v. 1.1
Herein the new POW algorithm proposal for Karbo is explained.
One of the cornerstones of CryptoNote protocol, and Karbo as well, was "egalitarian proof of work" that was broken by the invention of ASICs for CryptoNight POW algorithm, which is default for the CryptoNote. The Karbo cryptocurrency sill uses CryptoNight in spite ASICs were developed for it and the majority of CryptoNote based coins that were using it migrated to its variants with modifications of different magnitudes under the leadership of Monero (and mostly Monero CryptoNight variants were used).
The reason for this was to retain as much decentralization of mining as possible, because it is commonly believed that accumulating of the majority of the hashrate under the control of few ASIC manufacturers is not safe for coins.
Another reason for the change of the algorithm to the unique one for smaller coins was to escape the possibility of renting the hashrate on rental services of which the most known is Nicehash.
Sharing the algorithm with large coin is dangerous for the smaller one as there is high risk of 51%-attacks using rented hashrate or the risk of incursions of profit switching miners which causes difficulty and block times fluctuations.
At Karbo we came to the conclusion that small tweaks of the hashing algorithm are not sufficient, which was confirmed by the series of hardforks of Monero to escape ASICs and newly developed FPGAs for their variant. We think that as soon as it becomes economically profitable, ASICs are developed for any algorithm. There are but few algorithms that are considered ASIC-resistant.
Therefore we were lingering with such change, and have not switched to any CryptoNight variant developed by Monero or other CryptoNote coins until we develop more sophisticated algorithm of our own that will be not only ASIC resistant but also preferably will favor solo only mining, which is truly decentralized, without pools and will be also botnet-resistant.
The goals of new algorithm are:
- stimulate full nodes
- stimulate solo mining and thus decentralization of mining
- discourage pooled mining
- prevent ASIC/FPGA and preferably GPU mining if possible
- prevent botnets
- use own unique algorithm to increase the security against hashrate attacks
- disable merged mining
In order to achieve our goals we decided to use blockchain data in hashing to create non-outsourceable algorithm.
Now hashing is a closed algorithm, that is, we have nonce
which is changed and an incoming static data. The idea is to include in the calculation of the final hash a factor which destroys such a closed system.
Specific implementation is to include in algorithm the data from a blocks, the heights of which are defined as an intermediate result of a preparatory hash. That is, for the next hash with another nonce
these intermediate blocks will be completely different. Thus, without an access to the blockchain hashing is not possible.
The hashing in proposed algorithm works as follows:
- A
block
is hashed by fast Keccak hashing function to get the preliminaryhash_1
. - The resulting
hash_1
is used to retrieve 32 blocks at corresponding heights from the blockchain. - A
block
is then hashed together with 32 retrieved blocks by the Argon2 hashing algorithm usinghash_1
as salt.
The block
here stands for block hashing blob binary array which consists of block header, which in turn contains, among others, so called nonce
.
The mining process in Proof-of-Work uses nonce
(a 32 bit arbitrary random number) that is used together with the block data as input for hashing function. Essentially miner is brute forcing all possible nonces
in order to find a hash than satisfies the target difficulty.
Because changing the nonce
also changes the preparatory hash_1
, a different set of 32 blocks is required for every nonce
to be retrieved from the blockchain. Thanks to this:
- the performance is limited to the speed of I/O operations
- every miner needs an access to the blockchain (i.e. only full nodes will be mining)
- sending from the pool server or requesting block data from open nodes is impractical overhead due to network latency and transfer speed/bandwidth limitations.
As a result, we believe that pooled/hosted mining is more problematic with this method, that it provides the botnet resistance and that it disables merged mining.
We do not specially target CPU-only mining and do intend to prevent GPUs entirely, although with Argon2 we achieve some limiting of GPU's prevalence over CPU.
We assume that I/O limitations will constrain the speed of ASIC and FPGA miners, should such be developed.
There is no SPV nodes for CryptoNote protocol so the full blockchain access requirement for the block verification is not considered as downside.
These benefits come at cost of synchronization speed - the node has to be synchronized block by block in ascending order as previous blocks are required to verify each new block but this is current mode of Karbo synchronization.
There is a concern of 'lightweight' miner possibility that is parsing and storing only block headers required for mining in needed format. However, the advantage of such miner is questionable.