|
| 1 | +# Why does Filecoin mining work best on AMD? |
| 2 | +Currently, Filecoin's Proof of Replication (PoRep) prefers to be run on AMD |
| 3 | +processors. More accurately, it runs much much slower on Intel CPUs (it runs |
| 4 | +competitively fast on some ARM processors, like the ones in newer Samsung |
| 5 | +phones, but they lack the RAM to seal the larger sector sizes). The main reason |
| 6 | +that we see this benefit on AMD processors is due to their implementation of |
| 7 | +the SHA hardware instructions. Now, why do we use the SHA instruction? |
| 8 | + |
| 9 | +## PoRep security assumptions |
| 10 | +Our research team has two different models for the security of Proofs of |
| 11 | +Replication. These are the Latency Assumption, and the Cost Assumption. These |
| 12 | +assumptions are arguments for why an attacker cannot pull off a 'regeneration |
| 13 | +attack'. That is, the attacker cannot seal and commit random data (generated by |
| 14 | +a function), delete it, and then reseal it on the fly to respond to PoSt |
| 15 | +challenges, without actually storing the data for that time period. |
| 16 | + |
| 17 | +### Cost Assumptions |
| 18 | +The cost assumption states that the real money cost (hardware, electricity, |
| 19 | +etc) of generating a sector is higher than the real money cost of simply |
| 20 | +storing it on disks. NSE is a new PoRep our research team is working on that is |
| 21 | +based on the cost assumption, and is thus able to be very parallelizable (In |
| 22 | +comparison to schemes based on a latency assumption, as will be explained |
| 23 | +next). However, cost assumptions vary greatly with available and hypothetical |
| 24 | +hardware. For example, someone making an ASIC for NSE could break the cost |
| 25 | +assumption by lowering the cost of sealing too much. This is one of our main |
| 26 | +hesitations around shipping NSE. |
| 27 | + |
| 28 | +### Latency Assumptions |
| 29 | +A Proof of Replication that is secure under a latency assumption is secure |
| 30 | +because an attacker cannot regenerate the data in time. We use this assumption |
| 31 | +for SDR, where we assume that an attacker cannot regenerate enough of a sector |
| 32 | +fast enough to respond to a PoSt. The way we achieve this is through the use |
| 33 | +of depth-robust graphs. Without going into too much detail, depth-robust |
| 34 | +graphs guarantee a minimum number of serial operations to compute an encoding |
| 35 | +based on the graph. Each edge in the graph represents an operation we need to |
| 36 | +perform. We thus have a guarantee that someone has to perform some operation |
| 37 | +N times in a row in order to compute the encoding. That means that the |
| 38 | +computation of the encoding must take at least as long as N times the fastest |
| 39 | +someone can do that operation. |
| 40 | + |
| 41 | +Now, to make this secure, we need to choose an operation that can't be made |
| 42 | +much faster. There are many potential candidates here, depending on what |
| 43 | +hardware you want to require. We opted not to require ASICs in order to mine |
| 44 | +Filecoin, so that limits our choices severely. We have to look at what |
| 45 | +operations CPUs are really good at. One candidate was AES encryption, which |
| 46 | +also has hardware instructions. However, the difference between the performance |
| 47 | +of CPU AES instructions, and the hypothetical 'best' performance you get was |
| 48 | +still too great. This gap is generally called 'Amax', an attacker’s maximum |
| 49 | +advantage. The higher the Amax of an algorithm we choose, the more expensive |
| 50 | +the overall process has to become in order to bound how fast the attacker could |
| 51 | +do it. |
| 52 | +As we were doing our research, we noticed that AMD shipped their new processors |
| 53 | +with a builtin SHA function, and we looked into how fast someone could possibly |
| 54 | +compute a SHA hash. We found that AMD’s implementation is only around 3 times |
| 55 | +slower than anyone could reasonably do (given estimates by the hardware |
| 56 | +engineers at [Supranational](https://www.supranational.net/) ). This is |
| 57 | +incredibly impressive for something you can get in consumer hardware. With |
| 58 | +this, we were able to make SDR sealing reasonably performant for people with |
| 59 | +off-the-shelf hardware. |
| 60 | + |
| 61 | +## Super Optimized CPUs |
| 62 | + |
| 63 | +Given all of the above, with a latency assumption that we're basing our proofs |
| 64 | +on right now, you need a processor that can do iterated SHA hashes really fast. |
| 65 | +As mentioned earlier, this isn’t just AMD processors, but many ARM processors |
| 66 | +also have support for this. Hopefully, new Intel processors also follow suit. |
| 67 | +But for now, Filecoin works best on AMD processors. |
| 68 | + |
| 69 | + |
| 70 | + |
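Review bot: The security argument leans on three acronyms that are never expanded or linked: PoSt (file line 14), NSE (line 20) and SDR (line 31). Only PoRep is spelled out, at line 2, so please expand each of the others at first use. In the Latency Assumptions section, line 52 ("As we were doing our research, ...") follows line 51 with no blank line, so Markdown will merge it into the Amax paragraph; add a blank line between them. That section also defines Amax at line 48 as the gap between CPU performance and the hypothetical best, but the AMD figure at line 54 ("only around 3 times slower") is not tied back to it. If that ratio is the Amax assumed for SHA, say so explicitly. The opening claim that PoRep "runs much much slower on Intel CPUs" (line 3) would also be stronger with a number or a pointer to a benchmark.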