Bitcoin Forum

http://en.wikipedia.org/wiki/SHA-3 (http://en.wikipedia.org/wiki/SHA-3)

Now that the standard for SHA-3 is known why not upgrade for the 1.0 release of bitcoin ?

Sha3 does not provide anything particularly new or useful, and sha2 is still quite secure.
not to mention, utilizing sha3 would require specific libraries installed on every computer that uses it.. or at least compile time libraries.. which wouldn't be particularly fun. Sha2 is already so well distributed, most systems are already going to have it (though perhaps not windows :P)

give it a few years, then maybe.

(it also gives sha3 a chance to be cracked if there is some inherent flaw in it that no one has found yet.)

This.  Let's give it time to be vetted.  What we have is fine and will be for some time: http://blog.oleganza.com/post/42523601710/how-to-steal-all-coins

Have you completely missed the fact that hard fork is a bad thing? Once we just started talking about raising the block size limit the forum filled with angry discussions, and that change actually has a practical importance. Here you want to make a change which does not really affect anything and make a hard fork, just like that, for the sake of it?

If you are going to hard fork the chain doesnt it make sense to add more features that also require a fork ie 1 hard fork is better than 100 individual ones.

Yes, but this is not how cryptography works. Keccak has just been announced so it will take a few years of people trying to break it (apart from the NIST competition) before enough confidence is gained in its favor. It is however a great candidate in the event that Merkle-Damgard constructions are weakened.

You're also forgetting that ditching SHA256 will make all mining software and current ASIC designs useless. It will also require completely new addresses if you use it for address generation.

SHA-2 is older and yet, it has not been cracked, despite everyone in the world trying do to that because it is used by everyone.

This SHA-3 is new, much less tested and with much less people trying to break it (any bank that use it yet? Nah)

Right now SHA-2 is safer.

In other words... impossible. Miners would never vote themselves into obsolescence.

Interesting. In that case, surely a way to support two standards simultaneously will have to be devised, at some point? Otherwise the security of the network and the difficulty would drop near zero overnight…

uhhhh... That is not how Bitcoin works. Miners exist at the pleasure of the users, not the other way around. Miners vote on the ordering of transactions, _thats it_. The rest of the rules are baked in... bit as a whole Bitcoin's users moved to something incompatible with existing miners— well, they just wouldn't be miners anymore. Otherwise— you could presume they'd still be paying themselves 50 BTC/block now. :)

Though this is all a silly tangent: the use of SHA256 for the POW is totally distinct from the hash used elsewhere. It's quite possible to change other things to use something else but keep the POW SHA256.  Not even unlikely, since problems in SHA256 which would be fatal elsewhere would be harmless for the POW.

Untrue.
Miners voted on BIP 16 vs BIP 17 in the past. No reason to think they won't on hardforks in the future.

Miners aren't the only ones that count, but they certainly play a role in determining whether to adopt a hardfork or not.

Maybe it's better to say "unclear" than "untrue". I think that the interesting observation is that the more decentralized the SHA256 (ASIC) hashpower is, the more users who'd prefer to stay with the SHA256 PoW network. One reason for that is simply that there'd be more users who are also SHA256 ASIC miners, and those users have a financial interest to stay with SHA256. Another reason for that is that when the hashpower becomes more centralized, it also becomes more worthless, so the users who aren't miners wouldn't have an incentive to stick to SHA256.



For example the collision attack that Gavin described here (https://bitcointalk.org/index.php?topic=120473.msg1301958#msg1301958) could be fixed by switching to SHA3, while still using SHA256 for the PoW, right? So I guess that the SHA256 PoW would become unusable only if there's (full) preimage attack, or worse if there's second preimage attack since we'd need to add SHA3 hashes to all the old blocks. In other words, collision attacks on SHA256 are irrelevant for the PoW.

BIP16 wasn't a hardfork.

This might be a good idea for Netcoin.

SHA3 offers absolutely no advantage. Even if collisions for SHA2 can be found, it still won't affect mining, and address hashing can be improved with quick fixes, rather than implementing a new hashing algorithm. If QC is invented, its influence on SHA2 and SHA3 will be the same.

Difficulty would drop to 0 along with the hashrate because you need libraries that are SHA-3 capable, along with new miner software. Simply, forget the idea.