Is bitcoin mining itself compromising the security of SHA256

Following good scientific practice I propose a Theory/Hypothesis and now ask you to test it.

Initially this is a "thought" experiment but may progress to real testing depending on your thoughts. Back to the initial question first; My question: Is bitcoin mining itself compromising the security of SHA256?

Possible answers:

Yes (maybe qualified by "in some way" ,etc).
No (Not at all because...xxx ,Not unless...YYY).
Maybe (??).

The hypothesis is this:

SHA256 is extensively used in many applications (including Bitcoin). It would be of great advantage for many persons, organisations and (not least) governments/military/NSA (etc) to be able to "crack" it.

Cryptographic experts have so far failed to crack SHA256 and only a small number of defects (possible collision scenarios) have been declared which although reducing the theoretical security (of a brute force attack) do not compromise SHA256 in practical use.

SHA256 look up tables exist for e.g. dictionary attacks and are very fast to use particularly for shorter passwords (<8 character). To extend the possibility of using look up tables for longer inputs a huge amount of computing power is needed to run many Terra inputs through SHA256.

This power is impractical to set up and run (cost of hardware, manpower, etc) and if it were set up e.g. by NSA using a super-computer it existence would be apparent and therefore usage of SHA256 would decline as it would be assumed that they wouldn't do that unless they thought they would get a result so users of SHA256 would migrate to a more secure system (e.g. SHA3 series). Therefore what NSA (or whoever) need is a "covert" way of "testing/running" SHA256 and gathering the results.

Is bitcoin mining with its daily 4000+ TH/s power, funded and manned entirely by users of the hardware hoping to gain Bitcoins (and hoping they are worth some real $$) really performing a service for the NSA (or someone) and effectively "hiding in plain sight"?

Methods of testing this hypothesis are invited.

user3023094

Posted 2013-11-23T08:57:22.577

Reputation: 247

Related question: Has mining created enough technology to solve SHA256, such as ASICs, that SHA256 is weaker for other purposes than it would be otherwise? In other words, can the NSA, its foreign counterparts and other hackers now break some encryption more easily than before the advent of SHA256 ASICs? – Random Walker – 2013-11-23T10:12:01.907

This should maybe be posted as a separate question and linked. – LJNielsenDk – 2013-11-23T11:53:29.843

Thanks Random Walker for putting a different spin on my question. Certainly there is now a lot of SHA256 specific hardware about in the hands of bitcoin miners and the development of ASIC for SHA256 has been enhanced. Who knows how much of the ASIC chips have been sold "elsewhere" (other than mining rig manufacture) ? It certainly helps offset the developement cost if we have a real world customer base (miners) as well as XXX code cracking company. – user3023094 – 2013-11-23T19:24:57.460

possible duplicate http://bitcoin.stackexchange.com/questions/9320/can-the-bitcoin-network-be-used-for-cracking

– Nick ODell – 2015-02-08T19:18:07.710

Answers

With a look up table you can avoid calculating the hash of a given input twice. Indeed, the block chain can be considered as a giant look up table, but one with very special forms of inputs: It links blocks and transactions to their hashes.

Though, why should someone choose a transaction or block as her password? Further, why would an attacker even try to look up a hash of a password in the block chain? He would have to assume in advance that the password is a transaction or a block (don't forget that even looking something up consumes some resources).

jnnk

Posted 2013-11-23T08:57:22.577

Reputation: 1 860

True, but the target has a very specific format starting with many 0000 so you are also testing hash inputs to create a specific subset of possible outputs. I'm not suggesting the results of bitcoin mining hashes are the raw data for the lookup table but are useful in creating a bigger lookup table. Generally used passwords are often under 12 characters length so SHA256 hashing of 2 different short passwords has a huge amount of the same (blank characters) input c.f. target 000000s. – user3023094 – 2013-11-23T09:58:27.967

For a 12 character password, even assuming each character uses a full 8 bits, you can exhaustively try every hash faster (evaluating 2^96 hashes) than finding a single random collision in the full hash (which, on average, would require evaluating 2^128 hashes). The other miners give you less advantage than you'd get from using their machines to try and record every single hash they do, and even then this computing power would be far too slow to help. – pyramids – 2013-11-23T10:21:11.737

It would reduce the amount of work you would need to make a complete table if that is what you're trying to do. How useful this part is itself is a good question. – LJNielsenDk – 2013-11-23T11:15:36.530

Have a look at crackstation.net. They have a partial lookup table for SHA256 for short passwords, it works and is fast. – user3023094 – 2013-11-23T19:15:20.987

Hardly. Whilst you are correct that what people are doing is a massively parallel search for double-SHA256 hash collisions to hash outputs near zero, you can only take advantage of the result if you actually find a collision.

So how often can we get a collision? If it were not for Bitcoin, with 2^256 possible inputs and the hash believed to not have any weaknesses, you'd statistically expect you have to try 2^128 or about 10^38 hashes to find a single collision in what is called a birthday attack. Hopeless today and tomorrow.

With Bitcoin, you might hope to take advantage of hashes that miners found and published in the blockchain. There are two problems: First of all, you only see these published blocks, so the advantage goes into having helpers to reduce the 2^256 possibilities, not the square root of the resulting number (the expected number of known hashes you need for a birthday attack). But for the sake of the argument, let us say you are the miners and record every hash you try. Then all that Bitcoin gives you is some reward for running your machine, currently with about 6000 Tera hashes per second. With such computing, you will still, statistically, need >10^15 years to get a single hash collision. I'd say there is zero danger to double-SHA256 from this (and, by the same argument, SHA256 which you could attack by recording the intermediate single-SHA256 results).

pyramids

Posted 2013-11-23T08:57:22.577

Reputation: 2 978

I consider a collision to be only one possible weakness of any SHA. All SHA must by definition have possible collisions where the output is shorter than the input. Discovering one or more will be a weakness than can be exploited but the probability of collisions is already lower than 2^128, I think I saw a reference to 2^50ish somewhere. Clearly still a massive number for a brute force attack even taking account of birthday probability. However there may be other weaknesses in SHA256 (we do not know yet) and the use of massive computing power like mining may well reveal something else. – user3023094 – 2013-11-23T18:58:48.157

Can you elaborate? Or, better yet, reference? To the best of my knowledge, not even the obsolete SHA-1 familiy is that badly broken, only SHA-0. – pyramids – 2013-11-23T19:20:06.883

I will see if I can find it again, saw it a couple of days ago. – user3023094 – 2013-11-23T19:44:31.507

From my limited understanding, the OP's presumption has a possibility of actually becoming a risk (in the sense the OP mentioned) IF there are "other weaknesses in SHA256".

Of course, appending a "which yet have not been made public" to the original phrase changes the perspective of this idea.

Why would the NSA care to use the network to their services when all one needs to evade this would be encrypting what needs to be encrypted using SHA3 (example mentioned) and leave bitcoin mining on SHA-256? – Gaia – 2013-11-23T19:45:06.653

User A requires a secret code to send messages to it's allies A',A", etc.Enemy B ditto B',B". A wants to crack B's and visa versa. A also wishes to promote another code which it claims is secret for its own people, commerce, etc but which isnt secret really (known backdoor or crack). Ditto B. – user3023094 – 2013-11-23T19:56:39.630

When you have worked out who is A, etc,B,etc. where SHA256 and SHA3 fit in etc we will have a better understanding. Cryptography is only 40% of this, at least 40% is Psychology and the rest is a sort of multi-layered Game Playing. Try standing back and looking at things from a different perspective than that which you are used to, be open minded and see what looks interesting/strange/different. – user3023094 – 2013-11-23T20:04:20.380

"you can only take advantage of the result if you actually find a collision." Currently, this would be pure luck. If this happened, we'd be no further in knowing how to generate them. I guess a massive frenzy would begin to try to find out, but that'd be all. It may still just be the universe playing a joke on us by making something extremely improbable happen. – Luc – 2013-12-02T08:06:32.453

Theoretical answer: yes and no.

Practical answer: not at all.

SHA-2, or specifically SHA-256, is a good hashing algorithm as far as we know. It has all the properties desired and there are no real attacks on it. It has already been battle-tested a lot in the past years. That Bitcoin uses SHA-256 makes it an even more interesting algorithm to try to crack (there is 'money' behind it now), and with all the ASIC producers popping up it becomes less work to also create ASICs that try to crack passwords hashed with this.

So with all the extra attention SHA-256 gets, it is now more likely that flaws are found rather sooner than later. However, SHA-2 is a very widely used algorithm as it is, regardless of its use in Bitcoin. If there were any great and obvious flaws, they would have been found already.

It can be compared with RSA, which now powers many of today's financial transactions and encrypted connections. That too draws a lot of attention to it, but good algorithms don't become bad just because they are in the picture.

So while all the extra ASIC production for Bitcoin mining may also provide for better password cracking tools and brings more people to look at the algorithm, this is no practical problem. Also, you should not use SHA-2 directly as a password hashing mechanism anyway. For that, see this question: https://security.stackexchange.com/q/211/10863

Edit: Read your question more thoroughly now instead of responding to the title.

Is bitcoin mining with its daily 4000+ TH/s power, funded and manned entirely by users of the hardware hoping to gain Bitcoins (and hoping they are worth some real $$) really performing a service for the NSA (or someone) and effectively "hiding in plain sight"?

No. That's just tinfoil hattery and not even worth the "thought experiment" (nice try, conspiracy theorist) since it can readily be disproved. See other answers about what we're hashing (hint: we're not finding hashes for actual passwords or other purposes).

Luc

Posted 2013-11-23T08:57:22.577

Reputation: 638

Regardless of any conspiracy theory. The fact that ASIC machines are now commercially available (both hardware and completed systems) makes it easier for any agency to buy them and use them. In my opinion, this does compromise SHA-256.

Peter

Posted 2013-11-23T08:57:22.577

Reputation: 21

1Yes, it makes a sha256 has easier to guess, by buying dedicated ASICS. Scrypt is a better hash because you can tweak the ram requirement up to the point where ASICs are not practical. – Erik Aronesty – 2013-12-23T17:40:16.430