Bitcoin Forum

What would it take to get the algo changed from SHA-256 to Scrypt?

51% of the network in agreement pretty much.

Pretty much impossible in the foreseeable future with all the investments in single-purpose (SHA) ASICs.

Unless someone wealthy or an organization with a lot of resources manages to do a 51% attack (or simply become the most dominant mining entity) with their own in-house ASIC production, in which case a switch to scrypt could happen overnight.

The reason I say this is I consider it somewhat possible: as budget goes up linearly in an ASIC production enterprise, the output and efficiency goes up something more exponentially.  A big whale could do it, the way I see it.

Uh no.  A 51% attack cannot trigger a hard fork.

I think Let's Talk Bitcoin covered the issue pretty well in Episodes 21 and 22. I've had the same beliefs for some time, and with the way the ASIC world is going, it is playing out. If the community doesn't step up and make the change, or at least have an open discussion on the issue, I see Bitcoin dead in less than a year.

Go buy some Litecoins.

uh. "51%" has nothing to do with anything here.

Why? You think ASICs are centralizing bitcoin too much? Am I missing some other concern?

I have a block-erupter USB running on a Raspberry PI right next to me as I type this. I'm also thinking of ordering some Avalon chips. Various mining hardware suppliers are finally shipping. ASICs are being *widely* distributed, and spiking the total hashrate/security dramatically. Yes, we're absolutely going to see a handful of pools and operators with huge share, but we'll also see a very long-tail of distributed pretty-impressive hashrate.

With GPUs, you'd get that effect less in the long-run because of the reduced efficiency... Fewer people are willing to put a couple expensive graphic cards in their machines and spend the power and space on them versus sticking a tiny efficient USB device in their laptop.

Andreas is grossly wrong on this one.

i seriously doubt it.  they'd have to compete with Avalons chip shipments and they have made a conscious decision to disseminate them widely.  plus, Avalon makes more money doing it this way.

Big project like this, not possible to modify method at the later stage. Also there is not only one

I think changing the algo would hurt it worser than the ASICs will (which won't hurt it imo). :-\
Like someone mentioned already, if you want scrypt because you think Bitcoin will die due the ASIC's, get Litecoins.

I have. My GPU farm is pointed at Litecoin. I also have ASICs on order. But Bitcoin is my first love, and I hate to see it slowly commit suicide.

This I wish this myth would just die.

You can fork Bitcoin easily.  Clone the github, make an incompatible change and publish it.  Assuming you have at least one node mining TADA you have forked Bitcoin.  You can do it with 1% of the hashing power or 99%. In either case two incompatible forks will exist.   Technically there would be two different "Bitcoins".  "Will the real Bitcoin please stand up?"

Now convincing people to use your fork over the original... well that is the tough problem.  It is a societal problem not a technological one. So for the OP example one could make a scrypt fork in probably less than a day.  Now how are you going to convince people to use it?

+1 Also didn't like the misquoting of Satoshi (or technically the Bitcoin paper).

Also the whole idea of some miners having "4, 5 magnitudes of efficiency over other miners" is just silly.  It won't happen.  If someone is that inefficient the competitive market means they simply will not mine.  They will use competitive hardware or they won't mine.  Competitive doesn't necessarily mean the absolute best.  If someone releases a 40nm ASIC it doesn't obsolete all other ASICSs.  Sure their resale value goes down, they are less competitive, they spend more per BTC on energy but they can still compete.  A 1 or 2 level process improvement (i.e. 110nm vs 85 vs 60 nm) doesn't produce a magnitude improvement.  In theory a 2x improvement in electrical efficiency and maybe a 1.5x improvement in capital efficiency however real world often falls short (even by major players like Intel and AMD).

So the question comes looking forward 18-24 months will ASICs be widely available from multiple sources competing in an open free market?  Nothing I have seen indicates it won't.  So instead of debating buying used AMD 5000 series cards vs the new HD 7970 it will be "should I buy this used BFL SC Single" or spend more on this next gen ASIC Miner board.

Can someone please articulate an argument that in 18-24 months there won't be multiple ASICs, reasonably available from multiple vendors.

A security researcher has predicted SHA 256 will be cracked this year.  When that happens the algorithm may change.

Cite?  There are not even any "academic attacks" against SHA-2 at this time.  An academic attacking being a method which is faster than brute force but still computationally infeasible to exploit in the real world.

Can I bet on that?

So, If that should happen, someone could attack the block chain, and possibly mine the entire rest of the chain in a matter of days\weeks? Yeah, if that is the case, that would force a hard fork.

It is srypt altcoins, who should worry, that somebody privately develops a scrypt asic and shuts them all down.

Quick question:

Why is taking hashing power away from botnet operators and putting it in the hands of hardware owners a bad thing? 

Just nonsense. The blockchain is still safe even it uses MD5(MD5()). The difficulty will adjust.

Actually, a weakened SHA256 gives advantage to GPU mining because ASICs are not programmable.

Before the Internet, experts were experts. You usually only ever heard a security expert talk about security, an economist talk about economics, or a physicist talk about physics.

Now experts still get audience, same as before, but they can talk about anything. Yet we still have the impression that experts are always reliable, since back when they only spoke about things in their field they generally were. The result is they make a lot more mistakes, and sometimes people get misguided because they trusted the expert.

This is most apparent when non-economists who have no understanding of economics speak on a subject that, unbeknownst to them, actually requires a solid understanding of economics.

I don't see the point of all the people that complain about Bitcoin mining on SHA-256 is overspecialized etc. I think it's actually a necessary requirement for stability.

Just imagine that we would change to hash function X (be it SCRYPT or whatever). Immediately, the arms race would start again from the beginning, just as we see it with Litecoin now. People would develop GPU miners, then FPGA, then ASICs. It does not make sense to re-start this arms race every time, because it bring a lot of insecurity and instability to the currency.

In the end, a currency that does not has reached the ASIC-stage yet always runs the risk of someone developing an ASIC and using it to get control over the network. With Bitcoin, we're close to the end of development. There are ASICs, but they are spread out among many entities, vendors and miners. There is progression, but we're getting close to the end of playing catch-up with the rest of the technological development of chips: we're close to the end, and the advancement of mining speeds will slow down. It's a really good thing that we've got to ASICs already. No surprises.

Jazkal= pissed off from the fact that he's 3 years late.  I think myself and everyone else who bought into asics hardware would be up in arms  if that happens.  Likely BTC falls out of prominence and PPC becomes the Reining Champ - thus keeping the sha256 dominance maintained.  If you can't read into that there was bits of sarcasm peppered into the statement above.

I am following not only these threads, but also this bet:

http://betsofbitco.in/item?id=1432

I'm betting you are right... in the sense that there will be a change sometime before the end of the year. :)

I think people's investment into GPU mining is still an order of magnitude higher... although, as far as I know Scrypt is GPU unfriendly, so who the heck knows!

Maybe some new G-scrypt will be invented ;)

https://mobile.twitter.com/jgarzik/status/336218499938668544

I'm sorry you didn't take the time to read.

As I stated above, I've been in the game since 2011, don't see how that is "3 years late". And if you had read, you would see I have invested into ASICs, so I am not just a GPU farmer, I have the greater good of Bitcoin in mind for these discussions, not just some stick in the mud that is upset the tech has gotten ahead of him.

I personally think that ASIC minning was innevitble and only hurts those that dont have them. But once everyone has them, well, something better will come out. It just further secures the chain.

Changing to scrypt.. Well mine FRK's  ;D

If Bitcoin was using scrypt from the start, you won't escape from ASICs. Just accept that people will optimize mining and there is nothing you can do about it. Like in every social organisation there are leaders, runner-ups and outsiders. Bitcoin is no exception. Communism never works. I, for instance, couldn't care less about mining BTC myself and don't see a problem with some bunch of guys having 70% of hashing power. Those who are interested in preserving the value of their coins would strive to process transactions "fairly" and distribute mining hardware as wide as possible.

In that case the algorithm will get changed... pretty much overnight. You can bet all your coins on that.

Not sure if you can't read or you think this says something it doesn't.  Nothing in there about SHA-2 being compromised this year.

Then stop being tired.  Nobody asked you to do any research.  You made an unsubstantiated claim.  When asked for a cite you linked to something completely unsupporting.

I will take your claim of SHA-2 being broken this year (as if such a thing is even predictable) as utter nonsense.  See your done.

No problem.  Thanks for making my decision easier.

I like short posts like this one, hitting the nail on the head.

What would be the point?  No one would use it.

Er,
Let's all be clear that bitcoin  utilizes DOUBLE SHA-2 before making bold statements.

Actually there are partial attacks that are very well documented against SHA 2 upto about 25 bits , but not so much against double SHA 2....

The other issue is that the research into SHA 2* attack vectors has a weakness.....(which you can figure out yourself if you think about it....)

Plus there is some VERY interesting shit if you can program up your own FPGA farm..... The big issue is getting the shit out fast enough...

It isn't a bold statement, it is merely a statement of fact.  Lets ignore the potential added security of double SHA hash and just focus on single SHA-2 hashes.

SHA-2 uses 64 or 80 rounds.  There are no known attacks against 64 or 80 round SHA-2.  None.  No first preimage attacks, no second preimage attacks, no random collisions.  

This isn't for a lack of trying.  SHA-2 is one of the most analyzed algorithms in the world.  It is used for just about everything from banking to PGP to SSL.  A lot of different entities in a lot of different places all around the world have a very vested interest in knowing if SHA-2 is secure.  Cryptography can never be mathematically proven secure, the best we can do is (collectively) look for flaws and if enough people look hard enough for long enough the probability that an unknown flaw will appear suddenly and without warning is reduced, never eliminated but reduced.

An academic attack on a theoretical variant of SHA-2 which uses 41 instead of 64 rounds isn't an attack vector unless Bitcoin happens to use this modified variant with 41 instead of 64 rounds.  For the record it doesn't, nobody does, anywhere, for anything.  Publishing a reduced round version of an attack is essentially saying "we looked for a flaw but couldn't find one however if this algorithm only used x rounds instead of y rounds here is a flaw".  It is a way for other researchers to potentially expand upon but often many of these reduced round attacks are simply dead ends.  What works for 41 rounds may NEVER work for 64 rounds.  It is possible that these known reduced round attacks are dead ends.  That is to say that eventually SHA-2 is broken but it is broken in a completely unrelated manner and researchers who will try to expand on these known attack vectors will spend countless hours it what will ultimately prove to be "barking up the wrong tree".

I never predicted that SHA-2 won't eventually be broken but to claim it will be broken this year requires some significant supporting evidence and none was provided.  When asked for a cite, link to tweets unrelated to the claim were provided.  When confronted the person left saying he "doesn't need to prove anything to anyone".  That isn't what I would call "significant supporting evidence".  

Maybe SHA-2 will be broken this year, or maybe next year, or maybe it is never broken because over time most applications migrate to SHA-3 (after significant cryptoanalysis) because it has less theoretical flaws.  If that happens a exploitable flaw in SHA-2 may never be found because the focus of global analysis will shift to SHA-3 as it will be the bigger target.  To make a long story long regardless of if/when SHA-2 is broken the statement that "it will be broken by the end of the year" is rubbish.  Nobody credible said that, and nobody credible would.

Besides, the more specialized hardware has to be to complete, the harder it will be for an attacker to use off the shelf hardware to attack the network. ASICs are good.

conclusion: sha-2(56) reasonably secure (thanks DeathAndTaxes for explaining the research). Reason for doubt (and also LTC popularity): GPU miner denial. Centralization by ASIC seems to be a myth so far.

case closed. jgarzik will win the bet (https://twitter.com/jgarzik/status/336210942717214720) against @dakami (if Kaminzki has the balls to take it, which doesn't seem to be the case. But maybe he has no bitcoins, who knows).

you misunderstood what jgarzik was saying that Kaminsky was saying in that tweet.

what Kaminsky was saying was that the Bitcoin POW system would be broken by a 51% attack due to the concentration of ASICs into a single attackers hand, not that SHA256 would be cracked.  there's a big difference. 

even so, Kaminsky is nuts in making that prediction.  no way in hell that happens by the end of the year; or perhaps EVER.

No, sorry. Wrong again. The bet concerned Kaminsky's statement at the security panel of the Bitcoin 2013 conference that the current proof-of-work function will not see the end of 2013:

“I assign a 0% probability that we will continue with the present proof of work function. The present proof of work function is not going to survive the year. Period. If there’s one hard prediction I’m going to make it’s going to be that.” – Dan Kaminsky

Sources:

• http://thegenesisblock.com/go-fork-yourself-life-after-a-bitcoin-hard-fork
• https://mobile.twitter.com/jgarzik/status/336218499938668544

i know what he said, i attended the session.  i've also read those links.

what he means is exactly what i said.  he predicts Bitcoin's POW won't survive b/c he thinks someone is going to accumulate enough ASIC hash power to perform a 51% attack.

he said nothing about SHA256.

Remember a couple of years ago, right after GPU mining really took off, when everybody panicked because of Deepbit? Remember how that turned out?

exactly right.

nothing.

Yeah, I was also in the room when Kaminsky made that statement, and was paying attention to the entire session and context. Cypher is right.

arnuschky - Go watch the videos from the conference....the security panel should be up.

I did by now, thanks. Context is important. :)

Indeed.  See http://www.coindesk.com/bitcoin-developer-jeff-garzik-on-altcoins-asics-and-bitcoin-usability/ for some thoughts.