Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: kcirazy on December 22, 2013, 01:11:07 AM



Title: When SHA-256 is compromised
Post by: kcirazy on December 22, 2013, 01:11:07 AM
Can somebody lay out, step by step (preferably numbered), what needs to happen for the Bitcoin community to recover from this?
I'm thinking about the choice of new algorithm(s), politics, duration, which software needs changes, securing the network from the start, convincing the current miners, etc.


Title: Re: When SHA-256 is compromised
Post by: MA5H3D on December 22, 2013, 01:26:38 AM
Compromised how?


Title: Re: When SHA-256 is compromised
Post by: t1000 on December 22, 2013, 01:34:27 AM
1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
2) Attacker zips through blocks, providing instant confirmation for his malicious activities.
3) Attacker tries to sell all the coins.
4) Exchanges freeze.
5) No one needs convincing that the hashing algorithm is really broken.
6) Bitcoin algorithm switched.
7) Everyone agrees to rewind to a block before the attack.
8) Bitcoin continues.

Assuming the discoverer is malicious and smart:
2) Attacker zips through blocks at 5-minute intervals to avoid detection.
3) When this has happened for a while, more and more people will become suspicious.
4) 5-8 will happen.

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 

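As an added illustration (not from the post or from any Bitcoin software) of why the "smart attacker" pace in step 2 would still be noticed: block arrivals are roughly Poisson at the rate the current difficulty targets, so a window holding far more blocks than expected stands out statistically. The function names and the timestamps below are constructed for this example.

```python
import math

TARGET_INTERVAL = 600  # Bitcoin's intended block interval, in seconds


def expected_blocks(window_seconds: int, target: int = TARGET_INTERVAL) -> float:
    """Blocks a window should contain if hashrate matches the current difficulty."""
    return window_seconds / target


def count_per_window(timestamps, window_seconds: int):
    """Bucket block timestamps into consecutive windows starting at the first block.
    Returns (window_start, block_count) pairs, in order."""
    if not timestamps:
        return []
    start = timestamps[0]
    counts = {}
    for ts in timestamps:
        idx = (ts - start) // window_seconds
        counts[idx] = counts.get(idx, 0) + 1
    return [(start + i * window_seconds, counts[i]) for i in sorted(counts)]


def z_score(observed: int, expected: float) -> float:
    """Block arrivals are approximately Poisson, so the spread is sqrt(expected)."""
    return (observed - expected) / math.sqrt(expected)


def flag_fast_windows(timestamps, window_seconds: int = 86400, threshold: float = 4.0):
    """Return (window_start, count, z) for windows with implausibly many blocks.
    A trailing partial window can only lower its count, so it never false-flags."""
    exp = expected_blocks(window_seconds)
    flagged = []
    for start, n in count_per_window(timestamps, window_seconds):
        z = z_score(n, exp)
        if z > threshold:
            flagged.append((start, n, round(z, 2)))
    return flagged


def constructed_chain():
    """Constructed sample (not real chain data): a day of honest 10-minute blocks,
    a day at the 5-minute pace from the post, then a day of honest blocks again."""
    ts, t = [], 1_387_670_400  # constructed epoch start
    for interval, n in ((600, 144), (300, 288), (600, 144)):
        for _ in range(n):
            ts.append(t)
            t += interval
    return ts
```

On the constructed chain the attacker's day carries 288 blocks against an expectation of 144, a 12-sigma excess; the difficulty retarget every 2016 blocks would expose the same thing more slowly.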

Title: Re: When SHA-256 is compromised
Post by: titulng on December 22, 2013, 02:42:09 AM
Not so well, I'm afraid.


Title: Re: When SHA-256 is compromised
Post by: empoweoqwj on December 22, 2013, 03:41:06 AM
Replace SHA-256 with something newer


Title: Re: When SHA-256 is compromised
Post by: GreenWins on December 22, 2013, 07:06:52 AM
1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
2) Attacker zips through blocks, providing instant confirmation for his malicious activities.
3) Attacker tries to sell all the coins.
4) Exchanges freeze.
5) No one needs convincing that the hashing algorithm is really broken.
6) Bitcoin algorithm switched.
7) Everyone agrees to rewind to a block before the attack.
8) Bitcoin continues.

Assuming the discoverer is malicious and smart:
2) Attacker zips through blocks at 5-minute intervals to avoid detection.
3) When this has happened for a while, more and more people will become suspicious.
4) 5-8 will happen.

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 


4-5 would be too hard for it to happen.
Another coin would replace it that uses different security.
A coin with more security like Quark Coin would most likely replace it or another alt coin that uses another security.
The general public would not be able to trust Bitcoin again even if 4-8 happens.



Title: Re: When SHA-256 is compromised
Post by: prezbo on December 22, 2013, 07:57:03 AM
Compromised how?
This is an important question. Cryptography tends to get "cracked" step by step; it never goes from being secure to utterly and completely broken overnight. If there's an indication of it having a weakness, there is a lot of time to prepare.


Title: Re: When SHA-256 is compromised
Post by: Kazimir on December 22, 2013, 08:45:38 AM
Bitcoin uses double-SHA256, which is not broken if SHA256 is compromised. But other financial and banking protocols (credit cards, wire transfers, etc) all use algorithms way, WAY weaker than SHA256, so they're in big trouble.

So, when SHA-256 is compromised, everybody will flee from fiat to Bitcoin.

And then, it will take several more years before double-SHA256 is broken in any way, so we'll have plenty of time to switch to SHA3.

Bitcoin wins.


Title: Re: When SHA-256 is compromised
Post by: niothor on December 22, 2013, 08:57:37 AM
1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
2) Attacker zips through blocks, providing instant confirmation for his malicious activities.
3) Attacker tries to sell all the coins.
4) Exchanges freeze.
5) No one needs convincing that the hashing algorithm is really broken.
6) Bitcoin algorithm switched.
7) Everyone agrees to rewind to a block before the attack.
8) Bitcoin continues.

Assuming the discoverer is malicious and smart:
2) Attacker zips through blocks at 5-minute intervals to avoid detection.
3) When this has happened for a while, more and more people will become suspicious.
4) 5-8 will happen.

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 


4-5 would be too hard for it to happen.
Another coin would replace it that uses different security.
A coin with more security like Quark Coin would most likely replace it or another alt coin that uses another security.
The general public would not be able to trust Bitcoin again even if 4-8 happens.



Kermitcoin? The mother of all scamcoins ? Are you serious?


Title: Re: When SHA-256 is compromised
Post by: kcirazy on December 22, 2013, 11:10:29 AM
Replace SHA-256 with something newer

This would make all the ASIC mining equipment worthless... wouldn't miners need to sell all their coins to recover their losses, leaving the network less secure? That could completely crash the market, with people spreading over to different altcoins to hedge their bets.


Title: Re: When SHA-256 is compromised
Post by: empoweoqwj on December 22, 2013, 11:26:03 AM
Replace SHA-256 with something newer

This would make all the ASIC mining equipment worthless... wouldn't miners need to sell all their coins to recover their losses, leaving the network less secure? That could completely crash the market, with people spreading over to different altcoins to hedge their bets.

ASIC mining equipment has a short shelf life anyway. Current-gen equipment will be long dead by the time Bitcoin uses anything apart from SHA-256.


Title: Re: When SHA-256 is compromised
Post by: Rodyland on December 22, 2013, 11:29:14 AM
Compromised how?
This is an important question. Cryptography tends to get "cracked" step by step; it never goes from being secure to utterly and completely broken overnight. If there's an indication of it having a weakness, there is a lot of time to prepare.

This bears repeating and elaborating.

It's not like you go to bed and SHA256 is fine, and you wake up in the morning and it's broken. The chances of this happening to SHA256 are zero. The chances of this happening to anything written by you or me that hasn't been reviewed and examined by thousands of brilliant minds are pretty much guaranteed.

One day a researcher will publish a paper that shows that they can, say for example, drop the size of the brute-force keyspace for creating a collision by an order of magnitude or three. So instead of SHA256 being 2^256 strong, it will be "only" 2^252 strong.

Then someone else discovers another flaw that, say, allows them to partially recover the input based on a given hash, such that repeated hashing of messages that differ by a known amount allows an attacker to recover the original message.

In ways such as these, the strength of the algorithm is weakened over time. But the key point is that it happens over significant time - years. As soon as the first real dent is made in the strength of SHA256, we can begin discussing what should replace it, and how we move there.

Yes, mining hardware that utilises double-SHA256 will be useless (although, as was pointed out above, just because SHA256 is broken doesn't mean double-SHA256 is broken).

Such a move will take years. The first step would probably be to alter the Bitcoin protocol to allow a different hashing method. This hashing method would not be valid until the majority of miners and clients had moved to the protocol version that supports the new hash method. Then we enter the time of dual hashing. Old-style double-SHA256 hashes would be valid, but new-style DERP512 hashes would also be equally valid. After enough time has passed, and enough blocks are mined using DERP512 instead of double-SHA256 (say, 10 to 1), then the network could cut over to only accept the new hashes, and the old miners would be retired. At least, that's one way to do it.
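One way to sketch the dual-hashing transition described in this post in code, as an added example that is not from the post or from Bitcoin Core: a toy block header carries an algorithm field, the validator accepts either double-SHA256 or a stand-in for the hypothetical "DERP512" (SHA3-512 is used here), and a cutover rule retires legacy proof-of-work once new-hash blocks outnumber legacy ones by the chosen ratio. The header layout, the constant names, and the leading-zero-bits difficulty scheme are all assumptions made for this example.

```python
import hashlib
import struct

# Assumed toy header layout (not Bitcoin's): version | algo | prev_hash | payload | nonce
ALGO_SHA256D = 1   # legacy proof-of-work: double SHA-256
ALGO_NEW = 2       # stand-in for the post's hypothetical "DERP512"; SHA3-512 here


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def new_hash(data: bytes) -> bytes:
    return hashlib.sha3_512(data).digest()


def serialize(version: int, algo: int, prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    return struct.pack("<II", version, algo) + prev_hash + payload + struct.pack("<Q", nonce)


def header_algo(hdr: bytes) -> int:
    return struct.unpack_from("<I", hdr, 4)[0]


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    # Toy target: the digest must start with `difficulty_bits` zero bits.
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - difficulty_bits) == 0


def pow_hash(hdr: bytes) -> bytes:
    return sha256d(hdr) if header_algo(hdr) == ALGO_SHA256D else new_hash(hdr)


def mine(version: int, algo: int, prev_hash: bytes, payload: bytes, difficulty_bits: int) -> bytes:
    nonce = 0
    while True:
        hdr = serialize(version, algo, prev_hash, payload, nonce)
        if meets_target(pow_hash(hdr), difficulty_bits):
            return hdr
        nonce += 1


class TransitionPolicy:
    """Dual-hashing phase: both proof-of-work types are valid. Once new-hash blocks
    outnumber legacy ones by `cutover_ratio` (the post's "say, 10 to 1"), legacy is retired."""

    def __init__(self, cutover_ratio: int = 10):
        self.cutover_ratio = cutover_ratio
        self.legacy_seen = 0
        self.new_seen = 0

    def cut_over(self) -> bool:
        return (self.new_seen >= self.cutover_ratio
                and self.new_seen >= self.cutover_ratio * self.legacy_seen)

    def accept(self, hdr: bytes, difficulty_bits: int) -> bool:
        algo = header_algo(hdr)
        if algo not in (ALGO_SHA256D, ALGO_NEW):
            return False
        if algo == ALGO_SHA256D and self.cut_over():
            return False                      # legacy miners are retired
        if not meets_target(pow_hash(hdr), difficulty_bits):
            return False
        if algo == ALGO_SHA256D:
            self.legacy_seen += 1
        else:
            self.new_seen += 1
        return True
```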


Title: Re: When SHA-256 is compromised
Post by: ZephramC on December 22, 2013, 11:44:37 AM
1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
2) Attacker zips through blocks, providing instant confirmation for his malicious activities.
3) Attacker tries to sell all the coins.
4) Exchanges freeze.
5) No one needs convincing that the hashing algorithm is really broken.
6) Bitcoin algorithm switched.
7) Everyone agrees to rewind to a block before the attack.
8) Bitcoin continues.

Assuming the discoverer is malicious and smart:
2) Attacker zips through blocks at 5-minute intervals to avoid detection.
3) When this has happened for a while, more and more people will become suspicious.
4) 5-8 will happen.

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 

Such unanimous agreement is very doubtful.


Title: Re: When SHA-256 is compromised
Post by: btcrich on December 22, 2013, 12:48:37 PM
Bitcoin uses double-SHA256, which is not broken if SHA256 is compromised. But other financial and banking protocols (credit cards, wire transfers, etc) all use algorithms way, WAY weaker than SHA256, so they're in big trouble.

So, when SHA-256 is compromised, everybody will flee from fiat to Bitcoin.

And then, it will take several more years before double-SHA256 is broken in any way, so we'll have plenty of time to switch to SHA3.

Bitcoin wins.

This, along with the fact that if SHA-256 is compromised, there are FAR more valuable targets than Bitcoin.  

1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
2) Attacker zips through blocks, providing instant confirmation for his malicious activities.
3) Attacker tries to sell all the coins.
4) Exchanges freeze.
5) No one needs convincing that the hashing algorithm is really broken.
6) Bitcoin algorithm switched.
7) Everyone agrees to rewind to a block before the attack.
8) Bitcoin continues.

Assuming the discoverer is malicious and smart:
2) Attacker zips through blocks at 5-minute intervals to avoid detection.
3) When this has happened for a while, more and more people will become suspicious.
4) 5-8 will happen.

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 

If someone malicious or dishonest broke SHA-256, why would they mine blocks when they would have the private key to every wallet?


Title: Re: When SHA-256 is compromised
Post by: t1000 on December 22, 2013, 01:04:03 PM
Bitcoin uses double-SHA256, which is not broken if SHA256 is compromised. But other financial and banking protocols (credit cards, wire transfers, etc) all use algorithms way, WAY weaker than SHA256, so they're in big trouble.

So, when SHA-256 is compromised, everybody will flee from fiat to Bitcoin.

And then, it will take several more years before double-SHA256 is broken in any way, so we'll have plenty of time to switch to SHA3.

Bitcoin wins.

This, along with the fact that if SHA-256 is compromised, there are FAR more valuable targets than Bitcoin.  

1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
2) Attacker zips through blocks, providing instant confirmation for his malicious activities.
3) Attacker tries to sell all the coins.
4) Exchanges freeze.
5) No one needs convincing that the hashing algorithm is really broken.
6) Bitcoin algorithm switched.
7) Everyone agrees to rewind to a block before the attack.
8) Bitcoin continues.

Assuming the discoverer is malicious and smart:
2) Attacker zips through blocks at 5-minute intervals to avoid detection.
3) When this has happened for a while, more and more people will become suspicious.
4) 5-8 will happen.

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 

If someone malicious or dishonest broke SHA-256, why would they mine blocks when they would have the private key to every wallet?

Because they wouldn't have the private key. For that they will need to compromise ECDSA too. We are talking about having SHA-256 compromised only.


Title: Re: When SHA-256 is compromised
Post by: ZephramC on December 22, 2013, 01:12:55 PM
And RIPEMD-160 would need to be broken too.


Title: Re: When SHA-256 is compromised
Post by: t1000 on December 22, 2013, 01:25:05 PM
And RIPEMD-160 would need to be broken too.

Not if someone has spent outputs with that address. Then the public key for that address would be known. This is one reason you should not re-use addresses.


Title: Re: When SHA-256 is compromised
Post by: cdog on December 22, 2013, 02:56:51 PM
Folks, read the Bitcoin whitepaper, use the search engine, and in general just assume that whatever flaw with Bitcoin occurs to your brain has already occurred, along with a dozen others, to someone with a 160+ IQ.

http://bitcoin.org/bitcoin.pdf


Title: Re: When SHA-256 is compromised
Post by: ZephramC on December 22, 2013, 03:06:49 PM
And RIPEMD-160 would need to be broken too.

Not if someone has spent outputs with that address. Then the public key for that address would be known. This is one reason you should not re-use addresses.

True.


Title: Re: When SHA-256 is compromised
Post by: LiteCoinGuy on December 22, 2013, 03:28:36 PM
1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
Assuming the discoverer is malicious and smart:

........

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 


4-5 would be too hard for it to happen.
Another coin would replace it that uses different security.
A coin with more security like Quark Coin would most likely replace it or another alt coin that uses another security.
The general public would not be able to trust Bitcoin again even if 4-8 happens.



Kermitcoin? The mother of all scamcoins ? Are you serious?

I would prefer Dogecoin ;D


Title: Re: When SHA-256 is compromised
Post by: Rampion on December 22, 2013, 03:53:36 PM
1) SHA-256 compromised as in there is a quick way to discover the nonce required to produce the valid block hash.
Assuming the discoverer is malicious and stupid:
2) Attacker zips through blocks, providing instant confirmation for his malicious activities.
3) Attacker tries to sell all the coins.
4) Exchanges freeze.
5) No one needs convincing that the hashing algorithm is really broken.
6) Bitcoin algorithm switched.
7) Everyone agrees to rewind to a block before the attack.
8) Bitcoin continues.

Assuming the discoverer is malicious and smart:
2) Attacker zips through blocks at 5-minute intervals to avoid detection.
3) When this has happened for a while, more and more people will become suspicious.
4) 5-8 will happen.

Assuming the discoverer is benevolent:
2) Research claims SHA-256 is compromised.
3) Demonstrates this by zipping past a few blocks.
4) 4-8 in the stupid attacker case happens.

I have left out the other serious implications of the complete breakdown of SHA-256.

 


4-5 would be too hard for it to happen.
Another coin would replace it that uses different security.
A coin with more security like Quark Coin would most likely replace it or another alt coin that uses another security.
The general public would not be able to trust Bitcoin again even if 4-8 happens.



How is it that Quark Coin is more secure with that ridiculously fast maturing?


Title: Re: When SHA-256 is compromised
Post by: kcirazy on December 22, 2013, 07:38:27 PM
Such a move will take years. The first step would probably be to alter the Bitcoin protocol to allow a different hashing method. This hashing method would not be valid until the majority of miners and clients had moved to the protocol version that supports the new hash method. Then we enter the time of dual hashing. Old-style double-SHA256 hashes would be valid, but new-style DERP512 hashes would also be equally valid. After enough time has passed, and enough blocks are mined using DERP512 instead of double-SHA256 (say, 10 to 1), then the network could cut over to only accept the new hashes, and the old miners would be retired. At least, that's one way to do it.

Ah I didn't consider this scenario ... that might actually be a good way to convince miners to invest in new hardware, while not completely losing their old investments.


Title: Re: When SHA-256 is compromised
Post by: Kazimir on December 22, 2013, 11:53:51 PM
Folks, read the Bitcoin whitepaper, use the search engine, and in general just assume that whatever flaw with Bitcoin occurs to your brain has already occurred, along with a dozen others, to someone with a 160+ IQ.

http://bitcoin.org/bitcoin.pdf
This.