What made satoshi go for sha256?

[SuperPandaBear]

Out of all possible options at the time, why did he go for sha256 given its ties to NIST/NSA?

[1713545553]

1713545553

[1713545553]

1713545553

[1713545553]

1713545553

[1713545553]

1713545553

[1713545553]

1713545553

[1713545553]

1713545553

[pereira4]

Out of all possible options at the time, why did he go for sha256 given its ties to NIST/NSA?

Out of convenience I guess. SHA256 was the most time tested, compatible in a big array of hardware, important for mining. Bitcoin was all about security but also about certainty. He couldn't risk it with more exotic algos so he went for 2 rounds of SHA256. Other alternatives may not come from NIST but they can come from Russian or Chinese intelligence if you are paranoid about backdoors at this level.

[nc50lc]

SHA-1 & SHA-0 have been found to be vulnerabe.

I'd say: Performance-wise for most year 2008 hardware when there were more x86-based PC than 64bit.
SHA512 might be faster for 64bit systems but SHA256 is better for 32bit... Also the bandwidth.

Both have ties to NSA

Out of all possible options at the time, why did he go for sha256 given its ties to NIST/NSA?

I have a feeling that this isn't about the technicalities but some sort of conspiracy theory?

Ask him directly: Satoshi

[pooya87]

Out of all possible options at the time,

could you name some of these "possible options" back in 2008?
all i see (https://en.wikipedia.org/wiki/List_of_hash_functions#Unkeyed_cryptographic_hash_functions) is a list of a lot of hash algorithms most of which came along in recent years mostly for SHA-3.
there are old ones like MD and RIPEMD which weren't as safe or popular as SHA256
there is Whirlpool which is again not popular and the digest size is 512 bit which would have made everything in bitcoin that much bigger. so not suitable

[Heisenberg_Hunter]

satoshi could have gone for SHA-1 or MD5 or either SHA-0, but since bitcoin is a security critical software which depends on money, using SHA-256 is better while comparing the other 2 which have been broken already. SHA256 is very strong and safer as far as security of bitcoin is concerned. They can never be broken even if the computers present today become as faster as a quantum computer. 2²⁵⁶is a very vast number which can not easily be computed and there would never be any collision. SHA-256 has a long way to go and will surely serve for some decades and hence this was the reason SHA256 was chosen over others.

Ask him directly: Satoshi

We don't need to ask him, he has answered regarding this back in 2010.

See satoshi's quote

SHA-256 is very strong.  It's not like the incremental step from MD5 to SHA1.  It can last several decades unless there's some massive breakthrough attack.

If SHA-256 became completely broken, I think we could come to some agreement about what the honest block chain was before the trouble started, lock that in and continue from there with a new hash function.

If the hash breakdown came gradually, we could transition to a new hash in an orderly way.  The software would be programmed to start using a new hash after a certain block number.  Everyone would have to upgrade by that time.  The software could save the new hash of all the old blocks to make sure a different block with the same old hash can't be used.

[aplistir]

I'd say: Performance-wise for most year 2008 hardware when there were more x86-based PC than 64bit.
SHA512 might be faster for 64bit systems but SHA256 is better for 32bit... Also the bandwidth.

That is true. There is no point in using SHA256 any longer, as SHA512 is faster in 64-bit processors

https://medium.com/@davidtstrauss/stop-using-sha-256-6adbb55c608

Even if what you need is 256-bit hash, you can still use the more secure SHA512, and just use the first 256-bits.

But in the end of 2008, when bitcoin was created, SHA256 was a good choise.

[pooya87]

That is true. There is no point in using SHA256 any longer, as SHA512 is faster in 64-bit processors

not entirely true. nowadays most CPUs have SHA-extensions (mostly Intel but some AMDs) which are working for SHA1 and SHA256 but not SHA512. the speed gained using these intrinsic are huge.
additionally in bitcoin we are doing a lot of hashing on small bytes such as 33 byte public key, 80 bytes block header,... SHA256 is still faster on them because the higher rounds and bigger blocks of SHA512 adds overhead that slows it down.

Even if what you need is 256-bit hash, you can still use the more secure SHA512, and just use the first 256-bits.

if you want to replace a hash function you should never replace it with the SAME hash function that has the SAME EXACT construction.
as for SHA512-256, the only thing that it provides over SHA256 (and similarly over SHA512 itself) is protection against length extension attacks which doesn't even concern bitcoin usage.

in short if the hash function is to be replaced it must be replaced with something different. for example one of those sponge based constructions instead of Merkle–Damgård, like Keccak (standardized as SHA-3).

[buwaytress]

in short if the hash function is to be replaced it must be replaced with something different. for example one of those sponge based constructions instead of Merkle–Damgård, like Keccak (standardized as SHA-3).

And this I guess is why when we're seeing proposals, they're for different/new hash functions? Although until I saw this I didn't know about this SHA-3 family of standards. I don't trawl all the proposals but that's what I recall (or don't recall) but I always thought that when, if at all, Bitcoin decides for a major change, it will only be to hash funtion, not hash algorithm.

Are you aware of anything suggesting otherwise?

[pooya87]

in short if the hash function is to be replaced it must be replaced with something different. for example one of those sponge based constructions instead of Merkle–Damgård, like Keccak (standardized as SHA-3).

And this I guess is why when we're seeing proposals, they're for different/new hash functions? Although until I saw this I didn't know about this SHA-3 family of standards. I don't trawl all the proposals but that's what I recall (or don't recall) but I always thought that when, if at all, Bitcoin decides for a major change, it will only be to hash funtion, not hash algorithm.

Are you aware of anything suggesting otherwise?

yeah, SHA-3 family have been around for a while now (2015ish). there are even a lot of different altcoins that use these functions. some examples: Blake2 (BlakeBitcoin), Grøstl (DigiByte, Verge), Skein, JH (SecureCoin), and of course Keccak (Ethereum)

i don't think anybody is even thinking about replacing SHA256 at the moment. there is just no reason for it. this hash function is still strong against all the attacks that matter.

[Hydrogen]

Out of all possible options at the time, why did he go for sha256 given its ties to NIST/NSA?

There wasn't a big political agenda pushing default backdoors and standardized encryption defeating measures back when Satoshi developed bitcoin, the way there is now.

I'll give you one example.

US attorney general William Barr says Americans should accept security risks of encryption backdoors

U.S. attorney general William Barr has said consumers should accept the risks that encryption backdoors pose to their personal cybersecurity to ensure law enforcement can access encrypted communications.

In a speech Tuesday in New York, the U.S. attorney general parroted much of the same rhetoric from his predecessors and other senior staff at the Justice Department, calling on tech companies to do more to assist federal authorities to gain access to devices with a lawful order.

Encrypted messaging has taken off in recent years, making its way to Apple products, Facebook, Instagram and WhatsApp, a response from Silicon Valley to the abuse of access by the intelligence services in the wake of the Edward Snowden revelations in 2013. But law enforcement says encryption thwarts their access to communications they claim they need to prosecute criminals.

The government calls this “going dark” because they cannot see into encrypted communications, and it remains a key talking point by the authorities. Critics — including lawmakers — and security experts have long said there is no secure way to create “backdoor” access to encrypted communications for law enforcement without potentially allowing malicious hackers to also gain access to people’s private communications.

In remarks, Barr said the “significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society.”

He suggested that the “residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product.”

“Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety,” he said.

The risk, he said, was acceptable because “we are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications,” and “not talking about protecting the nation’s nuclear launch codes.”

The attorney general said it was “untenable” that devices offer uncrackable encryption while offering zero access to law enforcement.

Barr is the latest in a stream of attorneys general to decry an inability by law enforcement to access encrypted communications, despite pushback from the tech companies.

In a rebuttal, Sen. Ron Wyden (D-OR) said the attorney general’s remarks were “outrageous, wrongheaded and dangerous.”

“If we give this attorney general and this president the unprecedented power to break encryption across the board burrow into the most intimate details of every American’s life – they will abuse those powers,” the senator said.

The U.S. is far from alone in calling on tech companies to give law enforcement access.

Earlier this year U.K. authorities proposed a new backdoor mechanism, the so-called “ghost protocol,” which would give law enforcement access to encrypted communications as though they were part of a private conversation. Apple, Google, Microsoft and WhatsApp rejected the proposal.

The FBI inadvertently undermined its “going dark” argument last year when it admitted the number of encrypted devices it claimed it couldn’t gain access to was overestimated by thousands.

FBI director Christopher Wray said the number of devices it couldn’t gain access to was less than a quarter of the claimed 7,800 phones and tablets.

Barr did not rule out pushing legislation to force tech companies to build backdoors.

https://techcrunch.com/2019/07/23/william-barr-consumers-security-risks-backdoors/

For those who read the above article, they might get the impression governments have a vested interest in wanting backdoors built into everything that allows technologies like bitcoin to function. Any platform or service which enables security measures like 2FA to exist are things governments want standardized backdoors built into.

Not only do state authorities support this as a de facto standard, they want it without any safeguards, transparency or accountability process which might ensure that it is not abused or exploited for immoral purposes.

In that when government agencies claim new encryption standards must be devised to keep end users safe from quantum computing, it does somewhat contradict this massive push we see towards standardized backdoors and default exploits being built into everything.

Which isn't to say that there haven't been similar standardized encryption defeating measures in the past. The NSA pushed something called the clipper chip which was encryption with built in surveillance back in the 1990s. It was axed before it was ever deployed. Microsoft's initial version of windows vista was intended to contain built in surveillance of end users, which was discontinued after massive public backlash. There have been similar campaigns in past eras. Just nothing like the massive effort we're seeing today.

[Kakmakr]

I think when a developer creates something that he wants to go global, he or she would opt to use the technology that are the most widely used at the time. Even today, most security features with most sites and services work with SHA256 and it is the tried and tested technology that provides the most stability and performs the best. 

It would not have been wise to use SHA512 at the time and then having most people not being able to use it. This is why most companies are using widely used Operating systems like Windows and Android to launch their software. 

[funkenstein]

A more interesting question is why he went for secp-256k1. 

[pereira4]

A more interesting question is why he went for secp-256k1. 

From the wiki:

Also, unlike the popular NIST curves, secp256k1's constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve.

That could be a reason... reality of the situation is, we will never know the true intentions of satoshi. He HAD to choose something, we would have endlessly discussed why he did choose those constants and not others no matter what. Same goes for 21 million limit, 1 MB blocksize, 10 minute blocktimes, and so follows.

[pooya87]

A more interesting question is why he went for secp-256k1. 

to answer that we first have to figure out which set of curves he had access to (in order to choose from) back in 2008. i couldn't find any list sorting the curves chronologically but the safecurve website has the date of their paper in its table here: https://safecurves.cr.yp.to/

assuming Satoshi was looking at most popular/used curve and also a curve that has a standard defined by NIST (similar to the hash algorithm that was the most popular and had standard by NIST) the choices weren't really that big.
- Curve25519 released in 2005 but it wasn't popular until 2013
- brainpool curves' standards seem to be from 2010
- the rest of the dates are from years after 2008

that leaves NIST curves. so now the choice is limited to a much smaller number of curves.
if we consider size of them (192, 224, 256, 384, 521) and the recommendation by SEC about the fact that 256 bit curve offers a good security for many years and the fact that it matches the hash function (SHA256) makes that group a good choice.

now the list has 2 curves in it: secp256k1 and secp256r1
between these two since the first one is a Koblitz curve and it can be optimized more than the random curve, the choice is obvious.

[Heisenberg_Hunter]

A more interesting question is why he went for secp-256k1. 

As far as we know through the communication mails from satoshi, there is no real reason as to why secp256k1 is used in bitcoin security.

Also we need to note that, secpk1 was never widely used before bitcoin. Apart from pooya87's post on the usage of secp256k1 instead of secp256r1, there seems to be another interesting fact linked to the NIST curves and SECG curves. secp256k1 is a Koblitz and more importantly a pure SECG curve whereas secp256r1 is a NIST curve. NIST and NSA seems to have a good relationship right from 2000's, so satoshi could have figured out the backdoor vulnerability implemented by the NSA in NIST sort of curves. This backdoor was known to be true when Snowden leaked the private documents of NIST! Either way, when Mike Hearn communicated satoshi they said it was purely random and there was no specific reason to use secp256k1.

Another theory could be like, satoshi was coding and creating bitcoin from 2007 but on the other hand satoshi could be well aware of this news published by Wired in 2007. So, satoshi could have thought secp256k1 might be a secure way for random number generation rather than trusting secp256r1 created by NIST.

See this :

I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time.