Bitcoin Forum
Author Topic: Why rely on a single hash function?  (Read 546 times)
laminar_hash (OP)
May 19, 2022, 04:12:32 PM
 #41


2. Perhaps there are other very valuable uses, but Bitcoin does have half a trillion market cap. You could for example place a gigantic leveraged short on BTCUSD just before publishing your proof that SHA-256 is broken. Or you could rebuild the chain unchanged except for reassigning the Satoshi wallet to yourself.
The latter is not possible. As for the former, if you were to approach the NSA or related organizations directly, you would probably have a guaranteed payout rather than attacking the chain and risking being labelled a criminal and getting yourself investigated. You'd probably have much better things to do if you could discover a feasible way to generate collisions anyway (at low cost, of course).

Why would the latter not be possible? Assuming that I can mine essentially for free, I can just re-create a version of the full blockchain, keeping all transactions identical to the original, except for the destination address in some coinbase transactions (those which are attributed to Satoshi in the original chain). Not sure what would prevent me from doing this.

Why would all of cryptography be dead if this was possible for a specific hash function?
Because historically, well-studied algorithms have never been broken with very little computational power/effort. If you were to prove that one-way functions don't exist, i.e. P=NP, then all other cryptographic functions would also be dead.

Ok, but breaking SHA-256 would not imply that one-way functions don't exist (and neither would breaking ten or a hundred different hash functions).

Anyway, it still seems to me that there is a lot (too much) riding on the fact that SHA-256 will not be broken, or if so, that it would be broken in a slow and visible fashion. I am quite surprised by this, seeing as Bitcoin's main tenet is immutability guaranteed by PoW, which falls apart in case of a break. Admittedly I don't know anything about cryptography, but the single point of failure strikes me as strange.

ranochigo
May 19, 2022, 04:20:29 PM
 #42

Why would the latter not be possible? Assuming that I can mine essentially for free, I can just re-create a version of the full blockchain, keeping all transactions identical to the original, except for the destination address in some coinbase transactions (those which are attributed to Satoshi in the original chain). Not sure what would prevent me from doing this.
Simply because you won't be able to generate hashes like these just like that. There has never ever been any attack which allows users to find a pre-image in this manner.

You can do that, but the community won't recognize your chain as valid. It is quite obvious which chain to follow.

Ok, but breaking SHA-256 would not imply that one-way functions don't exist (and neither would breaking ten or a hundred different hash functions).

Anyway, it still seems to me that there is a lot (too much) riding on the fact that SHA-256 will not be broken, or if so, that it would be broken in a slow, and visible fashion. I am quite surprised by this, seeing as Bitcoin's main tenet is immutability guaranteed by PoW, which falls apart in case of a break. Admittedly I don't know anything about cryptography, but the single point of failure strikes me as strange.
As I've mentioned, the manner in which the topic postulates SHA-256 to be broken seems to suggest a catastrophic failure of it, and I'm inclined to believe that the only scenario in which that happens is when all the other algorithms are also broken. Speed-ups in the PoW are counteracted by difficulty increases; at best there would be a minor reduction in the complexity of finding a pre-image, but not financially sensible enough to exploit.

I think there is a clear distinction between what should be classified as a point of failure, which in this case is how the algorithm can become insecure. I don't doubt that SHA-256 would eventually be broken, but what I do doubt is that it would be broken in this manner. The most likely scenario is that we would recognize its weakness decades in advance and when it finally becomes (remotely) feasible, then we would've long shifted from using SHA256 as the PoW algorithm.
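To make the difficulty-adjustment argument in the reply above concrete, here is an added example (my own code, not from this thread or from Bitcoin Core) that simulates a simplified Bitcoin-style retarget: a 16x speed-up in hashing, whatever its cause, drives block times down for one period and is then clawed back at the 4x-per-period clamp until spacing returns to 600 seconds. The constants are Bitcoin's; the hashrate figures are constructed and the retarget omits Bitcoin's 2015-block off-by-one.

```python
# Added example: simplified Bitcoin-style difficulty retargeting.
# Constants follow Bitcoin's consensus rules (10-minute target, 2016-block
# periods, 4x clamp); the hashrate figures are constructed for illustration.

TARGET_SPACING = 600        # seconds per block
RETARGET_INTERVAL = 2016    # blocks per difficulty period
MAX_ADJUST = 4.0            # per-period change is clamped to [1/4, 4]


def retarget(difficulty: float, actual_span: float) -> float:
    """Scale difficulty by expected/actual period length, clamped to 4x."""
    expected_span = TARGET_SPACING * RETARGET_INTERVAL
    ratio = expected_span / actual_span
    ratio = max(1.0 / MAX_ADJUST, min(MAX_ADJUST, ratio))
    return difficulty * ratio


def simulate(hashrate_by_period, difficulty: float):
    """Run one retarget period per hashrate sample.

    difficulty is measured as expected hashes per block and hashrate in
    hashes per second, so the mean block time is difficulty / hashrate.
    Returns a list of (difficulty, mean_block_time), one entry per period.
    """
    history = []
    for hashrate in hashrate_by_period:
        block_time = difficulty / hashrate
        history.append((difficulty, block_time))
        # The network only sees how long the period took, and adjusts.
        difficulty = retarget(difficulty, block_time * RETARGET_INTERVAL)
    return history


def periods_until_recovered(history, tolerance: float = 1e-6) -> int:
    """Index of the first period after the speed-up where spacing is back
    on target; -1 if it never recovers within the simulated window."""
    for i, (_, block_time) in enumerate(history[1:], start=1):
        if abs(block_time - TARGET_SPACING) < tolerance:
            return i
    return -1


if __name__ == "__main__":
    base = 1_000_000.0                      # 1 MH/s at the start (constructed)
    # Period 0 is in equilibrium; from period 1 every hash is 16x cheaper.
    rates = [base] + [16 * base] * 4
    for n, (d, t) in enumerate(simulate(rates, difficulty=base * TARGET_SPACING)):
        print(f"period {n}: difficulty={d:.3e} mean block time={t:.1f}s")
```

The speed-up buys one period of 37.5-second blocks and one of 150-second blocks; from period 3 on, spacing is back at 600 seconds with difficulty 16x higher.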

j2002ba2
May 19, 2022, 05:05:15 PM
 #43

I think you might be assuming sha256 is a one-way function. It might not be, and thus there could be an easy way to reverse it that no one has ever thought of yet.
It is and it will always be impossible to reverse hashes until the end of time, this is even true for non-cryptographic hash functions like MurmurHash. That's for a very simple reason: math.
Well, 90 years ago Kurt Gödel proved such absolute statements are false.

That said - and thanks to bitcoin - we would never know if someone is capable of easily reversing hashes. If the NSA and similar cannot do it yet, then they would never be able to. Anybody coming close to an answer would be very incentivized to keep it to himself, and never ever share.
garlonicon
May 19, 2022, 07:43:14 PM
Merited by ABCbits (1)
 #44

Quote
we would never know if one is capable to easy reverse hashes
We know today that reversing hashes is impossible and will always be. If you know that the hash is 4, and your hash function is mod10, then you can use 4, 14, 24, 34, 44, ..., and you will never know which value was hashed. You could know that only in one case: if you knew some properties of the hashed data. So, if you know that some ASCII string is hashed, then it may be possible to prove that this particular 256-bit hash will only match "Hello World", because nothing else matches ASCII values (or nothing else is in your "dictionary"), and you can try to prove that, based on context. But if something is totally random, for example some private key, some signature nonce, things like that, then you will never know what was really hashed and what was recovered as a second preimage.

Quote
Why rely on a single hash function?
I think the answer is quite simple: because using two or more hash functions can make the system more complex, and will not make it more secure at the same time, so it is not worth it. But as I described, you can do it yourself, if you really want. You can implement it, you can promote it, you can convince people to switch to things like that, but I think the consensus will be formed around a single hash function, unless something serious is broken (or shows some serious weakness). Also, to add something more to SHA-256, you have to know how it can be attacked, because you don't want to add mod10 and other useless hash functions when they are not needed and can be as "broken" as SHA-256; so it may turn out that, for example, SHA-3 is even worse in the case of some particular attack vector. That's why it should be attack-vector-based, and not randomly picked.
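Added example (my own code, not from this thread): the first point of the post above in runnable form. The mod10 toy shows that a digest has many preimages; a 16-bit truncation of SHA-256 shows the same for a real compression function once there are more inputs than digests; and a small word list shows that a constrained input domain is what lets a digest be pinned to one input, which is why hashing low-entropy data does not hide it. The word list and messages are constructed.

```python
# Added example: a digest alone does not identify its preimage; only a
# constrained input domain does. All inputs below are constructed.
import hashlib
from collections import defaultdict
from typing import Optional


def mod10(x: int) -> int:
    """The toy hash from the post: 4, 14, 24, ... all hash to 4."""
    return x % 10


def preimages_mod10(digest: int, limit: int) -> list:
    """Every input below `limit` with the given mod10 digest."""
    return [x for x in range(limit) if mod10(x) == digest]


def sha256_hex(msg: str) -> str:
    return hashlib.sha256(msg.encode()).hexdigest()


def h16(data: bytes) -> int:
    """SHA-256 truncated to 16 bits: same compression, a range of only 65536."""
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def ambiguous_digests(inputs) -> dict:
    """Map each 16-bit digest to the inputs sharing it, keeping only digests
    with two or more preimages. With more than 65536 distinct inputs the
    pigeonhole principle guarantees a non-empty result: given only the
    digest, the inputs in a bucket cannot be told apart."""
    buckets = defaultdict(list)
    for m in inputs:
        buckets[h16(m)].append(m)
    return {d: ms for d, ms in buckets.items() if len(ms) > 1}


def identify_from_dictionary(digest_hex: str, dictionary) -> Optional[str]:
    """Full SHA-256, but over a known small domain: if exactly one candidate
    matches, the digest pins down the input (the 'Hello World' case)."""
    matches = [w for w in dictionary if sha256_hex(w) == digest_hex]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(preimages_mod10(4, 50))                     # [4, 14, 24, 34, 44]
    msgs = [f"msg-{i}".encode() for i in range(70_000)]   # constructed inputs
    print(len(ambiguous_digests(msgs)), "16-bit digests have >1 preimage")
    words = ["Hello World", "hello world", "Goodbye World"]  # constructed list
    print(identify_from_dictionary(sha256_hex("Hello World"), words))
```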
pooya87
May 20, 2022, 02:45:26 AM
 #45

Well, 90 years ago Kurt Gödel proved such absolute statements are false.
Although I'm not a mathematician, that's not what he proved. He proved that in any mathematical system there are some statements that are considered true but cannot be proven. Not that everything that is true, such as basic math, could be false! That would be crazy talk.
