What is MTP (Merkle Tree Proof) and why is it an ideal Proof of Work algorithm?

Zcoin is working to be the first cryptocurrency to implement MTP as a proof of work algorithm and work is ongoing. As the foundation of a coin's security with also fundamental implications as to distribution and also verification speed, implementation of MTP is very high on our list of priorities. Implementation of MTP is also expected to bring down wallet initialization times due to its fast verification as compared to the current stop gap Lyra2 implementation.

The MTP algorithm was devised by Alex Biryukov and Dmitry Khovratovich from the University of Luxembourg in their paper published on the 11 June 2016 titled Egalitarian Computing. These are the same researchers who came up with Equihash that is currently used in ZCash.

Egalitarian Computing

MTP was created as a way to remedy the disparity between ordinary users and adversaries/cheaters where the latter could use botnets, GPU, FPGA and ASICS to gain a significant advantage and mount a cheaper attack. The basic concept is that it should establish the same price/cost for a single computation unit on all platforms meaning that there is no single device that should gain a significant advantage over another for the same price hence promoting egalitarian computing. With egalitarian computing, attackers would need to spend the same amount as ordinary users for equivalent 'hashing' power. This means attackers would tend to have to use the same hardware as ordinary users, automated large-scale attacks become no longer possible. This combined with the fact hashing in MTP is highly memory intensive, users affected by trojans to participate in botnets, would experience noticeable performance degradation and therefore more likely to suspect something is amiss.

Massive centralization can be seen with many existing proof of work algorithms such as SHA256 (Bitcoin), Scrypt (Litecoin, Dogecoin) and X11 (Dash) where hashing power is centralized in ASIC farms and normal users are not incentivised to participate in the security of the network. Even in newer schemes such as Ethash which is used in Ethereum, although it is deliberately designed to be GPU friendly, we feel that it is overly favored with GPUs being more than a hundred times more efficient than CPU, again favoring specialization to GPU farms. Even Equihash despite it being memory hard, is not sequentially memory hard, meaning it can be mostly parallelized that may favor ASIC development.

This doesn't mean that we discourage GPU mining but it means that it is foreseen that even with GPUs mining, CPU mining would still remain viable.

Fast and lightweight Verification

Besides its egalitarian properties, MTP although is computationally and memory intensive to find the solution, once found, its solution can be quickly and efficiently verified without requiring a lot of memory. This is important since by keeping verification quick, this makes the network more resistant to DoS attacks that target verifiers. It also allows lightweight hardware such as smartphones to perform verification which is not possible on many other hard memory hard algorithms. This verification speed of MTP in tests appears to be very fast (faster than Equihash).

Source: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_biryukov.pdf

There may also be a possibility that as MTP uses merkle-trees, merkle-tree optimizations may be possible though this is an area we are researching into.

Progress Free

A mining algorithm should be 'progress-free' meaning that mining must be a stochastic process where there is always a non-zero chance that the solution is found and being independent of any previous events. This prevents centralization and mitigates network delays.

Therefore a mining algorithm with an 'initialization phase' is not truly progress-free since the chances of finding a solution when initializing is zero. This is one of the main reasons why Biryukov and Khovratovich decided to develop MTP despite already developing Equihash since Equihash still requires a long initialization phase that certifies the memory allocation and is therefore not 'progress-free'.

It is believed that the shorter an initialization phase, the more decentralized mining can be since everyone starts from an even playing field and economies of scale or network location plays much less a role in mining efficiency.