Equihash: An Overview & Guide of the Equihash Algorithm

Delton RhodesDecember 19, 2019

Equihash is a popular hashing algorithm used in various Proof of Work (PoW) blockchains, including Zcash and Komodo. At the time of writing, this hashing algorithm helps secure over $500 Million in assets among the top 10 Equihash-based coins by market capitalization.

In this article, we’ll look at why Equihash plays a vital role in the security of blockchain networks and examine its effectiveness at ASIC resistance. We’ll also explore various implementations and modifications of the original Equihash algorithm among prominent blockchain projects.

Equihash banner image

Why Is Equihash Important?

Understanding how Equihash has become a popular hashing algorithm requires an analysis of the issues that blockchain networks faced prior to its existence. The challenges mentioned below still exist for Equihash projects today. Nonetheless, the implementation of Equihash has helped mitigate the threats that continue to challenge other hashing algorithms.

Bitcoin (BTC) Network And Introduction of ASICs

When Bitcoin (BTC) launched in 2009, the first Bitcoin mining rigs used standard multi-core CPUs and produced BTC at a rate of 50 per block. CPUs were considered the best way to mine Bitcoin and various other Proof of Work (PoW) cryptocurrencies, most of which used the SHA-256 cryptographic hash function. 

In January 2013, this began to change when the first application-specific integrated circuit (ASIC) mining rigs hit the market. Because these machines were designed specifically for cryptocurrency mining, they were much faster than both CPUs and GPUs. They were also considerably more expensive, which meant that the Bitcoin network was gradually taken over by wealthier individuals and enterprise-level mining farms. This not only threatened the democratization of mining but also the control of the supply of BTC and other SHA-256 coins.

Centralization Scenarios

As Jimmy Song wrote in an April 2018 article, Bitcoin was (and still is) susceptible to two types of mining centralization: manufacturing centralization and hash power centralization.

Manufacturing centralization is prevalent, as Bitmain is the primary producer of ASIC mining rigs. Song points out that a forced reliance upon one company could lead to ripple effects on blockchain networks due to potential issues like backdoors, manufacturer defects, buying restrictions, and shipping delays, among other things.

Hash power centralization occurs when one company or group controls more than 50 percent of mining pools or mining rigs. It is possible that the centralization of hash power does not create network issues. However, as seen with numerous 51 percent attacks, serious problems can arise from the availability of powerful ASIC miners as well as coordinated attacks via hash power renting on cloud mining marketplaces.

Origins of Equihash

As the threat of mining centralization became more prevalent, cryptographers and developers started looking at possible alternatives to SHA-256 and other ASIC-friendly algorithms. Equihash is one of the hashing algorithms that blockchain networks began to adopt as a result of these efforts.

Equihash was first presented at the Network and Distributed System Security Symposium (NDSS) in February 2016. Prof. Alex Biryukov, head of the research group Cryptolux, and Dr. Dmitry Khovratovich, a researcher at Ethereum Foundation, released an academic paper titled, “Equihash: Asymmetric Proof-of-Work Based on the Generalized Birthday Problem” in 2017. In this paper, they proposed the Equihash algorithm as a solution for increasing ASIC resistance. 

Biryukov and Khovratovich developed Equihash to require a large amount of memory to generate a proof, a property referred to as ”memory-hardness”. The proofs can be verified nearly instantly. This scheme features tunable and steep time-space tradeoffs, which impose large computational penalties if less memory is used. 

Equihash works because it solves the Generalized Birthday Problem, which University of California Berkeley’s David Wagner examined in 2002. This had previously been a limiting factor for cryptographers working on the research and development of secure hashing algorithms. Most importantly, their solution was ready for practical deployment, and the academic paper they published even includes a reference implementation.

Prominent Projects That Use Equihash

Equihash was first implemented because of the desire to build ASIC-resistant blockchains. As shown in these examples, projects have responded differently to the continued rise of ASICs. Some of these projects’ teams are opposed to ASIC miners, others have decided to support ASIC miners, and others still remain neutral on the issue.

Zcash (ZEC)

Zcash launched on October 28, 2016, becoming the first blockchain project to implement Equihash. In May 2018, Bitmain announced the availability of the AntMiner Z9 mini, an Equihash-focused ASIC mining rig built primarily for Zcash. This new mining device brought all of the same concerns of centralization that Equihash sought to avoid.

Needless to say, the launch of this machine resulted in numerous discussions among the Zcash community about the future of ASIC resistance. Options included changing the protocol’s Equihash parameters, adopting a new type of PoW altogether, or even welcoming ASICs. Zooko Wilcox, the creator of Zcash, holds a neutral position on the issue of ASIC resistance. 

In the Q2 2018 Zcash Foundation Community Governance Panel Election, voters decided by a vote of 45 to 19 in favor of not making ASIC resistance a priority. According to a roundtable discussion in August 2019, Zcash creators and stewards Electronic Coin Company (ECC) said that the presence of a BCTV14 flaw meant developers had to choose between implementing Sapling (a protocol upgrade) or introducing new ASIC resistance measures. 

The team ultimately decided to go with the former option because working simultaneously on ASIC resistance would have required additional time and allocation of engineering resources. In summary, Zcash has yet to implement a solution to address newer, more powerful ASICs that have emerged in the past several years.

Hush Coin (HUSH)

Hush is a private cryptocurrency and instant messenger service built on zero-knowledge proof encryption. The Hush Coin project's primary product, the SilentDragon wallet and messaging app, is available for download for Android through Google Play and for other operating systems on their GitHub repo.

The Hush blockchain uses the Equihash algorithm and is an implementation of the Zerocash protocol, offering a high standard of privacy-preserving confidentiality of transaction metadata.

The development of Hush started in mid-2016 with the genesis block being mined in November 2016. The original name "Zdash” was eventually changed to Hush to emphasize the use of private communications.

In May 2019, Hush migrated to a Smart Chain built with Komodo'c technology. The migration immediately solved a vulnerability inherited from Zcash, reduced the size of the blockchain from 3.5 Gb to less than 5 Mb, and cut transaction speed from around ten minutes to around one minute. Learn more about Hush Coin here.

Bitcoin Gold (BTG)

In May 2018, Bitcoin Gold’s blockchain suffered from a double spend attack, with the hacker stealing around $18 million in BTG. The attacker controlled about 60 MSol/s of Equihash mining power at peak times and overwhelmed the 30 Msol/s of the Bitcoin Gold network. 

During the two days of the attack (May 17 and 18), the attacker accounted for only 10 percent of the total Equihash power of 600 MSol/s. Therefore, this action did not initially appear suspicious. Two possible explanations for the takeover include a coordinated attack by ASIC miners or an attack carried out with cloud mining power rented on Nicehash.

In June 2018, Bitcoin Gold changed its mining algorithm to Equihash-BTG, also known as Equihash (144,5) or Zhash. Before the attack, Bitcoin Gold’s Equihash algorithm was based on the <200,9> parameter set. 

The goal of this modification was (and still is) to prevent 51% attacks by improving ASIC resistance and making it much more difficult for ASICs to reach profitability compared to the <200,9> parameter set. The <144,5> parameter set requires a minimum of 700 MB to run and requires about 2.5 GB to run efficiently. This is 17 times larger than the requirement for <200,9>, meaning it requires dramatically more memory to run.

Aion (AION)

Aion uses Equihash2109, a modified version of the Equihash solver developed by John Tromp. The <210,9> parameter set balances the need to meet block times and doubles the amount of memory required by Zcash’s original solution. Following this release, future Aion blockchains will be based on two key consensus mechanisms: delegated Proof of Stake (dPoS) and proof of intelligence. 

Horizen (ZEN) 

Horizen, formerly known as ZenCash, experienced a 51% attack in June 2018, losing more than $500,000 USD in double spends. ZenCash rebranded to Horizen after the successful attack generated an onslaught of bad publicity. 

Horizen uses the original iteration of Equihash. According to an August 2018 blog post, the project does not plan to change the algorithm "unless there is a security issue that necessitates a change."

However, it is possible that ASIC resistance might be addressed by the community via Horizen’s governance model. The project team claims that the network has actually become more secure since ASICs started mining ZEN. 

Another concern among Horizen developers is that changing to another algorithm might bring increased security vulnerabilities during the transition period when miners switch to the new algorithm. Finally, the team has stated it’s currently more focused on other protocol upgrades.

Beam (BEAM)

Beam is actively working to resist ASICs and increase mining decentralization. The protocol uses the Equihash with a <150,5> parameter set and a customized data path. GPUs can efficiently mine BEAM, but the project recommends against using CPUs. 

Since its inception, Beam’s solution to ASIC resistance has been to routinely introduce hard forks (around every six months or so) that include slight algorithm modifications. This means that GPUs can more easily update to these adjustments. Meanwhile, ASICs are rendered useless. 

BeamHash II, which is the algorithm currently in use, has a faster hash rate and lower power consumption compared to its predecessor, BeamHash I. According to the project, verification of an Equihash <150,5> parameter set can typically be completed at a lower average cost than the verification of an Equihash <200,9> solution. In the worst-case scenario, the cost is equal. The modified step row pattern for BeamHash II is different from BeamHash I. However, other aspects of the algorithm remain unchanged.

How Effective Has Equihash Been At ASIC Resistance?

The answer to this question varies for each project. Factors like parameter implementations, frequency in algorithm changes, and overall popularity of each cryptocurrency among miners influence the efficacy of limiting ASIC dominance.

Research On Mining Profitability

In addition to various mining profitability calculators available online, which help determine profitability at the present moment, there is also research to help users understand how mining profitability has changed over time with the introduction of GPUs, CPUs, ASICs, and other hardware. 

Zcash researchers completed a study that displayed how Bitcoin and Litecoin mining went from relatively profitable via GPUs to unprofitable around September 2014. XMR, ETH, and ZEC remained profitable through the end of the report’s time frame. However, it is noteworthy to mention that the latest data available in this study is from mid-2017.

Equihash profitability comparison chart

Source: Detecting ASIC Miners In Zcash

New ASIC Miners Enter Market

In 2019, even more powerful Equihash ASIC miners hit the market. Thus, the battle between ASIC resistance versus non-resistance is still ongoing. 

In March 2019, Bitmain released Antminer Z11. This ASIC mining rig offers a hashing power of 135 KSol/s, three times more than the previously-released Antminer Z9. The Z11 has a power efficiency of 10.50 J/KSol, saving 60 percent on electricity costs compared to Antminer Z9.

Research On Equihash Limitations

There is also ongoing research that demonstrates how ASIC miners could take over Equihash-powered networks. 

In February 2019, Fudan University researchers Xiaofei Bai, Jian Gao, Chenglong Hu, and Liang Zhang released a paper explaining how to construct a parameter-independent adversary solver design which uses off-chip memory. They were able to demonstrate up to 10 times efficiency advantage for resourceful adversaries using ASICs. The design reduces computational workloads to a level that the core power usage goes below previously-known overheads, including memory, interconnects, and microcontrollers. 

Although this research shows the vulnerabilities of Proof of Work blockchains, in general, and Equihash ones specifically, it serves as an important starting point for projects seeking to increase mining decentralization and ASIC resistance. Jian Gao also presented these research findings at a talk during NDSS 2019.

How The Komodo Ecosystem Is Working on ASIC Resistance

Komodo uses the Equihash <200,9> parameter set for consensus. In addition, the Komodo Development Team has introduced a number of innovations to make the network more secure than other Equihash-powered blockchains. 

dPoW

Komodo’s delayed Proof of Work (dPoW) security mechanism utilizes 64 Notary Nodes that use a command in the Bitcoin script called OP_RETURN to complete notarizations. This adds an extra layer of network security, helping to prevent 51 percent attacks. 

APoW

Proof of Work blockchains are vulnerable to a rather obscure attack known as Difficulty Stranding. In this attack, a malicious miner joins a small PoW blockchain’s peer-to-peer network and greatly increases the network’s hash rate, suppose by no less than 300 percent. 

The miner stays on the network just long enough for the blockchain’s cryptocurrency mining difficulty to shoot up in accordance with the increase in hash rate. Then, the miner quickly abandons the network, leaving the difficulty at such a high level that the remaining nodes on the network must work for days or even weeks to find a single block, thus bringing the blockchain to a grinding halt.

Komodo developed minor modifications to traditional Proof of Work consensus rules that allow a network to quickly and naturally recover from a Difficulty Stranding Attack. These new consensus rules are known as Adaptive Proof of Work (APoW)

nSPV

Komodo is improving the ability for smaller devices to participate in network consensus. Komodo’s new nSPV technology enables block headers spanning only two dPoW notarizations to verify transactions. 

For the Equihash hashing algorithm, block headers are 1344 bytes (1.34 kb), almost 17 times larger than block headers on Bitcoin’s network. While most Equihash blockchains use SPV (simple payment verification) clients, these solutions still have limitations. This presents a data-bloat bottleneck which will eventually make it difficult for mobile devices to use Equihash blockchains, even in light mode.

In contrast, nSPV offers a truly practical solution for mobile devices. Superlight clients only need to download approximately 10-15 block headers per UTXO. In a worst case scenario, an nSPV client would need to download 25 to 30 block headers for one UTXO. This makes it hundreds or perhaps even 1,000 times more efficient than standard SPV clients, which always need to download every block header in the entire blockchain. 

PoS and PoW Consensus Modification

Finally, Komodo’s Antara Framework offers a customizable parameter that allows Smart Chain developers to choose the consensus rules that their chain uses. Developers can choose Proof of Work (PoW), Proof of Stake (PoS), or a hybrid consensus model that combines Proof of Stake (PoS) with Proof of Work (PoW).

VerusCoin (VRSC), a project in the Komodo ecosystem, has implemented VerusHash. This consensus algorithm is 50 percent PoS and 50 percent PoW. For its PoW solution, VerusCoin calculates a block hash by applying the VerusHash algorithm to a Verus block header (essentially a Zcash and Komodo compatible header), with a reserved space in place of the Equihash solution. This solution gives VRSC miners using x64 CPUs a chance to truly compete with those using GPUs, FPGAs, and ASICs.

This is just one example of what is possible for those who choose to build with Komodo’s technology. Through the Antara Framework, custom blockchain development is made simple and efficient. 

To get all the latest updates from Komodo, join the monthly email list. On the first Friday of every month, you'll receive a newsletter with information about all of the most important developments from the previous month. You can also join the Komodo Discord server to chat with other community members and the Komodo team.