Topic: Change Bitcoin SHA-256 to SCRYPT (Read 5912 times)

Indeed.  See http://www.coindesk.com/bitcoin-developer-jeff-garzik-on-altcoins-asics-and-bitcoin-usability/ for some thoughts.

I did by now, thanks. Context is important.

Yeah, I was also in the room when Kaminsky made that statement, and was paying attention to the entire session and context. Cypher is right.

arnuschky - Go watch the videos from the conference....the security panel should be up.

exactly right.

nothing.

Remember a couple of years ago, right after GPU mining really took off, when everybody panicked because of Deepbit? Remember how that turned out?

i know what he said, i attended the session.  i've also read those links.

what he means is exactly what i said.  he predicts Bitcoin's POW won't survive b/c he thinks someone is going to accumulate enough ASIC hash power to perform a 51% attack.

he said nothing about SHA256.

No, sorry. Wrong again. The bet concerned Kaminsky's statement at the security panel of the Bitcoin 2013 conference that the current proof-of-work function will not see the end of 2013:

“I assign a 0% probability that we will continue with the present proof of work function. The present proof of work function is not going to survive the year. Period. If there’s one hard prediction I’m going to make it’s going to be that.” – Dan Kaminsky

Sources:

• http://thegenesisblock.com/go-fork-yourself-life-after-a-bitcoin-hard-fork
• https://mobile.twitter.com/jgarzik/status/336218499938668544

you misunderstood what jgarzik was saying that Kaminsky was saying in that tweet.

what Kaminsky was saying was that the Bitcoin POW system would be broken by a 51% attack due to the concentration of ASICs into a single attackers hand, not that SHA256 would be cracked.  there's a big difference. 

even so, Kaminsky is nuts in making that prediction.  no way in hell that happens by the end of the year; or perhaps EVER.

conclusion: sha-2(56) reasonably secure (thanks DeathAndTaxes for explaining the research). Reason for doubt (and also LTC popularity): GPU miner denial. Centralization by ASIC seems to be a myth so far.

case closed. jgarzik will win the bet against @dakami (if Kaminzki has the balls to take it, which doesn't seem to be the case. But maybe he has no bitcoins, who knows).

Besides, the more specialized hardware has to be to complete, the harder it will be for an attacker to use off the shelf hardware to attack the network. ASICs are good.

It isn't a bold statement, it is merely a statement of fact.  Lets ignore the potential added security of double SHA hash and just focus on single SHA-2 hashes.

SHA-2 uses 64 or 80 rounds.  There are no known attacks against 64 or 80 round SHA-2.  None.  No first preimage attacks, no second preimage attacks, no random collisions.  

This isn't for a lack of trying.  SHA-2 is one of the most analyzed algorithms in the world.  It is used for just about everything from banking to PGP to SSL.  A lot of different entities in a lot of different places all around the world have a very vested interest in knowing if SHA-2 is secure.  Cryptography can never be mathematically proven secure, the best we can do is (collectively) look for flaws and if enough people look hard enough for long enough the probability that an unknown flaw will appear suddenly and without warning is reduced, never eliminated but reduced.

An academic attack on a theoretical variant of SHA-2 which uses 41 instead of 64 rounds isn't an attack vector unless Bitcoin happens to use this modified variant with 41 instead of 64 rounds.  For the record it doesn't, nobody does, anywhere, for anything.  Publishing a reduced round version of an attack is essentially saying "we looked for a flaw but couldn't find one however if this algorithm only used x rounds instead of y rounds here is a flaw".  It is a way for other researchers to potentially expand upon but often many of these reduced round attacks are simply dead ends.  What works for 41 rounds may NEVER work for 64 rounds.  It is possible that these known reduced round attacks are dead ends.  That is to say that eventually SHA-2 is broken but it is broken in a completely unrelated manner and researchers who will try to expand on these known attack vectors will spend countless hours it what will ultimately prove to be "barking up the wrong tree".

I never predicted that SHA-2 won't eventually be broken but to claim it will be broken this year requires some significant supporting evidence and none was provided.  When asked for a cite, link to tweets unrelated to the claim were provided.  When confronted the person left saying he "doesn't need to prove anything to anyone".  That isn't what I would call "significant supporting evidence".  

Maybe SHA-2 will be broken this year, or maybe next year, or maybe it is never broken because over time most applications migrate to SHA-3 (after significant cryptoanalysis) because it has less theoretical flaws.  If that happens a exploitable flaw in SHA-2 may never be found because the focus of global analysis will shift to SHA-3 as it will be the bigger target.  To make a long story long regardless of if/when SHA-2 is broken the statement that "it will be broken by the end of the year" is rubbish.  Nobody credible said that, and nobody credible would.

Er,
Let's all be clear that bitcoin  utilizes DOUBLE SHA-2 before making bold statements.

Actually there are partial attacks that are very well documented against SHA 2 upto about 25 bits , but not so much against double SHA 2....

The other issue is that the research into SHA 2* attack vectors has a weakness.....(which you can figure out yourself if you think about it....)

Plus there is some VERY interesting shit if you can program up your own FPGA farm..... The big issue is getting the shit out fast enough...

What would be the point?  No one would use it.

I like short posts like this one, hitting the nail on the head.

No problem.  Thanks for making my decision easier.

Then stop being tired.  Nobody asked you to do any research.  You made an unsubstantiated claim.  When asked for a cite you linked to something completely unsupporting.

I will take your claim of SHA-2 being broken this year (as if such a thing is even predictable) as utter nonsense.  See your done.

Not sure if you can't read or you think this says something it doesn't.  Nothing in there about SHA-2 being compromised this year.

In that case the algorithm will get changed... pretty much overnight. You can bet all your coins on that.

If Bitcoin was using scrypt from the start, you won't escape from ASICs. Just accept that people will optimize mining and there is nothing you can do about it. Like in every social organisation there are leaders, runner-ups and outsiders. Bitcoin is no exception. Communism never works. I, for instance, couldn't care less about mining BTC myself and don't see a problem with some bunch of guys having 70% of hashing power. Those who are interested in preserving the value of their coins would strive to process transactions "fairly" and distribute mining hardware as wide as possible.

I personally think that ASIC minning was innevitble and only hurts those that dont have them. But once everyone has them, well, something better will come out. It just further secures the chain.

Changing to scrypt.. Well mine FRK's