makes the delta irrelevant. |
6 participants
We propose a new Proof of Space protocol for the Chia blockchain that addresses weaknesses in energy efficiency, rental attack resistance, and plot format stability.