Let’s talk about ASIC mining

[Here are most of my current thoughts about mining in one giant brain-dump, as prompted by dbfusion’s post.]


Dear dbfusion:

Thank you for the civil but heartfelt message.

I know that a lot of Zcashers are feeling strong feelings about this—I think some people feel betrayed, disheartened, etc. I really do not want the people of our community to feel like that.

However, I am not yet convinced that declaring that we’ll change the PoW to fight ASICs is the right thing to do. I really appreciate that the Monero devs+community have done it, because it gives us a chance to learn from their experience about how it works.

But I’m not yet convinced that it would best serve our mission of empowering everyone with economic freedom and opportunity. I’m not sure yet, but I suspect that it could lead to unintended consequences of making the network more vulnerable to attacks or failures, and I suspect that it could hinder the development and deployment of more important things such as our current priority: “Shielded Addresses For Everyone!”, and worst of all I suspect that it could lead to worse centralization of the critical question of “Who gets all the new coins?”.

That is: people on this thread (which I’ve read only a small part of) mostly seem to agree with each other that changing the PoW would preserve or increase the value of Zcash mining to micro-miners like you, but I’m not sure of that. What if changing the PoW would fail to prevent or would even accelerate the process of giant, professional mining operations scaling up, increasing the difficulty, and squeezing out micro-miners?


This guy Derek Hsue recently wrote an article about Zcash Governance. I don’t agree with everything in it but it was well-written and thought-provoking. One thing he said was that the difference between Monero’s governance and Zcash’s is that Monero’s culture is community-oriented and ideological, in contrast to Zcash’s being corporate and scientific. I don’t entirely agree. I think he wasn’t really exposed to the Zcash community much when he wrote that, and he didn’t realize how large, active, ideologically committed, and independent the Zcash community actually is.

But the bit about ideology versus science really stuck with me, because it kind of “hit home” about my own personality. I’m definitely, at heart, a scientist, engineer, and hacker, not a CEO, community leader, or politician. (I’m trying to learn the latter skills as fast as possible in the service of this mission. :-))

To me, this question of changing the PoW algorithm is a science question.

There is an objectively right answer—or at least an objectively better answer—but we just don’t know what it is. Maybe—hopefully—we’ll be able to learn what it is by experiment, observation (including observation of other coins like Bitcoin, Ethereum, Monero, and Siacoin), and analysis.

But to me, it is never the right thing to enact a policy based on good intentions, sentiment, or ideology unless you can determine that the consequences would be good. I feel like what the Monero devs+community are doing is that: going with good intentions, sentiment, and ideology. I’m glad they do things their way, because then that means we can do things a different way and collectively humanity will explore more alternatives.

Now about the scientific/technical/strategic details:

A very important point that a lot of people overlook is that mining decentralization is a critical safety factor for protecting users from censorship when the transactions are in cleartext (a la Bitcoin and Ethereum) or when they are protected by fragile cryptographic mechanisms (a la Monero). But, if the transactions are protected by strong cryptography (a la Zcash), then that protects the users from being censored or surveilled by the miners, and mining decentralization is no longer necessary to prevent censorship/surveillance. It is still important for two other reasons: double-spend-attacks coordinated between the spender and the miners, and most importantly of all “Who gets all the new coins?”. But it is important to realize that we can protect users against censorship and surveillance much more effectively by deploying Shielded Addresses For Everyone than by having a decentralized set of miners. Out of the other two considerations, I don’t consider “miners-collude-in-a-double-spend-attack” to be a plausible threat at this time, but it could become so in the future, and ASIC-mining is a better defense against this attack than commodity-mining. And I consider “Who gets all the free coins?” to be a major, critical issue, and to be the reason why this thread is so big and active.

Let me just re-iterate that: there are three different potentially-important issues.

  1. Censorship and surveillance, which can be leveraged to exert control over the whole system. I think this issue is critically important. I think the best solution is strong cryptographic protections that make censorship and surveillance impossible, using math.

  2. Double-spend attacks/51% attacks in collusion with miners. I currently don’t consider this to be a significant threat for a high-value coin like Zcash, but it could become important in the future. (It has been used in practice against smaller coins in the past.) I think ASIC mining would help with this, by making it so that the miners have an unrecoverable investment. If an ASIC-miner colluded with a spender to double-spend-attack anyone, this would risk tanking the price of the coin, and their mining capital investment could lose value precipitously. This is why I say that ASIC miners have better incentive-alignment than commodity miners.

But, I don’t know if this “unrecoverable capital investment” incentive-alignment is the best possible defense against this attack. A better defense might be a simple social contract that “We all agree that if you waited for 10 block confirmations before treating the transaction as valid, and then there was an 11-block rollback that double-spent that transaction away from you, then we’ve got your back — we’re all going to stop the whole network, chainfork the blockchain and reject the new longer chain which double-spent the money away from you.”

I’m not sure that would work (but I’ve studied the various arguments that people make that this would be impossible or wrong and found them unconvincing). Also there might be other technological defenses against double-spend attacks that we could add in the future.

  3. “Who gets all the new coins?” I consider this to be very important currently. Zcash is the fourth most important cryptocurrency in the entire world in terms of how much money the new issuance is worth! (Go to https://onchainfx.com/v/UsZtA6 and sort by “New Issuance”.)

This means two things: 1. the incentive for a company like Bitmain to gain a substantial portion of this is high (about twice as high as the incentive to gain an equivalent portion of Monero mining, for example, but only about one sixth as much as the incentive to gain an equivalent portion of Ethereum mining). 2. the value we could generate by distributing these newly generated coins far and wide to a variety of people in small amounts is great!

I’m not at all satisfied by the prospect that specialized, scalable, vertically-integrated miners are going to gain a greater and greater proportion of this vast amount of money (even though I have always predicted that it was inevitable. I told Gavin Andresen and Greg Maxwell about 5 years ago that it was inevitable and they didn’t agree, and I was right. The fact that ZcashCo’s early announcements made people think that I was committed to preventing it indefinitely was a sad mistake on my part, because I never thought that it was possible or even necessarily desirable to prevent indefinitely). So I would very much like to figure out how to stave off that kind of centralization of the distribution of the mining rewards for as long as possible. I just don’t know if there is an effective, worthwhile way to do that.

One last note (and thank you if you read all the way down to here :relaxed:), I was recently reminded of the Myriad-Mining approach of having multiple PoW algorithms with separate and independent difficulty factors. (Thanks to the Singapore University of Social Sciences for inviting me to teach a course there in which this came up, and then thanks to new ZcashCo employee Charlie O’Keefe for bringing it up and pointing out some of its virtues.)

That approach might sort of offer, not the best of both worlds, but “half of the best of one world, plus half of the best of the other world”. This is great because a 51%-attacker has to get 10 blocks in a row, so if every block has a 50% chance of going to a PoW-alg-1 miner or to a PoW-alg-2 miner, then this is a substantial impediment to 51% attack. As far as the “who gets the coins?” issue, it would mean the miners of PoW-alg-1 collectively split half the coins, and the miners of PoW-alg-2 collectively split the other half. (Or actually they would each get 40%, currently, since 20% is going to the Founder’s Reward.)

In the past — including during the initial design of Zcash version 1 — I rejected the Myriad-Mining hack as being too complicated and not valuable enough, but after these recent developments and conversations, I’m thinking that the complication-vs-value ratio has changed. In particular, I realized that if you were going to change the PoW alg, and you wanted to do a gradual cut-over from PoW-alg-1 to PoW-alg-2 (instead of a “flag day” where at a certain blockheight PoW-alg-1 becomes invalid and PoW-alg-2 becomes required), then what you would have to do is to implement the Myriad-Mining approach and then add a forcing function that ramps up the difficulty on PoW-alg-1 over time. So, if you’re already going to swallow all of that complication, then maybe you could just stop before you implement the “ramp up the difficulty to force PoW-alg-1 out” part, and then you have Myriad-Mining.


Bottom-line: we probably don’t agree on all of the facts, even, much less on what are the best strategies, but we mostly agree on values. I won’t think any less of you if you switch to mining Monero, or Ethereum, or whatever (even though I value and appreciate you mining Zcash, and I want more of the Zcash Mining Reward to go to micro-miners like you). We’ll work this out together.

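As an added illustration of the two-algorithm scheme the post sketches (this is example code written for this page, not code from the post, from Zooko, or from Zcash itself), here is a small expected-value model in Python: two PoW algorithms with independent difficulties, a per-algorithm retarget that drives each algorithm toward a target block share, the 10-blocks-in-a-row attack arithmetic under the post's own framing, the 40/40/20 issuance split after the Founder's Reward, and the "forcing function" cut-over modelled as PoW-alg-1's target share declining linearly to zero so that the retarget raises its difficulty until it is squeezed out. The hashrates, the proportional retarget rule, and the linear phase-out schedule are all constructed assumptions for the model; real consensus code would differ in its retarget formula and in randomness, which this model replaces with expected values.

```python
"""Toy expected-value model of "Myriad-Mining": two PoW algorithms on one chain,
each with its own difficulty. Constructed for illustration; not Zcash consensus code."""

FOUNDERS_REWARD = 0.20  # share of new issuance going to the Founder's Reward (as stated in the post)


def block_shares(hashrates, difficulties):
    """Expected fraction of blocks each algorithm wins.

    With independent difficulties, algorithm i finds blocks at a rate proportional
    to hashrate_i / difficulty_i. This is an expected-value model: no randomness."""
    rates = [h / d for h, d in zip(hashrates, difficulties)]
    total = sum(rates)
    return [r / total for r in rates]


def target_shares(epoch, phase_out_start=None, phase_out_epochs=None):
    """Target block share for (PoW-alg-1, PoW-alg-2).

    Without a phase-out both targets are 0.5 (plain Myriad-Mining). With one,
    alg-1's target declines linearly from 0.5 to 0 over `phase_out_epochs`
    retarget periods beginning at `phase_out_start` (assumed schedule), and
    alg-2's target takes up the remainder."""
    if phase_out_start is None or epoch < phase_out_start:
        return [0.5, 0.5]
    progress = min(1.0, (epoch - phase_out_start + 1) / phase_out_epochs)
    t0 = 0.5 * (1.0 - progress)
    return [t0, 1.0 - t0]


def retarget(difficulties, shares, targets):
    """Per-algorithm proportional retarget (assumed rule): scale each difficulty by
    observed share / target share, so an algorithm winning too many blocks gets
    harder and one winning too few gets easier. A zero target means the algorithm
    is fully phased out, modelled as infinite difficulty."""
    new = []
    for d, s, t in zip(difficulties, shares, targets):
        if t <= 0.0:
            new.append(float("inf"))
        elif s <= 0.0:
            new.append(d)  # no observed blocks: leave difficulty unchanged
        else:
            new.append(d * s / t)
    return new


def simulate(hashrates, epochs, phase_out_start=None, phase_out_epochs=None):
    """Run `epochs` retarget periods from equal starting difficulties and return
    the history of expected block shares, one [alg1_share, alg2_share] per epoch."""
    difficulties = [1.0] * len(hashrates)
    history = []
    for epoch in range(epochs):
        shares = block_shares(hashrates, difficulties)
        history.append(shares)
        targets = target_shares(epoch, phase_out_start, phase_out_epochs)
        difficulties = retarget(difficulties, shares, targets)
    return history


def issuance_split(shares, founders_reward=FOUNDERS_REWARD):
    """Fraction of new coins each algorithm's miners collectively receive after the
    Founder's Reward: a 50/50 block split gives 40%/40% with 20% to the Founder's Reward."""
    miners = 1.0 - founders_reward
    return [miners * s for s in shares]


def attack_success_probability(attacker_fractions, block_weights=(0.5, 0.5), n=10):
    """Following the post's framing that a 51% attacker "has to get n blocks in a row":
    each block goes to algorithm i with probability block_weights[i], and the attacker
    wins it with probability attacker_fractions[i] (its hashrate share of that algorithm).
    Returns the probability of winning n consecutive blocks."""
    per_block = sum(w * a for w, a in zip(block_weights, attacker_fractions))
    return per_block ** n


if __name__ == "__main__":
    # Constructed hashrates: alg-1 miners have 3x the (difficulty-normalised) power of alg-2 miners.
    for epoch, shares in enumerate(simulate([3.0, 1.0], epochs=6, phase_out_start=2, phase_out_epochs=3)):
        print(f"epoch {epoch}: block shares {shares}, issuance {issuance_split(shares)}")
    print("51% of alg-1 only, two-alg chain:", attack_success_probability((0.51, 0.0)))
    print("51% of the single algorithm:     ", attack_success_probability((0.51,), block_weights=(1.0,)))
```

With a 3:1 hashrate imbalance the first retarget already brings the expected block split to 50/50, because each algorithm's difficulty is adjusted independently of the other's hashrate; once the phase-out begins, alg-1's share steps down 1/3, 1/6, 0 and alg-2 takes over. The attack arithmetic shows the post's point in numbers: an attacker holding 51% of one algorithm's hashrate wins only about a quarter of blocks on the two-algorithm chain, so ten in a row is far less likely than on a single-algorithm chain.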