Energy requirements to brute force SHA-256

[qwk]

We all know that famous picture of the sun and how long it would take to just count to the number 2^256.

I've been thinking, why not put it another way?
What if it were possible to build and power a computer that could brute force SHA-256?

Let's assume for practical reasons that we want a computer the size of the earth, not much larger.
That's a diameter of 12,742,000 meters.

Let's also assume for practical reasons that we want that computer to be able to brute force SHA-256 within 10 years.
That's 10 * 365 * 24 * 60 * 60 = 3,154e+8 seconds.

The smallest amount of energy that could possibly do any kind of computing is defined by the wavelength of a photon.
I.e. our photon may have a wavelength of 1 diameter of the earth.
The energy of a photon with a wavelength of 12,742,000m is 1.56×10^-32 joules [1]

Let's assume we have a highly efficient algorithm that will be able to compute a number with that least amount of available energy.
To compute all the results in 2^256 (or, as it's sometimes called in a fanciful, scientific way: "count") in ten years would require:
2^256 * 1.56×10^-32 joules / 3,154e+8 seconds =
5.72719275 × 10^33 watts

For comparison, the sun's energy output is
3.846×10^26 W
(according to google)

Now, assuming we are able to build our supercomputer the size of the earth and we'll be able to run it at such extremely low energy requirements, what we'd also be doing would be releasing the energy output of give or take a million suns within the diameter of the earth.
(why? because thermodynamics is a bitch, and ultimately, that energy will end up as heat)

In other words, if we ever manage to build a supercomputer with the unbelievable power and efficiency to brute force SHA-256 within a human's lifetime, we'd turn that computer into the equivalent of a supernova as soon as we turned it on.

Why am I writing this? I somehow never found that "sun picture" truly satisfying.
The idea of blowing up your home planet, solar system, and maybe even nearby star systems if you were to succeed seems slightly more discouraging.

I've probably made quite a few mistakes in those calculations, so I might be off by a handful of magnitudes, but quite frankly, that doesn't matter much. But please let me know if and where I'm wrong.

[1] https://www.omnicalculator.com/physics/photon-energy

[1714822560]

1714822560

[1714822560]

1714822560

[1714822560]

1714822560

[pooya87]

the term "brute force" doesn't make any sense here. brute force is the process of decrypting an encrypted data in many tries such as finding a password of an encrypted file by guessing different passwords. but there is nothing encrypted in a hash.

using the term "brute force" here makes it seem like you are talking about "reversing a hash and finding the message" which is simply impossible no matter how much computing power you have. it would be like wanting to find a and b in the equation (a+b=18). there is no mathematical way of finding a and b no matter how much power you have. all you can do is put different values in that equation and find other possible answers. and that is called "collision attack" where you try different messages and compute hash of each to find two that match (the collision attack) or have the hash and find another message that returns the same hash (preimage attack).

[aplistir]

Yeah. That would indeed be quite a machine.

But realistically speaking. Sooner or later SHA256 will be "cracked".(or we will be able to find collisions as pooya87 defined cracking in this case) And it wont require earth sized supercomputer to do it.

If you study the history of cryptography, it is full of examples of ciphers that were "impossible" to break, whose cracking would take longer than the age of the universe etc. And they have all been cracked. And it did not take billions of years to break any of them 
Why would it be different this time?

Substitution cipher was impossible to crack
Enigma was impossible to crack
and many many others.

Yeah. if you have to brute force (almost) anything it takes forever, but there will always be a shortcut. We just don't know it yet.


 

[qwk]

the term "brute force" doesn't make any sense here. brute force is the process of decrypting an encrypted data in many tries such as finding a password of an encrypted file by guessing different passwords. but there is nothing encrypted in a hash.

Granted, "brute force" is kind of a misnomer here.
Actually, I shouldn't have posted at all in "Technical Discussion", because the whole idea is not about any technical aspect, but rather an idea of how to explain the odds of someone "hacking Bitcoin".
But I don't really know where else to post it.

using the term "brute force" here makes it seem like you are talking about "reversing a hash and finding the message" which is simply impossible no matter how much computing power you have.

A hash doesn't even contain information to reverse it, so for a hash of an arbitrary message, you're absolutely right, of course.
Otoh, for the purposes of "hacking Bitcoin", which is what people are concerned about, a hash of e.g. a key from a known search space of 2^256, "brute forcing" collisions in said search space is more or less equivalent to "reversing" the hash.
Yes, there will be (2^90? AFAIR) collisions, any of which could be the key, but all of them kind of "fit the shoe".

[bitmover]

I believe that trying to brute force a hash 256 is the wrong approach. This won't work.

I was thinking about something more effective and efficient (energy speaking).

What if some tries to create an AI that would try to reverse SHA 256 hashes? That is not impossible. Although no one never succeeded , a highly advanced and dedicated AI could try.

I believe that with AI advances a lot of things will change.

[qwk]

What if some tries to create an AI that would try to reverse SHA 256 hashes? That is not impossible.

Yes, it is.
AIs don't magically overcome the laws of mathematics
A (good) hash doesn't contain the information of its input/s.
With no information to go on, there's nothing to "reverse".


I sometimes try and explain hashes to people without mathematics.
My example usually goes like this:

Let's assume you run a night club with a guest list.
You don't want the doorman to know who the guests are before they arrive.
But he should be able to know if a person at the entrance is on the guest list.

Now, what you could do instead of writing the names of guests on the list, is write hashes of their names.
A very simple (not really good) hash could be:
1. shift one letter in the alphabet (ROT-1)
2. leave out all vowels

So, a name like "Satoshi Nakamoto" would turn into:
1. Tbuptij Oblbnpup
2. Tbptjblbnpp

It's obvious that this still contains a lot of information to go on, so it's really not a good hash function at all.
But the doorman at the night club might not know what a prominent guest we'll have tonight.
As soon as satoshi turns up, he'll be able to apply the same hash function to his name and see that he's on the list.

[PrimeNumber7]

If you study the history of cryptography, it is full of examples of ciphers that were "impossible" to break, whose cracking would take longer than the age of the universe etc. And they have all been cracked. And it did not take billions of years to break any of them 
Why would it be different this time? 

With SHA-256, it is very easy to go from unencrypted message --> encrypted message that is encrypted with a given public key. It is also very easy to go from encrypted message --> unencrypted message if you have the private key associated with the public key ("Associated Private Key") the message is encrypted to. It is very difficult to (what the OP is referring to) go from encrypted message --> unencrypted message if you do not have the Associated Private Key.

Likewise, if you have a given private key, it is easy to calculate the public key, but it is difficult to calculate the private key with a given public key.

All of the above is given known formulas are used for performing each calculation. In the past, ciphers were broken, not because they were brute forced, but because formulas were discovered to make it trivial to calculate the private key with a given public key.

The risk to those using SHA-256 to encrypt their sensitive information is that a more efficient formula will be discovered that can calculate a private key with a given public key. Will this happen in the future? I don't know, that is above my pay grade.

[ABCbits]

What if some tries to create an AI that would try to reverse SHA 256 hashes? That is not impossible. Although no one never succeeded , a highly advanced and dedicated AI could try.

I believe that with AI advances a lot of things will change.

I can't imagine AI to reverse hash of Bitcoin's blockchain, i'd save my storage space

The risk to those using SHA-256 to encrypt their sensitive information is that a more efficient formula will be discovered that can calculate a private key with a given public key. Will this happen in the future? I don't know, that is above my pay grade.

You can't use SHA-256 to encrypt something because it's hash function.

If a software claim using SHA-256 to encrypt information, it's very likely they use other encryption algorithm where it's private key (with length 256 bit) came from hashed password/passphrase.

[Welsh]

In other words, if we ever manage to build a supercomputer with the unbelievable power and efficiency to brute force SHA-256 within a human's lifetime, we'd turn that computer into the equivalent of a supernova as soon as we turned it on.

Why am I writing this? I somehow never found that "sun picture" truly satisfying.
The idea of blowing up your home planet, solar system, and maybe even nearby star systems if you were to succeed seems slightly more discouraging.

Supercomputers aren't going to be as powerful as people think when compared to the grand task of taking down an encryption method. However, they're going to be fairly good at niche specific tasks. I think the development behind supercomputers is a good thing, but they are never going to get to the capability of breaking SHA-256 unless something truly groundbreaking develops in physics. Most people's home computers aren't cooled efficiently, but a super computer would literally have to spend its time in a super super cold freezer which allows the computer components to still move. Also, its the small problem of it having to be bigger than Roger Ver's ego.

What if some tries to create an AI that would try to reverse SHA 256 hashes? That is not impossible. Although no one never succeeded , a highly advanced and dedicated AI could try.

I believe that with AI advances a lot of things will change.

It depends what you mean by using AI to tackle this problem. AI isn't automatically anymore efficient than other alternatives. The definition of AI is something that can imitate human behaviour. Whereas a human probably wouldn't be able to reverse the SHA 256 hashes why would AI be anymore effective at this? I'm not saying its completely impossible, but it is very unlikely that AI would be capable of this. Most artificial intelligence is quite....how do I put it? Dumb. There's been some advancements in AI over recent years, and there are promising results from various sources. However, these are niche specific, and none of them are related to deconstructing SHA 256 or reversing a hash of SHA 256.

[bitmover]

Yes, it is.
AIs don't magically overcome the laws of mathematics
A (good) hash doesn't contain the information of its input/s.
With no information to go on, there's nothing to "reverse".

I was not thinking about magic, but about math  just like your example.

Now, what you could do instead of writing the names of guests on the list, is write hashes of their names.
A very simple (not really good) hash could be:
1. shift one letter in the alphabet (ROT-1)
2. leave out all vowels

So, a name like "Satoshi Nakamoto" would turn into:
1. Tbuptij Oblbnpup
2. Tbptjblbnpp

This is 100% reversible.
I would like to understand more, and I don't this was a good example...is it not reversible with our current math or not at all? Our paradigms may change in the future

I will take a further look at this.

[qwk]

A very simple (not really good) hash could be:
1. shift one letter in the alphabet (ROT-1)
2. leave out all vowels

So, a name like "Satoshi Nakamoto" would turn into:
1. Tbuptij Oblbnpup
2. Tbptjblbnpp

This is 100% reversible.

Uhm, no?
How do you go from "Tbptjblbnpp" to "Tbuptij Oblbnpup"?

I would like to understand more[...]...is it not reversible with our current math or not at all?

Not at all.
"Reversing" in this context probably means taking some information, doing something with it and getting the "real" information out.
This is not possible if the information isn't there in the first place.

The string "Tbptjblbnpp" doesn't contain (all of) the information to create the string "Satoshi Nakamoto".
No matter if you use mathematics, mechanics, chemistry or anything other than magic, there's no way to get from one to the other.

[bitmover]

The string "Tbptjblbnpp" doesn't contain (all of) the information to create the string "Satoshi Nakamoto".
No matter if you use mathematics, mechanics, chemistry or anything other than magic, there's no way to get from one to the other.

The tbptjjsja have the information to create the string. However it is very hard to find that pattern, specially with a single example.

However you unlimited amounts of examples of SHA256 to learn from them seeking for that pattern.
Imagine to train a software to train on those examples seeking for that pattern, with huge processing power and an efficient code.
I believe this is something very interesting and doable.

Maybe  not to really break it , but to hugely  narrow the possibilities . Like I your example,  just look for ome single character swap

I never researched about it, just had this idea.

There's been some advancements in AI over recent years, and there are promising results from various sources. However, these are niche specific, and none of them are related to deconstructing SHA 256 or reversing a hash of SHA

Maybe some people are researching in secret ..?

[pooya87]

~

if you want to understand why it is not possible to reverse a hash, i already gave a good example above. and you don't need a super computer or an AI to try and reverse it. basically the reason is the same. you can not reverse (a+b=18) to find a and b because there simply is no way! and lets not confuse guessing different values for a and b with reversing.

what hash algorithms do is the same, it is math. it is a bunch of additions, bit shifts, bit rotates,... in multiple steps that will return a final result. you can not reverse even a single step let alone the entire process.

[bitmover]

if you want to understand why it is not possible to reverse a hash, i already gave a good example above. and you don't need a super computer or an AI to try and reverse it. basically the reason is the same. you can not reverse (a+b=18) to find a and b because there simply is no way! and lets not confuse guessing different values for a and b with reversing.

what hash algorithms do is the same, it is math. it is a bunch of additions, bit shifts, bit rotates,... in multiple steps that will return a final result. you can not reverse even a single step let alone the entire process.

I am not convinced, but I didn't read about it yet.
I am not convinced because we have unlimited samples, not just one.

If you have one more samples everything changes.
a+b=18
A-b=1
You can easily determine now. I know it is not that simple, however we have unlimited examples. That's the idea. Teach a machine to train on those examples searching for any kind of pattern.

But we are all just repeating ourselves already...

To break something like this would turn the world into chaos. Blocks could ne mined at will, bank accounts  easily accessed , financial system... probably someone is already looking for this im secrecy

[qwk]

I am not convinced

I'm not even sure if you simply don't understand or are trolling.
Again: a hash doesn't contain the information to reverse it.
This is not a matter of finding "patterns".
Information that isn't there can not be found.
Thermodynamics / information theory (entropy) is in the way.

[bitmover]

I'm not even sure if you simply don't understand or are trolling.
Again: a hash doesn't contain the information to reverse it.
This is not a matter of finding "patterns".
Information that isn't there can not be found.
Thermodynamics / information theory (entropy) is in the way.

I took some time to read some texts related to the subject, and nothing I read said that "information is not there to be found".
Information is there, but highly scrambled.

Some interesting quotes from this answer (2nd answer on the topic), which is the best I found.

It is unclear whether one-way functions can actually exist. Right now, we have many functions that no one knows how to invert; but this does not mean that they are impossible to invert, in a mathematical sense. Note, though, that it is not proven that one-way functions cannot exist, so hope remains.

There are some functions which can be linked to well-known hard problems. For instance, if n is the product of two big primes, then the function x ⟼ x2 mod n is hard to invert: being able to compute square roots modulo a non-prime integer n (on a general basis) is equivalent to being able to factor n, and that problem is known to be hard. Not proven to be hard, mind you; only that mathematicians have tried to efficiently factor big integers for (at least) the last 2500 years, and although some progress has been made, none of these smart people found a really killer algorithm for that.

This problem is mainly related to https://en.wikipedia.org/wiki/Integer_factorization where it is very hard to factorize very big subprime numbers. Factorize is to decompose a number into a product of smaller integers.



This was a good example based on the above problem. But it is still reversible, we just don't know how to easily do it.

Let me invent a simple "password hashing algorithm" to show you how it works. Unlike the other examples in this thread, this one is actually viable, if you can live with a few bizarre password restrictions. Your password is two large prime numbers, x and y. For example:

x = 48112959837082048697
y = 54673257461630679457
You can easily write a computer program to calculate xy in O(N^2) time, where N is the number of digits in x and y. (Basically that means that it takes four times as long if the numbers are twice as long. There are faster algorithms, but that's irrelevant.) Store xy in the password database.

x*y = 2630492240413883318777134293253671517529
A child in fifth grade, given enough scratch paper, could figure out that answer. But how do you reverse it? There are many algorithms people have devised for factoring large numbers, but even the best algorithms are slow compared to how quickly you can multiply x by y. And none of those algorithms could be performed by a fifth grader, unless the numbers were very small (e.g., x=3, y=5).

On the post I mentioned on stack exchange he explained how MD5 is hard to invert. It is interesting, and the main problem is related to bit depency, which is :

Bit dependency: A hash algorithm is designed to ensure that each bit of the output is dependent upon every bit in the input. https://crypto.stackexchange.com/questions/45377/why-cant-we-reverse-hashes

At that point you begin to understand the problem of inverting MD5: every time you touch a single bit, it triggers an awful lot of modifications throughout the algorithm, which you need to cancel out by touching other bits, and there are just too many interactions. Basically, you juggle with 2128 balls at the same time, and that's way too much to keep track of all of them.

~

So, I looks to be possible. Just not humanly doable. From time to time even some hash functions are considered broken, just like SHA-1 which became vulnerable to shattred attack  (read it  here https://en.wikipedia.org/wiki/Cryptographic_hash_function)

So, personally, I would use your qwk's Planetary Super Efficienty Computer to try to break those hash functions instead of brute forcing them.

[qwk]

I took some time to read some texts related to the subject, and nothing I read said that "information is not there to be found".
Information is there, but highly scrambled.

Take a 2-bit piece of information.
Use a function to reduce it to one bit.
Is the two-bit-information still in that single bit?
q.e.d.

What you're probably confused about is that for many (if not almost all) problems, it's actually not possible to prove wether or not the information is still there, somehow.
That has a lot to do with the concept of Kolmogorov complexity, i.e. the problem that it's generally unknowable wether some string can not be expressed by some shorter string (very simply put).

The idea that it is unproven wether or not there are irreversible functions is basically true and for cryptography boils down to the question of P=NP, but that has nothing to do with the possibility of simply reducing information in the output and thus rendering it impossible to recreate the input.
Most of today's applied cryptography and most specifically public-key cryptography requires P!=NP.

[Philipma1957cellphone]

Okay I need a bit of help. To explain this but let's try.

I have a private key say 12345.   To an address say 1fool it is a vanity address made offline safely.   I input it to a btc wallet with a second password say 24680


A thief inputs random price keys to a wallet.  Brute force all the way.

One day private key comes up 12345  the one for address 1fool

At this point is the thief in.? I think not I think he needs to guess password 24680

Is this correct?

He needs the private key and the second password correct?

[DannyHamilton]

Okay I need a bit of help. To explain this but let's try.

I have a private key say 12345.   To an address say 1fool it is a vanity address made offline safely.   I input it to a btc wallet with a second password say 24680

A thief inputs random price keys to a wallet.  Brute force all the way.

One day private key comes up 12345  the one for address 1fool

At this point is the thief in.? I think not I think he needs to guess password 24680

Is this correct?

No.

He needs the private key and the second password correct?

No.

Think about it like this...

I have a digital map with directions that show exactly where my buried treasure is hidden.

I also have a secondary password that I used as an encryption key to scramble the map into a digital cipher.

If you have my digital cipher file AND you know my password, then you can decrypt (unscramble) the cipher back into the original digital map and get to my treasure.

HOWEVER, you don't know my password AND you don't have my cipher file. Therefore, you decide to just "brute force" my map.  You start generating completely random digital maps, and checking to see if they lead to a treasure.  After many, many, many years you get extremely lucky and the digital map that you randomly generate is exactly the same as my original map.

Do you now ALSO need my secondary password to go get my treasure?

No.  The only purpose of the secondary password was to decrypt the encrypted map.  Since you now have a copy of the original map, you can just use it to go get the treasure. You no longer need the digital cipher or the password.

Bitcoin works the same way.

If you generate a private key for a vanity address, then the private key is the "map" that allows you to access the funds that are received using that vanity address.  Just like with the map, anyone with that private key has access to those coins.

If you then import the private key into a wallet and have a password for that wallet, all you've done is encrypted (scrambled) the private key using the password as the encryption key, and stored that scrambled cipher in a file that the wallet has access to.  Anytime you want to use the wallet, you provide the password so that the wallet can decrypt the key and then use the decrypted key to access the bitcoins.  If anyone steals your wallet, they need to know your password to decrypt the key.

However, if they "brute force" the private key, and they somehow get lucky enough to generate the actual exact private key, then they no longer need to steal your cipher file or know your password.  They have the map (key) to access the bitcoins.

[pooya87]

If you have one more samples everything changes.
a+b=18
A-b=1

well that example works the way it is, you can't change the example itself. it is a simplified explanation of why it is irreversible.

Some interesting quotes from this answer (2nd answer on the topic), which is the best I found.

Gödel's incompleteness theorems is talking about basic arithmetic and is mostly a philosophical theory. not to mention that the reply there is mostly talking about cryptography in general (like encryption) not hash and the reply is making the conclusion about "preimage" attack not reversing the hash function.

So, I looks to be possible. Just not humanly doable. From time to time even some hash functions are considered broken, just like SHA-1 which became vulnerable to shattred attack  (read it  here https://en.wikipedia.org/wiki/Cryptographic_hash_function)

you can't say SHA-1 is broken because it is not. that is why it is still being used in many places such as in git and PGP. and it is still irreversible. nothing has changed in that front.

this hash function is only insecure for certain usage where certain type of collision is important, because so far the only attack against SHA-1 has been a special form of collision attack where the attacker can decide what the message is. in other words he controls both m1 and m2 and finds a hash h that is the same for both m1 and m2. and that still requires computing 2^63.1 hashes. and if the attacker has no control on messages then he still has to compute at least 2⁸⁰ hashes (have h(m) and want to find m2 where the hash is equal to h(m)).