Hi Ariel,

Thanks for your reply.

You state that once "the entire world" can quickly find a hash that it then "needs to be changed", but that that "won't happen in a day".

It sounds like you believe compromise of the algorithm as a concern provides a _lot_ of time to migrate to a new hash function, and that it is indeed important to do so when it becomes needed.

Let's talk about relaxing the time scale.  Making such plans seems more important than agreeing on how soon they happen.  It's possible it could be decades before having a new hash is actually needed to protect financial security.  Who knows.

How does that land?  Is the idea more available with a looser time scale?

It seems to me with ongoing cryptanalysis research, new things like quantum computers, conventional computer hardware always advancing, that some day far in the future it will be easy to find an sha256 preimage on a personal device, somehow.

Let's improve the security of the blockchain.

On Sun, May 24, 2020, 7:51 PM Ariel Lorenzo-Luaces <arielluaces@gmail.com> wrote:
On May 24, 2020, at 1:26 PM, Karl via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
You mention ASICs becoming commoditized.  I'd remind you that eventually there will be a public mathematical breaking of the algorithm, at which point all ASICs will become obsolete regardless.  Would you agree it would be better to prepare for this by planning algorithm change?

Cryptographic algorithms don't usually break this way. In the case of hash functions it may be possible to find an exploit that reduces the function's security from 256 bits to 128 for example. So an algorithm that could find 80 zero bits per energy unit before can now find 160 zero bits per energy unit with an exploit.

If this exploit can be deployed as a software patch to most ASICs then the issue will sort itself out on the next difficulty adjustment.

If the exploit instead requires an entirely new ASIC then GPUs and FPGAs that could previously find 40 zero bits per energy unit can now compete with the less adaptive ASICs until new ASICs that use the exploit start getting produced and shipped.

There's never any official "public breaking" of a hash function. The function will just loose security over time until it's deemed to not be "secure enough" for certain applications. Thankfully mining is an application where the only important thing is that the difficulty can be increased. In other words, if the entire world can consistently find 256 zero bits of SHA-256 in under 10 minutes then definitely the hash function needs to be changed. But this won't happen in a day.