Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WrnFx-00045O-Fi for bitcoin-development@lists.sourceforge.net; Tue, 03 Jun 2014 11:51:53 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.212.174 as permitted sender) client-ip=209.85.212.174; envelope-from=eth3rs@gmail.com; helo=mail-wi0-f174.google.com; Received: from mail-wi0-f174.google.com ([209.85.212.174]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WrnFv-0000tp-W8 for bitcoin-development@lists.sourceforge.net; Tue, 03 Jun 2014 11:51:53 +0000 Received: by mail-wi0-f174.google.com with SMTP id r20so6378138wiv.13 for ; Tue, 03 Jun 2014 04:51:45 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.194.249.228 with SMTP id yx4mr47857205wjc.53.1401796305278; Tue, 03 Jun 2014 04:51:45 -0700 (PDT) Received: by 10.180.231.42 with HTTP; Tue, 3 Jun 2014 04:51:45 -0700 (PDT) In-Reply-To: <201406030452.40520.luke@dashjr.org> References: <2341954.NpNStk60qp@1337h4x0r> <201406030452.40520.luke@dashjr.org> Date: Tue, 3 Jun 2014 07:51:45 -0400 Message-ID: From: Ethan Heilman To: Luke Dashjr Content-Type: multipart/alternative; boundary=001a11c2a05ad2dfba04faed2252 X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (eth3rs[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WrnFv-0000tp-W8 Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] Lets discuss what to do if SHA256d is actually broken X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Jun 2014 11:51:53 -0000 --001a11c2a05ad2dfba04faed2252 Content-Type: text/plain; charset=UTF-8 An attack on the mining difficulty algorithm does not imply violation of the typical security properties of a cryptographic hash function*. Assume someone discovers a method which makes it far easier to discover new blocks, this method: may or may not be implementable by the current SHA256 ASIC hardware. 1. If it is usable by the mining hardware, then there will be brief period of overproduction and then difficulty will adjust. If the attack is so bad that difficulty can't scale and we run out of a leading zero's, then the SHA256 collision resistance is broken and we have bigger problems. Under this scenario, everyone would see the need to immediately switch to new hardware as people could create cycles and irreconcilable forks in the block chain 2. If the attack is not usable by the mining hardware, then the miners will need to switch to new ASICs anyways and the hash function can be changed without resistance. But lets ignore all that and say, for some unspecified reason, the bitcoin community wants to switch hash functions and has some lead time to do so. One could require that miners find two blocks, one computed using SHA256 and one computed using the new hash function. We could then slowly shift the difficulty from SHA256 to the new hash function. This would allow miners a semi-predicable roadmap to switch their infrastructure away from SHA256. * It would be a distinguisher which would be bad, but collision resistance could be merely weakened. On Tue, Jun 3, 2014 at 12:52 AM, Luke Dashjr wrote: > On Tuesday, June 03, 2014 4:29:55 AM xor wrote: > > Hi, > > > > I thought a lot about the worst case scenario of SHA256d being broken in > a > > way which could be abused to > > A) reduce the work of mining a block by some significant amount > > B) reduce the work of mining a block to zero, i.e. allow instant mining. > > C) fabricate past blocks entirely. > > If SHA256d is broken, Bitcoin as it is fails entirely. > > Luke > > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/NeoTech > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > --001a11c2a05ad2dfba04faed2252 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
An attack on the mining difficulty algorithm does not impl= y violation of the typical security properties of a cryptographic hash func= tion*.

Assume someone discovers a method which makes it far easier t= o discover new blocks, this method:=C2=A0may or may not be implementable by= the current SHA256 ASIC hardware.

1. If it is usable by the mining hardware, then there will be brief per= iod of overproduction and then difficulty will adjust. If the attack is so = bad that difficulty can't scale and we run out of a leading zero's,= then the SHA256 collision resistance is broken and we have bigger problems= . Under this scenario, everyone would see the need to immediately switch to= new hardware as people could create cycles and irreconcilable forks in the= block chain

2. If the attack is not usable by the mining hardware, then = the miners will need to switch to new ASICs anyways and the hash function c= an be changed without resistance.

But lets ignore = all that and say, for some unspecified reason, the bitcoin community wants = to switch hash functions and has some lead time to do so. One could require= that miners find two blocks, one computed using SHA256 and one computed us= ing the new hash function. We could then slowly shift the difficulty from S= HA256 to the new hash function. This would allow miners a semi-predicable r= oadmap to switch their infrastructure away from SHA256.

* It would be a distinguisher which would be bad, but collision resista= nce could be merely weakened.

On Tue, Jun 3, 2014 at 12:52 AM, Luke Dashjr <lu= ke@dashjr.org> wrote:
On Tuesday, June 03, 2014 4:= 29:55 AM xor wrote:
> Hi,
>
> I thought a lot about the worst case scenario of SHA256d being broken = in a
> way which could be abused to
> A) reduce the work of mining a block by some significant amount
> B) reduce the work of mining a block to zero, i.e. allow instant minin= g.

C) fabricate past blocks entirely.

If SHA256d is broken, Bitcoin as it is fails entirely.

Luke

---------------------------------------------------------------------------= ---
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases = and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/s= fu/NeoTech
_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment

--001a11c2a05ad2dfba04faed2252--