
Topic: If SHA-2 is so secure then why? (Read 4371 times)

legendary
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
July 08, 2011, 04:02:42 PM
#28
Theorems for instance.
Too bad we still don't have proof for the existence of one-way functions - would surely boost the value of Bitcoins ;)
member
Activity: 70
Merit: 10
GNU is not UNIX
July 08, 2011, 03:51:14 PM
#27
I'm surprised an option for changing the bitcoin hashing algorithm was not envisaged in the original concept. Everything that is man-made can be destroyed or counterfeited by another man. This is why everything valuable for society should have built-in mechanisms for defence and protection improvements in case they are needed.

False. Knowledge based on formal logic can't be destroyed. Theorems for instance. However, it would be more appropriate to describe them as being man-discovered rather than man-made.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
July 08, 2011, 01:05:11 PM
#26
I wasn't sure you were a troll
Now I am
I wasn't sure you were stupid.
Now I am.
sr. member
Activity: 308
Merit: 250
July 08, 2011, 12:52:51 PM
#25
The guy that was arguing with me basically said NIST announced this competition just in case... What I'm asking is 'If they don't want to wait anymore and are acting now just in case, what are you waiting for, and why don't you act just in case as well?'

How are you prepared for a possible change in SHA?

Because the process of analyzing and certifying a new hashing algorithm is lengthy and fraught with pitfalls - the competitions take like five years because if they didn't, there's a good chance everyone would move to a new algo that is weaker than the one they're moving from. Because it takes a few years lead time for everyone to make sure there's no show-stopping weakness in the algorithm, it's typical to start developing new algorithms before the old one is proven broken.

Bitcoin, on the other hand, has the luxury of taking a mere few months to get everyone ready to go before we pull the trigger. We also have the luxury of not really needing to do anything until there's a credible threat on the horizon - if we went ahead and began the upgrade to SHA-3 as soon as it's certified, then there are a few major issues:

a) It breaks backwards compatibility of the network;
b) There's still a tiny chance we could be moving to a weaker algorithm, as by that point SHA-2 will have had quite a lot of time with people trying to break it because it would be profitable to do so. SHA-3 on the other hand, if you break it now all you get is bragging rights;
c) It would be a political mess upgrading the hash mechanism for no good reason.

Now if there was a credible threat on the horizon, you'd probably be hard pressed to find anyone (save possibly a company that just dumped a few million bucks into SHA-2 ASICs) who'd disagree with making the gradual change. If someone released a "holy shit, it's broken now now now" attack on SHA-2, the community would gladly respond in a quicker, more violent and bloody manner.

I get the feeling that the conclusion you're leaping to is that they're working on SHA-3 because SHA-2 is broken. That's almost certainly false, the NIST competitions don't work that way - if the algorithm is broken, it's too late to still be working on the next one.
legendary
Activity: 3431
Merit: 1233
July 08, 2011, 10:54:35 AM
#24
In the post you are replying to, which you already read.
I appreciate your effort to respond to an uneasy question, Joel. Let me assure you that I'm an active bitcoin proponent.
sr. member
Activity: 463
Merit: 252
July 08, 2011, 10:28:36 AM
#23
1) Obtain a community consensus on the change.
I have X amount of bitcoins in my wallet. Am I part of the community?
Actually, that's a very interesting question. From a technical standpoint, you only need the consent of the active miners. From a practical standpoint, you mostly need the consent of those managing the reference client.

Theoretically, a disagreement between a large group of miners and those maintaining the reference client could lead to a fork where the public hash chain splits into two incompatible groups of programs, each rejecting the other's hash chain, where everyone with bitcoins prior to the split has them in both systems (and could spend them differently in each system). However, letting that happen is in nobody's interest. So it's extremely unlikely.
Quote
Where can I read about the procedure to be followed when a community consensus for a change needs to be obtained?
In the post you are replying to, which you already read.

You need all stakeholders to agree to the change. Although practically it is the client implementors and not the miners who decide which way to go; after all, a miner isn't going to use a protocol nobody accepts as being valid.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
July 08, 2011, 07:09:18 AM
#22
1) Obtain a community consensus on the change.
I have X amount of bitcoins in my wallet. Am I part of the community?
Actually, that's a very interesting question. From a technical standpoint, you only need the consent of the active miners. From a practical standpoint, you mostly need the consent of those managing the reference client.

Theoretically, a disagreement between a large group of miners and those maintaining the reference client could lead to a fork where the public hash chain splits into two incompatible groups of programs, each rejecting the other's hash chain, where everyone with bitcoins prior to the split has them in both systems (and could spend them differently in each system). However, letting that happen is in nobody's interest. So it's extremely unlikely.
Quote
Where can I read about the procedure to be followed when a community consensus for a change needs to be obtained?
In the post you are replying to, which you already read.
legendary
Activity: 3431
Merit: 1233
July 08, 2011, 06:06:54 AM
#21
I wasn't sure you were a troll
Now I am
I wasn't sure you were stupid.
Now I am.
legendary
Activity: 3431
Merit: 1233
July 08, 2011, 06:05:28 AM
#20
1) Obtain a community consensus on the change.
I have X amount of bitcoins in my wallet. Am I part of the community? Where can I read about the procedure to be followed when a community consensus for a change needs to be obtained?
legendary
Activity: 3431
Merit: 1233
July 08, 2011, 05:56:19 AM
#19
There:
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?
Where there, jackjack?

The guy that was arguing with me basically said NIST announced this competition just in case... What I'm asking is 'If they don't want to wait anymore and are acting now just in case, what are you waiting for, and why don't you act just in case as well?'

How are you prepared for a possible change in SHA?
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
July 08, 2011, 05:52:53 AM
#18
If it is hard coded then it should not be possible to change it. Ever! Is there anything that can not be changed if needed? I need some more bitcoins. Would you change the protocol for me?
Even something hard coded can be changed, including giving you more bitcoins. The process would be:

1) Obtain a community consensus on the change.

2) Develop patches to support the change without activating the change.

3) Wait for significantly more than 50% of miners to be running a build with those patches. (At minimum. Obviously, if possible, wait longer than this to minimize disruption to clients and services.)

4) Pick a block to begin the change.

5) Develop patches to make that change at that block. (Or trigger on an event.)

6) Wait.

This would be a painful process that would likely be at least somewhat harmful to at least bitcoin's perceived stability. So I doubt you could make it work just to give you a few more bitcoins. Perhaps if you gave me a few more as well ...
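The six-step process above is a deployment procedure, and the part that can be shown in code is steps 3 to 5: measure what share of recent blocks were produced by a build that supports the change, lock in only once that share is well past 50% over a whole window, pick an activation block a fixed distance ahead, and make the consensus rule (here, the hash function) depend on block height. The following is an added illustration written for this thread, not code from Bitcoin or from the poster; the signalling bit, the 75% threshold, the 2016-block window, the 4032-block grace period and the use of SHA3-256 as the stand-in "new" hash are all assumed values chosen for the example, and the block versions are a constructed sequence.

```python
import hashlib

# Deployment parameters. All of these are ASSUMED values for illustration;
# the thread only says "significantly more than 50%" and "pick a block".
SIGNAL_BIT = 1 << 28   # assumed: version bit a patched build sets in blocks it mines
THRESHOLD = 0.75       # assumed: share of a window that must signal support
WINDOW = 2016          # assumed: blocks per measurement window
GRACE = 4032           # assumed: blocks between lock-in and activation


def signals(version: int) -> bool:
    """True if a block's version field carries the support bit (step 3 signal)."""
    return bool(version & SIGNAL_BIT)


def window_share(versions, start):
    """Fraction of blocks in [start, start + WINDOW) whose miner signalled support."""
    chunk = versions[start:start + WINDOW]
    return sum(signals(v) for v in chunk) / len(chunk)


def find_lock_in(versions):
    """Step 3: first height at which a complete, aligned window reaches THRESHOLD.

    Measuring over whole windows (rather than the last few blocks) keeps a short
    lucky streak of signalling blocks from locking the change in prematurely.
    Returns None if support never reaches the threshold.
    """
    for start in range(0, len(versions) - WINDOW + 1, WINDOW):
        if window_share(versions, start) >= THRESHOLD:
            return start + WINDOW - 1   # last block of the qualifying window
    return None


def activation_height(lock_in):
    """Step 4: the change takes effect a fixed number of blocks after lock-in,
    giving clients and services time to upgrade."""
    return lock_in + GRACE


def consensus_hash(payload: bytes, height: int, activation):
    """Step 5: a height-dependent rule. Blocks below the activation height keep
    the old rule (double SHA-256, as bitcoin uses); blocks at or above it use
    the new one (SHA3-256 is an assumed stand-in, not a real bitcoin rule)."""
    if activation is None or height < activation:
        return hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return hashlib.sha3_256(payload).digest()


def simulated_versions():
    """Constructed sample chain: about 60% of miners signal in the first window
    (not enough), about 90% in the second (enough)."""
    versions = []
    for i in range(WINDOW):
        versions.append(1 | SIGNAL_BIT if i % 10 < 6 else 1)
    for i in range(WINDOW):
        versions.append(1 | SIGNAL_BIT if i % 10 < 9 else 1)
    return versions


if __name__ == "__main__":
    chain = simulated_versions()
    lock_in = find_lock_in(chain)
    activation = activation_height(lock_in)
    print(f"window 0 share: {window_share(chain, 0):.3f}")
    print(f"window 1 share: {window_share(chain, WINDOW):.3f}")
    print(f"lock-in at height {lock_in}, activation at height {activation}")
    print("pre-activation hash :", consensus_hash(b"block", 0, activation).hex())
    print("post-activation hash:", consensus_hash(b"block", activation, activation).hex())
```

The point of tying the rule to a height that every node can compute from the chain itself, rather than to a date or to an out-of-band announcement, is that nodes that have the patch agree on exactly when the rule flips; the fork scenario described elsewhere in the thread arises when a large share of miners never installs the patch, which is why the threshold is set well above 50% rather than at a bare majority.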
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
July 08, 2011, 05:51:57 AM
#17
It is, but the protocol could be changed if needed.
If it is hard coded then it should not be possible to change it. Ever! Is there anything that can not be changed if needed? I need some more bitcoins. Would you change the protocol for me?
I wasn't sure you were a troll
Now I am
legendary
Activity: 3431
Merit: 1233
July 08, 2011, 05:44:54 AM
#16
It is, but the protocol could be changed if needed.
If it is hard coded then it should not be possible to change it. Ever! Is there anything that can not be changed if needed? I need some more bitcoins. Would you change the protocol for me?
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
July 08, 2011, 05:23:14 AM
#15
Just jumping into the new standard is riskier than waiting until there is a clear reason to make a transition.
Where did I say we should jump into the new standard immediately?
There:
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
July 08, 2011, 05:18:31 AM
#14
If SHA-2 is so secure then why has the National Institute of Standards and Technology (NIST) announced an open competition for a new SHA-3 function to replace the older SHA-1 and SHA-2 after 2012?
For a variety of reasons, none of which in any way bear on SHA-2's suitability for use in bitcoin. For example, one issue is to provide improved hashing performance.

Quote
Is the SHA-2 algorithm hard coded in the bitcoin protocol or not? Is it possible to upgrade it to SHA-3 after 2012?
It is, but the protocol could be changed if needed. However, SHA-2 will be suitable for use in bitcoin *way* past 2012. I would be surprised if SHA-2 wasn't still ironclad for its use in bitcoin until at least 2030.
legendary
Activity: 3431
Merit: 1233
July 08, 2011, 05:13:37 AM
#13
Just jumping into the new standard is riskier than waiting until there is a clear reason to make a transition.
Where did I say we should jump into the new standard immediately? All I'm saying is we should be prepared to jump once necessity arises.

I'm surprised an option for changing the bitcoin hashing algorithm was not envisaged in the original concept. Everything that is man-made can be destroyed or counterfeited by another man. This is why everything valuable for society should have built-in mechanisms for defence and protection improvements in case they are needed.

Think about current bank notes and bills. In the beginning of their life span they all have a cutting-edge and state-of-the-art protection in place (serial numbers, watermarks, micro seals, color-shifting ink, embedded fibers, security thread, holograms, you name it). As time passes and technologies employed mature (become cheaper to acquire and implement) it gets easier to produce counterfeit money. On top of it, very often a 'leak' occurs and 'unsanctioned' printing of genuine bank notes takes place. When that happens there is no choice but to withdraw old bank notes from circulation and emit new notes with new design and improved protection against counterfeiting.

Bitcoin is a cryptographic currency. That means its strongest line of defence is the hashing algorithm. If this line is somehow endangered there must be options in place to strengthen it by introducing, in an orderly way, a new 'design' with a more secure hashing algorithm.
newbie
Activity: 18
Merit: 0
July 07, 2011, 09:23:54 AM
#12
Another factor that you're not seeing is that SHA-3 will be subject to extensive analysis and testing after it's published. There's a small but real possibility that a flaw in the algorithm could be discovered that makes it less secure than SHA-2. Just jumping into the new standard is riskier than waiting until there is a clear reason to make a transition.
sr. member
Activity: 308
Merit: 250
July 07, 2011, 08:40:31 AM
#11
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?

The competition ends in 2012, at which point the new standard will be written. They're not mandating anyone replace SHA-2 in 2012, just that's when the new standard will be written.

They didn't start SHA-3 because they expect SHA-2 to be broken in 2012, which seems to be the assumption you're blindly leaping to.
legendary
Activity: 3431
Merit: 1233
July 07, 2011, 08:31:27 AM
#10
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?
sr. member
Activity: 308
Merit: 250
July 07, 2011, 08:19:35 AM
#9
You think they should wait until SHA-2 is broken to start looking for a replacement? Think about that for a second.
If they are thinking of a replacement there is a reason, right? If they are thinking of a replacement after 2012, why shouldn't you? Or do you intend to use SHA-2 until 2140?

Yes, but you don't understand the reason. Designing a new hash is not something you just throw together over a weekend with a few beers and a whiteboard. If they waited until there was a credible threat to SHA-2, then that's waiting too long - the algorithm would be broken before a replacement was ready and proven strong.

So instead, they leapfrog the standards and it's merely up to users to implement it when their risk assessment decides it's time to do so - Bitcoin would be no exception: when SHA-256 is not as useful as one of its replacements, I'm sure the devs will begin the difficult and thorny process of replacing it in the Blockchain.

I highly doubt they'll switch just because NIST declares a great new algo and it looks shiny.

So, better sooner than later, because if later, the mess will be bigger!

I don't think doing it now, versus in 5 years makes it any less of a nightmare, personally. It's still going to take the cooperation of the network, and I don't think making the network more diverse makes that significantly harder. On the flipside, a giant clusterfuck of changing the algo might be another cataclysmic event for a digital currency that's taken a pounding lately.

The only real benefit I can think of is that you wouldn't fuck over the people who are building ASIC farms if you did it now - I think that's their problem though, not the network's.