Why don't any of the SHA-256 vulnerabilities matter for mining?



Wikipedia lists several vulnerabilities in SHA-256. Presumably, none of them can be used to mine faster, or it would be done already. Why don't these vulnerabilities lead to a problem for mining?


Posted 2014-11-12T05:34:01.143

Reputation: 348



The attacks are against a "poor man's" version of SHA-256, where fewer rounds are performed than in the real SHA-256. They are useless for breaking SHA-256 itself, and more so for the double SHA-256 used in Bitcoin mining.

Also, what would be most useful for mining is a preimage attack, and those are much harder than collision attacks. You can see in the table on Wikipedia that the proposed preimage attacks, though faster than pure brute force, are still impossibly complex.

Meni Rosenfeld

Posted 2014-11-12T05:34:01.143

Reputation: 19 132


  1. Sha256 has no known vulnerabilities as of yet. As Meni Rosenfeld mentioned, the attacks in question only concern part of the rounds of Sha256; in order to have an actually effective attack you'd have to fully break all rounds (64 in the case of Sha256).

  2. Even if Sha256 was broken, it still wouldn't directly affect mining, as Bitcoin uses double Sha256 hashing:
    Sha256d(x) = Sha256(Sha256(x))

  3. Even if a full preimage attack on Sha256 was found, it still most likely would not affect Bitcoin, as in the mining process there is very little freedom to forge the input data. You can shuffle around some txs, vary the nonce, but not much else. It is extremely unlikely that whatever means the preimage attack uses to construct input data (to match the required hash value) is compatible with the way Bitcoin blocks are built up.

This gives us more than enough time to migrate to another hashing algorithm, if regular Sha256 were ever to be compromised.


Posted 2014-11-12T05:34:01.143

Reputation: 789

Assuming whoever discovers it is nice enough not to pick the millions they could get by mining ... Also, why couldn't you apply a preimage twice to undo a double hash? – ike – 2014-11-12T15:42:33.717

If it was compromised in terms of a full preimage attack, then yes. But then still there's another factor at play, added it as nr. 3 – Madzi Konjo – 2014-11-13T05:37:38.453
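Added example (Python, not code from either answer): both answers rest on two facts worth seeing concretely. First, the published attacks target reduced-round SHA-256, so the block below carries a pure-Python SHA-256 whose compression function can be cut off after N steps (the reduced-round variant is modelled simply by truncating the step loop); at 64 rounds it agrees with hashlib, at fewer it does not, which is why a result on 24 or 41 rounds says nothing about the real function. Second, mining has almost no input freedom: the 80-byte header below shows that only the version bits, timestamp, merkle root and a 32-bit nonce are the miner's to vary, and the mining loop is nothing but re-hashing with a fresh nonce. The header fields, the all-zero previous hash, the merkle root and the very easy difficulty (`DEMO_NBITS`, top byte of the hash must be zero) are constructed for the demo and are not from any real block.

```python
"""Reduced-round SHA-256 vs. the real thing, and what a miner can actually vary (added example)."""
import hashlib
import struct

MASK = 0xFFFFFFFF
# SHA-256 round constants (fractional parts of the cube roots of the first 64 primes).
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
# Initial hash state (fractional parts of the square roots of the first 8 primes).
H0 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def sha256_rounds(msg: bytes, rounds: int = 64) -> bytes:
    """Pure-Python SHA-256 whose compression function stops after `rounds` steps.
    rounds=64 is the real SHA-256; smaller values give the reduced-round variants the
    published attacks target (modelled here by truncating the step loop)."""
    if not 1 <= rounds <= 64:
        raise ValueError("rounds must be in 1..64")
    # Standard padding: 0x80, zeros to 56 mod 64, then the 64-bit big-endian bit length.
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", len(msg) * 8)
    h = list(H0)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, rounds):  # message schedule, only as far as the rounds need
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for i in range(rounds):
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8I", *h)


def check_against_hashlib(msg: bytes, rounds: int = 64) -> bool:
    """True iff the `rounds`-step variant agrees with the standard library's SHA-256."""
    return sha256_rounds(msg, rounds) == hashlib.sha256(msg).digest()


def sha256d(data: bytes) -> bytes:
    """Bitcoin's Sha256d(x) = Sha256(Sha256(x)); hashlib is used here for speed."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def block_header(version, prev_hash, merkle_root, timestamp, nbits, nonce) -> bytes:
    """Serialize the 80-byte header. prev_hash and nbits are dictated by the chain; only the
    version bits, the timestamp (within network limits), the merkle root (via transaction
    selection and the coinbase) and the 32-bit nonce are the miner's to vary.
    Hashes are given in internal (little-endian) byte order."""
    return struct.pack("<I", version) + prev_hash + merkle_root + struct.pack("<III", timestamp, nbits, nonce)


def target_from_nbits(nbits: int) -> int:
    """Decode the compact 'bits' field into the 256-bit target."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3)) if exponent > 3 else mantissa >> (8 * (3 - exponent))


def header_meets_target(header: bytes, nbits: int) -> bool:
    return int.from_bytes(sha256d(header), "little") <= target_from_nbits(nbits)


def mine(version, prev_hash, merkle_root, timestamp, nbits, max_nonce=1 << 20):
    """Brute-force the nonce: the miner's only move is to re-hash with a different nonce
    (then a new timestamp or coinbase once the nonce space is exhausted).
    Returns (nonce, header) or None."""
    for nonce in range(max_nonce):
        header = block_header(version, prev_hash, merkle_root, timestamp, nbits, nonce)
        if header_meets_target(header, nbits):
            return nonce, header
    return None


# Constructed demo inputs (not a real block): all-zero previous hash, a made-up merkle root and a
# hypothetical very easy difficulty (top byte of the hash must be zero, so ~1/256 of nonces succeed).
DEMO_NBITS = 0x2000FFFF
DEMO_PREV = bytes(32)
DEMO_MERKLE = hashlib.sha256(b"constructed coinbase tx").digest()


def mine_demo():
    return mine(version=0x20000000, prev_hash=DEMO_PREV, merkle_root=DEMO_MERKLE,
                timestamp=1415770441, nbits=DEMO_NBITS)


if __name__ == "__main__":
    for r in (64, 41, 24):
        print(f"{r} rounds matches hashlib: {check_against_hashlib(b'abc', r)}")
    nonce, header = mine_demo()
    print(f"nonce {nonce} -> {sha256d(header)[::-1].hex()}")
```

Two things to take from running it: the 41- and 24-round outputs are simply different functions, so an attack on them gives no handle on the 64-round hash that `mine()` is actually grinding against; and the only inputs `mine()` ever changes are the nonce bytes at the end of an otherwise fixed 80-byte header, which is the "very little freedom to forge the input data" point from the answer above. A hypothetical preimage attack would have to emit an 80-byte string that still starts with the version and the chain's previous block hash and carries a merkle root that commits to a valid set of transactions; a preimage chosen freely by the attack would not satisfy those constraints.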