Thread: Bitcoins HACKED
04-06-2013, 07:34 AM
dyna mo
The People's Post
Join Date: Dec 2008
Location: invisible 7-11
Posts: 63,920
sha-3 for btc?

Quote:
The only known way to ascertain the security of a cryptographic algorithm is to leave it under close scrutiny of hundreds of cryptographers for several years, and see what comes out. So the right perspective here is historical.

MD5 was published in 1992; it was actually designed the year before (1991). In 1993, first weaknesses were spotted, then bigger weaknesses in 1996 (collisions on the compression function, found by Dobbertin). It took 8 years for these weaknesses to be turned into actual collisions by Wang, in 2004. Seven years later, in 2011, we can create MD5 collisions at will (and much more efficiently than with Wang's original method), but preimage and second-preimage resistances of MD5 are still as good as ever.

From this we can infer that when weaknesses are found in a hash function, they do not appear overnight: we have quite some time to react. Also, the first MD5 weaknesses were discovered only one year after its publication, and that was in the early 1990s, when public research in cryptography involved far fewer people than nowadays.

Let's see what this gives for SHA-256: first published in 2001; ten years later (2011), we still have no clue whatsoever on the slightest hint of a weakness. This would be suggestive that SHA-256 is indeed robust, and collisions for SHA-256 are not just right around the corner. Also, I have not looked in full details at the Bitcoin protocol, but it seems that collisions are not a real danger for Bitcoin -- it rather relies on preimage resistance, for which not only SHA-256 is rock solid, but even MD5 would still be reliable.

However, it is dangerous to make statistics on a single measure. In 2007, it was estimated that there was a relatively high risk that the attacks on MD5 could be transported to SHA-1 and then SHA-256/512 -- this prompted NIST to organize the SHA-3 competition. It turned out that attacks on SHA-1 have somehow stopped progressing, and there is no attack on SHA-2. Whether this is because SHA-2 is really robust, or because all the cryptographers are busy trying to break the SHA-3 candidates, is not known (but my opinion is the former: SHA-2 is a secure hash algorithm).
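The quoted argument rests on the difference between collision resistance and preimage resistance: a generic collision search costs about the square root of what a generic preimage search costs, which is why collision attacks are what falls first and why a protocol that only needs preimage resistance has a much larger margin. The following is an added example, not code from the forum post or from any of the cryptographers cited, that makes that gap measurable by running both generic searches against SHA-256 truncated to a small width. The width (20 bits), the counter-derived message format, the search cap and the target string are all assumptions chosen so the run finishes in seconds; the measured ratio, not the absolute numbers, is the point.

```python
import hashlib
import math

# Added example (not from the forum post): compare the cost of a generic
# collision search with a generic preimage search on a hash truncated to a
# few bits. TRUNC_BITS is an assumption chosen so the demo finishes quickly.
TRUNC_BITS = 20


def truncated_hash(data: bytes, bits: int = TRUNC_BITS) -> int:
    """Top `bits` bits of SHA-256(data), modelling a toy hash of that width."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_bound(bits: int) -> float:
    """Expected evaluations before the first collision on a bits-wide hash
    (sqrt(pi/2 * 2**bits), the birthday paradox estimate)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int = TRUNC_BITS):
    """Generic collision search: hash distinct counter-derived messages and
    stop when a truncated digest repeats. Returns (msg_a, msg_b, evaluations).
    Deterministic because the messages are derived from a counter."""
    seen = {}
    counter = 0
    while True:
        msg = b"collide-%d" % counter
        counter += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg


def find_preimage(target: int, bits: int = TRUNC_BITS, limit: int = 2 ** 23):
    """Generic preimage search: try counter-derived messages until one hashes
    to `target`. Expected cost is 2**bits evaluations; `limit` caps the work
    (assumption: 2**23 keeps a 20-bit search well under a minute in CPython).
    Returns (msg, evaluations) or (None, limit) if the cap is hit."""
    for counter in range(limit):
        msg = b"preimage-%d" % counter
        if truncated_hash(msg, bits) == target:
            return msg, counter + 1
    return None, limit


def compare_costs(bits: int = TRUNC_BITS) -> dict:
    """Run both searches at the same hash width and report measured versus
    theoretical cost side by side."""
    a, b, collision_evals = find_collision(bits)
    assert a != b and truncated_hash(a, bits) == truncated_hash(b, bits)
    # Constructed target: its preimage is not one of the counter-derived
    # messages, so the search has no shortcut to the answer.
    target = truncated_hash(b"block header we want to forge", bits)
    pre, preimage_evals = find_preimage(target, bits)
    return {
        "bits": bits,
        "collision_pair": (a, b),
        "collision_evals": collision_evals,
        "collision_expected": birthday_bound(bits),
        "preimage_msg": pre,
        "preimage_evals": preimage_evals,
        "preimage_expected": float(2 ** bits),
    }


if __name__ == "__main__":
    r = compare_costs()
    print(f"{r['bits']}-bit truncated hash")
    print(f"collision: {r['collision_evals']} evaluations "
          f"(birthday estimate ~{r['collision_expected']:.0f})")
    print(f"preimage:  {r['preimage_evals']} evaluations "
          f"(brute-force estimate ~{r['preimage_expected']:.0f})")
```

At 20 bits the collision search typically finishes in a little over a thousand evaluations while the preimage search needs on the order of a million; scaling the same formulas to a full 256-bit output gives roughly 2^128 against 2^256, which is the asymmetry the quote relies on when it says that even MD5, whose collisions are now cheap, still offers meaningful preimage resistance.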