Author Topic: Why does Bitcoin keep using SHA256 in its POW?  (Read 827 times)
wilwxk
Sr. Member
Activity: 476
Merit: 314
April 22, 2018, 09:59:57 PM
 #21

The hard fork is the first problem as mentioned.
But if you really want to change the sha256 to something "better" like a sha3 or cryptonight, you could only temporarily stop the problem with asics.
The asic is only a component specially designed to do something, the current CPUs and GPUs were made to run different things at the same time, losing part of the efficiency. If you want to continue with the proof of work, you will not stop with the creation of the asics, you can only slow down or make more expensive the production of asics, but this will be only a temporary solution.
A good case to learn from is the hard fork of Monero.
HeRetiK
Legendary
Activity: 2926
Merit: 2091
April 22, 2018, 10:53:26 PM
 #22

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.

I remember the concept of periodically switching PoW algorithms being discussed before, but I'm not sure if that discussion ever came to any meaningful conclusion. Are there any alts that have been attempting this approach?



And we still have practically only two companies developing hardware used to mine these altcoins.

There are only 3-4 manufacturers producing SHA256 ASICs for mining Bitcoin (and they appear to be price fixing)

There are also effectively 2 GPU and maybe 3-4 major CPU manufacturers. Lack of competition seems to be just a small part of the equation, with the main problem being that mining hardware manufacturers have a strong incentive to produce mining hardware for themselves rather than their customers.



Theoretically, it's not impossible as you can think about game theoretical scenarios in which doubts about SHA256 would arise, such as the NSA-NIST conspiracy of a backdoor being somehow true, or somehow the curve gets simply cracked by quantum computing (how else could you crack it anyway?)

SHA256 has nothing to do with curves, it's Bitcoin's private / public key algorithm -- ECDSA -- that is endangered. Which is unfortunately much worse. However it can luckily be mitigated by avoiding address re-use until a new private / public key algorithm has been deployed.



Looks like satoshi didn't predict mining pools, which are the cause of centralization, not the actual specialized hardware.
Good point there!

He kinda did though:
https://bitcointalk.org/index.php?topic=532.msg6306#msg6306



What do you mean by "stability"? Big rock is more stable than small stone. Read-only file is quite stable compared to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.

A blockchain rewrite caused by dominant hashing power is not a feature though. It's a weakness that is kept at bay by game theoretical incentives, ie. the assumption that no rational actor would waste that much money on an attack of questionable merit. Rewriting transactions is exactly what Bitcoin's consensus algorithm is trying to prevent.



ASIC resistance is a temporary thing, so far many algorithms that were claimed to be ASIC-resistant have lost this status - scrypt, X11 and now ethash ASICs were recently announced by Bitmain. If Bitcoin would do an emergency fork today to some existing algorithm, it would probably take around a year or less until new ASICs arrive, since there's very strong motivation to develop them.

And even with new algo the mining might still be centralized, because if it would be very profitable, miners would buy GPU's in bulk while hobbyists won't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets - imagine Microsoft or NSA sneaking mining malware into Windows update to attack Bitcoin's network with CPU hashpower of millions of users.

I think that's the heart of the issue -- Bitcoin's growth has turned mining into an industrial endeavour where economies of scale are key and money available to be put into R&D is plenty.

Simply changing Bitcoin's PoW algo won't keep ASICs at bay forever, but would come with a lot of challenges -- both technologically and community-wise. Not only evaluating and selecting a new PoW algo will be challenging -- even how the selection for a new PoW algo takes place would likely result in a lot of drama and hidden agendas. Some parties may secretly benefit from one algo over another.

In other words, I too think that the downsides of changing Bitcoin's PoW algo would outweigh its benefits -- for now. As much as I'd love to see a time of hobbyist GPU / CPU Bitcoin mining again, I'm afraid this train has left for good.

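The rotating "stack of hashing algorithms" idea quoted at the top of the post above, sketched as an added example (it is not code from any poster, from Bitcoin, or from any altcoin). The pool contents, chain length, epoch length and the seed label are assumptions chosen for illustration; the point shown is that the schedule is derived from chain data every node already has, so no fork is needed to rotate it.

```python
import hashlib

# Pool of candidate hash functions, each returning 32 bytes so that one
# target comparison works for every chain. The choice of algorithms is an
# assumption for this sketch; the post does not name any.
POOL = [
    ("sha256",    lambda b: hashlib.sha256(b).digest()),
    ("sha3_256",  lambda b: hashlib.sha3_256(b).digest()),
    ("blake2s",   lambda b: hashlib.blake2s(b).digest()),
    ("sha512/32", lambda b: hashlib.sha512(b).digest()[:32]),
]
CHAIN_LEN = 3            # hash stages per PoW evaluation (hypothetical)
EPOCH_BLOCKS = 12960     # about 3 months at 144 blocks per day (hypothetical)
DEMO_TARGET = 1 << 248   # very easy target so the demo finishes instantly


def epoch_of(height):
    """Epoch number a block height falls into."""
    return height // EPOCH_BLOCKS


def epoch_schedule(epoch_start_hash):
    """Derive the order of hash stages for an epoch from the hash of the
    block that opened it. Every node can recompute this independently."""
    seed = hashlib.sha256(b"pow-schedule" + epoch_start_hash).digest()
    # 256 is a multiple of len(POOL), so the modulo introduces no bias.
    return tuple(seed[i] % len(POOL) for i in range(CHAIN_LEN))


def pow_hash(header, schedule):
    """Run the header through the scheduled chain of hash functions."""
    data = header
    for idx in schedule:
        data = POOL[idx][1](data)
    return data


def meets_target(digest, target):
    return int.from_bytes(digest, "big") <= target


def mine(prefix, schedule, target, max_nonce=1_000_000):
    """Search for a nonce whose chained hash is at or below the target."""
    for nonce in range(max_nonce):
        header = prefix + nonce.to_bytes(4, "little")
        if meets_target(pow_hash(header, schedule), target):
            return nonce
    return None


def verify(prefix, nonce, schedule, target):
    """What a validating node does: recompute with the epoch's schedule."""
    header = prefix + nonce.to_bytes(4, "little")
    return meets_target(pow_hash(header, schedule), target)


def schedule_space():
    """Number of distinct chains hardware would have to cover."""
    return len(POOL) ** CHAIN_LEN


if __name__ == "__main__":
    start_hash = bytes(32)                    # constructed epoch-start hash
    schedule = epoch_schedule(start_hash)
    print("stages:", [POOL[i][0] for i in schedule])
    nonce = mine(b"constructed-header|", schedule, DEMO_TARGET)
    print("nonce:", nonce, "valid:",
          verify(b"constructed-header|", nonce, schedule, DEMO_TARGET))
    print("possible chains:", schedule_space())
```

With a pool of 4 and a chain of 3 there are only 64 possible chains, so how much such a scheme changes depends on the pool size and chain length that are chosen.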
Anti-Cen
Member
Activity: 210
Merit: 26
April 22, 2018, 11:24:53 PM
 #23

Theoretically, it's not impossible as you can think about game theoretical scenarios in which doubts about SHA256 would arise, such as the NSA-NIST conspiracy of a backdoor being somehow true, or somehow the curve gets simply cracked by quantum computing (how else could you crack it anyway?)

I will not use any Microsoft black box software like AES on a Windows machine because I know myself that Windows copies, encrypts and uploads anything it can get its hands on and this is impossible to stop without making the machine useless and X-Boxes are even worse not that I or anyone has managed to get inside one.

They are even using ultrasound now to activate apps from your TV on your mobile phones so they will stop at nothing to watch you.

Quantum computers are like hardware network switches, mega fast but very limited when it comes to programming which is why it's all been talk for years with nothing really happening but the long term danger does not come from men writing hacking code but more from A.I developing its own computer language that we mere humans won't understand and if you think this is science fiction then you are behind the times already.

Some of the self teaching software reconfigures itself and works better than anything the developers could write themselves and they don't even understand how the output works, it just does and we are already seeing questions being asked about the rights of computers so we are going to be in for some interesting times methinks.

https://www.rt.com/op-ed/424709-sexbots-sex-dolls-rights/

Mining is CPU-wars and Intel, AMD like it nearly as much as big oil likes miners wasting electricity. Is this what mankind has come to?
butka (OP)
Full Member
Activity: 434
Merit: 246
April 23, 2018, 04:19:06 AM
 #24

Having a stack of hashing algorithms would probably solve that problem. Take a pool of proven hashing algorithms, then randomly choose several in a series of hashing operations to constitute Bitcoin's PoW. Arbitrarily change the hashing algos within the series after a minimum of 3 months (not with another hard fork, build that behaviour directly into the consensus rules). CPU's or GPU's could be adapted to that, but an ASIC would be conventionally impossible.

I remember the concept of periodically switching PoW algorithms being discussed before, but I'm not sure if that discussion ever came to any meaningful conclusion. Are there any alts that have been attempting this approach?
RavenCoin, RVN
andrew1carlssin
Jr. Member
Activity: 168
Merit: 3
April 23, 2018, 04:43:32 AM
Last edit: April 23, 2018, 04:55:06 AM by andrew1carlssin
 #25

>Re: Why does Bitcoin keep using SHA256 in its POW?

Good question. I really would like to see a more useful POW. Since we burn a lot of energy... we could do it in a more intelligent way ..

I was reading this scientific paper called "Proofs of Useful Work"..

Quote
Proofs of Useful Work
Marshall Ball, Alon Rosen, Manuel Sabin, Prashant Nalini Vasudevan

February 27, 2017
Abstract

We give Proofs of Work (PoWs) whose hardness is based on a wide array of computational
problems, including Orthogonal Vectors, 3SUM, All-Pairs Shortest Path, and any problem that
reduces to them (this includes deciding any graph property that is statable in first-order logic).
This results in PoWs whose completion does not waste energy but instead is useful for the
solution of computational problems of practical interest.

The PoWs that we propose are based on delegating the evaluation of low-degree polynomials
originating from the study of average-case fine-grained complexity. We prove that, beyond being
hard on the average (based on worst-case hardness assumptions), the task of evaluating our
polynomials cannot be amortized across multiple instances.

For applications such as Bitcoin, which use PoWs on a massive scale, energy is typically
wasted in huge proportions. We give a framework that can utilize such otherwise wasteful work.
Keywords: Proofs of Work, Fine-Grained, Delegation, Blockchain.

With that in mind I am a huge fan of coins like primecoin, gapcoin, and my favourite one

GridCoin
https://bitcointalk.org/index.php?topic=324118.0

Which uses BOINC where you can choose good projects like cancer cure, climate change, etc ...
https://boinc.berkeley.edu/projects.php

Regarding semiconductor industry centralisation ... how many GPU/CPU manufacturers do we have? Sometimes I think that the centralisation phenomenon is more related to energy price, access to wholesaling market, etc than the hardware architecture itself...



Satoshi's book editor; SCIpher - https://pdos.csail.mit.edu/archive/scigen/scipher.html
DevilOper
Member
Activity: 280
Merit: 26
April 23, 2018, 10:02:01 AM
 #26

What do you mean by "stability"? Big rock is more stable than small stone. Read-only file is quite stable compared to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.
I wouldn't discard the issue of stability so easily. To reply to your comment, there is an interesting Medium article. It nicely illustrates the concerns and danger of Bitcoin's centralization and having a lot of hash-power concentrated in the hands of several entities.

You don't need to refer to any kind of external media, articles, whatever: it is obvious just by common sense that ANY Proof-of-Something concept essentially trends to concentration of the abovementioned Something, and therefore to centralization.
DevilOper
Member
Activity: 280
Merit: 26
April 23, 2018, 10:06:30 AM
 #27

What do you mean by "stability"? Big rock is more stable than small stone. Read-only file is quite stable compared to one where anyone can write anything.
Blockchain is not about stability, it's about consensus. And if suddenly tomorrow someone having ten times more hashpower will decide to rewrite the entire blockchain - it is not a bug, it's a feature, and it's there by design.

A blockchain rewrite caused by dominant hashing power is not a feature though.

It is a feature, since orphaning the blocks is a feature/part of algorithm.
You cannot be a half-pregnant.
HeRetiK
Legendary
Activity: 2926
Merit: 2091
April 23, 2018, 11:22:18 AM
 #28

I remember the concept of periodically switching PoW algorithms being discussed before, but I'm not sure if that discussion ever came to any meaningful conclusion. Are there any alts that have been attempting this approach?
RavenCoin, RVN

Thanks, I'll check it out.


You don't need to refer to any kind of external media, articles, whatever: it is obvious just by common sense that ANY Proof-of-Something concept essentially trends to concentration of the abovementioned Something, and therefore to centralization.

The Pareto principle appears to be inescapable, that's true. Still it's vital for the likes of Bitcoin that the top players keep each other in check. Otherwise we're just back to traditional banking but with extra steps. Even if sub-optimal, there's still a difference between having 4-5 dominating mining operations vs a mining duopoly / monopoly.


A blockchain rewrite caused by dominant hashing power is not a feature though.

It is a feature, since orphaning the blocks is a feature/part of algorithm.
You cannot be a half-pregnant.

Following the chain with the largest accumulated work is a feature, that's true. The possibility of a single entity controlling the network with majority hashpower (ie. > 50%) however, is not. Just because the former leads to the latter doesn't mean it's a desired effect. It's a weakness of PoW that has been accepted for lack of a better alternative.

Regardless of code being law and everything working as intended, a cryptocurrency that can not be accepted for fear of history being rewritten by a third party is a useless cryptocurrency.

DevilOper
Member
Activity: 280
Merit: 26
April 23, 2018, 11:55:44 AM
 #29

... doesn't mean it's a desired effect.

Well, one is the reverse side of another. As I said, there is no way to be a half-pregnant.
Anti-Cen
Member
Activity: 210
Merit: 26
April 24, 2018, 12:41:43 PM
 #30

"Why does Bitcoin keep using SHA256 in its POW?"

The better question to ask would be why do we need POW and how did we ever manage to live without it
before double agent SM from Japan turned up and sent Intel chip share prices upwards.

Proof of anything is about establishing trust between nodes but they are always careful to rabbit on
about bitcoin being a "trustless" network but the development team and the miners allowing Tx fees to hit
$55 per transaction has ensured just that, it's now "trustless" but not in the way they wanted it to be.

SHA256 is an odd one to pick if you just want to waste CPU power because even on an Intel i7 CPU it
runs lightning fast when I benchmarked the performance and is not having to spend a fortune on hardware
not a form of POS given the costs or should we not ask questions like that here because it upsets the
resident party faithful and invites attacks.

Mining is CPU-wars and Intel, AMD like it nearly as much as big oil likes miners wasting electricity. Is this what mankind has come to?
ranochigo
Legendary
Activity: 2968
Merit: 4177
April 24, 2018, 01:04:43 PM
 #31

Proof of anything is about establishing trust between nodes but they are always careful to rabbit on about bitcoin being a "trustless" network but the development team and the miners allowing Tx fees to hit $55 per transaction has ensured just that, it's now "trustless" but not in the way they wanted it to be.
If anything, the fee is not indicative of how the developers or miners have been doing. It's a free market and they are free to decide how much to pay based on the transaction volume. Does the node trust anyone? That should be the main point of trustless.
SHA256 is an odd one to pick if you just want to waste CPU power because even on an Intel i7 CPU it runs lightning fast when I benchmarked the performance and is not having to spend a fortune on hardware not a form of POS given the costs or should we not ask questions like that here because it upsets the resident party faithful and invites attacks.
Mining is not all about how fast your speed is. The speed is more about how fast it is, relative to your competitiveness. Bitcoin could go with a slower algorithm and still function. SHA256 was the newest standard for the SHA family in 2009. POS is whoever has the most coins win while POW is whoever is willing to invest and sacrifice their money for reward the most wins. With POS you don't have to incur any costs other than purchasing the coins and you won't lose any either.

etherixdevs
Jr. Member
Activity: 203
Merit: 3
April 24, 2018, 05:12:58 PM
 #32

They should submit another hard fork...
In my opinion, changing the sha256 into something "better" like a sha3 or cryptonight, you could only stop with asics.

The asic is created to do something specific.

On the contrary, the current CPUs and GPUs were made to run and work on different things at the same time, losing part of the efficiency.
If you want to continue with the proof of work, you will not stop with the creation of the asics, you can only slow down or make more expensive the production of asics, but this will be only a temporary solution.
I am observing the hard fork of Monero about it.

What is your opinion?
ranochigo
Legendary
Activity: 2968
Merit: 4177
April 24, 2018, 11:21:02 PM
 #33

On the contrary, the current CPUs and GPUs were made to run and work on different things at the same time, losing part of the efficiency.
If you want to continue with the proof of work, you will not stop with the creation of the asics, you can only slow down or make more expensive the production of asics, but this will be only a temporary solution.
I am observing the hard fork of Monero about it.

What is your opinion?
Indeed. Most algorithms that were once touted as "ASIC-resistant" are not as resistant anymore. The development of ASICs would be viable for a coin that is so valuable. What most coins have done is to have an adjustable variable to adjust and render ASICs useless. They can be expensive to develop and they can't be used for a long time.

IMO, ASICs are fine. With CPU and GPU only coins, the possibility of botnets would still be there. One CPU one vote has never been a reality.

keesdewit
Copper Member
Hero Member
Activity: 1024
Merit: 513
April 26, 2018, 02:30:15 PM
 #34

The question that comes to my mind is not about ASIC resistance, but about the security of the hash function over time. What will happen with the current SHA256 implementation when SHA256 gets deprecated and declared unsafe?

andrew1carlssin
Jr. Member
Activity: 168
Merit: 3
April 27, 2018, 11:12:55 PM
 #35

"Why does Bitcoin keep using SHA256 in its POW?"

The better question to ask would be why do we need POW and how did we ever manage to live without it
before double agent SM from Japan turned up and sent Intel chip share prices upwards.

Proof of anything is about establishing trust between nodes but they are always careful to rabbit on
about bitcoin being a "trustless" network but the development team and the miners allowing Tx fees to hit
$55 per transaction has ensured just that, it's now "trustless" but not in the way they wanted it to be.

SHA256 is an odd one to pick if you just want to waste CPU power because even on an Intel i7 CPU it
runs lightning fast when I benchmarked the performance and is not having to spend a fortune on hardware
not a form of POS given the costs or should we not ask questions like that here because it upsets the
resident party faithful and invites attacks.


Wastage of computing cycles is indeed a terrible thing ...  

Quote
PoWs are wasteful of real resources and energy and, in the massive use case of Bitcoin, have even been called an “environmental disaster” [And13]

source:
Proofs of Useful Work
https://eprint.iacr.org/2017/203.pdf

On the other hand I do hypothesise that building a SHA-256 miner is much simpler than building a machine to mine Keccak ...for instance ... in theory it could help spread bitcoin mining in order to avoid centralisation (word etymology from French centralisation, or centralise + -ation.)

Kakmakr
Legendary
Activity: 3444
Merit: 1957
April 28, 2018, 08:33:50 AM
 #36

Why is ASIC mining that bad if it is more energy efficient than CPU/GPU mining? The strength of this network is also in the amount of the hashing power that we have, compared to other networks and Alt coins.

Also, if we changed to some other ASIC resistance technology, the ASIC manufacturers will just develop something new to circumvent these restrictions. We should welcome technological advancements, but it should not be centralized or dominated by one nation or company. Let these companies compete in a free market for the best technology to improve mining of Crypto currencies.


HeRetiK
Legendary
Activity: 2926
Merit: 2091
April 28, 2018, 11:11:53 PM
 #37

IMO, ASICs are fine. With CPU and GPU only coins, the possibility of botnets would still be there. One CPU one vote has never been a reality.

I also think that for the most part the upsides of ASICs outweigh their downsides. ASICs themselves are not problematic, it's when there's too little competition in the mining market that things could get ugly.

Given the recent uptick of Bitcoin's valuation I think it's likely that we'll see new players entering the mining business over the next couple of years though -- keeping the market fresh and flowing.


The question that comes to my mind is not about ASIC resistance, but about the security of the hash function over time. What will happen with the current SHA256 implementation when SHA256 gets deprecated and declared unsafe?

Depends on what kind of flaw is found. Keep in mind that the use case of a PoW scheme is different from the use case of eg. hashing your users' passwords.

Best case it's the kind of flaw that makes SHA256 faster to calculate, in which case we'll simply see a new generation of miners.

Worst case Bitcoin needs to hardfork to a new PoW scheme. This would come with a lot of drama on which algo to choose, possibly leading to a multitude of competing PoW hardforks, but sooner or later one blockchain would emerge as the canonical Bitcoin blockchain. Even then we might see the original, SHA256 Bitcoin, continuing its existence although at likely a much lower market rate, corresponding to the severity of the found flaw.

DooMAD
Legendary
Activity: 3780
Merit: 3120
April 29, 2018, 03:22:04 PM
 #38

They should submit another hard fork...
In my opinion, changing the sha256 into something "better" like a sha3 or cryptonight, you could only stop with asics.

The asic is created to do something specific.

On the contrary, the current CPUs and GPUs were made to run and work on different things at the same time, losing part of the efficiency.
If you want to continue with the proof of work, you will not stop with the creation of the asics, you can only slow down or make more expensive the production of asics, but this will be only a temporary solution.
I am observing the hard fork of Monero about it.

What is your opinion?

There is no "they" who possess the sole responsibility for announcing hardforks.  It sounds as though you're asking for someone in a position of authority to launch a fork, but we don't have those here.  We've seen BTG fork away with their desire for ASIC resistance, but for the most part, it seems to be a non-event that most people don't care about.  If people did care and it proved to be popular and started to attract lots of hashpower, manufacturers would then start the process of designing an ASIC for the new algo and the initial resistance would be short-lived.

As such, we should probably stop calling it "ASIC resistance", since it's more a case of "ASIC stalling". 

And, as others have alluded to, the more fruitful alternative is to lower the entry barriers and make ASICs more attainable, not less.  Allow time for a greater number of manufacturers to emerge, the competition will generally drive down costs, creating an environment where more people can buy the hardware and mining will become less centralised.

Conversely, if you keep moving the goalposts and changing the algorithm, only a small number of manufacturers will risk developing hardware that might eventually get bricked, which means the small number who do make the breakthrough to create an ASIC will naturally have a monopoly and only the wealthiest participants will be able to afford the hardware.

cellard
Legendary
Activity: 1372
Merit: 1252
April 30, 2018, 11:33:32 AM
 #39

ASIC resistance is a temporary thing, so far many algorithms that were claimed to be ASIC-resistant have lost this status - scrypt, X11 and now ethash ASICs were recently announced by Bitmain. If Bitcoin would do an emergency fork today to some existing algorithm, it would probably take around a year or less until new ASICs arrive, since there's very strong motivation to develop them.

And even with a new algo the mining might still be centralized, because if it would be very profitable, miners would buy GPUs in bulk while hobbyists won't be able to make small home farms, because retailers would enforce 1 GPU per buyer like they do now in many places. CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets - imagine Microsoft or NSA sneaking mining malware into Windows update to attack Bitcoin's network with CPU hashpower of millions of users.

So, in conclusion, it's a very complex subject that needs to be discussed and tested for a long time before making any moves. There's no immediate need to change algo today, we have plenty of time.

It only takes money at stake in order for specialized hardware to proliferate and be developed to its maximum extreme at any given point in time. So if they change the PoW and there's a ton of money to be made, there will be a new ASIC race to get first in line for the next PoW algorithm... it's a pointless, kick-the-can-down-the-road approach.

As some have said, maybe, and just maybe... a random algorithm change could stop this, or at least would put the advantage in different places. Or maybe not, maybe a single entity develops the best possible ASICs for all possible algos and the monopoly continues.

I don't see how this can be solved other than competition, and so far competition is failing to dethrone the Bitmain empire, we'll see how it goes in the future.

As of right now, forget about any PoW changes... unrealistic, will only lead to BTC and BTC-newAlgo, so that's another altcoin for you, kind of like Bitcoin Gold and so on.
DooMAD
Legendary
Activity: 3780
Merit: 3120

Leave no FUD unchallenged
April 30, 2018, 11:56:55 AM
Last edit: April 30, 2018, 12:09:18 PM by DooMAD
 #40

Another aspect to consider is the likely effect it would have on difficulty.  Along with the new algorithm, it would almost certainly involve having to implement emergency difficulty adjustments to the code so that blocks don't come to a temporary standstill when the hashrate suddenly plummets.  Also, since Bitcoin uses the total cumulative proof of work as part of its consensus mechanism, we should keep in mind the possibility it would make future contentious hardforks easier to pull off.  

Bitcoin currently attracts both the largest accumulated proof of work and the largest economic majority.  All the myriad forks we've witnessed so far haven't been able to keep pace with the proof of work Bitcoin has accumulated, but that wouldn't be the case if those who disagreed with the new algorithm continued to support using ASICs.  The new algo would almost inevitably be the minority chain in terms of hashpower, so supporters of the new algo would have to fall back on purely the "economic majority" argument and would also have to be pretty damn sure they'd win that argument.  Quite the gamble.



CPU mining might suffer from the same problems, and on top of that the network will be at the risk of attacks from botnets

And just to stress that point a little more...  Not exactly something we'd want to encourage in Bitcoin.

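The concern in post #40 about blocks stalling when the hashrate suddenly plummets can be put into numbers with Bitcoin's retarget rule (2016 blocks per period, 10-minute target spacing, at most a 4x difficulty change per retarget). This is an added example, not code from the thread or from Bitcoin Core; it is a deterministic average-case model that assumes the drop happens exactly at a retarget boundary and ignores block-time variance, and the function names are made up for illustration.

```python
"""Average-case model of Bitcoin's difficulty retarget after a hashrate drop."""

RETARGET_BLOCKS = 2016   # blocks per retarget period
TARGET_SPACING = 600     # seconds per block the rule aims for
MAX_ADJUST = 4           # one retarget moves difficulty by at most a factor of 4


def retarget(difficulty, actual_timespan):
    """Return the next period's difficulty given how long the last period took."""
    target_timespan = RETARGET_BLOCKS * TARGET_SPACING
    clamped = min(max(actual_timespan, target_timespan / MAX_ADJUST),
                  target_timespan * MAX_ADJUST)
    return difficulty * target_timespan / clamped


def simulate_drop(remaining_fraction, tolerance=0.10):
    """Hashrate falls to remaining_fraction of its old value at a period start.

    Returns (period, avg_block_seconds, period_days) tuples, ending with the
    first period whose block interval is within `tolerance` of 600 s.
    """
    difficulty = 1.0                  # normalised: 1.0 = pre-drop equilibrium
    hashrate = remaining_fraction     # normalised: 1.0 = pre-drop hashrate
    periods = []
    while True:
        block_seconds = TARGET_SPACING * difficulty / hashrate
        timespan = block_seconds * RETARGET_BLOCKS
        periods.append((len(periods) + 1, block_seconds, timespan / 86400))
        if abs(block_seconds - TARGET_SPACING) <= tolerance * TARGET_SPACING:
            return periods
        difficulty = retarget(difficulty, timespan)


def days_until_normal(remaining_fraction):
    """Total days spent in slow periods before block times recover."""
    return sum(days for _, _, days in simulate_drop(remaining_fraction)[:-1])


if __name__ == "__main__":
    for fraction in (0.5, 0.1, 0.01):   # constructed scenarios
        print(f"hashrate falls to {fraction:.0%} of its previous level")
        for period, secs, days in simulate_drop(fraction):
            print(f"  period {period}: {secs / 60:7.1f} min/block, {days:7.1f} days")
        print(f"  slow for {days_until_normal(fraction):.0f} days in total")
```

Because of the 4x clamp, a drop to 1% of the previous hashrate needs four slow periods to recover in this model, which is why an algorithm change would have to ship with an emergency adjustment rule.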