
SHA

Safe Haven


Mentions (24Hr): 2 (0.00% today)

Reddit Posts

- r/CryptoMoonShots: Introducing Galleoncoin / GALE : PoW privacy coin with masternodes.
- r/CryptoCurrency: Comparing Supercomputer networks to Bitcoin - How to convert exaflop to exahash?
- r/CryptoCurrency: Comparing Supercomputer networks to BTC - How to convert exaflop to exahash?
- r/Bitcoin: Bitcoin computes this SHA-256 hash function 550,000,000,000,000,000,000x times EVERY second
- r/Bitcoin: Entropy: only 121 bits (vs 128) on Blockstream Jade using dice rolls?
- r/Bitcoin: Why BTC is considered safe ?
- r/Bitcoin: Wise men still seek him...a Christmas thought
- r/Bitcoin: Do you think that Quantum Computing poses a threat to BTC encryption, algorithm, and/or security?
- r/Bitcoin: Tatsuaki Omamoto - creator of SHA-256 (1996!!!)
- r/Bitcoin: A.I. Could break bitcoin/SHA256
- r/Bitcoin: Bitcoin Qubit SHA256
- r/Bitcoin: Is it possible for the energy input to break the difficulty adjustment?
- r/Bitcoin: Bitcoin SHA-256 algorithm Quantum protection
- r/Bitcoin: Bitcoin Quantum Protection
- r/Bitcoin: Are P2WSH addresses the most quantum-secure addresses?
- r/Bitcoin: Will AI destroy bitcoin?
- r/Bitcoin: Does SHA256 have limitation?
- r/Bitcoin: Can anyone here explain how / why it is not possible to get AI involved in the bitcoin mining industry / process?
- r/Bitcoin: Is Bitcoin really created by the government?
- r/Bitcoin: Verifying latest block
- r/CryptoCurrency: Decrypt the Shadows: Unearth a New Order of Decentralization [SERIOUS]
- r/Bitcoin: Bitcoin is such a large idea its hard to wrap my mind around it
- r/Bitcoin: Unexpected Record: Balance of 50k Bitcoins Found in Calculation - Seeking Advice
- r/CryptoCurrency: Potential Security Loophole for all cryptocurrency.
- r/CryptoCurrency: Funny story about WIRED magazine and how they threw away (and lost forever) 13.35 BTC in 2013
- r/Bitcoin: China’s new supercomputer can crack SHA256
- r/CryptoCurrency: SHA3D (our algorithm) isn't prone to 51% attack.
- r/CryptoCurrency: Celebrating 12 Years of our Digital silver - Litecoin
- r/Bitcoin: ELI5: If Bitcoin Mining is really just guessing inputs to SHA256 until an output matching the difficulty comes up, how does a miner know what guesses to avoid (previous failed guesses) in order to mine most efficiently ?
- r/Bitcoin: Bitmain Antminer S21 Hyd
- r/CryptoCurrency: Is The National Security Agency (NSA) Behind The Invention of Bitcoin?
- r/CryptoCurrency: This Engineer Is Creating a Bitcoin Game Changer
- r/CryptoCurrency: [1998] Hal Finney: A zero-knowledge proof of possession of a pre-image of a SHA-1 hash
- r/Bitcoin: [1998] Hal Finney: A zero-knowledge proof of possession of a pre-image of a SHA-1 hash
- r/CryptoCurrency: Bitcoin mining on the blockchain, what exactly does a miner do? What is an ASIC? How the mining difficulty is adjusted? What if two miners find the answers at the same time? This post aims for the complete beginners as it is explained in very simple terms.
- r/CryptoCurrency: A really well done & informative description of LTC by NDAX - A Canadian Exchange. Bravo!
- r/CryptoCurrency: Satoshi, NSA and the SHA CRYPTOGRAPHY Algorithms
- r/CryptoCurrency: Ken Shirriff showing how to mine bitcoin with pen and paper
- r/Bitcoin: Sha256/Nonce Question
- r/Bitcoin: ELIF - Why aren't ML and GNNs used to solve hashing in a Traveling Salesman Problem context?
- r/Bitcoin: One about Mining, Proof-of-Work and difficulty.
- r/CryptoCurrency: One about UTXO's, new outputs, inputs and previous outputs.
- r/Bitcoin: One about UTXO's, new outputs, inputs and previous outputs.
- r/CryptoCurrency: Bitcoin can survive brute force attack it's infeasible or impossible?
- r/Bitcoin: Satoshi era key
- r/CryptoCurrency: One about HD-wallets, master keypair, child individual keys.
- r/Bitcoin: One about master key pair, child individual keys, addresses and signatures.
- r/Bitcoin: One about master keypair, child individual keys, addresses and signatures.
- r/Bitcoin: One about HD-wallets, master keypair, child individual keys.
- r/CryptoCurrency: 19 years ago today, Hal Finney officially released Reusable Proof of Work (RPoW)
- r/Bitcoin: why is it always a result of a SHA256 ?
- r/CryptoCurrency: Lets Talk Quantum Computing
- r/CryptoCurrency: What is a blockchain? - A noob explanation
- r/Bitcoin: Quantum computers coming back
- r/Bitcoin: Potential vulnerability?
- r/CryptoCurrency: TIL: Bitcoin 101 - Hashing Algorithms
- r/Bitcoin: Open Source Initiative | Documenting Bitcoin in a new way
- r/Bitcoin: Writing a summary on HD wallets, first part done, correct so far ?
- r/Bitcoin: Final part of SHA256 structure part.
- r/CryptoCurrency: [ANN] AsicCoin (ASC) | SHA256 - The coin for ASIC Mining!
- r/CryptoCurrency: This sub truly blows my mind….
- r/Bitcoin: I'm really worried about SHA-256
- r/CryptoCurrency: How to (instruction) quickly make wallet with right balance of safety and usability
- r/Bitcoin: Verifying bitcoin core
- r/Bitcoin: Bitcoin uses SHA 256 hash functions
- r/CryptoCurrency: Flaws of Bitcoin
- r/CryptoCurrency: [Serious] Is Bitcoin secure? A reaction to “BTC whales are waking up, were their wallets hacked?"
- r/Bitcoin: Satoshis secret message
- r/Bitcoin: SHA-246 Visual w/ Mining Header
- r/Bitcoin: How can I fix this?
- r/CryptoCurrency: Countering all the major anti-crypto arguments in one post.
- r/Bitcoin: Part of SHA256 Visual Mapping
- r/CryptoCurrency: A quick explanation the CZ Interpol Red Notice Rumour
- r/CryptoCurrency: phishing email "from" coinbase passes dkim?
- r/Bitcoin: Can ChatGPT4 have the computational power to break the SHA-256 encryption? Or does that have nothing to do with it?
- r/Bitcoin: Specter verify SHA256SUMS.asc Not Matching
- r/CryptoCurrency: Computer Science IB Extended Essay
- r/CryptoCurrency: Quantum computing and crypto developments
- r/Bitcoin: SHA 256 is a cryptographic hash function that is used to secure and validate transactions on the Bitcoin network. This algorithm was originally developed by the National Security Agency (NSA) in the United States as part of a series of secure hash algorithms.
- r/Bitcoin: Who would've thought that the algorithm used by the world's most popular cryptocurrency was originally designed for space exploration? That's right, NASA's SHA-256 algorithm is the backbone of Bitcoin's security and immutability.
- r/Bitcoin: Bitcoin’s SHA256, nonce hitting above the target.
- r/CryptoCurrency: It's a Trap!
- r/Bitcoin: What do you guys think will happen to bitcoin if quantum computers break SHA256 and solve the discrete logarithm problem (ECDLP)?
- r/CryptoCurrency: SHA256 vs Scrypt: How Comparing Hash Rates is Misleading | NKMAG
- r/CryptoCurrency: Litecoin vs Ripple: Differences, and Everything You Need to Know
- r/CryptoCurrency: MoneyShow announces the Peercoin blockchain will be used as an important part of its new newswire service.
- r/Bitcoin: How do I generate master key from the root seed
- r/CryptoCurrency: Storing seed phrase on encrypted USB drives
- r/Bitcoin: I found the money, but I can't get it out
- r/CryptoCurrency: Going back to basics, Bitcoin 101
- r/CryptoCurrency: How does mining work?
- r/CryptoCurrency: How mining works?
- r/Bitcoin: How mining works?
- r/Bitcoin: A few questions.
- r/Bitcoin: SHA256 Vs. Scrypt
- r/Bitcoin: Does Quantum Computing pose a threat to SHA-256?
- r/CryptoCurrency: Do this to verify your BTC holdings in Binance new Merkle Tree Proof of Reserves And Liabilities

Mentions

I'm so impressed that you know what I think You're right. I'm so dumb, I don't know what a node does. But let's pretend for a minute that a node is a computer that runs some open source software, that is decentralised by design. And maybe that software has some strict rules about how to validate transactions and create blocks where a fixed amount of bitcoin is issued to the wallet that was first to generate a SHA256 hash of all the transactions plus a random number with a sufficient amount of zeros at the start that made it really difficult to compute. Now let's pretend that I'm a complete idiot that thinks that if enough people decide they want to change that open source software that can't because they don't understand how decentralised networks operate. 😂

Mentions:#SHA

If an exploit were found in the cryptography underlying Bitcoin, either in its hashing algorithm (SHA-256) or in its digital signature algorithm (ECDSA), it would effectively end the currency. If digital signatures could be forged due to the exploit, attackers might be able to send transactions from wallets without having actual access to the private keys. This could undermine the transaction immutability that blockchain technology is known for, allowing users to spend the same bitcoins more than once. Exploits in the hashing algorithm could allow miners to find block solutions faster than intended, potentially centralizing mining power or disrupting the normal creation of blocks. There is a big list of hash and signature algorithms you shouldn’t use today because there are exploits: MD5, SHA-1, DES, RC4, etc. One day SHA-256 and ECDSA will be on that list. It could be due to advances in computing power like quantum computing, or it could be due to flaws found in the algorithms themselves. The result is the same: Bitcoin goes bye bye, and anyone holding Bitcoin will be screwed.

Mentions:#SHA#DES

I've never tried to study SHA256, but couldn't it be a complex math problem? I get what you're saying... it isn't doing math like we think of it... solving some equation or adding up an Excel spreadsheet. But, there must be some complex math involved in doing a SHA256 hash, right?

Mentions:#SHA

A pet peeve I have is when people make the statement that miners are solving a complex math problem. It's not. It's simply brute force attempts to find a proper hash. For example, go to the site: [SHA256 - Online Tools (emn178.github.io)](https://emn178.github.io/online-tools/sha256.html) Type in a string of characters in the input field until you find a hash beginning with the number 8. It's pretty simple, right? Now try to input a string of characters that begins with 88888. How long does it take? That's what miners are doing and what everyone refers to as "a complex math problem." Bitcoin adjusts its requirement every two weeks to estimate that the miners will likely find the proper hash/block every ten minutes. Depending on the amount of hash attempts made to find blocks over the last two weeks, the difficulty may be increased or decreased.

Mentions:#SHA

Agreed. ChatGPT perpetuates the false narrative that this is a complex math problem. It's not a complex math problem. It's simply brute force attempts to find a proper hash. For example, go to the site: [SHA256 - Online Tools (emn178.github.io)](https://emn178.github.io/online-tools/sha256.html) Type in a string of characters in the input field until you find a hash beginning with the number 8. It's pretty simple, right? Now try to input a string of characters that begins with 88888. How long does it take? That's what miners are doing and what everyone refers to as "a complex math problem." It's not. Bitcoin adjusts its requirement every two weeks to estimate that the miners will likely find the proper hash/block every ten minutes. Depending on the amount of hash attempts made to find blocks over the last two weeks, the difficulty may be increased or decreased.

Mentions:#SHA

It’s true with a super computer where you can test insanely large samples of data to find collisions. As of now SHA-256 is still a good hashing algorithm.

Mentions:#SHA

If that's true then wouldn't SHA-256 be an awful choice for block hashing? I thought the whole reason Bitcoin uses SHA-256 is because of how collision resistant it is. If what you're saying is true, then it should be trivial to swap out legitimate blocks with fraudulent ones that happen to produce the same hash, no?

Mentions:#SHA

Here is an explanation... Bitcoin works like so: You get a public key that represents a point on the elliptic curve (ECDSA/secp256k1) - it has a corresponding private key that is never revealed. This public key is hashed twice. First with SHA256, second with RIPEMD-160 - this is your address (basically). When you send a transaction from that address, you sign for it in such a way that it reveals your public key. Each address has its own public key that is only revealed once (if used correctly / not reusing addresses). There is some fear that Bitcoin might be vulnerable to quantum attacks. For people who reuse addresses this fear may have some merit. For people who never reuse addresses this fear is unmerited due to the double hashing. I'll explain further. Hashing works by an iterative process that loses information at every step. For example, your hashing algorithm might be "double the number, add 7, drop the last digit, repeat 512 times." This is a bad hashing algorithm but demonstrates the problem with reversing a hashed output. Imagine you started with 13; you'd double it, getting 26, add 7, getting 33, then drop the final digit, getting 3. How would you reverse such a process? Well, with this simple example, you could. But with cryptographic hashing functions generally, you could not, because step one would be to guess at what the lost information was. With this simple algorithm you have a 1 in 10 chance of being right and have to guess correctly 512 times in a row.

Quantum computers work like so: It is not accurate to think of quantum computers as "really fast computers" - they work in fundamentally different ways. Classical computers have instruction sets that process instructions iteratively until an algorithm has run to completion. This is why classical computers can solve problems, generally, if those problems have known algorithms. The downside is that they don't get to skip any steps. Quantum computers solve problems by setting up qubits into a superposition of states, then harnessing some known result in quantum mechanics to solve _certain kinds_ of problems. An example of this is Shor's algorithm which leverages the fact there is a known quantum observation such that collapsing wave functions have an associated periodicity that happens to require a solution that has, as a component, an equation that can be reformed as a solution to large prime number factorization. As a result, setting up a quantum computer in just such a way can be used to "do it in reverse" (that is, instead of using the equations to predict what a wavefunction will do, set up a wavefunction in just such a way that we can observe what the solution was, which allows us to factor large prime numbers - at least in theory).

Conclusion: It is possible that quantum computers may allow us to solve the discrete logarithm problem similar to how they allow us to solve for factoring large numbers (like with Shor's algorithm). This would break the ECDSA mentioned above in the description of how Bitcoin works. This is because problems like the discrete logarithm problem and large number factorization seem to have corollaries in the physical/quantum world (that is, these math problems describe quantum phenomena, therefore we can exploit quantum phenomena to solve these math problems). It is much much less likely that quantum computers will allow us to solve SHA256 or RIPEMD-160 because these are human inventions. There is no good reason to think that "double the number, add 7, repeat 512 times" has corollaries in the quantum world since the process is a human invention (even though it uses mathematical primitives). It would be like discovering that a DNA helix was written in English. And even if there were some flaw to be exploited by quantum computers in SHA256 or RIPEMD-160, it would be very strange to discover flaws in both because they work so differently. Is it possible? Yes, but... wildly unlikely. Too much time has been spent on this topic by people who shouldn't be spending any time on this topic because they don't even understand the fundamentals.

Mentions:#SHA#DNA

This is just panic and hype. There's already post quantum cryptography. Even quantum would take a very long time to break SHA256 unless there was a flaw discovered.

Mentions:#SHA

Quantum computers cannot break SHA-N in poly(N) time. They take 2^(N/2) as opposed to 2^N time on classical computers to break it. Breaking SHA-256 will NOT be possible with a quantum computer the size of our entire planet. Stealing private keys on the other hand with a quantum computer... will be trivial. That is the only and yet still fundamental risk that quantum computers pose to bitcoin.

Mentions:#SHA

It's not useless. When people talk about what they don't understand I have no choice but to handhold you through the issues here. I will address your comments one last time. Even the "it's not recommended to reuse btc" DOES NOT protect you from quantum computing. See below:

1. Every time you pay you expose your public key. Your public key isn't stored in the transactions (only a hash of it) but when you submit a transaction you expose your public key (this is HOW they verify your wallet's digital signature). Do you understand this? Why would a miner actually submit your transaction IF they could just take your coins and keep it for themselves? Suppose you SUBMIT your transaction (it's not yet on the chain, you are asking miners to include it) to two miners Alice and Bob and you offer to pay a fee of $5 to whoever successfully includes it in the next block. Bob tells Alice "forget papy66, I already stole their private keys, I will pay you $10 to ignore papy's transaction and submit this other transaction that transfers ALL of papy66's money to ME onto the blockchain". Alice, if she hasn't already stolen your info first, will say "sure $10 is better than $5" etc... Every time you pay, IF someone had a quantum computer, they could steal all those coins, EVEN THOUGH you NEVER reused your address AFTER paying ONCE. Just the act of submitting a SINGLE transaction, NOT EVEN getting it onto the blockchain, means they can drain that address.

2. "And yes a QC could mine block faster" -- by a square root. Do you understand how meaningless Quantum Computing IS in terms of breaking SHA256? It will take a SINGLE small adjustment of difficulty to UNDO ALL the efficiency gains that Quantum Computing provides in terms of mining.

The only valid opinion here is: 1. Big quantum computers break bitcoin AS bitcoin stands right now precisely because Bitcoin uses secp256k1. If bitcoin can change the transaction scheme in the future to some lattice based scheme or other quantum-resistant scheme this might be okay. 2. Quantum computers will have no noticeable effect on mining. A very minor increase in difficulty will destroy ANY perceived advantage that Quantum computers had. Of course that increase in difficulty means everybody NEEDS a quantum computer just to keep up, but that's already how it is today with ASICs.

Mentions:#SINGLE#SHA

I understand your point about the translation of private keys from one chain to the forked chain. There could be a mechanism to secure it. I imagine the SHA256 hashing algo could stay the same while ECDSA, which is vulnerable, would be replaced with a quantum resistant one.

Mentions:#SHA

> Not SHA-256. It’s mathematically impossible to assume a reversed 256-bit hash (or 32 character string) can hold data much, much larger than the hash itself. If I hash 1GB of text, there’s absolutely no way to reverse the original 1GB of data out of 256 bits.

I thought about this over lunch and I think it's incorrect to say it's mathematically impossible. It's certainly infeasible and impractical given current day computing limitations, but you could theoretically do a brute force and guess-and-compare outputs, right? I mean that might take a million years with today's processing limits, but who knows what it'll be in the future.

Mentions:#SHA

NS and other intelligence agencies alike are most likely under the impression that AES and RSA will be reversible someday with quantum computers. Not SHA-256. It’s mathematically impossible to assume a reversed 256-bit hash (or 32 character string) can hold data much, much larger than the hash itself. If I hash 1GB of text, there’s absolutely no way to reverse the original 1GB of data out of 256 bits.

Mentions:#NS#AES#SHA

I have no idea what that algorithm is. I don't think anyone would deny the far-reaching implications of reversing a SHA-256 hash. It would literally alter the trajectory of life on earth.

Mentions:#SHA

> lots of people I worked with couldn't set the clock on the microwave

That might be true of "IT pro" but everyone in my tech shop is an IC. Half of us are SDE2 and SDE3s from FAANG, myself included. We don't enforce PIPs as strictly as Amazon but we do a pretty good job of forcing out underperformers. Map, encode, compress, translate are all close approximations of what hashing achieves. If someone reports that they "compressed values using SHA256" and a listener is unable to understand what that means, I'm probably going to assume the listener is an idiot.

Mentions:#IC#SHA

Quantum Computing is actually inferior for mining bitcoin than SHA Processors…. Quantum Computing doesn’t automatically do everything better, just some things.

Mentions:#SHA

That doesn't work for old coins that don't move to a new wallet after the encryption method is changed, which is the whole point of the OP. The quantum threat is real when you consider how important Satoshi's unmoved coins are to the Bitcoin narrative. Think about it like this, if the encryption method changes, how do you prove that you own the Bitcoin in a particular wallet? It's not like the protocol has an internal mailing list that can send you your new private keys. The only claim to base layer bitcoin that anyone has IS the SHA-256 private key, even if we change encryption methods. You would have to send your funds to a new wallet to take advantage of quantum resistance. We need to accept that if quantum computers live up to their potential, Satoshi's coins will be plundered.

Mentions:#OP#SHA

> we will simply switch to a quantum proof hashing algorithm

SHA-256 is already quantum-proof. A quantum computer *might* be able to reduce its entropy by half, but 128 bits of entropy is still plenty. So a quantum computer won't break the mining. The problem is not with the hashing, it's with the ECDSA asymmetric crypto (what you use to sign transactions).

Mentions:#SHA

Bitcoin has two layers of protection against the threat of quantum computing: A) The time window between when a transaction is sent and when it is confirmed on the blockchain is very short, so a quantum computer would need to be extremely quick to exploit this vulnerability before the transaction is confirmed. B) Bitcoin's protocol can be upgraded to use post-quantum cryptography algorithms that are resistant to quantum computing attacks. Antonopoulos believes the Bitcoin community will be able to implement such upgrades as the threat of quantum computing becomes more imminent. Those targeting Bitcoin's cryptography are interested in such technology. Why would they 'destroy it', take value from it and make it public? Anyway, SHA-256 is already quantum proof (NSA says), and BTC is not the easiest or most lucrative target.

Mentions:#SHA#BTC

Your keys are protected by public key cryptography, more specifically secp256k1's elliptic curve, not SHA256, which can be changed in no time to meet the requirements of being Quantum resistant.

Mentions:#SHA

SHA-256 is a hashing algorithm, not an encryption algorithm.

Mentions:#SHA

> I also don’t believe we’re 5-10 years away from this technology. Seems something like 50-100 years.

I spent a couple years at NSA as a green-suiter and one thing I thought that was interesting is that when the US loses classified mediums encrypted in SHA-256 to foreign adversaries today, it is assumed that the foreign adversary has immediate and total access to everything on that medium and we start going into asset protection measures. Even though NSA created SHA-256, they have very little trust in its efficacy and it's not considered a valid protection measure for classified material. If I walk out of a SCIF with Top Secret material that's encrypted with SHA-256, it's considered data spillage. Air-gapped networks are basically the only thing they trust.

Mentions:#SHA

Bingo. This is the perfect response to a lazy parroted answer likely given by someone who knows nothing about SHA-256. Banks can upgrade overnight because they are centralized and can also reverse transactions, while Bitcoin has to fight another fork war for years before this gets decided, with no way to reverse the transactions from theft that happened during this interim period. The fact that guy compared cracking SHA-256 to a comet wiping out the earth is just absolutely comical, especially when it’s guaranteed to happen by the end of this decade. You asked a super legitimate question and of course, you’re getting lazy answers that parrot the mainstream view from people who know absolutely nothing about encryption and parrot what they heard from their local crypto trading bro.

Mentions:#SHA

I hate this answer. It’s such a lazy cop out that gets parroted constantly. If quantum computing breaks SHA-256, banks can upgrade to SHA-512 because they’re centralized entities that can make decisions like that. Almost all centralized cybersecurity can upgrade their security pretty easily. There will be some pain, but almost everyone will have upgraded in a matter of weeks. In Bitcoin land, we’d likely have another fork war over how to solve this problem and plenty of proposals as to what the proper encryption tech is. Miners will hate this too since their capital is worthless. I love Bitcoin for all its decentralized properties as censorship resistant money, but let’s not pretend this isn’t a problem and lazily say that the world would end if we could crack SHA-256. I guarantee this happens before the end of the decade and most other entities can overcome it in a way that will be much harder for Bitcoin.

Mentions:#SHA

The other answer is we just switch to a quantum-safe encryption format. It’s also theorized that SHA-256 already is quantum-resistant to some degree

Mentions:#SHA

Okay I don’t want to be rude to you but you are very clearly not a technical person. Bitcoin’s use of hashing and SHA256 does not make its private keys MORE secure. Those hashes serve a completely different purpose. If you grab a copy of Satoshi’s paper here: https://bitcoin.org/bitcoin.pdf on page 2 paragraph 1 there is a diagram which clearly explains each block contains a digital signature + the public key from the previous owner. (FYI you cannot verify a digital signature WITHOUT exposing the entire public key.) Elliptic Curve asymmetric schemes like secp256k1 are vulnerable to quantum computing. See the quantum computing section here if you want an explanation why: https://en.m.wikipedia.org/wiki/Elliptic-curve_cryptography#:~:text=of%20a%20backdoor.-,Quantum%20computing%20attack,on%20a%20hypothetical%20quantum%20computer. Any cryptographic scheme which is a subset of the Abelian Hidden Subgroup problem, like factoring, like discrete log, like elliptic curves, can be broken by Quantum computers. This is not such a big deal. Almost nobody is actually running quantum resistant protocols and quantum resistant protocols are extremely slow.

Mentions:#SHA

This is misleading. Bitcoin is vulnerable to Quantum computing because it uses elliptic curves to create its public and private keys. A quantum computer can just retrieve private keys and can steal people’s money and double spend in bitcoin WITHOUT having broken SHA256. Your long monologue about hashing is giving a lot of stupid people on this forum the wrong idea that bitcoin is quantum resistant - it is not, it never was, and there is no plan to make it resistant in the near future.

Mentions:#SHA

SHA-256 is a hashing scheme. It’s not a public private key scheme. Bitcoin uses elliptic curves for signing transactions and verifying and those fall apart to quantum computing like butter. Any scheme that reduces to Abelian Hidden Subgroup (such as elliptic curves and integer factorization and discrete log) is susceptible. You can read this to find out more: https://en.m.wikipedia.org/wiki/Hidden_subgroup_problem

Mentions:#SHA

Here's how secure SHA-256 is. And currently it would take a quantum computer with over 100m qubits of computing power to break that encryption. IBM is currently the closest with their computer running a whopping 37 qubits. https://youtu.be/S9JGmA5_unY?si=uKhnt8lKrU76ECfF

Mentions:#SHA

The discussion here is quantum breaking private keys, not breaking SHA-256.

Mentions:#SHA

SHA256 is not the "encryption algorithm" used to make public/private keys. Algorithms that make public/private keys are like RSA, or Elliptic Curve variants.

Mentions:#SHA

A lot of people are commenting and not actually answering the question. The encryption algorithm to make public/private keys is SHA 256. This standard has been mathematically proven as equivalent to a 128 bit hash against quantum attacks. This is because quantum processes are inherently better at certain types of computations but not others. A simplistic way to think about this is parallel vs serial tasks. Quantum computing is great at finding a solution amongst a large number of parallel paths to reach an answer. However it's quite poor (or equivalent) at performing serial tasks (i.e. find A as solution to find B then to find C).

Mentions:#SHA

IIRC in the height of the block wars there was someone claiming there was some "turbo boost" in some ASIC miners that get left in for BCH and forbidden in BTC. I don't know how someone can "boost" SHA256, but I thought someone was making the claim. If it's not all BS, then there would be miners that work "better" on BCH than BTC, making moving a BTC miner without the "boost" to BCH a non-starter.

I have used a ledger wallet, and the main things that I don't like about it are that it is:

1. Not open source - My version will be 100% open source for software, firmware, and hardware
2. Expensive - The only cost would be an ISO7816-4 PCSC compliant SmartCard with SHA256 encryption which are like $10
3. Cumbersome to carry around - My wallet and smartphone are something I carry with me at all times anyways, so if I ever need to send crypto, I can do it at anytime anyplace. This is AFAIK the only cold solution to sending crypto anytime/anywhere where you don't need to carry anything separate
4. Only can plug in through USB - Contactless methods like NFC and RFID are so much nicer. Just tap the hardware wallet card to your phone, put your biometrics, and boom done.

Mentions:#SHA

Your backup is very bad: it is a 3-of-3, so if you lose one piece you have lost your money - which is very likely on the scale of long-term savings. You can use a passphrase with a suitable place to back it up - that's one you can solve with a bit of thinking. Or you can use SLIP39 (supported by Trezor), which splits the 24 word seed into three 24 word pieces that are encrypted. You need any two of the three pieces to recreate the wallet. For Part B 1-5: using standard methods is best, and for anything digital use multiple USB sticks and on the stick itself duplicate the data 3 times (and do a SHA sum of the folder) to help avoid bitrot. For extra safety you can also record the derivation paths. I don't think you are as likely to have problems; there are wallet standards that didn't exist years ago and will likely stay the same.

Mentions:#SHA

The easiest would be just to use the XPUB if you have it (no derivation paths makes things faster). Otherwise, just try say the first 100 derivation paths once you have the XPRIV / XPUB. You should be able to reuse this for the derivation paths so you avoid the expensive 2048 iterations of SHA512 for each derivation path. The bitcoin Rust libraries support this. I wrote a tool that supports this with pure GPU acceleration, but if you are dealing with 49M that should be easy on a modern CPU. [https://github.com/seed-cat/seedcat](https://github.com/seed-cat/seedcat) In my case I needed to try ~100B combinations so GPU acceleration was necessary.

Mentions:#SHA#GPU#CPU

No. I don't believe nor see how bitcoin could die without everything else following through. Even if SHA256 is broken, bitcoin would be the last on your mind. As long as there's an internet and electricity, Bitcoin will survive.

Mentions:#SHA

The fact that your comment and question make no sense. Try again with a coherent question.

> So to compute sha it would take 119304.6471111111 hashes per second.

Like whut? Why are you even bringing in hashes per second into this? OP and Amber_Sam were not talking about that, nor did they need to. 119304.6471111111 hashes per second means that many SHA's per second (technically double that). If you're trying to say something about 10 minutes of 119304.6471111111 hashes per second, then your math doesn't even work out even closely. So it's totally unclear what you even mean.

> On average but that number makes no sense so I'm obviously missing something what is it?

What does it mean for a "number to make sense", other than that it's correct when you apply it to the correct calculation?

Mentions:#OP#SHA

It's worse than that. The Nonce that gets incremented is the last 4 bytes of that header, so you can build an SHA256 hash function that keeps its internal state from the last for iterations and roll back each time you fail. So the hash rate is not how many times you can hash the whole header, but basically the time it takes you to hash 4 bytes and roll back. You only need to hash the whole header once every 4.2B hashes when you run out of nonces.

Mentions:#SHA

Ok ok we're getting somewhere, thanks for sticking with me.

> … I don’t think you’re listening, hashing is a one way function so what do you want to circumvent?

So, am I correct in understanding that your position is that an attack (other than brute force) against SHA256 is impossible? Is that what this means?

Mentions:#SO#SHA

Thanks for that. Now please give me a tiny bit of patience, let's do this step by step: Please explain how that is in any way related to my argument that people who claim that « it is impossible for the NSA to have designed SHA256 in a way that gives them an advantage » are wrong. Just to help smooth the conversation: You'll note how no part of my argument includes the words « brute force ».

Mentions:#SHA

> The algorithm is public, widely-known, and widely-studied.

Would it be currently widely studied if all that needs to be known about it is already known and there was no possibility of finding further flaws in it? Wasn't it already very widely studied when the 2011 attacks were found? How do you measure/determine by how much the likelihood of finding an attack decreases every year or decade? How do you determine at what value that likelihood started?

> is *extremely* unlikely,

How did you determine how unlikely it is? I'd be very curious to see your math. What probability, between 0 and 1, does "extremely likely" map to? Is that probability 0? If it's not, you're essentially agreeing with my position, which has never been anything except « people who claim that the chance of this is zero, are demonstrably wrong ». Listing reasons why something might be more likely than without those reasons is not the same as saying something is likely. It might or might not be likely that the NSA created SHA256 by starting from the intent of designing it so it gives them an advantage. I do not know if that is the case or not, I just believe it sounds like something that could reasonably be decided at an NSA meeting. I can totally see a team of mathematicians at the NSA being tasked with doing **exactly that**. Whether they decided to do it, and whether what we have now is what they produced, I have **no way** to know how likely that is. And neither do you, which is my point. My point is, it's possible, and we don't know how likely it is, therefore people claiming/expecting it's impossible, or that they know how likely it is, are wrong. Here, let me explain (again) to you what I mean by « I do not know how likely this is, but I can show a reason that makes it MORE likely »: « Dual_EC_DRBG. » There. Now, I don't know how likely it is that the NSA designed SHA256 in a way that they have an advantage. BUT I know that they have done it before. THE FACT THAT they have done it before makes it MORE likely (notice how I said « more likely », not « likely ») that this is the case for SHA256. Do you agree with this statement? Let me do it again: « Bullrun leaks ». There again. THE FACT THAT it has been leaked that the NSA DOES THIS makes it MORE LIKELY that they do this for any specific case/algo. NOT «likely» (though you'll certainly hear some argue that it is... just not me), but «more likely». And that applies to SHA256 as well.

Mentions:#SHA

I'm gonna say this one more time. The algorithm is public, widely-known, and widely-studied. The idea that *only* the NSA (which itself isn't a monolith, but an ever-evolving group of people who are ostensibly goal-aligned, but who certainly all have differing views/morals/ultimate loyalties) knows "this one weird trick" which weakens/breaks SHA-256 is *extremely* unlikely, and grows even more unlikely with each passing day.

Mentions:#SHA

> What idea?

Wait, so the issue all this time has been that you can't read?

> You have no evidence of any backdoor to SHA-256,

I have never at any point claimed to have evidence of such a backdoor, that's not in any way even close to the argument I'm making. [https://yourlogicalfallacyis.com/strawman](https://yourlogicalfallacyis.com/strawman)

> You only have a conspiracy theory

You clearly do not understand what a conspiracy theory is. What is the conspiracy I am presenting here? That a security agency designing a security algo with worldwide usage would have considered designing it in a way that gives them an advantage? i.e. essentially **doing exactly their stated job**?? That's like saying it's a conspiracy theory to claim that plumbers do plumbing...

> You only have a conspiracy theory

Even if it was a conspiracy theory (it's not really, but sure, it's a theory of some kind for sure), you saying that is still not demonstrating it's wrong.

> to anyone with an IQ > 100, is boring.

I'm not sure when was the last time I've talked to somebody with the arrogance of claiming they speak for half the population...

Mentions:#SHA

What idea? You have no evidence of any backdoor to SHA-256, nor any interesting lead(s) to pursue. You only have a conspiracy theory which, to anyone with an IQ > 100, is boring.

Mentions:#SHA

Okay, then don't buy Bitcoin because you're afraid of a backdoor to SHA-256 that only the NSA knows about.

Mentions:#SHA

> If it wasn't, the NSA wouldn't be able to stop it from being broken and we would already know by now.

I don't get the logic, care to explain? If SHA256 was so well understood that it's impossible to find a new attack against it, nobody would be currently researching the security of SHA256... that's what we'd expect to see in the research, right? Let me explain my logic by the way: Think of the 2011 attack against SHA256. Before 2011, it wasn't publicly known. After 2011, it was publicly known. Now imagine some other attack that's "larger" in scope, that would let one break SHA with like a month of current supercomputer processing or something. And imagine it'll get discovered in 2035. That's in the realm of possibilities, correct? So, currently we don't know about that attack. After 2035 we will know about that attack. What if the NSA *currently* knows about that attack, but doesn't make that public for reasons I trust are so obvious I don't need to explain. We wouldn't know, right? And there'd be an attack still. So, attack, that we don't know about. Possible then. Correct? And from there, it really doesn't take a big leap to notice that SHA256 wasn't designed by Microsoft. Or by Cambridge. Or by some random Norwegian researcher in his study. It was designed by, of all organizations, the NSA... Isn't that **the tiniest bit** suspicious? Wouldn't you raise an eyebrow if it was coming from the GRU? I'm sure the NSA would raise an eyebrow in that case... absolutely certain. If SHA256 was so well understood it's perfectly known to be safe, isn't it weird how the US' enemies put considerable resources into designing and implementing their own alternative systems?

> You are just conspiracy-theorizing because you can't conceive of a world where all-powerful government agencies that don't always "win" don't exist.

Yep, note, that's not what's happening here. Government agencies lose all the time. 9/11 for one, and general human incompetence more generally, they fail constantly. That's not what this is about. It's about understanding what's possible, and what the motivations (and even duties) of the various parties are.

Mentions:#SHA

SHA256 is secure today. If it wasn't, the NSA wouldn't be able to stop it from being broken and we would already know by now.

Mentions:#SHA

It's always shocking to me how people think/talk about those things as if they were sure things (be it gold people, bitcoin people, etc). Massive profits almost always come with massive risks. Bitcoin might be a case of massive profits coming with half-massive risks, and gold might be a case of medium benefits coming with medium risks, but the risk's still there. Take gold: it (probably) won't happen overnight, but new technology/industrial development can have massive effects on the gold economy/value, in both directions: maybe next year we discover some superconductive alloy that's partially made with gold, revolutionizes the energy industry, and decuples the demand for gold (and therefore value explodes). But it also works the other way: maybe next year we discover some new way of mining gold (a more efficient way of mining sea-floor nodules, some space-mining technique that's realizable at scale in the coming decade, some new way of extracting it from the Earth's crust that doesn't require mining/processing ore, etc, the possibilities are endless), and if that happens, the value would plummet. Human history is FULL of discoveries like this, especially these past two centuries, ESPECIALLY these past few decades, and it's accelerating/exploding. Gold is *likely* a safe and stable investment. But we CAN NOT know how safe. If somebody pretends they know, they are bullshitting. You do not know what will be discovered tomorrow, you do not know how society and industry will evolve. Maybe it'll become more valuable than platinum, maybe it'll become as common as copper... You don't know. Same is (in different ways) true with Bitcoin: It *might* keep growing in explosive ways the way it has so far. It might also plateau. Or something might appear that has such massively improved utility, it "steals away" most of the crypto market growth/adoption, leaving Bitcoin just a historical curiosity with a slow increase in value. OR it might even completely collapse: it's based on cryptography, and cryptography is famous for algos/techniques some day completely collapsing because of some weird mathematical trick nobody had figured out until then. Look up the history of cryptography. Bitcoin is based on SHA256, and SHA256 was created by the NSA, which provided the primes for it. It's a bit naive to think the reason they created it and promoted it and ensured it's widely adopted isn't that they have *some* way to circumvent it. I don't know if it's certain, but it sure seems likely. [https://eprint.iacr.org/2011/286.pdf](https://eprint.iacr.org/2011/286.pdf) Now the good thing for Bitcoin is, the NSA likely doesn't care about breaking Bitcoin, because they want SHA256 to keep the appearance of security. But **somebody else** might figure out what they did, and the day that happens, our Bitcoins are completely worthless. Even if the network switches, massive amounts of value would be lost. Even if I'm wrong about this specifically, it's still not safe. It's still possible some flaw will come along. It's possible it's impossible, it's possible it's likely. You just don't know. For both gold and bitcoin, you DO NOT KNOW what will happen. That makes them dangerous assets. Which might be worth it considering the profits we've made so far. But people shouldn't operate under the impression this is risk-free, as I hear a lot of people do operate...

Mentions:#SHA

> this is a public key.

Just to clarify, that's not a public key. That's an address which is a hash of a public key. To be specific it's a [RIPEMD160](https://en.bitcoin.it/wiki/RIPEMD-160) hash of the [SHA256](https://en.bitcoin.it/wiki/SHA-256) hash of the public key. For anyone curious on how the address is generated you can [read this wiki](https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses#How_to_create_Bitcoin_Address). It's an important distinction for when quantum computing (QC) becomes more relevant because QC can potentially reveal private keys from their public keys. QC doesn't pose as much of a threat to hashing.

Mentions:#SHA

> Am I retarded for thinking this?

It's not called retarded, it's called uneducated, ignorant.

> Like companies on a stock market but instead traded on blockchain

The main problem of blockchain is that it does not scale. Therefore, if you are saying that "with many use cases that shouldn't be used on the btc blockchain to avoid bloat" you kind of acknowledge that scaling problem, but at the same time you try to solve it with more blockchains. You can't scale blockchain by having more blockchains. If you find some value in some security tokenization something or whatever, you should do it offchain. Unsurprisingly, you can do such offchain things off-bitcoin-chain via e.g. RGB or Taro. However, blockchain is not the genius invention in Bitcoin. Blockchain is just a data structure that has been known before Bitcoin, just like the SHA256 hashing algorithm has been known before Bitcoin, just like ECDSA has been known before Bitcoin, just like Proof of Work has been known before Bitcoin. The genius invention of Bitcoin is how all these previously known pieces were put together and then the difficulty adjustment PoW.

Mentions:#SHA

I explained in detail the reasons why that won't work in another comment, but I thought I'd also write down exactly how the pool/mining process works, on top of that:

1. **Getting Set Up:** When you join a mining pool, you're given a block template by the pool's server. It's got what you need to start mining - minus the full block details. It's like getting the outline of a puzzle without all the pieces, letting you jump straight into cracking the code without knowing every transaction detail.
2. **The Mining Mission:** Your main goal? Find a nonce, a one-of-a-kind number that, when you mash it together with the block data and run it through a crypto hash function (I think for Bitcoin that's SHA256), gives you a hash that fits the network's difficulty level, like starting with a string of zeros.
3. **Nonce Hunting:** This is where you and your computer flex your muscles, trying out nonce after nonce with the block data. It's a high-stakes, number-crunching marathon to find that perfect nonce that leads to the right hash.
4. **Proof of Work:** Hit the nonce jackpot? You send your findings - the nonce and its matching hash - back to the pool. This is your proof that you've done the legwork.
5. **Verification Time:** The pool takes your submitted nonce and partial block data, does the math to get the hash, and checks if it passes the difficulty check. This step confirms you've actually found a legit nonce.
6. **No Shortcuts Here:** Trying to game the system with random nonces or hashes won't work. The pool's check-up process catches any fake attempts since they won't match up with genuine mining efforts.
7. **Coinbase Transaction:** If your work checks out and the block gets mined, the block reward first goes to the pool's address through a coinbase transaction. It's a safeguard that ensures miners can't redirect the reward to themselves. Messing with this transaction would make the block invalid from the pool's perspective.
8. **Splitting the Spoils:** Finally, the pool divvies up the block reward among miners based on the computational work everyone contributed. The share each miner gets is based on the pool's own rules and agreements.

That's the gist of it. Mining isn't just about having powerful hardware; it's about cooperation, precision, and a bit of luck in finding that golden nonce.

Mentions:#SHA
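The check the pool performs in step 5 of the comment above, as an added example (not code from the comment): rebuild the 80-byte header from the template, drop the submitted nonce into its last four bytes, double-SHA256 it, and compare the result with the target expanded from the compact `bits` field. The template values and the easy difficulty are constructed for the demonstration, not a real block.

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash is SHA256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_header(version: int, prev_hash: bytes, merkle_root: bytes,
                 timestamp: int, bits: int, nonce: int) -> bytes:
    """Serialize the 80-byte header: integers little-endian, the nonce is the last 4 bytes.
    prev_hash and merkle_root are given in display (big-endian) order and byte-reversed here."""
    return (struct.pack("<L", version) + prev_hash[::-1] + merkle_root[::-1]
            + struct.pack("<LLL", timestamp, bits, nonce))


def bits_to_target(bits: int) -> int:
    """Expand the compact 'bits' field into the 256-bit target the block hash must not exceed."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3)) if exponent > 3 else mantissa >> (8 * (3 - exponent))


def header_hash_int(header: bytes) -> int:
    """The hash as a number in display order (byte-reversed, big-endian) for the target comparison."""
    return int.from_bytes(double_sha256(header)[::-1], "big")


def header_from_template(template: dict, nonce: int) -> bytes:
    return build_header(template["version"], template["prev_hash"], template["merkle_root"],
                        template["timestamp"], template["bits"], nonce)


def verify_share(template: dict, nonce: int) -> bool:
    """Step 5, the pool's check: rebuild the header from the template it handed out, insert the
    submitted nonce, hash, and compare with the target. A nonce that was not actually found by
    hashing fails this with overwhelming probability, which is why step 6's shortcut does not work."""
    return header_hash_int(header_from_template(template, nonce)) <= bits_to_target(template["bits"])


def search_nonce(template: dict, max_tries: int = 1 << 20):
    """Steps 2-3, the miner's loop: same 76 header bytes, incrementing nonce, until the hash fits."""
    target = bits_to_target(template["bits"])
    base = header_from_template(template, 0)[:76]
    for nonce in range(max_tries):
        if int.from_bytes(double_sha256(base + struct.pack("<L", nonce))[::-1], "big") <= target:
            return nonce
    return None


# Constructed template, not a real block: prev_hash and merkle_root are made-up values, and
# bits=0x2000FFFF is an artificially easy target (about 1 nonce in 256 qualifies) so the search
# finishes instantly; a real mainnet target is far beyond anything a Python loop could reach.
TEMPLATE = {
    "version": 0x20000000,
    "prev_hash": bytes.fromhex("00" * 4 + "11" * 28),
    "merkle_root": bytes.fromhex("22" * 32),
    "timestamp": 1700000000,
    "bits": 0x2000FFFF,
}

if __name__ == "__main__":
    found = search_nonce(TEMPLATE)
    print("nonce:", found, "valid share:", verify_share(TEMPLATE, found))
```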

It's just FUD. There are still many years before quantum computing gets to that point, and we will have time to update the code. Not an expert, but I seriously doubt it will be able to crack 512-bit keys. Either way, SHA256 is embedded in the entire internet and legacy financial system, and if it can't be protected then BTC will be the least of your concerns.

Mentions:#FUD#SHA#BTC

I don't think you understand what I mean. I am highlighting the critical hashing function for the Bitcoin block which secures it. QLDB has NO proof of work mechanism. And no I didn't mean hashing as a means of error correction. And I have no idea why you are talking about records "disappearing". Are you replying to the correct comment thread? You sound like you are rambling. Hash trees (or merkle trees) have been around for a long time. They do secure transactions, but please read the parent comment. He is specifically talking about attacks on the blockchain. I mentioned encryption because I assumed his point about "attacks" which could mean exploits against the ECDSA which is virtually uncrackable at this point of time. But you insisted on talking about hashing again which would be in the context of mining, and asserting that QLDB is as equally secure as Bitcoin where you are wrong again. They both use SHA-256. But like I said, there is no POW mechanism on QLDB. I am disappointed in you.

Mentions:#SHA

Nope. When you use a SHA256 hash it creates a procedural random number. The importance of the function is that it is one way, you can't get back to the original information from the hash. SHA256 is used as part of the process for converting a seed into a private key.

Mentions:#SHA

What's cute is not realizing that quantum computers won't be able to "crack" secret phrases, and any cryptographic primitive that is based on scrambling (SHA, BIP-32, AES, etc...). At best, it will reduce their security by some factor, which can easily be remediated by increasing the block size.

Mentions:#SHA#BIP#AES

Thank you for your response. I apologize if my initial explanation was not clear enough. Allow me to provide more details about the underlying principles of Bitcoin addresses and the specific issue I am facing. In the Bitcoin system, an address is derived from a public key, which in turn is generated from a private key. The process typically follows these steps:

1. A private key is generated, which is a random 256-bit number.
2. The corresponding public key is derived from the private key using elliptic curve cryptography (specifically, the secp256k1 curve).
3. The public key is then hashed using the SHA-256 and RIPEMD-160 algorithms to create a 160-bit hash.
4. This hash is then encoded using Base58Check encoding, which includes a version byte and a checksum, resulting in the final Bitcoin address.

In my case, an issue arose during step 2. When generating the public key, the first character of the first 32 hexadecimal characters of the public key was 0. This led to the first 8 bits of the public key being 0, effectively making it a 248-bit public key instead of the expected 256 bits. Despite this, the incorrect 248-bit public key was used to generate a Bitcoin address following steps 3 and 4. This address ended up receiving some bitcoins. Later, I used the same private key to generate the correct 256-bit public key and derived a different Bitcoin address from it. However, the bitcoins that were sent to the first address (derived from the incorrect 248-bit public key) are not accessible using the private key directly, as the Bitcoin system associates those funds with the incorrect public key and address.

To further illustrate this, consider the two examples I provided:

Example 1:
PrivateKeyHexStr: 1D179D45DF2F02271CD4DAA1114B7226480BBF3DA62D94081CC6228C950F3300
Incorrect Public Key (248 bits): 2C3D118366F853F7A7FCD0E0506A87FD1ED7AD7E19103059A85C0FA8ADED85
Incorrect Address: 13mpPh9UMtSN54GTbjj4ht7S3hzCPhmmVA

Example 2:
PrivateKeyHexStr: 08C5F27C4B0522975583AE6BAE67B2155F5339BA040693335D4A2C4A0A213726
Incorrect Public Key (248 bits): BEC0F8B027D6333EFBBCC87ABD1C2912AB052DE99F391DB3E3EE1EF50708DD
Incorrect Address: 14z6wZb4uGE1iT9osbQGMW75iNS1awCGSe

In both cases, the incorrect public keys and addresses were generated due to the leading 0 in the public key, causing them to be 248 bits instead of 256 bits. I hope this clarifies the issue I am facing. I am looking for ways to recover the bitcoins that were sent to the addresses derived from these incorrect public keys, given that I have the corresponding private keys. If you have any further questions or need more information, please let me know. I greatly appreciate your interest and any help you can provide.

Not quite (I think). Your dice rolls will be compressed, most likely to 256 bits using SHA256, but I'm not sure if that's all that Coldcard does. Let's assume that for now. The checksum doesn't come from your dice rolls, it comes from your initial entropy (which in this case is the sha of the dice rolls). So:

* dice rolls => sha256 => initial entropy
* initial entropy => sha256 => first N bits = checksum
* initial entropy + checksum = bip39
* bip39 => translate with word list => seed words

It looked like in your example, you took the checksum from the initial dice rolls. If you do that, the checksum is not useful. The checksum is something that can always be recalculated by anyone. Checksum validation takes the entropy bits (first 256 bits) from your number, hashes it and compares it to the remaining bits. You can't do that if you use the dice entropy because that information is lost after hashing and we typically throw it away, we have no use for it after we have made our key. The checksum in this form allows us to do some quality checking. If any of the words are changed in the middle, the checksum is broken and we know that something went wrong. Even if the last word changes, the checksum also breaks. There may be other combinations of seed words that have the same checksum, but it is unlikely that one of those combinations is so similar to your original seed words that it can be found by swapping out just one or two words accidentally.

Mentions:#SHA

Now you're just moving the goalposts. We were talking decentralization, and you're talking about 51% cross-chain mining attacks. To answer your question: Bitcoin Cash wouldn't survive because it also uses SHA256 hash. Litecoin wouldn't be affected because it's top-dog for Scrypt hash. But this is completely irrelevant to the measure decentralization, which is based on true Sybil resistance.

Mentions:#SHA

I see where you are coming from. To have a good understanding of any subject, we need to understand the basics or the fundamentals. Then we use that information as a reference to understand more complex ideas. In the context of cryptocurrencies & blockchain technology, a "hash" refers to a fixed-size output generated by a cryptographic hash function. A hash function is a mathematical algorithm that takes an input (data of any size) & produces a fixed-size output, known as a hash value or digest. Hashing plays a crucial role in the security & integrity of blockchain networks. E.g., in the context of Bitcoin mining, miners use hash functions (such as SHA-256) to hash transaction data & create a new block in the blockchain. This process involves solving complex mathematical puzzles to find a hash value that meets certain criteria, known as the "proof of work." Hash functions have several key properties that make them important in cryptography & blockchain technology, including:

1. Deterministic: Given the same input, a hash function will always produce the same output.
2. Quick to compute: Hash functions can generate hash values quickly, making them suitable for use in blockchain networks.
3. Collision-resistant: It is computationally infeasible to find two different inputs that produce the same hash value.
4. Irreversible: It should be nearly impossible to reverse-engineer the original input data from the hash value.

In summary, hashes play a critical role in ensuring data integrity, security, and consensus in cryptocurrency systems by providing a unique and tamper-proof representation of transaction data and other information on the blockchain. Blockchain is a hyped-up word which is just based on hash. As you can see, this has limitations because it is not reversible or scalable, so it will struggle to transact as fast as VISA. When it's not reversible, you can't do a refund.

Mentions:#EG#SHA

See I think this is one of the issues in helping others understand Bitcoin. I've only ever seen detailed explanations like this, or extremely simplified explanations like "lock and key" kind of stuff. Can you explain like I'm 15? I mean, I understand the basics of cryptography... ABCD becomes CADB. I understand that binary is just ON/OFF for computers... but I don't know what "hash" means. So I really just get lost after "cryptographic hash function". I really don't intend to sound insulting at all, I'm just mostly ignorant of what SHA256 is because I don't have a reference point. I don't know what SHA is, or hash, I don't know the name for things that SHA is *not* (like water is not tea is not coffee, but they are all liquid drinks). If that doesn't make sense, I don't really have a starting point for what I don't understand.

Mentions:#ABCD#SHA

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function that belongs to the SHA-2 (Secure Hash Algorithm 2) family of hash functions. It is widely used in various digital security applications, including digital signatures, message integrity checks, and password security. SHA-256 generates a fixed-size output (256 bits or 64 characters) from an input message of any size. This output, called a hash value or digest, is unique to the input message and serves as a digital fingerprint that can verify the integrity of data. Even a small change in the input message will result in a significantly different hash value. SHA-256 is considered to be secure and resistant to collision attacks, where different inputs produce the same hash value. It is commonly used in blockchain technology, such as in the mining process for cryptocurrencies like Bitcoin, where SHA-256 is used to hash transactions and create new blocks in the blockchain. In summary, SHA-256 is a powerful cryptographic hash function that plays a vital role in ensuring the security and integrity of digital data and communications.

Mentions:#SHA

Quantum isn't magic, it would still take a very long time unless there's a flaw in SHA256. And post quantum encryption already exists.

Mentions:#SHA

# Dogecoin Con-Arguments

Below is a Dogecoin con-argument written by Chysce.

> Dogecoin was [launched in 2013](https://en.wikipedia.org/wiki/Dogecoin#:~:text=In%20addition%2C%20they%20wanted%20to,making%20the%20idea%20a%20reality) as a satirical response to the hype surrounding crypto. In 2015, its creators stepped away from the project. The aim of its creators was to develop a coin that would not be taken seriously by investors, however despite their intentions, Dogecoin still attracted a significant number of speculators. In fact, it became the world's largest memecoin during the first half of 2021, with its value rocketing over 15,000%.
>
> Like Bitcoin, Dogecoin uses proof-of-work to validate transactions. Doge is merge mined at the same time with litecoin. There are [speculations](https://cointelegraph.com/news/rumor-has-it-that-dogecoin-could-shift-to-proof-of-stake-what-does-that-mean-for-miners) that Doge will switch to Proof of Stake soon but there is no definitive news on this as of yet.
>
> **>> Doge has no intrinsic value**
>
> In the very essence Doge has no value. Apart from [sporadic use](https://coingate.com/blog/post/doge-support-much-wow) for online tipping or as a means of payment for some businesses, it does not have a unique use case or solve any real-world problems. Its value is solely based on its popularity. While this can produce exciting short-term gains it is not a viable strategy for long-term investing.
>
> **>> High Volatility**
>
> The price of Doge is highly volatile, making it a risky investment. Its price is mostly driven by Elon Musk's tweets and memes. Nowadays there are even bots that market buy Doge whenever Elon tweets something about it. These pumps are short lived and can cause a big spike in liquidations for unprepared investors. Elon Musk also appears to have distanced himself from Dogecoin in recent times. He did not include Dogecoin as a payment option for Twitter, and he also [tweeted](https://twitter.com/elonmusk/status/1631720134636367872?lang=en) that he is more interested in AI than crypto as of late.
>
> **>> Unlimited supply**
>
> Unlike Bitcoin, Dogecoin has [no hard cap](https://www.sofi.com/learn/content/will-dogecoin-ever-be-capped/) on the total supply, which means it could potentially be inflated indefinitely. Its current supply increase is [~4% per year](https://www.analyticsinsight.net/heres-what-you-need-to-know-about-dogecoin-inflation/#:~:text=For%20anyone%20buying%20Dogecoin%20to,4%25%20in%20price%20each%20year).
>
> **>> Lack of Development and future narratives**
>
> Dogecoin has a relatively small development team, and the project has not seen significant updates or improvements in recent years. Additionally very few people run full nodes. Finally there is no clear long-term narrative that could cause its wide adoption.
>
> **>> Security**
>
> Dogecoin's mining algorithm is less secure than others, making it more susceptible to 51% attacks. Doge uses a different mining algorithm than Bitcoin, called [Scrypt](https://learn.bybit.com/altcoins/how-to-mine-dogecoin/), which is generally considered less secure than Bitcoin's SHA-256 algorithm. [Scrypt was designed to be more memory-intensive](https://cryptobook.nakov.com/mac-and-key-derivation/scrypt), making it harder for ASIC miners to dominate the network and creating a more level playing field for CPU and GPU miners. However, this also makes it easier for attackers to launch 51% attacks.
>
> On top of that Doge has a much smaller mining community and less overall network hash rate than Bitcoin. This means that it could be more vulnerable to attacks from miners who control a large portion of the network's hashrate.
>
> And finally Doge's unlimited supply means that there is less of an incentive for miners to secure the network.

*****

Would you like to learn more? Check out the [Cointest archive](/r/CointestOfficial/wiki/cointest_archive#wiki_Dogecoin) to find submissions for other topics.

Mentions:#SHA#CPU#GPU

It's built into the way Bitcoin was designed to be distributed. The "mining" process is designed to only yield Bitcoin when you solve a cypher (coded formula) and arrive at a certain answer, specifically an answer that is very rare. Think like a mining tunnel, you don't know where a vein of gold is. You just have to keep cutting away until you find that sweet spot. So a cypher text is created, and your computer has to run an algorithm to figure out the "answer" to it. Let's say you could *guess* at it, you'd be trying to find a number between 0000000000000001 and 9999999999999999. So guessing is not possible. Basically "solving" the problem means taking the cypher and applying several mathematical formulas to arrive at the answer! The correct answer is usually a low number, beginning with about 6-7 zeros. The difficulty of the cypher text is updated frequently, by the program that generates the cypher text, to be more or less difficult to arrive at that rare number. Think like an escape room vault that you have 10 minutes to break out of. There are 8 security measures you have to get past to get out of the vault. If it's just you, the Escape Room makes it not too difficult to get through each one and escape, so that any one person could do it in about 10 minutes. If there are 100 people, the odds that people could do it much faster increase, so the Escape Room makes it more difficult, because the first person out gets the reward! This is by design, so that rewards are given out approximately every 10 minutes. Currently, there are a lot of "miners", so the process that generates the cypher creates a problem that requires an answer that is more rare (longer codes on the vault doors). Having more processing power means that you can run the algorithm more times per second, and therefore you have more opportunity to solve the problem before others do. This, in turn, makes it a faster process, so difficulty increases. When there are fewer "miners", difficulty decreases and your odds of finding the block reward (the vein of gold, or the correct codes to the Escape Room) increase. I hope that's helpful! I'm not a Bitcoin engineer, so my analogies may not be spot on, but this is the easiest way I can think to describe it while still understanding what is happening. If you want to dive further you'll need an understanding of SHA256, and I cannot help you there because that's above my head.

Mentions:#SHA

Exactly, imagine the first time a quantum computer starts looking at SHA256, but at that point, we’ve got bigger problems

Mentions:#SHA

When I say "2048" I'm talking about the number of PBKDF2 SHA-512 iterations. See: [https://stuff.birkenstab.de/pbkdf2/](https://stuff.birkenstab.de/pbkdf2/)

Mentions:#SHA

Thanks again!

> "Data = S". It defines "S" in the immediately previous line (but again, with BIP 39, S comes from the procedure you implemented instead of an RNG). Data is one of the arguments to the HMAC-SHA512() function, and it's saying to set it equal to S. Similarly, set Key equal to the string "`Bitcoin seed`".

Is data S what the PBKDF2 calls a "salt"?

Mentions:#BIP#SHA

> I have no idea what "(P)RNG", "Data = S" and "parse256" mean

* (P)RNG = (pseudo-)random number generator.
* "Data = S". It defines "S" in the immediately previous line (but again, with BIP 39, S comes from the procedure you implemented instead of an RNG). "Data" is one of the arguments to the HMAC-SHA512() function, and it's saying to set it equal to S. Similarly, set Key equal to the string "Bitcoin seed".
* parse256() is another function, defined elsewhere in the BIP, which just treats a 32-byte sequence as a 256-bit number.

That said, BIP 32 is not the easiest to read if you don't have a background in cryptography (or at least math writing in general). I, too, have trouble with it. But the main thing to get out of that section is: seed goes in, master extended private key comes out.

Mentions:#BIP#SHA

Thank you. I've been reading that for the last 40 minutes, but some things are confusing. Sometimes it says "seed" but I don't know if it's talking about the mnemonic words or the result we get when we put the mnemonic words through PBKDF2 SHA-512. Also, I don't get if "extended private key" and "master extended private key" are the same thing.

Mentions:#SHA

The image shows an implementation of [how BIP 39 specifies to convert a mnemonic phrase to a BIP 32 seed value](https://en.bitcoin.it/wiki/BIP_0039#From_mnemonic_to_seed), which is exactly what a large number of Bitcoin wallets do. While Bitcoin itself runs on SHA-256, the processing of mnemonics uses SHA-512.

Mentions:#BIP#SHA

Do you know where the SHA-256 and secp256k1 a and b parameters are coming from? Funny enough, you trust something that we do not know if there are backdoors in (sadly, I would not be surprised if there are...), while you do not trust closed source organizations.

Mentions:#SHA

He did use NSA methods though. SHA-2 is made by NSA and two rounds of SHA-2 in case SHA-2 becomes slightly less secure than it seems now is just obvious if you read and understand what the NSA published openly.

Mentions:#SHA

Mining is less of an issue with QC than pubkey reversal. Harping about SHA when QC is mentioned is what is referred to as "confidently incorrect." ECDSA is at much higher risk.

Mentions:#SHA

This is a different topic. This is talking about SHA-256, mining, and 10-minute windows. That's not where Bitcoin is most vulnerable. What we're concerned about are the older public-private key pairs, and elliptic curve cryptography associated with asymmetric encryption.

Mentions:#SHA

Depends on what you're thinking about. I don't think quantum computers will overtake bitcoin mining. It would simply cost too much. One thing I tend not to hear actually is about how efficient quantum computing is compared to bit computing. For sure it will be faster, but how much power does it take to reach that speed? If we're talking about cracking addresses, there's SHA256, there's the ECC algorithm, there's usually some SHA512 in HD wallets (which is basically all wallets now). So cracking an address is hard and cracking a wallet is even harder. I just don't think it's worth being worried about right now.

Mentions:#SHA#ECC

One of the most significant threats quantum computers pose to SHA-256 is their ability to efficiently perform Shor’s algorithm. Shor’s algorithm can factor large numbers exponentially faster than the best-known classical algorithms, which could compromise the security of widely used encryption methods like RSA and ECC. These encryption methods often rely on the difficulty of factoring large numbers for their security. Quantum computers also threaten the security of hash functions like SHA-256 by utilizing Grover’s algorithm. Grover’s algorithm can search unsorted databases quadratically faster than classical algorithms, making brute-force attacks on hash functions more feasible. While a 256-bit hash is still considered secure against classical attacks, it is theoretically as secure as a 128-bit hash against quantum attacks.

Mentions:#SHA#ECC

1. Yes
2. No. People are starting to understand that they should value bitcoin; also, as the perceived value goes up, people can afford less and so they lose less. It's not a concern.
3. No, quantum computing can break certain cryptographic algorithms, but we know which algorithms might be cracked because there are programs pre-written that just need a certain level of resources. We're not there yet, but they will be the first to be attacked, then maybe more algorithms will become vulnerable as people learn more about quantum computing beyond just theory. That's another thing really, these programs are theoretical, they may not be as reliable as we expect them to be even with resources. Things do not always scale predictably in nature. SHA256 is not one of those algorithms that can be cracked with quantum computing afaik, there are no shortcuts in a system based around randomness unless we discover some universal fact that randomness is not really random.

There are things to be concerned about with Bitcoin, scaling is a real problem and altcoins/shitcoins are NOT the solution, never have been, never will be. Researchers, developers, investors, we need them all to keep pushing and finding ways to advance in this area. We have a fund for research into "cross input signature aggregation" which would be a massive win, we have lots of people researching and trying to get their heads around all of the covenants specs out there. These things take time to develop and so as much as we want everyone to get on board with Bitcoin, we don't want adoption to come too quickly either. We need to make sure people don't settle with custodial solutions on top of Bitcoin, because then they don't really have bitcoin, but they do really think they have it and understand it which makes educating people about it even harder than it is now.

Mentions:#SHA

> doesn't that mean the seedphrase is on the blockchain or floating around somewhere online?

It's understandable that you would think this, because very few of us are familiar with the existence of "one way" mathematics operations such as those used in cryptographically secure hash operations. Your seed phrase represents, in human-friendly form, "entropy" that is input to an algorithm that deterministically (that is, reproducibly, not randomly) produces a secret number from a REALLY, REALLY big number space. The algorithm is irreversible; there is no known math that can be used to rediscover the entropy from the seed. The [BIP-39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#user-content-From_mnemonic_to_seed) sums it up as:

> To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).

So that's how a wallet -- ANY wallet -- can recreate a seed without having to consult the blockchain or a server somewhere. Likewise, the seed (a number) is used as input to another algorithm that, along with an index number (0, 1, 2, ...) deterministically produces private keys.

> This seed can be later used to generate deterministic wallets using BIP-0032 or similar methods.

The fascinating consequence of the "one way math" functions used in these algorithms is that, while private key #2 and private key #1 can always and at any time be recreated from the seed by following the algorithm, there is no known algorithm for directly linking private key #2 to private key #1, or for producing private key #2 from private key #1, or for reverse engineering the seed from any (or all!) of its private keys.

Mentions:#BIP#SHA

If quantum computers become mainstream, crypto is the absolute least of our concerns. SHA1 Algos could be brute forced in seconds. Passwords, encrypted messaging, secure WiFi, all would be an open book

Mentions:#SHA

I just love SHA256 <3

Mentions:#SHA

Definitely safer than using SHA-57

Mentions:#SHA

Read The Price of Tomorrow by Jeff Booth. It isn't even primarily a Bitcoin book, it just talks about life and technology being deflationary. Once you understand that the base layer of what we call "money" is broken, you can understand why we might need something like Bitcoin. Be extremely cautious of anyone who suggests to you that Bitcoin is outdated. How many people alive do you think can accurately describe what SHA-256 hash algorithms are or what the difficulty adjustment is without Googling? If you don't know what these things are, you don't understand what Bitcoin is on the very most basic level. This is about 99 out of 100 people on this planet. People will con you into believing that the best gains are to be found in some shitcoin that is an unregistered tech company or an outright rugpull scam. People's greed and ego often will make these arguments sound compelling. You have to put your ego aside and realize there is no real get rich quick scheme. Bitcoin isn't going to make you rich, but it can guarantee that over long periods of time, government monetary policies won't make you poorer. Stack your sats, stay humble.

Mentions:#SHA

He is helping people out, you're just trying very hard to not understand on purpose. If you have spent the many, many, many hours it takes to understand what Bitcoin is and WHY - you know that we are still very early. Bitcoin is still the "next Bitcoin." Less than 5% of humans (and that is an extremely generous number) hold any amount of satoshis. How many humans alive out of 100 can accurately describe what SHA-256 hash algorithms are or what the BTC difficulty adjustment is without Googling? If you still are wondering "what the next Bitcoin is," you don't even know what Bitcoin is for now.

Mentions:#WHY#SHA#BTC

Without electricity there's no need to have something as complex as SHA256 for hashing and ECDSA for signing. Networks existed before electricity, starting around the agricultural age. So, yes, a version of Bitcoin can run on steam and mail pigeons.

Mentions:#SHA

I use the dice roll method for entropy. Run a string of 99 dice rolls through SHA256 and you have 256-bit security. Then [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) from there. [seedsigner](https://seedsigner.com/) has an easy-to-read [python version of this](https://github.com/SeedSigner/seedsigner). Disclaimer: many experts such as Andreas and Kratter do not recommend this since you could screw it up if you don't know what you're doing.

Mentions:#SHA#BIP

It's a good point. I have always preferred running 99 dice rolls through SHA256 as initial entropy. This way I know 100% that it's not compromised by illicit manufacturing, since I can verify the computation against publicly known seeds. I actually scraped some code from [seedsigner](https://seedsigner.com/) to do this for my own wallets. However, the Jade does use a few sources of [personal and environmental entropy](https://help.blockstream.com/hc/en-us/articles/9640569620761-How-does-Blockstream-Jade-generate-it-s-recovery-phrase) such as user input, photos, temp, etc., in addition to the [virtual secure element model](https://help.blockstream.com/hc/en-us/articles/13745404122265-Does-Blockstream-Jade-have-a-secure-element). I wonder if it satisfies your concern about an untrustworthy manufacturer. People probably think these discussions are crazy, but imo if you're going to be a little paranoid, you might as well be all the way paranoid and make sure your set-up is completely trustless.

Mentions:#SHA

It doesn't change the process for generating the mnemonic sentence. A passphrase is (optionally) used later, when the wallet calculates a 512-bit seed from the mnemonic. See [From mnemonic to seed](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#user-content-From_mnemonic_to_seed):

> A user may decide to protect their mnemonic with a passphrase. If a passphrase is not present, an empty string "" is used instead.

> To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).

Mentions:#SHA

> 1, Would flipping a coin 256 times BUT each alternate flip I reverse the result, would I eliminate coin side bias from my new number? ie be as random as possible?

No. Think about this in the extreme: a coin so biased that it ALWAYS lands on "heads". The naïve user cluelessly records the outcome as HTHTHTHT.... which is a guessable pattern. To eliminate coin side bias you'd have to RANDOMLY (not periodically) reverse the result of the coin flip ... which brings you right back to the original problem. But if you find your 256 flip outcomes are between 45% and 55% heads, I wouldn't worry about it.

> 2, If I were to flip a coin 256 times how do I convert offline resulting binary number into bip39?

Short answer: see [Generating the mnemonic](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#generating-the-mnemonic). Long answer:

1. Compute the SHA256 hash of your 256 bits of entropy. The first 8 bits of this hash output will be your checksum value.
2. Append the 8-bit checksum to the 256 bits of entropy, creating a 264-bit number.
3. Partition the 264-bit number into groups of 11 bits.
4. Convert each 11-bit number to a decimal number (0 to 2047), then add 1.
5. Use each number as the index for a word in one of the BIP-39 [word lists](https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md).

Mentions:#SHA#BIP

They come from the HMAC-SHA512 hashing algorithm. https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#user-content-From_mnemonic_to_seed:

> To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).

Mentions:#SHA

Do you know how a wallet (specifically, an HD wallet) normally uses a seed phrase?

1. Calculate I = HMAC-SHA512(Key = "Bitcoin seed", Data = <seed>)
2. Split I into two 32-byte sequences, IL and IR. Use parse256(IL) as master secret key, and IR as master chain code.
3. In case parse256(IL) is 0 or parse256(IL) ≥ n, the master key is invalid.

Why is your suggestion - to use a SHA-256 hash of the seed as THE ONE AND ONLY private key - better than the standard?

Mentions:#SHA#ONE

SHA256 hashes are not useful for training AI. At least as I understand it.

Mentions:#SHA

> Is it possible to create a seed that is not bip39 interpretable?

That depends on what you mean by "interpretable". A seed is just a number. If you give a number to a function which is expecting a BIP-39 mnemonic sentence, it will not "interpret" it as such.

> As I understand it, seed addresses are 256 1s & 0s?

Seeds are. "Seed addresses" aren't a thing.

> So if those 256 digits are split to create a 39 seed phrase, presumably all possible seed addresses can be converted to a BIP 39 pass phrase?

That's not how BIP-39 works. 128 to 256 bits of *entropy*--not the seed--are split into 11-bit chunks. Each chunk identifies a word in the 2048-word word list. 12, 15, 18, 21 or 24 words from that list form a mnemonic sentence.

> what is the additional custom 25th word doing to the original 24 words?

The [algorithm](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#user-content-From_mnemonic_to_seed) that converts a mnemonic sentence - or seed phrase - into a seed starts with a *salt* value. If you provide a passphrase, the salt is "mnemonic" + <passphrase>. If you don't provide one, the salt is "mnemonic":

> To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes).

Mentions:#BIP#SHA
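
The BIP-39 and BIP-32 steps quoted in the posts above (entropy plus checksum to word indices, PBKDF2-HMAC-SHA512 from mnemonic to seed, and HMAC-SHA512 from seed to master key with the validity check), as an added Python example that is not code from any commenter or from the BIP reference implementations. It generalises the 256-bit dice/coin procedure to every BIP-39 entropy size, and its sample input is the public all-zero-entropy test vector with passphrase "TREZOR"; the 2048-word list is not embedded, so the block produces word indices rather than words.

```python
# Added example (not from any post above): the BIP-39 / BIP-32 steps the
# commenters quote, using only the standard library. Sample values are the
# public BIP-39 test vector (all-zero entropy, passphrase "TREZOR").
import hashlib
import hmac
import unicodedata

# Order n of the secp256k1 group, needed for the BIP-32 master key check.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """Return 0-based BIP-39 wordlist indices for 128..256 bits of entropy.

    Checksum = first ENT/32 bits of SHA256(entropy): 8 bits for 256-bit
    entropy as the dice/coin post describes, 4 bits for 128-bit. The
    concatenation is cut into 11-bit groups. Indices here are 0-based
    positions in the wordlist file; the post's "add 1" gives line numbers.
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent_bits)
    bits += bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:cs_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, 64 bytes.

    Both inputs are NFKD-normalised as BIP-39 requires. The 2048 here is the
    iteration count, unrelated to the 2048-word list (both happen to be 2^11).
    """
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master key: I = HMAC-SHA512(Key="Bitcoin seed", Data=seed).

    IL is the master secret key and IR the master chain code. parse256(IL)
    must satisfy 0 < IL < n, otherwise the seed is invalid and is rejected
    rather than silently reduced mod n.
    """
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    il, ir = i[:32], i[32:]
    k = int.from_bytes(il, "big")  # parse256(IL)
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key for this seed; use another seed")
    return il, ir


if __name__ == "__main__":
    # Constructed walkthrough on the public test vector.
    indices = entropy_to_word_indices(bytes(16))   # 11 x "abandon", then "about"
    print(indices)                                  # [0, 0, ..., 0, 3]
    words = " ".join(["abandon"] * 11 + ["about"])
    seed = mnemonic_to_seed(words, "TREZOR")
    print(seed.hex())                               # starts c55257c360c07c72
    master_key, chain_code = seed_to_master_key(seed)
    print(master_key.hex(), chain_code.hex())
```

Changing the passphrase changes only the salt, so the same 12 or 24 words yield a completely different seed and hence different keys, which is the "25th word" behaviour discussed above.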

I've always felt it was backed by a lot of things but mainly the transactional network is where it gets its worth. It's backed by SHA256, considered a very secure encryption. Its value is backed by its set scarcity, making it more valuable than gold one day, yet more gold can be found and money can be overprinted. It's backed by the blockchain concept, only one miner has to survive to regrow the transactional network, an EMP blast can then be survived. The same could not be said about the banking system, if an EMP hit then they would probably destroy evidence as it acts as a smokescreen to steal everyone's money.

Mentions:#SHA#EMP

This is the essence of BTC. The problems being solved are defined by the code which birthed BTC, written by Satoshi Nakamoto. The specific fancy math problem is called SHA-256 if you'd like to read more about it. The process of solving this problem is called "proof of work". I was going to write out my own explanation but I think this did it better than I could:

> "The mathematical problems in Bitcoin mining are actually cryptographic hash functions which are needed for transaction verification so that new blocks can be added to the Bitcoin blockchain. Bitcoin miners compete with one another to find a value that, when hashed with the SHA-256, the previous block's hash, and the current block's data, produces a result that passes certain criteria (called the difficulty target) set by the Bitcoin network. For security reasons, the math problems in Bitcoin mining change with every new block created. This process of continuity is made possible by the ever-changing hash functions of previous and current blocks. All in all, Bitcoin miners aim to find the correct "number only used once" (also called nonce) to meet the requirements of a condition known as Proof of Work (POW). This process entails high computational power and energy due to its trial-and-error method."

Mentions:#BTC#SHA

After some googling, I turned up a research paper noting that while it's highly improbable a quantum computer could ever compromise Bitcoin's SHA256 hashes, there really is an attack vector for Bitcoin's transaction encryption that might be more likely. Here's the relevant quote:

> Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) that relies on the hardness of the Elliptic Curve Discrete Log Problem (ECDLP), and a modified version of Shor's algorithm can provide an exponential speedup using a quantum computer for solving this problem.

However, the attack would have to succeed within the 10 minute window that the transaction is held in the blockchain's mempool. The researchers noted that even a 300 million qubit quantum computer would need an hour to perform the calculation. I believe the largest known quantum computers today are more like 1000 qubits, so it's still quite a ways off and we should have plenty of warning before computers like that are available. Here's a link to the paper for those interested in the math: [https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching](https://pubs.aip.org/avs/aqs/article/4/1/013801/2835275/The-impact-of-hardware-specifications-on-reaching)

Mentions:#SHA

Isn't it more a question of finding SHA256 hash collisions rather than breaking encryption? And even if you have a working quantum computer, you're going to need an algorithm that can reverse an SHA256 hash. I haven't kept up with latest quantum computer algorithms but as far as I know, no one has any idea how to do that. There are some general purpose quantum algorithms which could shave some time off brute force attacks but not enough to be practical (maybe it takes a million years instead of billions to reverse one hash or something like that). But even if we get a big enough working quantum computer AND someone invents a quantum algorithm that can reverse the SHA256 hash, I assume Bitcoin could just swap to one of the quantum-proof hash algorithms. Ideally you'd be able to see it coming soon enough to start developing ASICs that run the new algorithm so you could build new miners but, otherwise, it would just be software upgrades.

Mentions:#SHA

Here's a hint. SHA-256 is the encryption algorithm used by the network that you erroneously claimed doesn't exist. Come back when you learn a thing or two.

Mentions:#SHA

Quantum computing is not broad spectrum. It requires a very specific application to be successful. One can safely assume that if SHA-256 is cracked, something else will take its place that presents a greater challenge.

Mentions:#SHA