Why does Bitcoin keep using SHA256 in its POW?

[butka]

This is a question I've had for some time. It has to do with the hashing algorithm of Bitcoin, namely:

Why Don't We Change the SHA256 in Bitcoin's proof of work?

This question is probably naive, asked many times before, but still I would appreciate your thoughts, especially regarding the current situation.

I get it that no one could've foreseen the appearance of specialized ASIC mining equipment when Bitcoin was in its early days.
If I understand it correctly, over time this has led to centralization, with the majority of computer power for hashing in Bitcoin's POW concentrated in the hands of a few entities.
Or, would this have happened regardless of the ASIC?

How about changing the algorithm? There are other memory intensive hashing functions, or even a combination thereof, which would result in ASIC resistance.

The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.
The obvious disadvantage is that implementing other POW algorithms that would be ASIC resistant would require a Hard Fork and we would lose backward compatibility.

Is this the only disadvantage? What else am I missing?

Also, in light of this, and given that Bitcoin is a decentralized system, who decides whether or not changes of this type could or should happen?

[1714018932]

1714018932

[1714018932]

1714018932

[Austin Alexis]

That is a good question. Especially given AES256 is more secure (advanced encryption standards) I think its probably a case that sha is still good enough to do the job

[Carlton Banks]

It's complicated.

To simplify, this has actually already happened: I think it was Bitcoin Gold (?) that hard-forked from Bitcoin a couple of months ago, on the basis of a more decentralised mining ecosystem by changing PoW to an algo that's difficult to produce an ASIC for. Needless to say, it didn't gain much popularity.


Until the mining cartel start to affect everyday Bitcoin users in a way that forces them to act, I expect nothing will happen. Segwit2x almost forced this situation, but in the end it was averted.

In principle, I think it would be better if PoW was changed, but it needs ALOT of planning to make the change seamless, there must be a minimally disruptive way to transition to the alternative source of hashrate to ensure highest possible confidence in the change. Otherwise the BTC exchange rate could crash badly.

Exactly what that would look like... well, maybe a testnet could be running beforehand, with all the new-PoW miners testing that chain. Then a "hand-over" period of blocks could be specified to permit both SHA256 and new-PoW blocks, after which only new-PoW blocks are accepted when handover is complete. Maybe if the end of the hand-over period is specified by the percentage of blocks produced using new-PoW (say 90% or 95%), it could be a very smooth transition. There would almost certainly be people continuing to mine the SHA256 chain afterwards though, although it's unlikely to gain much traction if they're only doing 5% of the work of the main chain.

Choosing the algorithm to ensure the viability of out-hashing the SHA256 miners would be very important, but that would also be the key to success.

[Carlton Banks]

That is a good question. Especially given AES256 is more secure (advanced encryption standards) I think its probably a case that sha is still good enough to do the job

AES is an encryption algorithm, not a hashing algorithm.

[teamzeropoint]

I think this is a question that brings up some interesting points. As the Bitcoin algorithm gets harder, and the ASIC dominated mining becomes more centralised and monopolised, it's what's needed to bring it back to the people.

[aleksej996]

Is this the only disadvantage? What else am I missing?

It is the biggest one. That and the fact that SHA256 is very well tested and known to be secure.
Having ASICs mine is one thing, but having a hashing algorithm that is insecure is a complete chaos.

ASICs happen for every algorithm, but there are currencies like Monero that hard fork every time they have a doubt that ASICs are developed.

Also, in light of this, and given that Bitcoin is a decentralized system, who decides whether or not changes of this type could or should happen?

This is exactly why it never forked and it won't for a very long time. First you need for the almost entire community to agree that fork needs to happen.
Then you need a vast majority of the community to agree to which algorithm we should change.
And after all of that being discussed for years (probably decades based on how much time we needed to simply increase a block size) we would already have some company create an ASIC for the new algorithm.

It is not a simple problem and it doesn't seem to be absolutely necessary.
ASICs do hurt decentralization, but it is not widely established how much they really hurt it.
Anyone can buy ASICs and multiple companies can develop them.
And we still have big mining centers and pools in other cryptocurrencies that don't have ASICs for their algorithms.
And we still have practically only two companies developing hardware used to mine these altcoins.
Centralization in mining is not just an ASIC problem, it is a bit more complicated than that.

[Carlton Banks]

SHA256 is very well tested and known to be secure.

SHA256 won't necessarily be secure forever though (although how long for is anyone's guess). PoW algorithm will have to be changed eventually.

This is exactly why it never forked and it won't for a very long time. First you need for the almost entire community to agree that fork needs to happen.
Then you need a vast majority of the community to agree to which algorithm we should change.
And after all of that being discussed for years (probably decades based on how much time we needed to simply increase a block size) we would already have some company create an ASIC for the new algorithm.

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.

And we still have practically only two companies developing hardware used to mine these altcoins.

There are only 3-4 manufacturers producing SHA256 ASICs for mining Bitcoin (and they appear to be price fixing)


The other alternative is some kind of very sophisticated 3D printing technology that can usurp traditional processor fabricators. But no such tech yet exists AFAIA (and certainly won't be able to compete with bleeding edge nm node processes at first anyway)

[butka]

Then a "hand-over" period of blocks could be specified to permit both SHA256 and new-PoW blocks, after which only new-PoW blocks are accepted when handover is complete. Maybe if the end of the hand-over period is specified by the percentage of blocks produced using new-PoW (say 90% or 95%), it could be a very smooth transition.

This is really interesting and has never occurred to me as a possibility. It doesn't seem hard to implement. I guess, one would have to modify the difficulty separately for both hashing algorithms to have equal chances to find the solution.

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.

If I'm not mistaken, I think we have seen recent alogs that employ that idea, like X16R, which switches between several algos to discourage the idea hardware built specifically for the purpose of mining.

[RedWojak]

Changing SHA256 on live Bitcoin Network is extremely complicated but not at all impossible. The above posters already described the process in details more then enough to satisfy one's curiosity. I would only like to add that necessity of any improvement should be always taken into consideration. In case of deeply rooted into Bitcoin's architecture hashing algorithm it would be very unwise to change or even plan changes unless there is absolutely critical to do so. It's like upgrading perfectly good foundation of a skyscraper - it can be done, may even improve future performance, but hardly worth the effort.

[European Central Bank]

How about changing the algorithm? There are other memory intensive hashing functions, or even a combination thereof, which would result in ASIC resistance.

the moment ASIC resistance returns, hundreds or thousands of researchers, scientists and programmers set to work breaking it. the rewards are too high not to try it. bitcoin could spend the rest of its days skipping from algorithm to algorithm which would be an endless cycle of ruin and disruption for little gain.

if someone could come out with something forever unbreakable then great, but i don't think anything can be certain. and even if it returned to GPUs there's enough capital out there in a small number of hands to centralise that too.

the little guy is done in bitcoin mining no matter what. it's better to have more diverse machine manufacturers and as many deep pockets as possible competing to find coins. that's about as good as it's gonna get.

[cellard]

Changing SHA256 on live Bitcoin Network is extremely complicated but not at all impossible. The above posters already described the process in details more then enough to satisfy one's curiosity. I would only like to add that necessity of any improvement should be always taken into consideration. In case of deeply rooted into Bitcoin's architecture hashing algorithm it would be very unwise to change or even plan changes unless there is absolutely critical to do so. It's like upgrading perfectly good foundation of a skyscraper - it can be done, may even improve future performance, but hardly worth the effort.

it is practically impossible, it's too late and anyone that thinks otherwise is most likely delusional. We are stuck with SHA256 until SHA256 is proven to be cracked somehow, which shouldn't happen in our lifetimes, but who knows.

So unless EVERYONE's money on Bitcoin is at risk, there will be no consensus to change, and even if there is a problem, I can see lack of consensus to select what algo to change to, I would like to see how that would resolve like.

[butka]

the little guy is done in bitcoin mining no matter what. it's better to have more diverse machine manufacturers and as many deep pockets as possible competing to find coins. that's about as good as it's gonna get.

We are stuck with SHA256 until SHA256 is proven to be cracked somehow, which shouldn't happen in our lifetimes, but who knows.

If that's really the future of Bitcoin mining, another question comes to mind. What happens with all specialized hardware once the number of bitcoins in circulation comes close to 21 million? As the block reward is not there any more, the usual answer is that the miners will continue to mine just to collect the transaction fees, but that sounds a little bit too far fetched to me.

[European Central Bank]

If that's really the future of Bitcoin mining, another question comes to mind. What happens with all specialized hardware once the number of bitcoins in circulation comes close to 21 million? As the block reward is not there any more, the usual answer is that the miners will continue to mine just to collect the transaction fees, but that sounds a little bit too far fetched to me.

most of us will be back in nappies before this is a real issue, but it is indeed an issue. personally i'll simply get on with my day and not sweat about it. that's the next generation or two's problem.

if bitcoin is still a thing and still important by then it's gonna get solved by brighter people than me.

[DevilOper]

I get it that no one could've foreseen the appearance of specialized ASIC mining equipment when Bitcoin was in its early days.
...
How about changing the algorithm? There are other memory intensive hashing functions, or even a combination thereof, which would result in ASIC resistance.

What would be the point of doing so?
People move hashing from CPU to GPU, develop ASICs, etc. in  order to gain more coins, to profit more from their "mining". Just remove the reward from "mining" - and nobody will care to throw tons of dollars into developing a new HW for nothing.

The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.

Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.

[butka]

The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.

Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.

Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.

[pereira4]

Changing SHA256 on live Bitcoin Network is extremely complicated but not at all impossible. The above posters already described the process in details more then enough to satisfy one's curiosity. I would only like to add that necessity of any improvement should be always taken into consideration. In case of deeply rooted into Bitcoin's architecture hashing algorithm it would be very unwise to change or even plan changes unless there is absolutely critical to do so. It's like upgrading perfectly good foundation of a skyscraper - it can be done, may even improve future performance, but hardly worth the effort.

Theoretically, it's not impossible as you can think about game theoretical scenarios in which doubts about SHA256 would arise, such as the NSA-NIST conspiracy of a backdoor being somehow true, or somehow the curve gets simply cracked by quantum computing (how else could you crack it anyway?)

Both scenarios are sci-fi, if you think about it.

Therefore the ultimate fate of Bitcoin is being stuck with SHA256, which is not necessarily a bad thing, as long as we keep seeing improvements in competition in the mining game. DragonMint is a new hope in mining competition, for instance. Other than that, thinking there's going to be achievable consensus to change SHA256, is in my opinion a waste of time.

The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.

Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.

Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.

Looks like satoshi didn't predict mining pools, which are the cause of centralization, not the actual specialized hardware.

[butka]

Looks like satoshi didn't predict mining pools, which are the cause of centralization, not the actual specialized hardware.

Good point there!

[DevilOper]

The obvious advantage of switching to ASIC resistant algorithms would be promoting decentralization as more people would be able to enter the mining process with "normal" hardware.

Again, what is the real sense of your meaning of decentralization? If you are talking about [more or less] fair coin distribution - just use (a kind of) random distribution. Otherwise, if there is any feasible way to increase one's part of [coin-]cake - one will always do so.

Wouldn't it be good for the stability of Bitcoin's network to have numerous small miners scattered throughout the world rather than a couple of big miners centralized in those parts of the world where electricity is cheap? Wasn't that the original idea back then in 2009? I believe so. But I also get the reality of this mining business and I know that what I'm asking is probably unrealistic. People with big money will always find a way to game the system.

What do you mean by "stability"? Big rock is more stable then small stone. Read-only file is quite stable comparing to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.

[hatshepsut93]

ASIC resistance is a temporary thing, so far many algorithms that were claimed to be ASIC-resistant have lost this status - scrypt, X11 and now ethash ASICs were recently announced by Bitmain. If Bitcoin would do an emergency fork today to some existing algorithm, it would probably take around a year or less until new ASICs arrive, since there's very strong motivation to develop them.

And even with new algo the mining might still be centralized, because if it would be very profitable, miners would buy GPU's in bulk while hobbyists won't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets - imagine Microsoft or NSA sneaking mining malware into Windows update to attack Bitcoin's network with CPU hashpower of millions of users.

So, in conclusion, it's a very complex subject that needs to be discussed and tested for long time before making any moves. There's no immediate need to change algo today, we have plenty of time.

[butka]

What do you mean by "stability"? Big rock is more stable then small stone. Read-only file is quite stable comparing to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.

I wouldn't discard the issue of stability so easily. To reply to your comment, there is an interesting medium article. It nicely illustrates the
concerns and danger of Bitcoin's centralization and having a lot of hash-power concentrated in the hands of several entities.