[Bitcoin-development] Lets discuss what to do if SHA256d is actually broken

xor xor at freenetproject.org
Tue Jun 3 04:29:55 UTC 2014

Hash: SHA256


I thought a lot about the worst case scenario of SHA256d being broken in a way 
which could be abused to 
A) reduce the work of mining a block by some significant amount
B) reduce the work of mining a block to zero, i.e. allow instant mining.

Bitcoin needs to be prepared for this as any hash function has a limited 
lifetime. Usually crypto stuff is not completely broken instantly by new 
attacks but gradually. For example first the attack difficulty is reduced from 
2^128 to 2^100, then 2^64, etc.
This would make scenario A more likely.

Now while B sounds more dangerous, I think in fact A is:
Consider how A would happen in real life: Someone publishes a paper of a 
theoretical reduction of SHA256d attacks to 2^96 bit. Mathematicians will 
consider this as a serious attack and create a lot of riot.
If no plan is made early enough, as in now, the Bitcoin Core team might then 
probably want to just do the easiest approach of replacing the hash function 
after a certain block number, i.e. a hard fork.
But what about the Bitcoin miners, those who need to actually accept a change 
of mining algorithm which renders their hardware which cost MILLIONS 
completely worthless?
Over the years they have gotten used to exponential growth of the Bitcoin 
networks hashrate, and therefore exponential devaluation of their mining 
hardware. Even if the attack on SHA256d causes a significant growth of 
difficulty, the miners will not *believe* that it is an actual attack on SHA256d 
- - maybe it is just some new large mining operation?  They are used to this 
happening! Why should they believe this and switch to a new hash function 
which requires completely new hardware and therefore costs them millions?
They will just keep mining SHA256d. Thats why this is more dangerous, because 
changing the hash funciton won't be accepted by the miners even though it is 
Something smarter needs to be thought of.

Now I must admit that I am not good at cryptography at all, but I had the 
following idea: Use the altcoin concept of having multiple hash functions in a 
chain. If SHA256d is broken, it is chained with a new hash function.
Thereby, people who want to mine the new replacement hash function still will 
need ASICs which can solve the old SHA proof of work. So existing ASIC owners 
can amend their code to do SHA256d using the ASIC, and then the second hash 
function using a general purpose CPU.
This would also allow a smooth migration of difficulty - I don't even know how 
difficulty would react with the naive approach of just replacing SHA with 
something else: It would probably be an unsolvable problem to define new rules 
to make it decrease enough so new blocks can actually be mined by the now 
several orders of magnitude slower CPU-only mining community but still be high 
enough to be able to deal with the fact that millions of people will try their 
luck with mining at the release date.

While this sounds simple in theory, it might be a lot of work to implement, so 
you guys might want to take precautions for it soon :)

	xor - A Freenet project developer

Version: GnuPG v1.4.14 (GNU/Linux)


More information about the bitcoin-dev mailing list