The one problem with this approach is that it gives one guy with a big GPU (or even an ASIC) a huge advantage over "casual" users (e.g. mobile web). You could perhaps make the gap smaller by using one of the "ASIC-resistant" mining algorithms?

By the way, for making more efficient mining algorithms, it would be nicer if the nonce is on the end of the message, aligned to a sha256 block. As is, it encourages someone to set the real nonce to a fixed value, and append their own garbage (for the text message version at least, I suppose for the other formats it doesn't matter).

Edit: it would appear that your current mining algorithm is pretty inefficient. I seemingly managed to out-hash everyone with just 32 leading zeroes, taking a few Python-CPU-minutes to find. To cement my place further, I spent a few GPU-minutes to find 40 leading zeroes.

The current "best hash in grid" has 28 leading zeroes. If we pessimistically take that as the average, and there are 2^10 pixels, it would take 2^38 work to flood the whole grid right now. If I spent my GPU-minutes on grid pixels rather than the text, I could have flooded the grid 4 times over.

Agreed. I have another suggestion, which would require continuous investment of compute and (hopefully) not make things too much more complex:

Every N seconds, publish a "generation" string, randomly generated. This string must be prefixed to the nonce of the winner of the contest for [marquee, color, grid square].

When performing the "winner test" for new submissions, before the comparison to find out which is less, both the challenger and incumbent hashes are subject to the operation H << M where H is the hash and M is the age of their generation string (current = 0, previous = 1, second-previous = 2, etc.). This means incumbents weaken over time unless the incumbent's submitter continues to defend them by brute-forcing with newer published generation strings.

Since the hash (SHA256) is 256 bits, you'd need to keep 256 previous generation strings, and this could get a bit expensive for testing new submissions. But computers are pretty fast nowadays!

You can do it statelessly by just adding a timestamp, i.e. msg||timestamp||nonce

Clients can reject timestamps from the future outright, and for the rest, apply a decay function based on age, prior to comparison.

True, it’s nicely stateless, but it does allow precomputation. E.g. you could spend a few weeks doing PoW for a future date and submit when you reach it. Whether that’s a problem is a matter of taste!

Sorry Retr0id I took your spot ;) It's a fun little game, turbidimeter! Request: it would be nice if the page showed the history for the best winning texts and their hashes. I don't know what the hash or string was before Retr0id overwrote it with his winning entry. For the curious:

0000000000f2b100124723856e7b19f92db367453f8939b3b3aace655a81d488 was the hash of the winning text "Retr0id was here" as of ~30 minutes ago

0000000000d98482cd72551c39c0233243a4878672039348417aaf69143d8d65 is now mine for "m at zorinaq dot com wins" this took about 2**40 SHA256 operations to find.

I used to have a GPU farm for Bitcoin mining back in the day... which would have been perfect compute hardware for this game, but I am ashamed to admit I do not have any GPUs anymore. So I had to fall back to writing a quick multithreaded Python script and ran it on 3 machines (22 CPU cores total) while I was having dinner.

I'm back :P

Nice ;)

00000000001a22ae7ad6ee672633fa5504e8f7be8d0252ba5a5906e20408ccec "retr0id was here"

Yeah I am not going to attempt to beat that without a GPU! Man, I miss my time doing GPU coding, writing miners, etc

Oh, a new contender who computed 2**47 SHA256() !

000000000001e4b232d7ee4094a617f4823ecbebb05930244352955f4c999660 "IAMSENTIENTPLEASEHELP"

Nice, my personal record sha256 computation is only ~2^48, so I'm probably not going to beat this.

Ok this was teasing me too much - I had to go ahead, find an RTX 4090, and whip out some quick code. 48 leading zero bits:

000000000000ff6b402cb2c12d4d5ec33b2d0d3ad8982835ede2dfeb669fc705 "Bonjour from mrb"

CUDA is nice. I had only developped for AMD previously. For the record the nonce+data that hashes to the above SHA256 is "000000000000000000003c81587599edBonjour from mrb"

Apparently I was even more obsessed. Wanna "trade" solutions?

Sure, shoot me an email - let's chat gpu tech! m at zorinaq.com

Monero imo has the best solution for that. Their hashing algorithm RandomX requires a ton of memory access which significantly hampers the possibility of using GPUs or ASICs for mining, favoring CPUs accessible to the common person.

It doesn't help to use a fixed nonce and append garbage. The data never exceeds 512 bits (SHA256 block size), because the text has a max length.

Something like that or quadratic voting scheme and incentivize curators.

Make each pixel a millennium prize solution.

If you guys like solving brute forcing games, you can solve this series of puzzles to win prizes totaling about 970 BTC (45 million USD): https://bitcointalk.org/index.php?topic=5218972.0

For example the next unsolved puzzle in the series is #66 which is a Bitcoin private key with 66 unknown random bits. If you crack it you win 6.6 BTC (300 000 USD). It goes all the way to #160 which has a 16.0 BTC prize.

Puzzle numbers multiple of 5 (#65 #70 #75 etc) have had their public key published in a transaction on the blockchain, so it's possible to take some shortcuts such as the Pollard's kangaroo ECDLP solver. The next unsolved "multiple of 5" is #130 with a 13.0 BTC prize (600 000 USD). You need approximately 2^65 operations to solve it.

The most recent win was puzzle #125 solved on 2023-07-09 by an anonymous person who collected the 12.5 BTC. One can see their tx here: https://www.blockchain.com/explorer/addresses/btc/1PXAyUB8Zo... They probably used 200-300 GPUs for about 2-4 months to crack it, based on the known performance of existing ECDLP solvers such as https://github.com/JeanLucPons/Kangaroo

does anyone know about how much money was spent on compute to solve puzzle #125? I am curious if they made a profit.

Oh, yes they did. 200-300 GPUs for about 2-4 months at an average $0.10/kWh has a TCO of $100k-200k. 12.5 BTC was worth $375k back when it was solved. So definitely profitable—they would have made around $175k-275k, and end up with essentially free GPUs at the end.

Puzzle #130 requires about 5.7 times more work (2**2.5) than #125, but BTC has doubled since they solved #125. They have the GPUs already, so opex (electricity, etc) will be their main expense. And even at $0.10/kWh which is pretty average they will also turn a profit solving #130. I estimate anywhere from $30k to $150k in electricity, for a prize of $600k.

Terrible for the environment.

Disagree. These puzzles directly benefit scientific research as the output is more efficient open source brute forcing tools (such as this ECDLP solver: https://github.com/JeanLucPons/Kangaroo) which the cryptographic community benefit from.

Using energy is not "terrible for the environment". if it was, stop using your computer, Xbox, and phone.

Dictating proper usage of energy is no better than dictating "proper" speech.

Oh, and while I support not completely burning our planet, the idea of "going green" is basically as extreme as BTC Maxis saying the USD is going to end tomorrow.

But for me in the end, I still value my rights and freedoms over the planet.

And... that idea apparently pisses a lot of people off.

That is some mental gymnastics. I turned my air conditioner on today while making a coffee. That is one thing. Rich people puzzle games burning $200k of electricity which is probably like 100 suburban mcmansions use in a year is a another.

Globally, unnecessary air conditioning use is wasting orders of magnitude more electricity than a few people solving these puzzles.

I know there are problems, but PoW seems like such a good baseline for discoverability on socially enabled sites

Cloudflare now uses PoW (among other things) for their captchas[0]

[0] https://blog.cloudflare.com/turnstile-ga

hell yeah

No! Absolutely not!

Proof of work is a form of money[0], with extraordinarily unequal distribution[1] in people willing to front the cost of spinning custom single-purpose mining silicon. A social media site that uses proof of work is equivalent to a social media site that is explicitly pay-to-play, where ordinary users will be censored for being too hashcash-poor to participate.

[0] That's why Bitcoin uses it

[1] That's the opposite of why Bitcoin uses it

I mean you'd expect that the amount of work you'd have to put in to rank would stay quite low.

You can also combine it w/ traditional social graph techniques to further prevent the work threshold from going past what you can do on a typical mobile phone.

At the very least it seems like it would work to bootstrap discoverabilty before social graphs really start to develop w/ more usership.

The problem is the inequality of specialization. The whole point of proof-of-work is to add costs that are trivial for even the poorest user but add up quickly for someone who wants to sockpuppet, ballot stuff, or otherwise spam the system. This only holds if all users pay relatively the same amount of money for access to compute power. If you can specialize - that is, invest capital into making a more efficient computer that only does proof-of-work, but does it for cheaper - than the system breaks down. Spammers pay less than users.

Yes, there are "ASIC-resistant" proof-of-work systems in the cryptocurrency space. People specialize on them anyway - there's ASIC mining rigs for Monero, for example. Yes, you can fix that with a hard fork, but hard forks take time in decentralized systems, and designing new hash functions also takes time. ASICs aren't even the only way people specialize their mining rigs, just the most blatant, obvious, and most importantly, capital intensive.

"If you can specialize [...] then the system breaks down. Spammers pay less than users."

That's not at all what happened in practice. You see, in the Bitcoin industry, those who specialize, those who design and manufacture ASICs, realized that selling them on the open market is equally profitable as mining with them. As a result, even the small miners, the common guys, have access to the same hardware as the large scale miners. That's why today anybody can get, say, an Antminer S19. So spammers do NOT "pay less than users". We all pay the same amount of money for the same compute power. In fact, the cost curve of mining somewhat advantages small miners. The guy with a single Antminer S19 in his garage may not need to have dedicated cooling because cracking open a window may be sufficient. Whereas the large-scale miners definitely have to incur significant cooling costs. However they can cancel out these scale issues by, notably, choosing to set up their mining farm where electricity is cheap.

If you're even considering buying dedicated mining hardware, you're already way more specialized than the average user of Bitcoin. Diseconomies of scale at the high end don't stop Bitcoin mining from being an extremely unequal gated community relative to the average user with a smartphone in their pocket.

In fact, this is the main reason why the Bitcoin core development team has largely rejected proposals to, say, determine acceptable maximum block size[0] through miner consensus. How much data a miner can process is likely to be far higher than that of casual users, who aren't going to be mining and thus have no franchise.

As for the scale issues you mentioned, wouldn't dedicated cooling be more efficient per hash? That's the metric that matters for Proof of Work.

[0] Either the base block size or SegWit weight units, both of which are locked at 1kb/4kwu forever.

This is an interesting concept – Would you mind expanding on how you would see this working?

Well this site got me to write my first ever C program to generate low hashes, and by the time I get it working, I go back to the site to learn that the lowest hash now starts with 10 zeros. (!)

I don't think my lowly little Mac CPU will ever compete with that.

But hey. First C program.

If you repurpose your program for finding grid pixels, you can still beat just about everyone else ;)

There is less room for new users, then.

maybe every new user should be given a time based vote mechanism.

maybe every "wallet" should be given one vote.

Sounds like a UBI scheme in the making.

I did my own r/place too, but with React and Express, here is a demo: https://cubes.fly.dev/

Of course is opensource: https://github.com/skorotkiewicz/Cubes

It's a websocket, but easily its possible to make this with p2p.

Similar idea with boring tech ;)

https://thelist.best/

How do different peers discover each other? And is all the data lost once no one is visiting the site?

Oh my god, I had this same idea (but never made it! probably wouldn't know how to implement proof of work).

I thought this was pretty specific... trust the internet to show me I have never had an original thought.

Wow this really fun. Nice web client too. Makes me want to relearn CUDA...

I was just thinking, I wish that silly thing Reddit did was done again somewhere less popular but with a truly ridiculous waste of computation also.

How can I use this to spy/leak/share?

(not asking for any friend - but seriously, do these have exploitation vectors?)

Oh no, the French flag is growing :)

OOOh, climate destroying shitcoin-inspired /r/place ?

I'll just take https://paint.adminforge.de/?lang=en as FLOSS and not climate destroying thankyouverymuch.