Topic: If SHA-256 was made by NSA, why make it public?

member
Activity: 106
Merit: 160
Quote
Compromising SHA256 doesn’t have sufficient impact on Bitcoin.
Only as long as it is not about a full preimage attack (which we still don't have even for MD5 or SHA-1), because SHA-256 is used to calculate the hash of the message which is signed. That means that if you can set a valid ECDSA signature with a random z-value, then if SHA-256 is fully broken, you can produce a message which will hash exactly to this random value, and then move those coins anywhere. So fully breaking SHA-256 is more dangerous than fully breaking ECDSA, because then you can hit two birds with one stone (SHA-256 is used inside ECDSA signatures, but ECDSA is not used inside SHA-256).

Quote
SHA256 computation speedup - Yielding nothing significant other than increasing the difficulty a little.
As long as chainwork is below 2^128, we are safe. But if it ever reaches those levels, then it will be the first warning to start changing things.

Quote
Finding second preimage - Your resultant hash has to be valid with the valid block header hash, which is also quite difficult.
Not only block headers are hashed. You also have transactions, Merkle trees, and many other things. If you have a second preimage for some transaction data, then you can present two different transaction versions to two different nodes. And then one node can think that you did an "Alice -> Bob" transaction, while another node will receive an "Alice -> Charlie" transaction with the same hash.

Also, in the case of transaction hashes, you have many ways to put in consensus-neutral data. Just using "<520-byte-push> OP_DROP" inside any input would allow you to control more than eight message chunks, which should be more than enough for any attacks (in the case of the SHA-1 collision, it took five 64-byte blocks, where three of them were needed only because of the PDF format, and all the attacking bits were only in two of them).

Quote
Collision - Somewhat similar to the difficulty above.
What about colliding transactions or colliding Merkle root branches?
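The two concrete points in the post above, the "valid ECDSA signature with a random z-value" and the "<520-byte-push> OP_DROP" padding, as an added worked example that is not code from the thread or from Bitcoin Core: a minimal secp256k1 ECDSA in pure Python, with a forge() that produces a verifying (z, r, s) under a public key without knowing the private key, and scriptsig_blocks(), which counts how many 64-byte SHA-256 blocks a maximal push plus OP_DROP hands an attacker. The curve constants are secp256k1's; the private key, nonce and scalars are constructed for the demo.

```python
# Added example, not from the thread: ECDSA verification only ever sees
# z = SHA-256(message). Anyone can build a triple (z, r, s) that verifies under
# a public key Q without knowing the private key d, but z comes out random.
# Today that is harmless because nobody can find a message hashing to that z;
# with a SHA-256 preimage oracle it becomes a spend. Curve constants are
# secp256k1; the keys, nonces and scalars below are constructed for the demo.
import hashlib
import secrets

P = (1 << 256) - (1 << 32) - 977                      # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """y^2 == x^3 + 7 (mod P); None stands for the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0

def ec_add(p1, p2):
    """Affine point addition / doubling on secp256k1."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def pubkey(d):
    return ec_mul(d, G)

def sign(d, z, k):
    """Honest ECDSA: needs the private key d and a fresh nonce k."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s

def verify(q, z, r, s):
    """Standard ECDSA verification; it sees only the hash z, never the message."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def forge(q, a=None, b=None):
    """Existential forgery without d: (z, r, s) that verifies under q.
    The attacker cannot choose z; it is dictated by the random a, b."""
    a = secrets.randbelow(N - 1) + 1 if a is None else a
    b = secrets.randbelow(N - 1) + 1 if b is None else b
    r = ec_add(ec_mul(a, G), ec_mul(b, q))[0] % N      # R = aG + bQ
    s = r * pow(b, -1, N) % N                          # makes u2 = r/s = b
    z = a * s % N                                      # makes u1 = z/s = a
    return z, r, s

def scriptsig_blocks(push_len=520):
    """Bytes and 64-byte SHA-256 blocks covered by '<push> OP_DROP' in a
    scriptSig, using Bitcoin's push encoding (520 is the max push size)."""
    prefix = 1 if push_len <= 75 else 2 if push_len <= 0xFF else 3
    total = prefix + push_len + 1                      # + OP_DROP
    return total, total / 64

if __name__ == "__main__":
    d = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    q = pubkey(d)
    z = int.from_bytes(hashlib.sha256(b"constructed sighash").digest(), "big")
    print("honest sig verifies:", verify(q, z, *sign(d, z, 0x1337)))
    zf, rf, sf = forge(q)
    print("forged (z, r, s) verifies without d:", verify(q, zf, rf, sf))
    print("520-byte push + OP_DROP gives (bytes, blocks):", scriptsig_blocks())
```

forge() is harmless today precisely because its z is random: turning it into a theft requires a message that hashes to that z, and in Bitcoin's case a well-formed transaction whose double-SHA-256 sighash equals it. That is the full preimage break the post is talking about, and the consensus-neutral push data is where an attacker would fit whatever bytes such an attack demands. scriptsig_blocks(520) returns 524 bytes, i.e. just over eight SHA-256 blocks.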
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
But you’re giving enemies the possibility of communicating without being able to tamper with that communication. To what extent is it harmful when you see this type of “encryption” (someone rightfully stated SHA-256 is not an encryption algorithm), you know it’s the NSA?

I’ve read every answer above, and I still think someone should not completely exclude the possibility that they made it public because they have it solved. I think the answer to this question must be something THEY benefit from, contrary to what some suggested above that they’re doing this for being good benevolent people.
Compromising SHA256 doesn’t have sufficient impact on Bitcoin. A few ways in which it can impact Bitcoin are:

SHA256 computation speedup - Yielding nothing significant other than increasing the difficulty a little.
Finding second preimage - Your resultant hash has to be valid with the valid block header hash, which is also quite difficult.
Collision - Somewhat similar to the difficulty above.
Generating hash collisions of Bitcoin Core files - Probably not the target in mind for NSA.

Cryptographers and mathematicians have reviewed SHA and the other algorithms released as standards by NIST for years, which has concluded that they’re secure enough. The US government uses it, and practically every company that guards their state secrets uses it. It doesn’t take much to figure out any weaknesses when the entirety of the algorithm is public and available.

I understand how people might think of it that way, but the SHA family is a pretty well known and audited algorithm. It would be far more suspicious if the NSA or the government released a closed-source and obfuscated exe and told us to use it to replace the existing standards.

Other than SHA1 of course, which has been insecure for the longest time.
newbie
Activity: 122
Merit: 0
I am pleased by the high quality of posts to this question, thank you everyone who participated.


Hello,

Has anyone researched or know why this algorithm was made public? What motives? Important question for Bitcoin

I would say the answer is probably something along the lines of why they made the TOR Project public. If you think something is the best, you want it to be battle tested. That isn’t possible if you keep something secret. Then there’s also the strength in numbers argument. If the NSA is the only one using a certain type of encryption, one can conclude that anything encrypted with that type of encryption was done by the NSA.

But you’re giving enemies the possibility of communicating without being able to tamper with that communication. To what extent is it harmful when you see this type of “encryption” (someone rightfully stated SHA-256 is not an encryption algorithm), you know it’s the NSA?

I’ve read every answer above, and I still think someone should not completely exclude the possibility that they made it public because they have it solved. I think the answer to this question must be something THEY benefit from, contrary to what some suggested above that they’re doing this for being good benevolent people.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
I am studying for some Cisco Security certifications because my job needs it, and I have seen there that they are already talking about, or at least preparing for, what they call post-quantum-computer encryption and algorithm types. This means that SHA-256 most likely can be cracked in 10-20 years, as that was the time frame the book assumed for when we will be needing these next-generation encryption algorithms. I don't know why it was made public, but for the moment it is one of the very strong encryption algorithms: in VPN (Virtual Private Network) site-to-site connections we are using it as one of the best encryption algorithms, SHA-256.

You can read more here if you are interested in algorithms security.

https://www.cisco.com/c/en/us/about/trust-center/post-quantum-cryptography.html
This is not true. SHA256 is not an encryption algorithm, and the speedup for it when using QC is not as significant as for asymmetric algorithms. SHA256 will not be weakened significantly enough to require a change in algorithm anytime soon, but ECDSA would be entirely different when QC is viable.

One more thing: VPNs are not using SHA256 for encryption of data. The majority of them are using AES or similar asymmetric algorithms. SHA256 is a hashing algorithm; in a VPN's context, it is possibly used as a checksum to guarantee the correctness of the certificate.
legendary
Activity: 3318
Merit: 1247
Bitcoin Casino Est. 2013
Hello,

Has anyone researched or know why this algorithm was made public? What motives? Important question for Bitcoin

I am studying for some Cisco Security certifications because my job needs it, and I have seen there that they are already talking about, or at least preparing for, what they call post-quantum-computer encryption and algorithm types. This means that SHA-256 most likely can be cracked in 10-20 years, as that was the time frame the book assumed for when we will be needing these next-generation encryption algorithms. I don't know why it was made public, but for the moment it is one of the very strong encryption algorithms: in VPN (Virtual Private Network) site-to-site connections we are using it as one of the best encryption algorithms, SHA-256.

You can read more here if you are interested in algorithms security.

https://www.cisco.com/c/en/us/about/trust-center/post-quantum-cryptography.html
legendary
Activity: 3892
Merit: 2797
Evil beware: We have waffles!
Hello,
Has anyone researched or know why this algorithm was made public? What motives? Important question for Bitcoin
The Bitcoin algorithm was made public to create a decentralized digital currency system that doesn't rely on traditional financial institutions. The motives behind this were to ensure transparency, security, and accessibility in financial transactions.
This topic has to do with the SHA-256 algo (and its 512 and 1024 variants), not BTC per se. While the Bitcoin code uses it for encryption of keys, that is not what this is about.

The NSA released it to ensure that the world's financial systems and other parties needing very strong encryption ALL have access to it and for utmost confidence in it, full access to the code used. Having everyone and their brother coming up with their own closed-source encryption raises too many questions over just how secure it would be.

FYI, NIST is now the organization that deals with encryption standards, and they have already released 3 algos to handle the post-quantum computing (PQC) world. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
As the quote from Satoshi said, when needed, a PQC algo can be plugged in to replace the current SHA-256 one.
donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
Hello,

Has anyone researched or know why this algorithm was made public? What motives? Important question for Bitcoin

I would say the answer is probably something along the lines of why they made the TOR Project public. If you think something is the best, you want it to be battle tested. That isn’t possible if you keep something secret. Then there’s also the strength in numbers argument. If the NSA is the only one using a certain type of encryption, one can conclude that anything encrypted with that type of encryption was done by the NSA.
hero member
Activity: 2660
Merit: 551
And from the man himself,

SHA-256 is very strong.  It's not like the incremental step from MD5 to SHA1.  It can last several decades unless there's some massive breakthrough attack.

If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.

If the hash breakdown came gradually, we could transition to a new hash in an orderly way.  The software would be programmed to start using a new hash after a certain block number.  Everyone would have to upgrade by that time.  The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
For the SHA family, its intention was to replace the existing MD5, which was already broken. It's pretty trivial to make standards like SHA public because they are meant to be implemented widely, and keeping them proprietary and secret does nothing to help that. In addition, it costs nothing to the government, and they had patented it. In a similar vein, GPS was made publicly accessible because it provides more benefits for the world rather than for the military only.

To shut down your conspiracy theory: SHA is widely audited and there is nothing obscure about this.
newbie
Activity: 122
Merit: 0
Hello,

Has anyone researched or know why this algorithm was made public? What motives? Important question for Bitcoin