A Standalone FPGA-Based Miner for Lyra2rev2 Cryptocurrencies

Jean-François Têtu∗, Louis-Charles Trudeau∗, Michiel Van Beirendonck∗, Alexios Balatsoukas-Stimming, Member, IEEE, and Pascal Giard, Senior Member, IEEE

arXiv:1905.08792v2 [cs.CR] 29 Jan 2020

∗Equally contributing authors presented in alphabetical order.
J.-F. Têtu and L.-C. Trudeau were with and P. Giard is with the LaCIME, École de technologie supérieure (ÉTS), Montreal, QC, Canada.
M. Van Beirendonck is with imec-COSIC KU Leuven, Leuven, Belgium.
A. Balatsoukas-Stimming is with the Telecommunications Circuits Laboratory, École polytechnique fédérale de Lausanne (EPFL), Lausanne, VD, Switzerland and with the Department of Electrical Engineering, Eindhoven University of Technology, Eindhoven, The Netherlands.
Parts of this work were presented at the 2019 IEEE International Symposium on Circuits and Systems in Sapporo, Japan [1].

Abstract—Lyra2REv2 is a hashing algorithm that consists of a chain of individual hashing algorithms, and it is used as a proof-of-work function in several cryptocurrencies. The most crucial and exotic hashing algorithm in the Lyra2REv2 chain is a specific instance of the general Lyra2 algorithm. This work presents the first hardware implementation of the specific instance of Lyra2 that is used in Lyra2REv2. Several properties of the aforementioned algorithm are exploited in order to optimize the design. In addition, an FPGA-based hardware implementation of a standalone miner for Lyra2REv2 on a Xilinx Multi-Processor System on Chip is presented. The proposed Lyra2REv2 miner is shown to be significantly more energy efficient than both a GPU and a commercially available FPGA-based miner. Finally, we also explain how the simplified Lyra2 and Lyra2REv2 architectures can be modified with minimal effort to also support the recent Lyra2REv3 chained hashing algorithm.

Index Terms—Lyra2, Lyra2REv2, Lyra2REv3, hardware miner, FPGA miner, MPSoC miner, cryptocurrency

I. INTRODUCTION

Recently, there has been a surge in the popularity of cryptocurrencies, which are digital currencies that enable transactions through a decentralized consensus mechanism. Most cryptocurrencies are based on a blockchain, which is an ever-growing list of transactions that are grouped in blocks. Individual blocks in the chain are linked together using a cryptographic hash of the previous block, which ensures resistance against modifications, and every transaction is digitally signed, typically by using public-key cryptography. Various mechanisms are used in order to deter denial-of-service attacks and, in particular, double-spending attacks where the same digital coin is used in multiple concurrent transactions. Many popular cryptocurrencies, including Bitcoin [2], use a proof-of-work (PoW) mechanism, which was first proposed in [3] to combat the problem of junk mail. The proof-of-stake (PoS) and proof-of-burn (PoB) mechanisms are other notable proposals.

The PoW system requires that new blocks provide proof that a function that requires a significant amount of a limited resource was used to construct them before they get accepted into the chain. For example, the employed function can be limited by the available processing power, the available memory, or the network bandwidth and latency. Cryptocurrencies typically use functions that are limited by the available processing power, the most common approach being that random numbers are appended to a block until its cryptographic hash meets a certain condition (e.g., some of its most-significant bits are equal to 0). The chain with the most cumulative PoW is accepted as the correct one, so that an attacker must control more than half of the active processing power on the network to perform a double-spend attack. This is unlikely to happen in practice if the processing power is large enough and is owned by non-colluding entities. Processing nodes that help to compute the hashes of new blocks are called miners, and are rewarded with a fraction of the cryptocurrency when a new block is accepted into the blockchain.

The first cryptocurrency, i.e., Bitcoin [2], was initially mined using desktop CPUs. Then, GPUs were used to significantly increase the hashing speed. Eventually, GPU mining was outpaced by FPGA miners, which were in turn surpassed by ASIC miners. Nowadays, the majority of the computing power on the Bitcoin network is found in large ASIC farms, each operated by a single entity, which makes the decentralized nature of Bitcoin debatable. To solve this issue, new PoW algorithms have been proposed that aim to be ASIC-resistant. ASIC resistance is achieved by using hashing algorithms that are highly serial, memory-intensive, and parameterizable so that a manufactured ASIC can easily be made obsolete by changing some of the parameters. Since the cost of manufacturing new ASICs whenever some parameters change is prohibitive, GPU mining of ASIC-resistant cryptocurrencies is generally much more low-risk and cost-effective.

A prime example of an ASIC-resistant hashing algorithm is Lyra2REv2 (and its recently introduced Lyra2REv3 modification), which is used by MonaCoin [4], Verge [5], Vertcoin [6], and some smaller cryptocurrencies. The chained structures of Lyra2REv2 and Lyra2REv3 are shown in Fig. 1 and Fig. 2, respectively. The BLAKE [7], Keccak [8], Skein [9], Blue Midnight Wish (BMW) [10], and CubeHash [11] hashing algorithms are well-known and have been studied heavily, both from theoretical and hardware-implementation perspectives (e.g., [12]–[15]), as they were all candidates in the SHA-3 competition. On the other hand, to the best of our knowledge, apart from our own previous work [1], no hardware implementation of the simplified Lyra2 and Lyra2MOD versions of Lyra2 [16], [17] as used in the Lyra2REv2 and Lyra2REv3 algorithms, respectively, have been reported in the literature.

[Fig. 1. The Lyra2REv2 chained hashing algorithm: BLAKE-256, Keccak-256, CubeHash-256, Lyra2, Skein-256, CubeHash-256, BMW-256.]

[Fig. 2. The Lyra2REv3 chained hashing algorithm: BLAKE-256, Lyra2MOD, CubeHash-256, Lyra2MOD, BMW-256.]

One potential issue with ASIC-resistant cryptocurrencies is that GPUs are generally much less energy efficient than ASICs, meaning that a massive adoption of ASIC-resistant cryptocurrencies would significantly increase the (already very high) energy consumption of cryptocurrency mining. FPGA-based miners, on the other hand, are flexible, energy efficient, and readily available to the general public at reasonable prices. Thus, provided that public and user-friendly FPGA-based miners become available, we believe that FPGAs are in fact an attractive platform for ASIC-resistant cryptocurrencies that should not be shunned by the community.

Contributions: This work presents the first FPGA implementation of the simplified Lyra2 hashing algorithm as used in Lyra2REv2. Moreover, contrary to our previous work [1] which only contained an implementation of the Lyra2 core, in this work we describe an FPGA-based hardware implementation of a fully functional standalone Lyra2REv2 miner on a Xilinx Multi-Processor System on Chip (MPSoC). While we do not provide explicit implementation results for Lyra2MOD or for a Lyra2REv3 chain, which is currently only used by the (somewhat less popular) Vertcoin cryptocurrency, we explain in detail how the presented architecture can be modified correspondingly. We present post-layout results for a Xilinx MPSoC for the complete standalone Lyra2REv2 miner as well as for the individual hashing cores. These results show that the proposed Lyra2REv2 hardware architecture can achieve a hashing throughput of 31.25 MHash/s with an energy efficiency that is up to 4.3 times better than existing solutions at 0.80 µJ/Hash, while requiring approximately 85% of the programmable logic (PL) resources of the MPSoC.

Outline: The remainder of this paper is organized as follows. Section II provides the necessary background for the PoW concept and for the Lyra2 algorithm. Section III gives an in-depth explanation of the simplifications that Lyra2REv2 and Lyra2REv3 make to the generic Lyra2 algorithm. The hardware implementations of the simplified Lyra2 and Lyra2MOD

TABLE I
CONTENTS OF THE BITCOIN BLOCK HEADER

Bytes  Name
4      version
32     previous block header hash
32     merkle root hash
4      time
4      nBits
4      nonce

A. Proof of Work

In order to explain the PoW concept in more detail, we use Bitcoin as an example [18], but it is important to note that many other Bitcoin-derived cryptocurrencies, such as MonaCoin and Vertcoin, use the same structure. Each block in the Bitcoin blockchain has an 80-byte (or 640-bit) header that contains information about the block, as shown in Table I. The version field dictates which version of the block validation rules needs to be followed. The previous block header hash and merkle root hash contain hashes of the headers of previous blocks to ensure that no previous transaction in the blockchain can be modified without also modifying the header of the current block. The time field contains the Unix epoch at which each miner started performing the PoW, which must be strictly greater than the median time of the previous 11 blocks. The nBits and nonce fields are the most relevant to the PoW. Specifically, nBits defines a 256-bit numerical value using an encoding explained in [18], while nonce can be chosen freely by the miner. The PoW that each miner performs amounts to finding a value for nonce so that a (chained) hash function of the header has a numerical value that is strictly smaller than the target threshold defined by nBits. Since hash functions possess the property of preimage resistance, i.e., they are not invertible, this can only be achieved by testing a very large number of nonce values until the target threshold is satisfied.
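The header layout of Table I and the nBits/nonce check described above, as an added Python example that is not code from the paper. It assumes Bitcoin's double SHA-256 as the header hash (a Lyra2REv2 coin substitutes the Lyra2REv2 chain) and Bitcoin's compact nBits encoding; the header field values and the deliberately easy target are constructed.

```python
import hashlib
import struct
from statistics import median

def bits_to_target(nbits: int) -> int:
    """Expand the compact 4-byte nBits field into the 256-bit target."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if nbits & 0x00800000:
        raise ValueError("sign bit set: negative target")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    target = mantissa << (8 * (exponent - 3))
    if target >= 1 << 256:
        raise ValueError("target does not fit in 256 bits")
    return target

def serialize_header(version, prev_hash, merkle_root, time, nbits, nonce) -> bytes:
    """Pack the six fields of Table I, little-endian, into 80 bytes."""
    return struct.pack("<I32s32sIII", version, prev_hash, merkle_root,
                       time, nbits, nonce)

def pow_value(header: bytes) -> int:
    """Double SHA-256 of the header read as a little-endian integer."""
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")

def header_is_valid(fields: dict, previous_11_times) -> bool:
    """Verifier side: size, median-time rule, then hash < target."""
    header = serialize_header(**fields)
    return (len(header) == 80
            and fields["time"] > median(previous_11_times)
            and pow_value(header) < bits_to_target(fields["nbits"]))

def find_nonce(fields: dict, limit: int = 1 << 32):
    """Miner side: try nonce values in order until the target is met."""
    target = bits_to_target(fields["nbits"])
    for nonce in range(limit):
        if pow_value(serialize_header(**{**fields, "nonce": nonce})) < target:
            return nonce
    return None  # nonce space exhausted; a miner would change another field

# Constructed sample header; 0x2000FFFF accepts roughly 1 hash in 256.
SAMPLE = dict(version=2, prev_hash=bytes(32),
              merkle_root=hashlib.sha256(b"constructed tx set").digest(),
              time=1_580_000_000, nbits=0x2000FFFF, nonce=0)
PREV_TIMES = [1_580_000_000 - 600 * k for k in range(1, 12)]

if __name__ == "__main__":
    nonce = find_nonce(SAMPLE)
    print("nonce:", nonce,
          "valid:", header_is_valid({**SAMPLE, "nonce": nonce}, PREV_TIMES))
```

Verification costs one hash while the search costs on the order of 2^256 divided by the target, which is the asymmetry the PoW relies on.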
