Rusty Russell [ARCHIVE] on Nostr
📅 Original date posted: 2014-06-03
📝 Original message:

Luke Dashjr <luke at dashjr.org> writes:
> On Tuesday, June 03, 2014 4:29:55 AM xor wrote:
>> Hi,
>>
>> I thought a lot about the worst case scenario of SHA256d being broken in a
>> way which could be abused to
>> A) reduce the work of mining a block by some significant amount
>> B) reduce the work of mining a block to zero, i.e. allow instant mining.
>
> C) fabricate past blocks entirely.
>
> If SHA256d is broken, Bitcoin as it is fails entirely.

I normally just lurk, but I looked at this issue last year, so thought
I'd chime in. I never finished my paper though...

In the event of an *anticipated* weakening of SHA256, a gradual
transition is possible which avoids massive financial disruption.

My scheme used a similar solve-SHA256-then-solve-SHA3 (requiring an
extra nonce for the SHA3), with the difficulty of SHA256 ramping down
and SHA3 ramping up over the transition (eg for a 1 year transition,
start with 25/26 SHA2 and 1/26 SHA3).

The hard part is to estimate what the SHA3 difficulty should be over
time. My solution was to adjust only the SHA3 target on every *second*
difficulty change (otherwise assume that SHA2 and SHA3 have equally
changed rate and adjust targets on both).

This works reasonably well even if the initial SHA3 difficulty is way
off, and also if SHA2 breaks completely halfway through the transition.

I can provide more details if anyone is interested.

Cheers,
Rusty.
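
The alternating retarget rule described in the message above can be explored with a small deterministic simulation. This is an added example, not code from the original post or from any Bitcoin implementation. The linear ramp over 26 two-week periods, the attribution of the whole timing error to SHA3 on every second change, the 4x clamp, and the names `simulate`, `d3_error` and `break_at` are assumptions made for illustration.

```python
# Added illustration: a deterministic toy model, not Rusty Russell's scheme.
BLOCK = 600.0   # target seconds per block
PERIODS = 26    # two-week retarget periods in a one-year transition

def clamp(x, lo=0.25, hi=4.0):
    """Limit one correction to 4x, as Bitcoin's retarget rule does."""
    return max(lo, min(hi, x))

def simulate(h2, h3, d3_error=1.0, break_at=None):
    """Return the mean block time in seconds for each of the 26 periods.

    h2, h3    true hash rates (hashes/s); the retarget rule never sees them
    d3_error  factor by which the initial SHA3 difficulty is mis-set
    break_at  first period in which SHA256 work costs nothing (None = never)
    """
    s3 = 1 / PERIODS
    d2 = (1 - s3) * BLOCK * h2           # expected hashes for the SHA256 stage
    d3 = s3 * BLOCK * h3 * d3_error      # expected hashes for the SHA3 stage
    times = []
    for k in range(1, PERIODS + 1):
        s3 = k / PERIODS                 # scheduled SHA3 share of block time
        s2 = 1 - s3
        t2 = 0.0 if break_at is not None and k >= break_at else d2 / h2
        obs = t2 + d3 / h3               # only the total is observable
        times.append(obs)
        if k == PERIODS:
            break
        if k % 2:                        # 1st, 3rd, ... change: adjust both
            c2 = c3 = clamp(BLOCK / obs)
        else:                            # every second change: SHA3 only
            est3 = obs - s2 * BLOCK      # assume SHA256 took its scheduled time
            c2 = 1.0
            c3 = clamp(s3 * BLOCK / est3) if est3 > 0 else 4.0
        n3 = (k + 1) / PERIODS           # next period's scheduled shares
        d2 *= c2 * (1 - n3) / s2         # correction times scheduled ramp
        d3 *= c3 * n3 / s3
    return times

if __name__ == "__main__":
    for label, kw in [("calibrated", {}), ("SHA3 10x too hard", {"d3_error": 10}),
                      ("SHA256 broken at period 14", {"break_at": 14})]:
        t = simulate(1e18, 1e15, **kw)
        print(label, [round(x) for x in t])
```

In this model, a SHA256 break at period 14 makes the block interval swing for two periods and then settle a few percent above 600 s, because the scheduled ramp keeps raising the SHA3 difficulty as if SHA256 still took its share.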
Published at 2023-06-07 15:22:14