Should SHA256 be replaced with SHA512?

[Jet Cash]

This question was asked in this forum back in 2010in this thread
https://bitcointalk.org/index.php?topic=1713.0
In view of the massive increase in hash power and computer technology since then, I wondered if it might be worth reconsidering this.

I appreciate that this is probably a topic for the technical forum, but I've started it in the beginner's board to encourage members who are new to Bitcoin to research SHA256. If view of this, please don't be discouraged from asking questions, and making constructive comments.

[qwk]

I've started it in the beginner's board to encourage members who are new to Bitcoin to research SHA256.

So, now that it's no longer in the beginner's board, shall "we the oldies" answer it?

[gmaxwell]

In view of the massive increase in hash power and computer technology since then, I wondered if it might be worth reconsidering this.

Your prompt is a non-sequitor.  Increases in hashrate or computer technology don't make sha512 more attractive.

One change in technology has made it a lot less attractive:  Modern high speed CPUs have special instructions for computing sha256 extremely fast. ... these instructions don't do sha512, so it the speed gap between the two has widened further.

[pooya87]

the only reason for even considering a replacement for the hash algorithm (SHA-256) is if there were any security risk in using it. for example in the future maybe finding a collision for SHA-256 became as easy as finding a SHA-1 collision today. in which case the replacement should be to a different algorithm not the exact thing (ie. SHA-512).

lets not forget that if we change SHA-256 to SHA-512 we also have to probably change the elliptic curve to a 512 (or 521) bit curve. and that would hugely increase transaction sizes as both hashes and signatures would take twice the previous space.

[aplistir]

the only reason for even considering a replacement for the hash algorithm (SHA-256) is if there were any security risk in using it. for example in the future maybe finding a collision for SHA-256 became as easy as finding a SHA-1 collision today. in which case the replacement should be to a different algorithm not the exact thing (ie. SHA-512).

lets not forget that if we change SHA-256 to SHA-512 we also have to probably change the elliptic curve to a 512 (or 521) bit curve. and that would hugely increase transaction sizes as both hashes and signatures would take twice the previous space.

There was a discussion here where change to SHA512 was suggested with only using the first 256 bits of the result. That way security would be increased while transaction sizes would not take more space.

And if SHA512 would be slower, that would just be an added bonus   

With 64bit CPU:s SHA512 would actually be faster to calculate than SHA256. That is if the modern CPUs didn't have dedicated instruction sets for speeding up calculating SHA256, which they do.

And I do not think we would have to change the elliptic curve if we just change the hash algorithm. We could, but they aren't really connected.

[pooya87]

There was a discussion here where change to SHA512 was suggested with only using the first 256 bits of the result. That way security would be increased while transaction sizes would not take more space.

that solves the problem of bigger length but raises the question of why stick to SHA-2 and not switch to SHA-3 while we are making that change.

With 64bit CPU:s SHA512 would actually be faster to calculate than SHA256. That is if the modern CPUs didn't have dedicated instruction sets for speeding up calculating SHA256, which they do.

how about using AVX512 for SHA512?

And I do not think we would have to change the elliptic curve if we just change the hash algorithm. We could, but they aren't really connected.

well hash functions are chosen based on the curve not the other way around so it doesn't make sense to me to use a 512 bit hash with a 256 bit curve which is why i say we may have to change to secp521r1 curve so that usage of a 512 bit hash makes sense.
although if the result is truncated (SHA512-256) then it could make some sense.

[Kakmakr]

Was one of the reasons why people did not want to consider that, not the performance issues? I think in previous discussions where the Quantum computing issue was discussed, some posters mentioned that it would take more computing power to process SHA512 based transactions.  

If it was a threat, Banks and other financial institutions that are using SHA256, would have moved to SHA512 already, but you are not seeing that in the market. <Including secure browsing>  

https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512