Bitcoin Forum
Pages: « 1 2 [3] 4 5 6 »  All
Author Topic: A basic question  (Read 5587 times)
oblivi
Hero Member, Activity: 700, Merit: 501
April 15, 2015, 05:30:39 PM
#41

Keccak subset SHA-3 also contains SHA384 (192 bit) and SHA512 (256 bit), so the Bitcoin Core can be upgraded if the need ever arises. Plus, I am sure more secure algorithms will be developed in the future that Bitcoin can be upgraded to if needed.

That said, I've yet to hear of a single collision with SHA256, and we know that cryptographers and hackers are trying to do it. But if you can produce any SHA256 collisions, please show us all, but I don't think you can.

This all is really a non-issue.

Yeah, during our lifetime and beyond SHA256 will be uncrackable, all counterarguments include traits of science fiction. You can sleep at night Op, your BTC is safe.
no-rice-peas
Newbie, Activity: 14, Merit: 0
April 20, 2015, 12:18:20 AM
Last edit: April 20, 2015, 12:32:46 AM by no-rice-peas
#42

This should put things in perspective for you...
http://miguelmoreno.net/wp-content/uploads/2013/05/fYFBsqp.jpg

The infographic shows only that it would be inordinately difficult to brute force sha256.

I have to ask why some people are misrepresenting potential weaknesses in sha256.

md5 also was impossible to brute force but then several different ways were found to crack it within seconds on a home PC system.

Sha256 is as uncrackable by brute force as md5 and the evidence strongly suggests that it is just as cryptographically flawed as md5 as well.

Again, do you understand that your argument refers only to bruteforcing?
And do you understand that the argument thus looks good but has no merit whatsoever?

Or do you not understand that?

-------------------------------------------

Keccak subset SHA-3 also contains SHA384 (192 bit) and SHA512 (256 bit), so the Bitcoin Core can be upgraded if the need ever arises. Plus, I am sure more secure algorithms will be developed in the future that Bitcoin can be upgraded to if needed.

That said, I've yet to hear of a single collision with SHA256, and we know that cryptographers and hackers are trying to do it. But if you can produce any SHA256 collisions, please show us all, but I don't think you can.

This all is really a non-issue.

Keccak is sort of discredited by anyone who wants to research it.

There are a series of articles about NSA involvement in these algos that has more info. You might be able to find more info by searching "what the NSA created cryptonote for" or you might not.

The evidence seems to be that sha2 is broken, that keccak is not a secure substitute, and that there will be some effort to funnel people into cryptonote.

I don't think that will be successful and, aside from cryptonote in the very short term, I am looking for some algorithm that is profitable.

--------------------------------------

MD5 only had 64 bits of security, SHA-256 has 128.

Anyway, don't forget...information wants to be free.
If something is cracked, it won't be a secret for long.


When md5 was trusted the same sort of infographic as above was used. The evidence indicates that md5 was broken for a long time before it was known to be broken, and that the history of public knowledge of its weakness was altered. In other words if you look at actual forum comments on various sites the timeline of awareness about its potential weaknesses is not quite what is portrayed on Wikipedia and elsewhere. Revisionists are covering their asses.

Looking at all the evidence I believe there is sufficient proof already that sha2 is broken.
jonald_fyookball
Legendary, Activity: 1302, Merit: 1004
Core dev leaves me neg feedback #abuse #political
April 20, 2015, 12:26:53 AM
#43

What evidence would that be?

R2D221
Hero Member, Activity: 658, Merit: 500
April 20, 2015, 12:50:36 AM
#44

The evidence seems to be that sha2 is broken

Can you explain to us, in detail (and by detail I mean all the technicalities, not just a weak “what if”), how that evidence works to prove SHA is broken?

An economy based on endless growth is unsustainable.
no-rice-peas
Newbie, Activity: 14, Merit: 0
April 20, 2015, 12:51:41 AM
#45

What evidence would that be?

~it's not 'proof', but it is enough to give me pause~

Among others

1) Bitstamp hack involved roughly one tenth of one percent of all existing bitcoin.
But a person or group who could hack Bitstamp's hot wallet as late as January 2015 would have the capability to get much more. In other words the hacker probably limited the scope of the hack. This and several other hacks point to an attack originating in a flaw in sha.

2) The md5 hack was known to various governments before it was public. That is obvious. They used the flaw for political malware until it was exposed. After md5 was shown weak, instead of going to something that would be beyond question, such as an objectively strong algorithm, trusted widely, they extended their 'current product'. In other words sha2 is an extension of md5 rather than something different. Why? Please speculate.

There is one further piece of evidence that convinces me but I don't want to start a shitstorm with it.

There is no question but that my arguments are not 'rock solid'. They involve speculation. But when I look at the public supporters of sha2, and their arguments such as the infographic above, I am forced to ask what they are hiding. Why are defenders of sha2 using 'brute force strength' arguments instead of 'cryptographic strength' arguments? Is the deception accidental, irrelevant?
R2D221
Hero Member, Activity: 658, Merit: 500
April 20, 2015, 01:12:32 AM
#46

What evidence would that be?

~it's not 'proof', but

OK, it is not proof. Stop there.

Among others

1) Bitstamp hack involved roughly one tenth of one percent of all existing bitcoin.
But a person or group who could hack Bitstamp's hot wallet as late as January 2015 would have the capability to get much more. In other words the hacker probably limited the scope of the hack. This and several other hacks point to an attack originating in a flaw in sha.

One exchange getting hacked means that they got access to the server storing the private key, not that SHA was broken.

2) The md5 hack was known to various governments before it was public. That is obvious. They used the flaw for political malware until it was exposed. After md5 was shown weak, instead of going to something that would be beyond question, such as an objectively strong algorithm, trusted widely, they extended their 'current product'. In other words sha2 is an extension of md5 rather than something different. Why? Please speculate.

You say:
MD5 is a hashing algorithm.
MD5 is known to be weak.
SHA2 is a hashing algorithm.

And then you conclude, disregarding how logic actually works, that SHA2 is broken too.

There is no question but that my arguments are not 'rock solid'. They involve speculation.

Please come back when you do have rock solid evidence.

An economy based on endless growth is unsustainable.
no-rice-peas
Newbie, Activity: 14, Merit: 0
April 20, 2015, 02:06:49 AM
#47

What evidence would that be?

~it's not 'proof,, but

OK, it is not proof. Stop there.


What we are talking about here is the financial protocol used to secure a lot of money. The burden of proof is on those who claim it is secure. I am struck again and again that defenders of sha2 resort to using ad hominems, inaccurate portrayal of 'brute force attack' as the risk and on and on. Maybe there is someone who knows cryptography and is able to defend sha2 but so far its defenders have only been throwing up smokescreens, and I have to ask why.

Quote

Among others

1) Bitstamp hack involved roughly one tenth of one percent of all existing bitcoin.
But a person or group who could hack Bitstamp's hot wallet as late as January 2015 would have the capability to get much more. In other words the hacker probably limited the scope of the hack. This and several other hacks point to an attack originating in a flaw in sha.

One exchange getting hacked means that they got access to the server storing the private key, not that SHA was broken.

Quite a few exchanges secured by some of the best security people available have been hacked. It's not just a question of getting access to a server.
Quote


2) The md5 hack was known to various governments before it was public. That is obvious. They used the flaw for political malware until it was exposed. After md5 was shown weak, instead of going to something that would be beyond question, such as an objectively strong algorithm, trusted widely, they extended their 'current product'. In other words sha2 is an extension of md5 rather than something different. Why? Please speculate.

You say:
MD5 is a hashing algorithm.
MD5 is known to be weak.
SHA2 is a hashing algorithm.

And then you conclude, disregarding how logic actually works, that SHA2 is broken too.

Please explain what logic I am disregarding. Md5 was state of the art just a few years ago. Now it can be cracked easily by an amateur within seconds on a cheap computer. Sha2 is a more elaborate algorithm than md5 but uses the same basic principle to encrypt.
Quote

There is no question but that my arguments are not 'rock solid'. They involve speculation.

Please come back when you do have rock solid evidence.

It was not my intention to force you to respond to my questions. I did not come to your thread, you came to mine.

It boggles the mind that despite such obvious questions about the cryptography involved in bitcoin there is no site, or at least I have not seen one, that spells out the exact computation, in layman's terms, with an example, alongside a comparable example with md5.

Your basic answer, and the answers of most of the others on this thread so far, is "bitcoin is secure because we can yell louder than you". Underneath that is the implicit "well the NSA says it is secure and they lied to us about md5 so they could play asinine spy games with it, so let's just trust them".
jonald_fyookball
Legendary, Activity: 1302, Merit: 1004
Core dev leaves me neg feedback #abuse #political
April 20, 2015, 02:39:51 AM
#48


Please explain what logic I am disregarding. Md5 was state of the art just a few years ago. Now it can be cracked easily by an amateur within seconds on a cheap computer. Sha2 is a more elaborate algorithm than md5 but uses the same basic principle to encrypt.  

A fair point, but what you are saying is a hypothesis, not evidence, which are 2 completely different things.

Furthermore, your hypothesis is a weak one because of hasty generalizing and ignoring the number
of bits of security advertised in each of the hash functions (64 bits vs 128 bits).

Simply assuming that all hash functions will be broken at some point in the near
future is a counterfactual fallacy as well... There are many strong hash functions
regardless of the fact that there others such as MD5 that are broken.


ensurance982
Hero Member, Activity: 518, Merit: 500
Trust me!
April 20, 2015, 11:27:46 AM
#49

Well, as others pointed out: There's no 'rule' or 'progression'. The input into the one-way functions (hashing algorithms) needs to be random in order for Bitcoin to be secure. That's the 'only' requisite!

We Support Currencies: BTC, LTC, USD, EUR, GBP
no-rice-peas
Newbie, Activity: 14, Merit: 0
April 20, 2015, 05:01:28 PM
Last edit: April 20, 2015, 05:14:14 PM by no-rice-peas
#50


Please explain what logic I am disregarding. Md5 was state of the art just a few years ago. Now it can be cracked easily by an amateur within seconds on a cheap computer. Sha2 is a more elaborate algorithm than md5 but uses the same basic principle to encrypt.  

A fair point, but what you are saying is a hypothesis, not evidence, which are 2 completely different things.


There seems to be evidence for both sides. I was trying to present evidence on one side and asking people to refute it. Nobody has done so. Instead they have presented 'defenses' of sha2 that are very weak.

At this point therefore my hypothesis is that sha2 is cracked, or should be considered so.

Quote

Furthermore, your hypothesis is a weak one because of hasty generalizing and ignoring the number
of bits of security advertised in each of the hash functions (64 bits vs 128 bits).


A few years ago people were saying about md5, 64bit etc. "it would take millions of years to break, so trust it!"
It can be broken now in seconds.

Not 'broken' through a random collision but through a collision on any key you choose, i.e., 100% broken.
Not broken through a single obscure crack identified by some genius at MIT. Broken through several independently found weaknesses identified by amateurs in their spare time.

So if the purpose was to offer at least the credible perception of security then 1) the standard would have gone from 64bit to at least several hundred thousand bits and 2) a totally new function would be depended on to convert data to code. But instead of that a tiny step was offered.

Quote

Simply assuming that all hash functions will be broken at some point in the near
future is a counterfactual fallacy as well... There are many strong hash functions
regardless of the fact that there others such as MD5 that are broken.

Okay then. What is it about sha2 that makes it unbreakable when compared to md5?

Please don't say 256 bits.
64 bit hash broken easily in seconds by an amateur with a cheap computer.
So how long would it take a PhD with a supercomputer to crack a flawed 256?

----------

Well, as others pointed out: There's no 'rule' or no 'progression'. The input into the one-way functions (hashing algorithms) need to be random in order for Bitcoin to be secure. That's the 'only' requisite!

But that is proven untrue.
It is true that the input must be random and if the hash function is truly one way then a high number of bits would guarantee security.

But it is not true that the hashing functions described are one way. Therefore the security is false.

MD5 was pumped a few years ago exactly as sha2 is being pumped now. There are a lot of ways the security of sha2 could be demonstrated satisfactorily, but instead of doing that its defenders use dishonest rhetorical techniques to defend it. Go over this thread and you will see numerous examples. A person holding aces doesn't need to bluff.
hhanh00
Sr. Member, Activity: 467, Merit: 266
April 20, 2015, 05:22:53 PM
#51

@ice
These algorithms are not new. If you had studied cryptography, you would know that proving that a hash is uncrackable is impossible. So the best way is to come up with a method, have everyone have a go at it and if it has a weakness, tweak the method and incrementally improve. Starting from a completely new method is more risky.
I understand your concerns and the people who keep bringing up the infographics of the sun surely don't help. It is obviously of little value yet the truth requires much more advanced mathematics that very few people have the patience for.
Their arguments may be wrong but the theory still can be right. You criticize their logic but haven't shown any proof on your side. All I see from your post is handwaving too.

For instance,
Quote
Please explain what logic I am disregarding. Md5 was state of the art just a few years ago. Now it can be cracked easily by an amateur within seconds on a cheap computer. Sha2 is a more elaborate algorithm than md5 but uses the same basic principle to encrypt.
MD5 is weak + SHA2 is based on MD5 => SHA2 is weak

If this line of reasoning is correct to you, then there isn't much to say. No one forces you to put money in bitcoin or crypto currencies.

hhanh00
Sr. Member, Activity: 467, Merit: 266
April 20, 2015, 05:26:45 PM
#52

MD5 was pumped a few years ago exactly as sha2 is being pumped now. There are a lot of ways the security of sha2 could be demonstrated satisfactorily, but instead of doing that its defenders use dishonest rhetorical techniques to defend it. Go over this thread and you will see numerous examples. A person holding aces doesn't need to bluff.
No, you are simply at the wrong place. Why don't you ask on a cryptography forum instead?

no-rice-peas
Newbie, Activity: 14, Merit: 0
April 20, 2015, 05:52:58 PM
#53

Sorry, I don't have my 'no ice please' password so I created a new ID.

This is what I have understood so far:
1) MD5 was considered utterly secure until it was cracked. The crack involved a flaw inherent to using hashes in asymmetric cryptography and should obviously thus preclude their use for things such as bitcoin.
2) The hash cracking process involved two basic steps. Initially a meta flaw in hashing security, then a specific application adapted to a specific algorithm such as md5.
3) There have been not one but several completely distinct meta vulnerabilities found in using hashes for cryptographic purposes. In other words several different ways have been mentioned publicly to crack them. Some are slow others are very fast.
4) Using a longer key length does not realistically increase the cryptographic strength of hashes even with very long keys.

So I, with my small, years-old computer and meager interest in the subject, will not break sha2, but someone has. There are literally dozens or more of people working full time to crack it, using powerful computers; it is safe to say they can do to sha2 what relatively poorly equipped researchers did years ago with md5.

So my question now is which coin has a more reliable algorithm, preferably without the seal of approval from any govt?

MD5 was pumped a few years ago exactly as sha2 is being pumped now. There are a lot of ways the security of sha2 could be demonstrated satisfactorily, but instead of doing that its defenders use dishonest rhetorical techniques to defend it. Go over this thread and you will see numerous examples. A person holding aces doesn't need to bluff.
No, you are simply at the wrong place. Why don't you ask on a cryptography forum instead?

A good idea.

Thank you.
jonald_fyookball
Legendary, Activity: 1302, Merit: 1004
Core dev leaves me neg feedback #abuse #political
April 20, 2015, 08:51:27 PM
#54


Okay then. What is it about sha2 that makes it unbreakable when compared to md5?

That's actually an excellent question and I don't know,
because both do use the Merkle-Damgard construction.

Best left to ask a cryptographer.

I think there's certainly room to be a skeptic here, given the similarities, but
the fact remains that no one has publicly produced any evidence of significant
weakness so far in SHA-2.
Cryddit
Legendary, Activity: 924, Merit: 1129
April 20, 2015, 10:04:15 PM
#55


However finding only the relative position of an address, being able to say one address comes before or after another, would be much easier and would get the private key of any address within a few hundred steps by telling you whether you need to generate a higher or a lower private key.

No. It isn't. There is no way that is "much easier". In fact it's every bit as hard as reversing the hash operation in the first place.
Cryddit
Legendary, Activity: 924, Merit: 1129
April 20, 2015, 10:14:26 PM
#56


If you took the first 1 million bitcoin addresses, generated from the lowest 1 million private keys, and you were able to find any difference whatsoever with the last million addresses, generated from the highest 1 million private keys, it would be the end of bitcoin using the current key/address system. Is there any such difference? There certainly is.

They are different in that no single address appears in both sets, but there is no discernible difference in the statistical distribution of any bit or any pattern of bits. There is literally no way, given an address, to guess which of these sets it's in. Except, you know, by iterating through all the possible private keys and seeing if it matches.
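Cryddit's two posts above (#55 and #56) can be checked empirically. The following is an added example, not code from the thread; it assumes SHA-256 of the 32-byte key as a stand-in for the real pubkey-plus-HASH160 derivation so that it runs with the standard library only. The real derivation is different, but the two properties tested are the ones the posts claim: no output bit is biased toward the low or the high key range, and sorting addresses says nothing about which key is higher, so the "higher or lower" search from #55 has nothing to steer by.

```python
"""Added example (not from the thread): a crude distinguisher test on
"addresses" derived from the lowest vs. the highest private keys.
Assumption: SHA-256 of the 32-byte key stands in for the real
pubkey + HASH160 derivation so this runs without an EC library; the real
pipeline differs, but the properties tested (no bit bias, no order
leakage) are the ones discussed above.
"""
import hashlib

# Order of the secp256k1 group: valid private keys are 1 .. N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
NBITS = 256


def toy_address(privkey: int) -> int:
    """Stand-in address: SHA-256 of the big-endian key (assumption, see above)."""
    return int.from_bytes(hashlib.sha256(privkey.to_bytes(32, "big")).digest(), "big")


def bit_frequencies(values: list[int]) -> list[float]:
    """Fraction of samples with each output bit set; ~0.5 everywhere for an unbiased hash."""
    counts = [0] * NBITS
    for v in values:
        for b in range(NBITS):
            counts[b] += (v >> b) & 1
    return [c / len(values) for c in counts]


def max_bias(values: list[int]) -> float:
    """Largest |freq - 0.5| over all output bits."""
    return max(abs(f - 0.5) for f in bit_frequencies(values))


def order_preserved_fraction(keys: list[int]) -> float:
    """Fraction of consecutive key pairs whose addresses sort in the same order
    as the keys.  If addresses leaked key order (the 'higher or lower' attack
    in #55) this would be near 1.0; for an unbiased hash it is ~0.5."""
    addrs = [toy_address(k) for k in keys]
    pairs = list(zip(addrs, addrs[1:]))
    return sum(1 for a, b in pairs if a < b) / len(pairs)


def compare_ranges(n: int = 4000) -> dict:
    """Compare n addresses from the lowest keys with n from the highest keys."""
    low = list(range(1, n + 1))
    high = list(range(SECP256K1_N - n, SECP256K1_N))
    low_addrs = [toy_address(k) for k in low]
    high_addrs = [toy_address(k) for k in high]
    return {
        "low_max_bias": max_bias(low_addrs),
        "high_max_bias": max_bias(high_addrs),
        "low_order_preserved": order_preserved_fraction(low),
        "high_order_preserved": order_preserved_fraction(high),
        "shared_addresses": len(set(low_addrs) & set(high_addrs)),
    }


if __name__ == "__main__":
    for name, value in compare_ranges().items():
        print(f"{name}: {value}")
```

With 4000 samples per range the per-bit standard deviation is about 0.008, so a max bias of a few hundredths and an order-preserved fraction near 0.5 is exactly what "no discernible difference" looks like; a real distinguisher would need the bias or the fraction to move far outside that band.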
no-rice-peas
Newbie, Activity: 14, Merit: 0
April 21, 2015, 01:34:13 AM
#57


Okay then. What is it about sha2 that makes it unbreakable when compared to md5?

That's actually an excellent question and I don't know,
because both do use the Merkle-Damgard construction.

Best left to ask a cryptographer.

I think there's certainly room to be a skeptic here, given the similarities, but
the fact remains that no one has publicly produced any evidence of significant
weakness so far in SHA-2.

Is it accurate that various government agencies were aware of flaws in md5 and yet continued to promote it as secure?
jonald_fyookball
Legendary, Activity: 1302, Merit: 1004
Core dev leaves me neg feedback #abuse #political
April 21, 2015, 04:35:14 AM
#58


Okay then. What is it about sha2 that makes it unbreakable when compared to md5?

That's actually an excellent question and I don't know,
because both do use the Merkle-Damgard construction.

Best left to ask a cryptographer.

I think there's certainly room to be a skeptic here, given the similarities, but
the fact remains that no one has publicly produced any evidence of significant
weakness so far in SHA-2.

Is it accurate that various government agencies were aware of flaws in md5 and yet continued to promote it as secure?

I don't know.  Do you have a reference for that?

Even if they were, it was private organizations that exposed the weaknesses so wouldn't that be a moot point anyway?

Cryddit
Legendary, Activity: 924, Merit: 1129
April 21, 2015, 06:19:16 AM
#59

For what it's worth, the MD5 break is of a very particular kind.

MD5 has a collision vulnerability, but it does not have a meaningful preimage vulnerability.

What that means is that it is now easy to construct two  or more documents that have the same MD5 hash (a collision), but given a hash value it is still damned hard to construct something which hashes to that value (a preimage). 

Its preimage resistance isn't quite perfect, mind you; an attack has been found that takes 2^123.5 operations to find a preimage, when it ought to take 2^128 if its preimage resistance were as good as it was supposed to be. So MD5, while completely broken in terms of collision resistance, is only about 1/24 as hard to find a preimage as it ought to be. In practice finding a preimage is still far beyond the amount of computing power that could be produced by a computer the mass of Earth in a time less than the expected lifetime of the sun.

Of course, attacks never get worse ... and it's possible that the preimage attack can be extended somehow. 
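The 64 vs 128 "bits of security" figures quoted earlier (#42, #48) and the collision-versus-preimage distinction in the post above both follow from generic bounds: an ideal n-bit hash needs about 2^(n/2) work for a collision (the birthday bound) and about 2^n for a preimage. The following added example (not from the thread) measures both on SHA-256 truncated to t bits, an assumption made so the experiment finishes in seconds; the toy hash says nothing about the internal weaknesses of MD5 or SHA-2, only about how the two attack costs scale with output length.

```python
"""Added example (not from the thread): collision vs. preimage cost on a
truncated hash.  Truncating SHA-256 to t bits gives a toy hash whose generic
attack costs are ~2^(t/2) for a collision (birthday bound) and ~2^t for a
preimage; the same bounds give MD5 (128-bit output) 64 bits of collision
security and SHA-256 128 bits.  The truncation is an assumption made so the
experiment runs in seconds; it models output length only, not any
structural weakness of the real compression functions.
"""
import hashlib
import struct


def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits (toy hash for the experiment)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def generic_costs(output_bits: int) -> dict:
    """Generic (structure-free) attack costs on an ideal n-bit hash, in bits of work."""
    return {"collision_bits": output_bits / 2, "preimage_bits": output_bits}


def find_collision(bits: int) -> tuple[int, bytes, bytes]:
    """Birthday attack: hash distinct messages until two share a truncated digest.
    Returns (hashes computed, message_a, message_b).  Expected cost ~ 2^(bits/2)."""
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        msg = struct.pack(">Q", i)          # deterministic distinct inputs
        h = trunc_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1


def find_preimage(target: int, bits: int, start: int = 1 << 40) -> tuple[int, bytes]:
    """Brute-force preimage: try messages from a range disjoint from
    find_collision's until one hashes to `target`.  Expected cost ~ 2^bits."""
    i = start
    while True:
        msg = struct.pack(">Q", i)
        if trunc_hash(msg, bits) == target:
            return i - start + 1, msg
        i += 1


def is_collision(a: bytes, b: bytes, bits: int) -> bool:
    """Check: distinct messages, same truncated digest."""
    return a != b and trunc_hash(a, bits) == trunc_hash(b, bits)


if __name__ == "__main__":
    bits = 20
    print("generic costs for an MD5-size output:", generic_costs(128))
    print("generic costs for a SHA-256-size output:", generic_costs(256))
    n_coll, a, b = find_collision(bits)
    assert is_collision(a, b, bits)
    target = trunc_hash(b"target document", bits)   # constructed target
    n_pre, m = find_preimage(target, bits)
    assert trunc_hash(m, bits) == target
    print(f"{bits}-bit toy hash: collision after {n_coll} hashes (~2^{bits // 2}), "
          f"preimage after {n_pre} hashes (~2^{bits})")
```

At t = 20 the collision typically lands after about a thousand hashes and the preimage after about a million, a factor of 2^10 that grows to 2^64 at MD5's full width. That gap is why "collisions in seconds" (a structural break far below the birthday bound) and "no practical preimage" (still near 2^128) can both be true of MD5 at once, and why the bits-of-security figure quoted for a hash is the collision figure.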
ensurance982
Hero Member, Activity: 518, Merit: 500
Trust me!
April 21, 2015, 11:20:18 AM
#60

Phew... people should keep in mind that there effectively is an infinite amount of private keys, so every public key (and thus also address) has an infinite number of private keys that can access that address! Scary, isn't it? If you look at the math, it isn't anymore!

We Support Currencies: BTC, LTC, USD, EUR, GBP
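The "infinite number of private keys" remark above is a statement about scalar multiplication modulo the group order. The added example below (not from the thread, and not any wallet's code) implements secp256k1 point arithmetic in plain Python to show that k, k+N and k+2N all give the same public key, that N*G is the point at infinity, and that every such integer reduces to the single key k mod N that a key-validation check accepts. Names such as is_valid_privkey and canonical_key are this example's own.

```python
"""Added example (not from the thread): why "infinitely many private keys
per public key" is harmless.  Scalar multiplication on secp256k1 works
modulo the group order N, so k, k+N, k+2N, ... all give the same public
key, and each of them reduces to the one valid key k mod N.  Plain-Python
affine arithmetic is used so the check runs without a library; it is not
constant-time and not what any wallet ships.
"""
from typing import Optional, Tuple

# secp256k1 domain parameters: field prime, group order, generator.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

Point = Optional[Tuple[int, int]]   # None is the point at infinity


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k: int, point: Point = G) -> Point:
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    result: Point = None
    addend = point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def pubkey(privkey: int) -> Point:
    """Public key = privkey * G, for any non-negative integer privkey."""
    return ec_mul(privkey)


def is_valid_privkey(k: int) -> bool:
    """The range check a key-validation routine enforces: 1 <= k < N."""
    return 1 <= k < N


def canonical_key(k: int) -> int:
    """Reduce any integer 'private key' to the one valid key with the same public key."""
    return k % N


if __name__ == "__main__":
    k = 0x1234567890ABCDEF                            # constructed demo key
    same = [k, k + N, k + 2 * N]
    assert len({pubkey(x) for x in same}) == 1
    assert ec_mul(N) is None                          # N*G is the point at infinity
    print("keys", [hex(x) for x in same], "share one public key")
    print("valid:", [is_valid_privkey(x) for x in same],
          "canonical:", hex(canonical_key(k + N)))
```

So the "infinitely many" keys are one key written in infinitely many ways; an attacker gains nothing from them, and a library that rejects k outside 1..N-1 is simply refusing the redundant spellings.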