public inbox for bitcoindev@googlegroups.com
From: Rusty Russell <rusty@rustcorp.com.au>
To: Luke Dashjr <luke@dashjr.org>,
	bitcoin-development@lists.sourceforge.net,
	xor@freenetproject.org
Subject: Re: [Bitcoin-development] Lets discuss what to do if SHA256d is actually broken
Date: Tue, 03 Jun 2014 22:15:23 +0930
Message-ID: <87iooi40ws.fsf@rustcorp.com.au>
In-Reply-To: <201406030452.40520.luke@dashjr.org>

Luke Dashjr <luke@dashjr.org> writes:
> On Tuesday, June 03, 2014 4:29:55 AM xor wrote:
>> Hi,
>> 
>> I thought a lot about the worst case scenario of SHA256d being broken in a
>> way which could be abused to
>> A) reduce the work of mining a block by some significant amount
>> B) reduce the work of mining a block to zero, i.e. allow instant mining.
>
> C) fabricate past blocks entirely.
>
> If SHA256d is broken, Bitcoin as it is fails entirely.

I normally just lurk, but I looked at this issue last year, so thought
I'd chime in.  I never finished my paper though...

In the event of an *anticipated* weakening of SHA256, a gradual
transition is possible which avoids massive financial disruption.

My scheme used a similar solve-SHA256-then-solve-SHA3 (requiring an
extra nonce for the SHA3), with the difficulty of SHA256 ramping down
and SHA3 ramping up over the transition (e.g. for a 1-year transition,
start with 25/26 SHA2 and 1/26 SHA3).

The hard part is to estimate what the SHA3 difficulty should be over
time.  My solution was to adjust only the SHA3 target on every *second*
difficulty change (otherwise assume that SHA2 and SHA3 have equally
changed rate and adjust targets on both).

This works reasonably well even if the initial SHA3 difficulty is way
off, and also if SHA2 breaks completely halfway through the transition.

I can provide more details if anyone is interested.

Cheers,
Rusty.
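
Added example, not part of the original message and not Rusty Russell's code: a deterministic model of one possible reading of the retargeting rule described above, run for a badly guessed initial SHA3 difficulty and for a complete SHA2 break halfway through. The message gives no formulas, so the following are assumptions: 26 two-week periods with a linear 1/26-per-period ramp, constant hash rates, Bitcoin's factor-of-4 limit per retarget, and the way the "SHA3 only" step estimates the SHA3 stage time.

```python
BLOCK_TIME = 600.0  # seconds, Bitcoin's target block spacing
PERIODS = 26        # assumption: two-week retarget periods in a 1-year transition
MAX_STEP = 4.0      # assumption: keep Bitcoin's factor-of-4 limit per retarget


def sha3_share(period):
    """Intended SHA3 fraction of the block interval: 1/26 in period 1, 1 in period 26."""
    return period / PERIODS


def clamp(ratio):
    return max(1.0 / MAX_STEP, min(MAX_STEP, ratio))


def simulate(h2, h3, d3_guess, sha2_breaks_after=None):
    """Mean block time (seconds) for each of the 26 periods.

    h2, h3: hash rates in hashes/second, held constant (assumption).
    d3_guess: initial SHA3 difficulty in expected hashes per solution.
    sha2_breaks_after: period after which the SHA2 stage costs nothing.
    """
    d2 = h2 * BLOCK_TIME * (1 - sha3_share(1))  # SHA2 starts correctly calibrated
    d3 = d3_guess
    times = []
    for p in range(1, PERIODS + 1):
        if sha2_breaks_after is not None and p > sha2_breaks_after:
            h2 = float("inf")
        observed = d2 / h2 + d3 / h3  # the two stages are solved one after the other
        times.append(observed)
        if p == PERIODS:
            break
        s, s_next = sha3_share(p), sha3_share(p + 1)
        if p % 2 == 1:
            # Odd change: assume both rates moved equally and rescale both targets.
            scale = clamp(BLOCK_TIME / observed)
            d2 *= scale
            d3 *= scale
        else:
            # Every second change: assume SHA2 took its intended share of the
            # interval and attribute the rest of the observed time to SHA3.
            sha3_time = max(observed - (1 - s) * BLOCK_TIME, 1e-9)
            d3 *= clamp(s * BLOCK_TIME / sha3_time)
        # Step both difficulties along the ramp.
        d2 *= (1 - s_next) / (1 - s)
        d3 *= s_next / s
    return times
```

Under these assumptions, a SHA3 difficulty that starts 100 times too hard gives block times within about 15% of 600 seconds from period 6 onward, and a SHA2 break after period 13 disturbs two periods before block times return to within about 7% of 600 seconds.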