Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Altcoin Discussion
Topic OP
Tenebrix scaling questions
by
BubbleBoy
on 27/09/2011, 14:16:25 UTC
Without reading the source, I have to ask how can Tenebrix scale. I've actually thought about memory bound hash-cash myself for a Bitcoin-like system, and I dropped scrypt as unworkable.

In the field of memory hard pricing functions with which scrypt is related, there is the notion of a difference parameter or work ratio: the ratio between evaluating F() and F()^-1, how hard it is to do the proof of work versus the cost of evaluating the proof. For example for hash cash the ratio is exceptionally good: it takes a single hash to check for a huge amount of work, up to 2^128 work for a perfect 256 bit hash. Published memory bound functions achieve a quadratic factor for K in the 10-11 range so it takes one operation to evaluate 2^10 operations worth of work (ABADI et all). This feature is desirable because supposing there's a mail server that checks for spam, you want to force the spammers to do allot of work, and make the mail server do as little work as possible on checking proof of work stamps. Proof-of-work tokens should be easy to check, and hard to mint.

Back to scrypt, this memory hard function is not designed as an e-cash primitive,  but as a password derivation function: you set your password, the server does 1 second worth of work, and saves the hashed form. Each time you login the server does the same work for 1 second and checks the resulting hash against the database. Password derivation is designed to be irreversible, you can only compute F() at a high cost, and should have no chance at F()^-1 in a proper system. That is you have no way to extract the password from it's stored hash.

How does this affects Tenebrix ? Well, in order to use scrypt as a pricing function you can do it in two basic ways:
 - you make both the miners and those verifying their work compute a difficult variant of scrypt; each time a block is solved and advertised every node on the network must redo the work of the miner (in order to check it before broadcasting it as valid); this clearly does not scale, every node must have a processing power equal to the whole mining network
 - you make miners look for an iterated variant of hash-cash based on easy scrypt; it's easy to check a valid mined block however the easy scrypt primitive is no longer memory hard, and can probably be accelerated on a GPU. (I assume this is the solution chosen, since we are talking about hash rates in the K/sec/core)

So my first impression is that Tenebrix fails either at scaling or at being GPU-hostile, but maybe the designers can avert this impression by explaining how the security parameters were chosen so that the network can scale without failing pray to GPU optimized mining.