A brief history of the evolution of proof-of-work in cryptocurrencies. Part 2
I bring to your attention a translation of the article “ The Proof-of-the-Work in Cryptocurrencies: Brief History. Part 2 »Ray Patterson (Ray Patterson) from the site Bytecoin.org .
“A brief history of the evolution of proof-of-work in cryptocurrencies. Part 1 is here .
By the middle of the summer of 2013, more than a hundred altcoins had already been in service, and almost half had appeared in the last couple of months. Needless to say, almost all the “newbies” were litecoin forks and used scrypt? Another trend of the season was PPcoin's new-fashioned Proof-of-Stake, so the scrypt + PoS combination could be called the “standard beginner alcoiner set”.
')
Such a (quantitative) popularity of scrypt and the beginning of the exponential growth of the complexity of Bitcoin led to a simple thought: scrypt-ASIC'i will appear at the same moment, as soon as it becomes profitable. And although the giant November bubble - when Bitcoin reached $ 1,200 - was not even beginning to inflate, the search for a new PoW function began again.
How can I vary the standard hash function? For example… another standard hash function! Sifcoin was the first to propose the idea of consistently hashing with several popular functions, which were played by the finalists of the SHA3 contest: Blake, BMW, Groestl, JH, Keccak, Skein. The idea is quite simple: six fundamentally different algorithms are six different ASIC chips, that is (at first glance) a lot and expensive. In addition, if for some algorithm they find a back door (they do not necessarily break completely, but learn how to solve the problem “many zeros at the beginning” faster), then the whole scheme will still more or less stick.
The pioneers do not always get all the laurels: as a result, this six-hash algorithm gained popularity (and name) in the first Sifcoin fork, the Quark currency. Conclusion: do not give your products the prefix "CIF". Over time, Quarke had a dozen or two altcoins budding, one of which greatly surpassed the “father” in popularity: this is Darkcoin (now called DASH ). The new PoW in it was called X11 and differed, as you might guess, by the number of hash functions used. In principle, he did not give anything new (except the order of the rounds), and therefore the prevalence of X11 (approximately second place after scrypt) should be attributed rather to the success of DarkCoin itself, in which there were many other changes (in something sensible, in something Not really).
X11 appeared at the beginning of 2014 and at first worked exclusively on the CPU, which made everyone very happy. But in April, the complexity of DarkCoin jumped twice, which caused reasonable gazes in the appearance of the GPU-miner. Since no one confessed, a competition was announced for the open implementation of such software, money was raised - and within a month the hash rate had already increased by an order of magnitude on the new GPU miner. It turned out to be about 5 times more efficient than the CPU (scrypt - 10).
There are many variations on the X11 and Quark theme today; some even have their own unique and unique names: X14, X15 ... At the same time, everyone, in general, understands that the algorithm is not at all ASIC-resistant in the full sense of the word. To count 11 different hashes instead of one is, roughly speaking, to make a pipeline 11 times longer. In other words, the cost threshold for the development of a piece of iron all just moved back several times.
Thanks to various marketing techniques, individual SHA-3 finalists became popular in solo form. For example, Keccak itself, aka SHA-3 in person. Well, here everything is clear: “as SHA-2, only better!”. That is, there was no particular idea of opposing the ASICs, except that it takes at least a year to develop and start production. But on the other hand: we have a real fresh modern standard! Also, there was even a special coin Skeincon, which used, as you can see, the Skein algorithm (probably, fans of Bruce Schneier).
Evolution made a revolution, and the thoughts of cryptocurrency players again returned to the memory-bound algorithms. Take, for example, scrypt: a good algorithm, just picked up the bad parameters!
Most likely, some work of thought was nevertheless carried out, since cryptocurrency with just different, static parameters scrypt did not appear. But the idea with a dynamic memory capacity was already implemented in two versions at once:
Another, fundamentally different memory-bound PoW function was Momentum , implemented in BitShares. It is very simple:
As you can see, the main work falls on the collision search of the two hashes in step 2. It will be different, it’s necessary to find not 256 matching bits, but less, but this is also a difficult task. Say, if you need to find a match of the first 64 bits, it will require 2 ^ 64 hashing operations ... Or not?
A superhero comes to help us: the paradox of birthdays . Its essence is that the probability of finding a collision among a certain set quadratically increases with the number of elements (because the number of unique pairs among the set also grows). In practice, this gives us the following estimate: in order to find ANY 64-bit collision with a probability of 50%, you need to generate about 2 ^ 32 hashes (4 billion instead of 18 quintillion - such is the savings).
Why does this not work with “ordinary” PoW, because there, too, in fact, there is a search for collisions? The key word here is “any” collision. In Bitcoin, you need to find a match with a specific pattern: N is zero at the beginning, and in Momentum there must be N any first bits.
There is an obvious compromise “time” - “memory”. According to the creator, the algorithm should use about 2 GB of memory per stream, i.e. a regular computer can even perform several parallel searches. At the same time, the ASICs, the power of which is by no means remembered, can only look and envy (well, or be squared faster).
This approach has one drawback. All previous proof-of-work algorithms worked "instantly"; in the sense that they essentially implemented brute force, and each attempt took a fixed time and they all had the same schnass for success. Each tested hash is like a die roll with 2ˆ256 edges, and at any time you could “take another die” (start work on another block) and the odds would not change. What does this mean for a miner? This means that if he receives a new transaction, which he wants to include in the block, he will have to update the hashed structure (“take another cube”). It takes a fraction of a second, so it can be said that the losses are negligible. In the case of Momentum, things are not so simple. The next iteration of hashing and adding a new hash to the global 2GB table is more likely to succeed than the previous one! It is clear that then updating the block header and starting the construction of the table from scratch is highly unprofitable. If with each roll of the dice the chances of finding a solution all increase, then it’s more profitable NOT to take a new dice. That is, in the end, it is unprofitable for Miner Momentum to accept new transactions and “reset” its progress: and as a result, those transactions that were sent before the start of work with this block will fall into the block. For Bitokin, this would mean that the average transaction confirmation time would increase from 10 minutes to 20.
The one and only PoW function, which appeared in the summer of 2013, stands apart. Before turning to it, let's realize one problem in general with proof-of-work. At once I will make a reservation that this may well not seem to be a problem to someone (and even vice versa), i.e. it’s about what many people consider a problem.
All this work is useless! Nowhere, except inside the cryptocurrency, no one needs these hashes. You can, of course, print out and hang on the wall the smallest of the hashes found , but there is no practical use for them. We will not now go into the philosophical arguments about whether this work should be useful at all or not, but simply note the fact that to invent a PoW function that would be beneficial is a non-trivial task.
However, such was found. The developer of SunnyKing (he also invented [or, at least, the first to implement] the Proof-of-stake scheme) presented the following scheme to the public: the proof of the work done is the found chain of prime numbers satisfying some properties. More precisely, it must be a Cunningham sequence of the first or second kind, or a combination of them (so-called bi-twin primes ).
First about why this is useful. These prime numbers, of course, are not small (otherwise it would be quite easy to look for them): on the order of hundreds of digits in the decimal notation. However, this is still not enough for RSA encryption, but random numbers should be used there. Cunningham's chains are a rather curious mathematical structure, which (in theory) can lift the next curtain in number theory. In the end, until the advent of public-key cryptography, this whole area was considered only a “beautiful, useless science”, so any efforts, even if such an “olympiad” character, are considered useful.
Now, about how exactly you can associate primes with cryptocurrency blocks. Suppose our chain starts with a certain number P. The hash of the block header (in which the nonce field is iterated) is interpreted as an integer. And this number should be a divider P-1 or P + 1. The complexity of the network is the length of the required chain of primes (it ranges from 7 to 11). Here, in general, and the whole idea. Thus, it is impossible (that is, very difficult) to use a randomly found chain (or someone else’s, from another block) to prove the work on its title.
There are two drawbacks: first, we don’t know if there is a simpler way to solve the Primecoin problem (this is what this cryptocurrency is called). With hashes, everything is more or less clear: an attack to find the prototype of a cryptographic hash function is almost hopeless (at least, on this assumption all cryptographic pillars stand - and God forbid it will collapse!), Therefore, for the existing hash, the probability of choosing a block is zero. But to say the same thing about the Primecoin block (where all the P-1 or P + 1 multipliers are suitable for us) is already difficult.
Secondly, the complexity of mining. As already mentioned, it is proportional to the length of the chain. However, the length is an integer number and does not take into account the change in the fractional part. Thus, the change in complexity from 9.0 to 9.99 is completely imperceptible, but from 9.99 to 10 it will already have a dramatic effect on the total hash rate and the rate at which new blocks appear.
In addition, this function, obviously, uses only the CPU-power of the computer, no memory. For a long time, she didn’t have a GPU-miner, but when it appeared, it became clear that the Primecoin grail wasn’t any anti-ASIC. It is possible that this is why he remained in his niche with a couple of forks, and his PoW function did not become popular.
Finally, consider a completely different one branch of the phylogenetic tree PoW for cryptocurrency: CryptoNight and CuckooCycle , which began to develop in parallel with the rest immediately after the failure of scrypt, as a CPU-only algorithm.
CryptoNight is the name of the hash function in the CryptoNote code (don't get confused!), Which includes many other differences with Bitcoin (starting with the fact that it is not a fork at all - although now you will not surprise anyone). CryptoNote has no cryptocurrency per se, but there are several that are built on this technology: Bytecoin, Monero, DigitalNote, etc ... Each one has its own differences, but PoW has a common function.
CryptoNight uses the general idea of scrypt about "a large data table in which random queries are made." However, the creators noted the drawback associated with the linear compromise of "time" - "memory". In scrypt, the main (second) layer creates each new data block based on the previous one. Thus, if we store, for example, only every second block of N, then in 50% of cases we will have to recount it again. In total, there are also N such random references to the array, therefore, saving half the memory, we will calculate N + 1 / 2N = 150% of blocks, that is, only one and a half times more. Similarly, saving only every third block, we will not notice this in 33% of cases, in 33% - we will recalculate one extra block, in 33% - two extra blocks. That is all the work: N + 1 / 3N + 1/3 * 2N = 2N = 200%. Total, as it was calculated , saving only 1 / s of all data increases the total amount of work only (s-1) / 2 times (perhaps, by the way, this is exactly how scrypt-ASIC works).
In this regard, CryptoNight has three fundamental differences:
In addition, 64-bit operations (multiplication, addition) and AES encryption as a mixing function are used inside. This is a curtsey in the direction of modern processors with embedded instructions (and a stone in the garden of the GPU). The total memory required by CryptoNight is 2 MB, i.e. approximately the size of the L3 cache per core. Not to say that this is an unattainable height for ASIC, but still the cost price is quite high.
In general, CryptoNight can be described as a very efficient practical algorithm: there is a GPU miner for it, of course, but it only has a significant advantage over the old processors (32 bits or small cache). As far as can be judged, all its details are aimed precisely at the practical effectiveness of conventional computer (of which billions).
CuckooCycle is, one can say, the complete opposite. Firstly, it has a theoretical information base. Not in the sense that it was developed only in theory (at the moment there are no such cryptocurrencies), but in that its reliability is based on the complexity of solving the information-theoretic problem: the search for cycles in a bipartite graph. In principle, all modern public-key cryptography is designed the same way.
The main idea (if you don’t go into the graph theory itself) is the same as in Momentum - by using a certain amount of memory, we get the optimal algorithm for solving this problem. Computational operations are minimized, so most of the time it takes to access this memory. Moreover, verification of the solution, of course, is performed much faster.
The main question you can ask: is the described algorithm really optimal? Will there be some tricky CS article tomorrow with a different, more efficient solution that doesn't use a lot of memory? In principle, this is the main thing that distinguishes the CuckooCycle and CryptoNight.
“A brief history of the evolution of proof-of-work in cryptocurrencies. Part 1 is here .
Crossbreeding
By the middle of the summer of 2013, more than a hundred altcoins had already been in service, and almost half had appeared in the last couple of months. Needless to say, almost all the “newbies” were litecoin forks and used scrypt? Another trend of the season was PPcoin's new-fashioned Proof-of-Stake, so the scrypt + PoS combination could be called the “standard beginner alcoiner set”.
')
Such a (quantitative) popularity of scrypt and the beginning of the exponential growth of the complexity of Bitcoin led to a simple thought: scrypt-ASIC'i will appear at the same moment, as soon as it becomes profitable. And although the giant November bubble - when Bitcoin reached $ 1,200 - was not even beginning to inflate, the search for a new PoW function began again.
How can I vary the standard hash function? For example… another standard hash function! Sifcoin was the first to propose the idea of consistently hashing with several popular functions, which were played by the finalists of the SHA3 contest: Blake, BMW, Groestl, JH, Keccak, Skein. The idea is quite simple: six fundamentally different algorithms are six different ASIC chips, that is (at first glance) a lot and expensive. In addition, if for some algorithm they find a back door (they do not necessarily break completely, but learn how to solve the problem “many zeros at the beginning” faster), then the whole scheme will still more or less stick.
The pioneers do not always get all the laurels: as a result, this six-hash algorithm gained popularity (and name) in the first Sifcoin fork, the Quark currency. Conclusion: do not give your products the prefix "CIF". Over time, Quarke had a dozen or two altcoins budding, one of which greatly surpassed the “father” in popularity: this is Darkcoin (now called DASH ). The new PoW in it was called X11 and differed, as you might guess, by the number of hash functions used. In principle, he did not give anything new (except the order of the rounds), and therefore the prevalence of X11 (approximately second place after scrypt) should be attributed rather to the success of DarkCoin itself, in which there were many other changes (in something sensible, in something Not really).
X11 appeared at the beginning of 2014 and at first worked exclusively on the CPU, which made everyone very happy. But in April, the complexity of DarkCoin jumped twice, which caused reasonable gazes in the appearance of the GPU-miner. Since no one confessed, a competition was announced for the open implementation of such software, money was raised - and within a month the hash rate had already increased by an order of magnitude on the new GPU miner. It turned out to be about 5 times more efficient than the CPU (scrypt - 10).
There are many variations on the X11 and Quark theme today; some even have their own unique and unique names: X14, X15 ... At the same time, everyone, in general, understands that the algorithm is not at all ASIC-resistant in the full sense of the word. To count 11 different hashes instead of one is, roughly speaking, to make a pipeline 11 times longer. In other words, the cost threshold for the development of a piece of iron all just moved back several times.
Thanks to various marketing techniques, individual SHA-3 finalists became popular in solo form. For example, Keccak itself, aka SHA-3 in person. Well, here everything is clear: “as SHA-2, only better!”. That is, there was no particular idea of opposing the ASICs, except that it takes at least a year to develop and start production. But on the other hand: we have a real fresh modern standard! Also, there was even a special coin Skeincon, which used, as you can see, the Skein algorithm (probably, fans of Bruce Schneier).
Variety of species
Evolution made a revolution, and the thoughts of cryptocurrency players again returned to the memory-bound algorithms. Take, for example, scrypt: a good algorithm, just picked up the bad parameters!
Most likely, some work of thought was nevertheless carried out, since cryptocurrency with just different, static parameters scrypt did not appear. But the idea with a dynamic memory capacity was already implemented in two versions at once:
- Scrypt-n. Recall the three scrypt parameters that were selected in Tenebrix and other Litecoin: N = 1024, r = 1, p = 1. The latter is responsible for the possibility of parallelization; we do not need this. N and r increase the required amount of memory, and r also increases the number of calls to the Salsa20 mixing function, i.e. It has a higher coefficient “CPU / memory cost” than N. In this connection, it was decided to periodically increase N twice, forcing the algorithm to use just more memory. So, at launch, Vertcoin [9] requires 512Kb (N = 4096), in a year the appetites will increase to 1024Kb, etc. According to the creators, rewriting a GPU miner is nothing, but nobody will make a new ASIC every year.
- Scrypt-jane. The idea of increasing N is the same, but the process does not follow a specific schedule, but is governed by a pseudo-random formula, which is nonlinearly dependent on the current time. And although N increases monotonically (okay, okay, “does not decrease”), the periods between recalculations are rather a divergent series (6.3, 3.9, 3, 24, 12, 36 ...). In addition, scrypt-jane uses several mixing (Salsa20 / 8, ChaCha20 / 8 and Salsa6420 / 8) and hash functions (SHA2, BLAKE, Skein, Keccak) inside.
Another, fundamentally different memory-bound PoW function was Momentum , implemented in BitShares. It is very simple:
- Suppose we want to sign the data D. First we get H = Hash (D), where Hash () is some kind of cryptographic hash function
- Find the different values of A and B such that BirthdayHash (A + H) = BirthdayHash (B + H), where BirthdayHash () is a memory-bound function, like scrypt.
- Now, if Hash (H + A + B) <TargetDifficulty (read - it starts with n zeros), that's all, victory. Otherwise, return to step 2.
As you can see, the main work falls on the collision search of the two hashes in step 2. It will be different, it’s necessary to find not 256 matching bits, but less, but this is also a difficult task. Say, if you need to find a match of the first 64 bits, it will require 2 ^ 64 hashing operations ... Or not?
A superhero comes to help us: the paradox of birthdays . Its essence is that the probability of finding a collision among a certain set quadratically increases with the number of elements (because the number of unique pairs among the set also grows). In practice, this gives us the following estimate: in order to find ANY 64-bit collision with a probability of 50%, you need to generate about 2 ^ 32 hashes (4 billion instead of 18 quintillion - such is the savings).
Why does this not work with “ordinary” PoW, because there, too, in fact, there is a search for collisions? The key word here is “any” collision. In Bitcoin, you need to find a match with a specific pattern: N is zero at the beginning, and in Momentum there must be N any first bits.
There is an obvious compromise “time” - “memory”. According to the creator, the algorithm should use about 2 GB of memory per stream, i.e. a regular computer can even perform several parallel searches. At the same time, the ASICs, the power of which is by no means remembered, can only look and envy (well, or be squared faster).
This approach has one drawback. All previous proof-of-work algorithms worked "instantly"; in the sense that they essentially implemented brute force, and each attempt took a fixed time and they all had the same schnass for success. Each tested hash is like a die roll with 2ˆ256 edges, and at any time you could “take another die” (start work on another block) and the odds would not change. What does this mean for a miner? This means that if he receives a new transaction, which he wants to include in the block, he will have to update the hashed structure (“take another cube”). It takes a fraction of a second, so it can be said that the losses are negligible. In the case of Momentum, things are not so simple. The next iteration of hashing and adding a new hash to the global 2GB table is more likely to succeed than the previous one! It is clear that then updating the block header and starting the construction of the table from scratch is highly unprofitable. If with each roll of the dice the chances of finding a solution all increase, then it’s more profitable NOT to take a new dice. That is, in the end, it is unprofitable for Miner Momentum to accept new transactions and “reset” its progress: and as a result, those transactions that were sent before the start of work with this block will fall into the block. For Bitokin, this would mean that the average transaction confirmation time would increase from 10 minutes to 20.
Minerals
The one and only PoW function, which appeared in the summer of 2013, stands apart. Before turning to it, let's realize one problem in general with proof-of-work. At once I will make a reservation that this may well not seem to be a problem to someone (and even vice versa), i.e. it’s about what many people consider a problem.All this work is useless! Nowhere, except inside the cryptocurrency, no one needs these hashes. You can, of course, print out and hang on the wall the smallest of the hashes found , but there is no practical use for them. We will not now go into the philosophical arguments about whether this work should be useful at all or not, but simply note the fact that to invent a PoW function that would be beneficial is a non-trivial task.
However, such was found. The developer of SunnyKing (he also invented [or, at least, the first to implement] the Proof-of-stake scheme) presented the following scheme to the public: the proof of the work done is the found chain of prime numbers satisfying some properties. More precisely, it must be a Cunningham sequence of the first or second kind, or a combination of them (so-called bi-twin primes ).
First about why this is useful. These prime numbers, of course, are not small (otherwise it would be quite easy to look for them): on the order of hundreds of digits in the decimal notation. However, this is still not enough for RSA encryption, but random numbers should be used there. Cunningham's chains are a rather curious mathematical structure, which (in theory) can lift the next curtain in number theory. In the end, until the advent of public-key cryptography, this whole area was considered only a “beautiful, useless science”, so any efforts, even if such an “olympiad” character, are considered useful.
Now, about how exactly you can associate primes with cryptocurrency blocks. Suppose our chain starts with a certain number P. The hash of the block header (in which the nonce field is iterated) is interpreted as an integer. And this number should be a divider P-1 or P + 1. The complexity of the network is the length of the required chain of primes (it ranges from 7 to 11). Here, in general, and the whole idea. Thus, it is impossible (that is, very difficult) to use a randomly found chain (or someone else’s, from another block) to prove the work on its title.
There are two drawbacks: first, we don’t know if there is a simpler way to solve the Primecoin problem (this is what this cryptocurrency is called). With hashes, everything is more or less clear: an attack to find the prototype of a cryptographic hash function is almost hopeless (at least, on this assumption all cryptographic pillars stand - and God forbid it will collapse!), Therefore, for the existing hash, the probability of choosing a block is zero. But to say the same thing about the Primecoin block (where all the P-1 or P + 1 multipliers are suitable for us) is already difficult.
Secondly, the complexity of mining. As already mentioned, it is proportional to the length of the chain. However, the length is an integer number and does not take into account the change in the fractional part. Thus, the change in complexity from 9.0 to 9.99 is completely imperceptible, but from 9.99 to 10 it will already have a dramatic effect on the total hash rate and the rate at which new blocks appear.
In addition, this function, obviously, uses only the CPU-power of the computer, no memory. For a long time, she didn’t have a GPU-miner, but when it appeared, it became clear that the Primecoin grail wasn’t any anti-ASIC. It is possible that this is why he remained in his niche with a couple of forks, and his PoW function did not become popular.
PoWer Sapience
Finally, consider a completely different one branch of the phylogenetic tree PoW for cryptocurrency: CryptoNight and CuckooCycle , which began to develop in parallel with the rest immediately after the failure of scrypt, as a CPU-only algorithm.
CryptoNight is the name of the hash function in the CryptoNote code (don't get confused!), Which includes many other differences with Bitcoin (starting with the fact that it is not a fork at all - although now you will not surprise anyone). CryptoNote has no cryptocurrency per se, but there are several that are built on this technology: Bytecoin, Monero, DigitalNote, etc ... Each one has its own differences, but PoW has a common function.
CryptoNight uses the general idea of scrypt about "a large data table in which random queries are made." However, the creators noted the drawback associated with the linear compromise of "time" - "memory". In scrypt, the main (second) layer creates each new data block based on the previous one. Thus, if we store, for example, only every second block of N, then in 50% of cases we will have to recount it again. In total, there are also N such random references to the array, therefore, saving half the memory, we will calculate N + 1 / 2N = 150% of blocks, that is, only one and a half times more. Similarly, saving only every third block, we will not notice this in 33% of cases, in 33% - we will recalculate one extra block, in 33% - two extra blocks. That is all the work: N + 1 / 3N + 1/3 * 2N = 2N = 200%. Total, as it was calculated , saving only 1 / s of all data increases the total amount of work only (s-1) / 2 times (perhaps, by the way, this is exactly how scrypt-ASIC works).
In this regard, CryptoNight has three fundamental differences:
- The next block is calculated on the basis of ALL the previous ones. Thus, discarding, say, every second block will lead to the fact that in order to restore the pass, it will be necessary to count not one block, but all the previous ones.
- Appeals to the data array are not only reading, but also writing. So, it turns out, each element has a “second dimension” - time; and recounting becomes even more time consuming.
- Finally, the total number of calls to the array is much greater than the number of elements of the array itself (2 ^ 20 vs. 2 ^ 15), that is, the final array is transformed beyond recognition by the end of the cycle.
In addition, 64-bit operations (multiplication, addition) and AES encryption as a mixing function are used inside. This is a curtsey in the direction of modern processors with embedded instructions (and a stone in the garden of the GPU). The total memory required by CryptoNight is 2 MB, i.e. approximately the size of the L3 cache per core. Not to say that this is an unattainable height for ASIC, but still the cost price is quite high.
In general, CryptoNight can be described as a very efficient practical algorithm: there is a GPU miner for it, of course, but it only has a significant advantage over the old processors (32 bits or small cache). As far as can be judged, all its details are aimed precisely at the practical effectiveness of conventional computer (of which billions).
CuckooCycle is, one can say, the complete opposite. Firstly, it has a theoretical information base. Not in the sense that it was developed only in theory (at the moment there are no such cryptocurrencies), but in that its reliability is based on the complexity of solving the information-theoretic problem: the search for cycles in a bipartite graph. In principle, all modern public-key cryptography is designed the same way.
The main idea (if you don’t go into the graph theory itself) is the same as in Momentum - by using a certain amount of memory, we get the optimal algorithm for solving this problem. Computational operations are minimized, so most of the time it takes to access this memory. Moreover, verification of the solution, of course, is performed much faster.
The main question you can ask: is the described algorithm really optimal? Will there be some tricky CS article tomorrow with a different, more efficient solution that doesn't use a lot of memory? In principle, this is the main thing that distinguishes the CuckooCycle and CryptoNight.
Source: https://habr.com/ru/post/264067/
All Articles