Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: becoin on July 07, 2011, 12:44:44 PM



Title: If SHA-2 is so secure then why?
Post by: becoin on July 07, 2011, 12:44:44 PM
Bitcoin mining process consists of repeatedly increasing "nonce":

Quote
payload = <some data related to things happening on the Bitcoin network>
nonce = 1
hash = SHA2( SHA2( payload + nonce ) )

It merely tries to find the right number.


If SHA-2 is so secure then why have National Institute of Standards and Technology (NIST) announced an open competition for a new SHA-3 function to replace the older SHA-1 and SHA-2 after 2012?

http://en.wikipedia.org/wiki/NIST_hash_function_competition

Is the SHA-2 algorithm hard coded in the bitcoin protocol or not? Is it possible to upgrade it to SHA-3 after 2012?
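The post's pseudo-code sketches the search but leaves out the target it is searching against. The following is an added example, not code from the original post or from Bitcoin itself: it implements the double-SHA-256 nonce search on a constructed "payload + nonce" layout (a 4-byte little-endian nonce appended to arbitrary bytes) and compares the digest as a big-endian integer against a leading-zero-bits target. Real Bitcoin headers have a fixed 80-byte layout and read the hash as a little-endian number; those details are simplified here.

```python
import hashlib
import struct

# Added example (not from the original post). The header layout, the
# payload bytes and the big-endian comparison are constructed choices.

def double_sha256(data: bytes) -> bytes:
    """SHA-256 applied twice, the SHA2(SHA2(...)) of the post's pseudo-code."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def target_for(leading_zero_bits: int) -> int:
    """Largest digest value (read as a big-endian integer) accepted as valid.

    Demanding k leading zero bits makes the expected search cost about 2**k
    double-SHA-256 evaluations; that is the whole "difficulty" knob.
    """
    return (1 << (256 - leading_zero_bits)) - 1

def header_with_nonce(payload: bytes, nonce: int) -> bytes:
    """Constructed layout: payload followed by a 4-byte little-endian nonce."""
    return payload + struct.pack("<I", nonce)

def verify(payload: bytes, nonce: int, leading_zero_bits: int) -> bool:
    """Checking a claimed solution costs exactly one double hash."""
    digest = double_sha256(header_with_nonce(payload, nonce))
    return int.from_bytes(digest, "big") <= target_for(leading_zero_bits)

def find_nonce(payload: bytes, leading_zero_bits: int, max_nonce: int = 2**32 - 1):
    """Brute-force the nonce, exactly as the pseudo-code sketches.

    Returns (nonce, digest) for the first nonce whose double-SHA-256 meets the
    target, or None if the whole nonce range is exhausted (a real miner then
    changes the payload, e.g. the timestamp, and starts over).
    """
    target = target_for(leading_zero_bits)
    for nonce in range(max_nonce + 1):
        digest = double_sha256(header_with_nonce(payload, nonce))
        if int.from_bytes(digest, "big") <= target:
            return nonce, digest
    return None

if __name__ == "__main__":
    payload = b"constructed block header fields"  # constructed sample input
    found = find_nonce(payload, 16)
    if found is None:
        print("nonce space exhausted")
    else:
        nonce, digest = found
        print(f"nonce={nonce} digest={digest.hex()}")
        print("verifies:", verify(payload, nonce, 16))
```

The asymmetry is the point: verifying costs one double hash, finding costs about 2**k of them, and nothing shorter than trying nonces is known as long as SHA-256 behaves like a random function. A result that let someone steer the output of SHA-256 toward small values would collapse that search cost, which is what "SHA-2 broken" would mean for mining specifically; a collision attack alone would not.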


Title: Re: If SHA-2 is so secure then why?
Post by: elggawf on July 07, 2011, 12:48:13 PM
If SHA-2 is so secure then why have National Institute of Standards and Technology (NIST) announced an open competition for a new SHA-3 function to replace the older SHA-1 and SHA-2 after 2012?

You think they should wait until SHA-2 is broken to start looking for a replacement? Think about that for a second.

Quote
Is the SHA-2 algorithm hard coded in the bitcoin protocol or not? Is it possible to upgrade it to SHA-3 after 2012?

It's possible, yes, but it's going to be a mess and require lots of cooperation.


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 07, 2011, 01:06:16 PM
You think they should wait until SHA-2 is broken to start looking for a replacement? Think about that for a second.
If they think for a replacement there is a reason, right? If they think for a replacement after 2012 why you shouldn't? Or you intend to use SHA-2 until 2140?


Title: Re: If SHA-2 is so secure then why?
Post by: Man From The Future on July 07, 2011, 01:07:28 PM
You think they should wait until SHA-2 is broken to start looking for a replacement? Think about that for a second.
If they think for a replacement there is a reason, right? If they think for a replacement after 2012 why you shouldn't? Or you intend to use SHA-2 until 2140?
They need to make a replacement because the alternative is to wait until SHA256 isn't good enough.

Yes, bitcoin can change to not use SHA2


Title: Re: If SHA-2 is so secure then why?
Post by: natman3400 on July 07, 2011, 01:13:17 PM
You think they should wait until SHA-2 is broken to start looking for a replacement? Think about that for a second.
If they think for a replacement there is a reason, right? If they think for a replacement after 2012 why you shouldn't? Or you intend to use SHA-2 until 2140?
SHA-1 is still unbroken (as far as I know), but that's no reason not to use SHA-2. It just means that SHA-1 had a possible future weakness that could be fixed, for the most part, but at the cost of using more computing power. The time has just come again when average computing power has increased enough that they see fit to upgrade it to nip any possible weakness in the bud. The only problem found in SHA-1 was a POSSIBLE mathematical weakness, and since SHA-2 is roughly based on SHA-1, just a bit beefed up, the search for a replacement to SHA-1 never really stopped.


Title: Re: If SHA-2 is so secure then why?
Post by: sirky on July 07, 2011, 01:16:46 PM
It is simply a good idea. SHA-2 is still holding up, but it seems that these hashing functions generally only last so long before someone figures out a way to decrease the attack space enough to make you uncomfortable, or to find a collision fast enough to make you question the theory (MD-4 being the worst).

Updating the client would be a huge mess though. There would have to be a hard coded block (probably) when all the clients switched to whatever the new algorithm was.

Old clients still would be made absolutely useless though, and would create their own block chain at that point.

It would not be good.


Title: Re: If SHA-2 is so secure then why?
Post by: Man From The Future on July 07, 2011, 01:18:54 PM
It is simply a good idea. SHA-2 is still holding up, but it seems that these hashing functions generally only last so long before someone figures out a way to decrease the attack space enough to make you uncomfortable, or to find a collision fast enough to make you question the theory (MD-4 being the worst).

Updating the client would be a huge mess though. There would have to be a hard coded block (probably) when all the clients switched to whatever the new algorithm was.

Old clients still would be made absolutely useless though, and would create their own block chain at that point.

It would not be good.
Block headers contain a version.


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 07, 2011, 01:19:09 PM
They need to make a replacement because the alternative is to wait until SHA256 isn't good enough.
I don't really understand what you are trying to say, Man From The Future. SHA256 is just 1 of the 4 hashing functions that are used in the SHA-2 hashing algorithm!

It's possible, yes, but it's going to be a mess and require lots of cooperation.
So, better sooner than later because if later the mess will be bigger!


Title: Re: If SHA-2 is so secure then why?
Post by: elggawf on July 07, 2011, 01:19:35 PM
You think they should wait until SHA-2 is broken to start looking for a replacement? Think about that for a second.
If they think for a replacement there is a reason, right? If they think for a replacement after 2012 why you shouldn't? Or you intend to use SHA-2 until 2140?

Yes, but you don't understand the reason. Designing a new hash is not something you just throw together over a weekend with a few beers and a whiteboard. If they waited until there was a credible threat to SHA-2, then that's waiting too long - the algorithm would be broken before a replacement was ready and proven strong.

So instead, they leapfrog the standards and it's merely up to users to implement it when their risk assessment decides it's time to do so - Bitcoin would be no exception: when SHA-256 is not as useful as one of its replacements, I'm sure the devs will begin the difficult and thorny process of replacing it in the Blockchain.

I highly doubt they'll switch just because NIST declares a great new algo and it looks shiny.

So, better sooner than later because if later the mess will be bigger!

I don't think doing it now, versus in 5 years makes it any less of a nightmare, personally. It's still going to take the cooperation of the network, and I don't think making the network more diverse makes that significantly harder. On the flipside, a giant clusterfuck of changing the algo might be another cataclysmic event for a digital currency that's taken a pounding lately.

The only real benefit I can think of is that you wouldn't fuck over the people who are building ASIC farms if you did it now - I think that's their problem though, not the network's.


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 07, 2011, 01:31:27 PM
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?


Title: Re: If SHA-2 is so secure then why?
Post by: elggawf on July 07, 2011, 01:40:31 PM
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?

The competition ends in 2012, at which point the new standard will be written. They're not mandating anyone replace SHA-2 in 2012, just that's when the new standard will be written.

They didn't start SHA-3 because they expect SHA-2 to be broken in 2012, which seems to be the assumption you're blindly leaping to.


Title: Re: If SHA-2 is so secure then why?
Post by: prolixus on July 07, 2011, 02:23:54 PM
Another factor that you're not seeing is that SHA-3 will be subject to extensive analysis and testing after it's published. There's a small but real possibility that a flaw in the algorithm could be discovered that makes it less secure than SHA-2. Just jumping into the new standard is riskier than waiting until there is a clear reason to make a transition.


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 08, 2011, 10:13:37 AM
Just jumping into the new standard is riskier than waiting until there is a clear reason to make a transition.
Where did I say we should jump into the new standard immediately? All I'm saying is we should be prepared to jump once the necessity arises.

I'm surprised an option for changing the bitcoin hashing algorithm was not envisaged in the original concept. Everything that is man-made can be destroyed or counterfeited by another man. This is why everything valuable to society should have built-in mechanisms for defence and protection improvements in case they are needed.

Think about current bank notes and bills. At the beginning of their life span they all have cutting-edge, state-of-the-art protection in place (serial numbers, watermarks, micro seals, color-shifting ink, embedded fibers, security thread, holograms, you name it). As time passes and the technologies employed mature (become cheaper to acquire and implement) it gets easier to produce counterfeit money. On top of it, very often a 'leak' occurs and 'unsanctioned' printing of genuine bank notes takes place. When that happens there is no choice but to withdraw old bank notes from circulation and issue new notes with a new design and improved protection against counterfeiting.

Bitcoin is a cryptographic currency. That means its strongest line of defence is the hashing algorithm. If this line is somehow endangered there must be options in place to strengthen it by introducing, in an orderly way, a new 'design' with a more secure hashing algorithm.


Title: Re: If SHA-2 is so secure then why?
Post by: JoelKatz on July 08, 2011, 10:18:31 AM
If SHA-2 is so secure then why have National Institute of Standards and Technology (NIST) announced an open competition for a new SHA-3 function to replace the older SHA-1 and SHA-2 after 2012?
For a variety of reasons, none of which in any way bear on SHA-2's suitability for use in bitcoin. For example, one issue is to provide improved hashing performance.

Quote
Is the SHA-2 algorithm hard coded in the bitcoin protocol or not? Is it possible to upgrade it to SHA-3 after 2012?
It is, but the protocol could be changed if needed. However, SHA-2 will be suitable for use in bitcoin *way* past 2012. I would be surprised if SHA-2 wasn't still ironclad for its use in bitcoin until at least 2030.


Title: Re: If SHA-2 is so secure then why?
Post by: jackjack on July 08, 2011, 10:23:14 AM
Just jumping into the new standard is riskier than waiting until there is a clear reason to make a transition.
Where did I say we should jump into the new standard immediately?
There:
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 08, 2011, 10:44:54 AM
It is, but the protocol could be changed if needed.
If it is hard coded then it should not be possible to change it. Ever! Is there anything that can not be changed if needed? I need some more bitcoins. Would you change the protocol for me?


Title: Re: If SHA-2 is so secure then why?
Post by: jackjack on July 08, 2011, 10:51:57 AM
It is, but the protocol could be changed if needed.
If it is hard coded then it should not be possible to change it. Ever! Is there anything that can not be changed if needed? I need some more bitcoins. Would you change the protocol for me?
I wasn't sure you were a troll
Now I am


Title: Re: If SHA-2 is so secure then why?
Post by: JoelKatz on July 08, 2011, 10:52:53 AM
If it is hard coded then it should not be possible to change it. Ever! Is there anything that can not be changed if needed? I need some more bitcoins. Would you change the protocol for me?
Even something hard coded can be changed, including giving you more bitcoins. The process would be:

1) Obtain a community consensus on the change.

2) Develop patches to support the change without activating the change.

3) Wait for significantly more than 50% of miners to be running a build with those patches. (At minimum. Obviously, if possible, wait longer than this to minimize disruption to clients and services.)

4) Pick a block to begin the change.

5) Develop patches to make that change at that block. (Or trigger on an event.)

6) Wait.

This would be a painful process that would likely be at least somewhat harmful to at least bitcoin's perceived stability. So I doubt you could make it work just to give you a few more bitcoins. Perhaps if you gave me a few more as well ...
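The steps above (patches that carry the rule but leave it inert, then a chosen block at which the rule takes effect) and the earlier remark that block headers contain a version can be shown as a small consensus rule. The following is an added example and not Bitcoin's actual upgrade mechanism or code: the activation height, the version numbers and the choice of SHA3-256 as the hypothetical successor of double SHA-256 are all constructed. It uses a height-based trigger; the "trigger on an event" variant would only change `required_version`.

```python
import hashlib
from dataclasses import dataclass

# Added example, not Bitcoin's real upgrade logic. All values are constructed.
ACTIVATION_HEIGHT = 1000  # step 4: the block picked to begin the change

HASH_V1 = 1  # legacy proof-of-work hash: SHA-256 applied twice
HASH_V2 = 2  # hypothetical successor, here SHA3-256

@dataclass(frozen=True)
class Block:
    height: int
    version: int   # block headers carry a version field
    header: bytes  # constructed opaque header bytes

def pow_hash_v1(header: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def pow_hash_v2(header: bytes) -> bytes:
    return hashlib.sha3_256(header).digest()

def required_version(height: int, activation_height: int = ACTIVATION_HEIGHT) -> int:
    """Consensus rule from step 5: old hash below the activation block, new hash from it on."""
    return HASH_V2 if height >= activation_height else HASH_V1

def pow_hash(block: Block, activation_height: int = ACTIVATION_HEIGHT) -> bytes:
    """Hash a block with whichever function the rule demands at its height."""
    if required_version(block.height, activation_height) == HASH_V2:
        return pow_hash_v2(block.header)
    return pow_hash_v1(block.header)

def upgraded_client_accepts(block: Block, activation_height: int = ACTIVATION_HEIGHT) -> bool:
    """A node running the step-2 patches: the rule is present but inert until activation,
    so before that height it behaves exactly like a legacy node."""
    return block.version == required_version(block.height, activation_height)

def legacy_client_accepts(block: Block) -> bool:
    """A node that never upgraded only knows HASH_V1 and rejects everything else."""
    return block.version == HASH_V1

def chain_split_height(blocks, activation_height: int = ACTIVATION_HEIGHT):
    """First height at which upgraded and legacy nodes disagree, or None.

    This is the fork described earlier in the thread: from this block on,
    legacy nodes keep extending their own chain of HASH_V1 blocks.
    """
    for b in blocks:
        if upgraded_client_accepts(b, activation_height) != legacy_client_accepts(b):
            return b.height
    return None

if __name__ == "__main__":
    chain = [
        Block(999, HASH_V1, b"constructed header A"),   # last pre-activation block
        Block(1000, HASH_V2, b"constructed header B"),  # first block under the new rule
    ]
    for b in chain:
        print(b.height, b.version, pow_hash(b).hex()[:16],
              "upgraded:", upgraded_client_accepts(b),
              "legacy:", legacy_client_accepts(b))
    print("split at height:", chain_split_height(chain))
```

Step 3 (waiting for well over half of the miners) is what keeps `chain_split_height` from mattering in practice: if almost nobody is still running `legacy_client_accepts` when the activation block arrives, the legacy chain has too little hashing power to be extended, and the split exists only on paper.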


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 08, 2011, 10:56:19 AM
There:
If they waited until there was a credible threat to SHA-2, then that's waiting too long
This is why they have announced an open competition to replace SHA-2 with SHA-3 after 2012...

I have a very simple question. If they don't want to wait anymore, what are you waiting for?
Where there, jackjack?

The guy that was arguing with me basically said NIST announced this competition just in case... What I'm asking is 'If they don't want to wait anymore and are acting now just in case, what are you waiting for, and why not act just in case as well?'

How are you prepared for a possible change in SHA?


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 08, 2011, 11:05:28 AM
1) Obtain a community consensus on the change.
I have X amount of bitcoins in my wallet. Am I part of the community? Where can I read about the procedure to be followed when a community consensus for a change needs to be obtained?


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 08, 2011, 11:06:54 AM
I wasn't sure you were a troll
Now I am
I wasn't sure you were stupid.
Now I am.


Title: Re: If SHA-2 is so secure then why?
Post by: JoelKatz on July 08, 2011, 12:09:18 PM
1) Obtain a community consensus on the change.
I have X amount of bitcoins in my wallet. Am I part of the community?
Actually, that's a very interesting question. From a technical standpoint, you only need the consent of the active miners. From a practical standpoint, you mostly need the consent of those managing the reference client.

Theoretically, a disagreement between a large group of miners and those maintaining the reference client could lead to a fork where the public hash chain splits into two incompatible groups of programs, each rejecting the other's hash chain, where everyone with bitcoins prior to the split has them in both systems (and could spend them differently in each system). However, letting that happen is in nobody's interest. So it's extremely unlikely.
Quote
Where can I read about the procedure to be followed when a community consensus for a change needs to be obtained?
In the post you are replying to, which you already read.


Title: Re: If SHA-2 is so secure then why?
Post by: phantomcircuit on July 08, 2011, 03:28:36 PM
1) Obtain a community consensus on the change.
I have X amount of bitcoins in my wallet. Am I part of the community?
Actually, that's a very interesting question. From a technical standpoint, you only need the consent of the active miners. From a practical standpoint, you mostly need the consent of those managing the reference client.

Theoretically, a disagreement between a large group of miners and those maintaining the reference client could lead to a fork where the public hash chain splits into two incompatible groups of programs, each rejecting the other's hash chain, where everyone with bitcoins prior to the split has them in both systems (and could spend them differently in each system). However, letting that happen is in nobody's interest. So it's extremely unlikely.
Quote
Where can I read about the procedure to be followed when a community consensus for a change needs to be obtained?
In the post you are replying to, which you already read.

You need all stakeholders to agree to the change. Although practically it is the client implementors and not the miners who decide which way to go, after all a miner isn't going to use a protocol nobody accepts as being valid.


Title: Re: If SHA-2 is so secure then why?
Post by: becoin on July 08, 2011, 03:54:35 PM
In the post you are replying to, which you already read.
I appreciate your effort to respond to an uneasy question, Joel. Let me assure you that I'm an active bitcoin proponent.


Title: Re: If SHA-2 is so secure then why?
Post by: elggawf on July 08, 2011, 05:52:51 PM
The guy that was arguing with me basically said NIST announced this competition just in case... What I'm asking is 'If they don't want to wait anymore and are acting now just in case, what are you waiting for and don't act just in case as well?'

How are you prepared for a possible change in SHA?

Because the process of analyzing and certifying a new hashing algorithm is lengthy and fraught with pitfalls - the competitions take like five years because if they didn't, there's a good chance everyone would move to a new algo that is weaker than the one they're moving from. Because it takes a few years lead time for everyone to make sure there's no show-stopping weakness in the algorithm, it's typical to start developing new algorithms before the old one is proven broken.

Bitcoin, on the other hand, has the luxury of taking a mere few months to get everyone ready to go before we pull the trigger. We also have the luxury that we don't really need to do anything until there's a credible threat on the horizon - if we went ahead and began the upgrade to SHA-3 as soon as it's certified, then there are a few major issues:

a) It breaks backwards compatibility of the network;
b) There's still a tiny chance we could be moving to a weaker algorithm, as by that point SHA-2 will have had quite a lot of time of people trying to break it because it would be profitable to do so. SHA-3 on the other hand, if you break it now all you get is bragging rights;
c) It would be a political mess upgrading the hash mechanism for no good reason.

Now if there was a credible threat on the horizon, you'd probably be hard pressed to find anyone (save possibly a company that just dumped a few million bucks into SHA-2 ASICs) who'd disagree with making the gradual change. If someone released a "holy shit, it's broken now now now" attack on SHA-2, the community would gladly respond in a quicker, more violent and bloody manner.

I get the feeling that the conclusion you're leaping to is that they're working on SHA-3 because SHA-2 is broken. That's almost certainly false, the NIST competitions don't work that way - if the algorithm is broken, it's too late to still be working on the next one.


Title: Re: If SHA-2 is so secure then why?
Post by: jackjack on July 08, 2011, 06:05:11 PM
I wasn't sure you were a troll
Now I am
I wasn't sure you were stupid.
Now I am.
http://www.serieslive.com/img/smileys/mdr.gif


Title: Re: If SHA-2 is so secure then why?
Post by: ampkZjWDQcqT on July 08, 2011, 08:51:14 PM
I'm surprised an option for changing bitcoin hashing algorithm was not envisaged in the original concept. Everything that is man-made can be destroyed or counterfeited by another man. This is why everything valuable for the society should have built-in mechanisms for defence and protection improvements in case it is needed.

False. Knowledge based on formal logic can't be destroyed. Theorems for instance. However, it would be more appropriate to describe them as being man-discovered rather than man-made.


Title: Re: If SHA-2 is so secure then why?
Post by: wareen on July 08, 2011, 09:02:42 PM
Theorems for instance.
Too bad we still don't have proof for the existence of one-way functions - would surely boost the value of Bitcoins ;)