Author Topic: Checkpoints do protect Bitcoin, don't they?  (Read 711 times)
Come-from-Beyond (OP), Legendary (Activity: 2142, Merit: 1009)
September 12, 2013, 08:41:41 PM, #1

Just an idea... What if the NSA, or someone, is able to produce block data that have a particular hash (collisions)? Is it possible to rewrite the blockchain starting from block 1? An attacker just has to find blocks with the same hashes to bypass checkpointing... Because I assume that the attacker knows a backdoor in SHA-256, he can "generate" blocks very, very quickly.
DeathAndTaxes (Gerald Davis), Donator, Legendary (Activity: 1218, Merit: 1079)
September 12, 2013, 08:46:57 PM, #2

Sure.  However, if SHA-2 can be trivially preimaged then essentially everything from secure communications, to your Bitcoin address, to SSL, to password hash tables is also useless.  Since if that happens it is pretty much game over, it probably doesn't warrant a backup; however, there is nothing that requires checkpoints be SHA-2 hashes or even a single hash.  You could store the RIPEMD-160, WHIRLPOOL, and SHA-3 hashes of checkpointed blocks, and for a node to accept a block as valid it needs to not only have the proper-difficulty SHA-2 hash but match the three stored checkpoint hashes as well.

Still, like I said, if SHA-2 is subject to that kind of preimage-at-will attack, well, it probably doesn't matter.  It would be like asking: if an attacker was immortal, could destroy enemies with his mind, and teleport at will, would national armies still be effective?

Come-from-Beyond (OP), Legendary (Activity: 2142, Merit: 1009)
September 12, 2013, 08:56:31 PM, #3

Quote from DeathAndTaxes: You could store the RIPEMD-160, WHIRLPOOL, and SHA-3 hashes of checkpointed blocks, and for a node to accept a block as valid it needs to not only have the proper-difficulty SHA-2 hash but match the three stored checkpoint hashes as well.

What approach is used in Satoshi's client? Only SHA-256?
DeathAndTaxes (Gerald Davis), Donator, Legendary (Activity: 1218, Merit: 1079)
September 12, 2013, 08:57:58 PM, #4

Quote from DeathAndTaxes: You could store the RIPEMD-160, WHIRLPOOL, and SHA-3 hashes of checkpointed blocks, and for a node to accept a block as valid it needs to not only have the proper-difficulty SHA-2 hash but match the three stored checkpoint hashes as well.

Quote from Come-from-Beyond: What approach is used in Satoshi's client? Only SHA-256?

Yes.  It stores the block hash used by the network for validating difficulty (mining and all that).  It doesn't have to.  It is just a client-side check.  Hell, you could make the checkpoints MD5 if you wanted to.
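To make the scheme from posts #2 and #4 concrete, here is an added example (not code from the thread, Bitcoin Core, or Satoshi's client) of a client-side checkpoint check that stores several independent digests of a checkpointed block header next to the consensus double-SHA-256 hash, and accepts a header at a checkpointed height only if it meets its own difficulty target and matches every stored digest. Since Python's hashlib does not ship WHIRLPOOL and RIPEMD-160 availability depends on the OpenSSL build, SHA3-256 and BLAKE2b are used as the stand-in extra families; that substitution is an assumption of this example, as is the use of the Bitcoin genesis block header as the one checkpointed entry.

```python
import hashlib
import struct

# 80-byte serialized header of the Bitcoin genesis block (block 0), in the
# network's internal byte order: version, prev hash, merkle root, time, nBits, nonce.
GENESIS_HEADER = bytes.fromhex(
    "01000000"
    "0000000000000000000000000000000000000000000000000000000000000000"
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    "29ab5f49" "ffff001d" "1dac2b7c"
)


def sha256d(data: bytes) -> bytes:
    """Bitcoin's SHA256^2: the hash gmaxwell refers to as SHA256^2."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def header_hash_hex(header80: bytes) -> str:
    """Block hash as displayed by explorers (byte-reversed hex of sha256d)."""
    return sha256d(header80)[::-1].hex()


def target_from_bits(bits: int) -> int:
    """Expand the compact nBits encoding into the 256-bit proof-of-work target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def meets_pow(header80: bytes) -> bool:
    """Consensus check: the header's own hash must not exceed its nBits target."""
    bits = struct.unpack_from("<I", header80, 72)[0]
    return int.from_bytes(sha256d(header80), "little") <= target_from_bits(bits)


def checkpoint_digests(header80: bytes) -> dict:
    """Independent hash families stored for a checkpoint (assumption: SHA3-256 and
    BLAKE2b stand in for the RIPEMD-160/WHIRLPOOL/SHA-3 trio named in the thread)."""
    return {
        "sha256d": header_hash_hex(header80),
        "sha3_256": hashlib.sha3_256(header80).hexdigest(),
        "blake2b": hashlib.blake2b(header80, digest_size=32).hexdigest(),
    }


def build_checkpoint_table(headers_by_height: dict) -> dict:
    """In a real client these digests would be hard-coded constants; here they are
    derived from the trusted headers so the example is self-contained."""
    return {h: checkpoint_digests(hdr) for h, hdr in headers_by_height.items()}


def verify_checkpoint(header80: bytes, height: int, checkpoints: dict) -> bool:
    """Client-side rule: a header at a checkpointed height must satisfy proof of work
    AND match every stored digest; at other heights only proof of work is checked."""
    if len(header80) != 80 or not meets_pow(header80):
        return False
    expected = checkpoints.get(height)
    if expected is None:
        return True
    actual = checkpoint_digests(header80)
    return all(actual[name] == digest for name, digest in expected.items())


def mine_easy_header(prev_hash: bytes, merkle_root: bytes, bits: int = 0x207FFFFF) -> bytes:
    """Constructed test data: grind a nonce at a trivially low difficulty (the
    regtest-style nBits 0x207fffff) so a valid-looking but foreign header exists."""
    for nonce in range(1 << 32):
        hdr = struct.pack("<I32s32sIII", 1, prev_hash, merkle_root, 1231006505, bits, nonce)
        if meets_pow(hdr):
            return hdr
    raise RuntimeError("no nonce found")


CHECKPOINTS = build_checkpoint_table({0: GENESIS_HEADER})

if __name__ == "__main__":
    print("genesis hash:", header_hash_hex(GENESIS_HEADER))
    print("genesis accepted at height 0:", verify_checkpoint(GENESIS_HEADER, 0, CHECKPOINTS))
    foreign = mine_easy_header(b"\x00" * 32, b"\x11" * 32)
    print("foreign header accepted at height 0:", verify_checkpoint(foreign, 0, CHECKPOINTS))
```

The table is only as strong as the weakest argument against it being bypassed: a second preimage of SHA256^2 alone would not satisfy the SHA3-256 and BLAKE2b entries, which is the whole point of DeathAndTaxes' suggestion, but, as gmaxwell's reply notes, a consensus-valid block still only needs its double-SHA-256 hash, so the extra digests protect checkpointed heights on the verifying client and nothing else.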
Come-from-Beyond (OP), Legendary (Activity: 2142, Merit: 1009)
September 12, 2013, 09:00:03 PM, #5

Thank you.
gmaxwell, Moderator, Legendary, expert (Activity: 4158, Merit: 8382)
September 12, 2013, 09:02:43 PM, #6

Bitcoin is non-functional if you can compute second pre-images of SHA256^2 which look like valid blocks or valid transactions.

Checkpoints do not and cannot protect from that.

But that's a fairly ridiculous supposition: even if we used MD5 it wouldn't currently be possible to do that.

Hash algorithms are not brittle like asymmetric crypto; when they fail it is not a complete failure.