From: Rusty Russell
To: Luke Dashjr, bitcoin-development@lists.sourceforge.net, xor@freenetproject.org
Date: Tue, 03 Jun 2014 22:15:23 +0930
Subject: Re: [Bitcoin-development] Lets discuss what to do if SHA256d is actually broken
Message-ID: <87iooi40ws.fsf@rustcorp.com.au>
In-Reply-To: <201406030452.40520.luke@dashjr.org>
References: <2341954.NpNStk60qp@1337h4x0r> <201406030452.40520.luke@dashjr.org>

Luke Dashjr writes:
> On Tuesday, June 03, 2014 4:29:55 AM xor wrote:
>> Hi,
>>
>> I thought a lot about the worst case scenario of SHA256d being broken in a
>> way which could be abused to
>> A) reduce the work of mining a block by some significant amount
>> B) reduce the work of mining a block to zero, i.e. allow instant mining.
>
> C) fabricate past blocks entirely.
>
> If SHA256d is broken, Bitcoin as it is fails entirely.

I normally just lurk, but I looked at this issue last year, so thought I'd
chime in.  I never finished my paper though...

In the event of an *anticipated* weakening of SHA256, a gradual transition is
possible which avoids massive financial disruption.

My scheme used a similar solve-SHA256-then-solve-SHA3 (requiring an extra
nonce for the SHA3), with the difficulty of SHA256 ramping down and SHA3
ramping up over the transition (eg for a 1 year transition, start with 25/26
SHA2 and 1/26 SHA3).

The hard part is to estimate what the SHA3 difficulty should be over time.  My
solution was to adjust only the SHA3 target on every *second* difficulty
change (otherwise assume that SHA2 and SHA3 have equally changed rate and
adjust targets on both).  This works reasonably well even if the initial SHA3
difficulty is way off, and also if SHA2 breaks completely halfway through the
transition.

I can provide more details if anyone is interested.

Cheers,
Rusty.
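A toy model of the transition scheme Rusty sketches above, added here as an illustration; it is not code from the thread, from Rusty's unfinished paper, or from any Bitcoin implementation. It fills in details the email leaves open with my own assumptions: a block is valid when `sha256d(header || nonce)` beats the SHA2 target and `sha3_256(sha256d_digest || extra_nonce)` beats the SHA3 target (so the SHA3 search commits to the SHA2 solution); difficulty is measured as the expected number of hashes; the retarget rule is my reading of "adjust only the SHA3 target on every second difficulty change, otherwise assume both rates changed equally"; and a 4x per-retarget clamp is borrowed from Bitcoin's single-target rule. The hash rates, the 26-period schedule and the two scenarios (SHA3 estimate 10x too low; SHA2 breaking completely at period 14) are constructed so the simulation runs offline and deterministically (expected times, no randomness).

```python
"""Added example (not from the thread): two-stage SHA256d-then-SHA3 PoW and a
deterministic model of the difficulty hand-over with Rusty's retarget rule."""
import hashlib
import math

BLOCK_TIME = 600.0        # seconds, Bitcoin's target interval
MAX_STEP = 4.0            # per-retarget clamp, as Bitcoin applies to its one target (assumption)


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def valid(header: bytes, nonce: int, extra_nonce: int, t2: int, t3: int) -> bool:
    """Assumed rule: SHA256d over header||nonce must beat t2, then SHA3 over the
    SHA256d digest||extra_nonce must beat t3, so the SHA3 stage commits to the
    SHA2 solution and cannot be precomputed independently."""
    h2 = sha256d(header + nonce.to_bytes(4, "little"))
    if int.from_bytes(h2, "big") >= t2:
        return False
    h3 = hashlib.sha3_256(h2 + extra_nonce.to_bytes(4, "little")).digest()
    return int.from_bytes(h3, "big") < t3


def mine(header: bytes, t2: int, t3: int):
    """Solve SHA256d first, then search the extra nonce for SHA3 on that solution."""
    nonce = 0
    while int.from_bytes(sha256d(header + nonce.to_bytes(4, "little")), "big") >= t2:
        nonce += 1
    h2 = sha256d(header + nonce.to_bytes(4, "little"))
    extra = 0
    while int.from_bytes(hashlib.sha3_256(h2 + extra.to_bytes(4, "little")).digest(), "big") >= t3:
        extra += 1
    return nonce, extra


def shares(period: int, total: int):
    """Schedule from the email: a 26-period year starts at 25/26 SHA2, 1/26 SHA3
    and ends at 0 / 1.  Returns (sha2_share, sha3_share) of the 600 s block time."""
    s3 = min(period / total, 1.0)
    return 1.0 - s3, s3


def clamp(new: float, old: float) -> float:
    return min(max(new, old / MAX_STEP), old * MAX_STEP)


def simulate(r2_true, r3_true, est3_initial, total_periods, sha2_breaks_at=None):
    """Expected block time = expected SHA2 time + expected SHA3 time (no randomness).
    r2_true / r3_true are network hash rates (hashes/s, constructed); a complete
    SHA2 break is modelled as infinite SHA2 rate from period `sha2_breaks_at` on.
    Returns the mean block time of each period, two periods past the transition."""
    est2, est3 = r2_true, est3_initial      # SHA2 rate is known from the existing chain
    s2, s3 = shares(1, total_periods)
    d2, d3 = s2 * BLOCK_TIME * est2, s3 * BLOCK_TIME * est3   # difficulty = expected hashes
    times = []
    for k in range(1, total_periods + 3):
        r2 = math.inf if (sha2_breaks_at is not None and k >= sha2_breaks_at) else r2_true
        block = d2 / r2 + d3 / r3_true       # d2 / inf == 0.0: a broken SHA2 costs no time
        times.append(block)
        if k % 2 == 0:
            # every second retarget: touch only the SHA3 estimate, assume SHA2 unchanged
            sha3_time = block - d2 / est2
            est3 = clamp(d3 / sha3_time if sha3_time > 0 else math.inf, est3)
        else:
            # otherwise: assume both rates moved by the same factor f
            f = (d2 / est2 + d3 / est3) / block
            est2, est3 = clamp(est2 * f, est2), clamp(est3 * f, est3)
        s2, s3 = shares(k + 1, total_periods)
        d2, d3 = s2 * BLOCK_TIME * est2, s3 * BLOCK_TIME * est3
    return times


if __name__ == "__main__":
    # Toy targets (2**252 ~ one in sixteen hashes) keep the demo fast.
    nonce, extra = mine(b"constructed header bytes", 2 ** 252, 2 ** 252)
    print("valid:", valid(b"constructed header bytes", nonce, extra, 2 ** 252, 2 ** 252))
    for label, run in (("SHA3 estimate 10x low", simulate(1e18, 1e12, 1e11, 26)),
                       ("SHA2 breaks at period 14", simulate(1e18, 1e12, 1e12, 26, 14))):
        print(label, [round(t) for t in run])
```

The break scenario is the interesting one: the period after SHA2 stops costing anything runs fast, the SHA3-only retarget then overshoots and is held to the 4x clamp, and the alternating rule pulls block times back toward 600 s over the remaining periods without any SHA2 contribution; once the SHA2 share reaches zero the SHA3 estimate snaps to the true rate in a single retarget.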