## Can the Bitcoin network be used for cracking?

13

3

I'm assuming that the Bitcoin economy is rapidly building a computing cluster capable of unprecedented amount of hash searching.

Would it be possible for an attacker to leverage this to crack other systems?

E.g. could an attacker input password hashes into transactions and then deduce useful information from the output of miners with regards to those hashes?

(I'm not asking about the security of Bitcoin as such, so I don't think it's a duplicate of [1] or [2])

– Murch – 2016-02-17T21:22:30.990

Uhm... so someone says definitely not and the other explains a how-to method! Is it a yes or a no, simply? – Bannaz – 2016-05-09T17:36:01.727

@Bannaz: It's a "no" for all practical purposes. The example that dionyziz provides is rather academic, and has no practical application. – Murch – 2016-05-09T17:48:41.183

Also remember that the security industry has been trying to eradicate the use of SHA256 for password hashing in favor of "memory hard", adjustable algorithms like bcrypt, scrypt, and pbkdf2. This shift is primarily because of the existence of special purpose SHA256 hardware (aka, asic miners), so it actually is a side effect of the Bitcoin network. Still, that's not using the network directly. – Jestin – 2016-05-09T21:06:57.143

22

1. Blocks are exactly 80 bytes long. When have you ever seen an 80 character password?
2. Blocks start with a bunch of null bytes in the version field. Again, when have you seen that in a password?
3. Each miner is mining a different block. You don't know the merkle root of what they're mining because that contains a hash of a secret address.
4. Bitcoin uses SHA256(SHA256(x)) as a hash function, which is not very common in password hashing.
5. Miners won't publish their results unless they solve a block. They only solve a block if it starts with 12 zeros (at time of writing). The odds of your hash starting with 12 zeros is 0.000000000000003034%.

4

While you cannot use the bitcoin mining power itself to crack selected passwords, bitcoin makes it possible for the first time to encode and ensure monetary rewards for password cracking through self-enforcing contracts.

For example, you could lock up funds in a transaction that are redeemable only provided that a specific puzzle has been cracked. This can be written as a bitcoin script (scriptPubKey) which takes as input a candidate solution to the puzzle (as scriptSig) and checks that it is a solution. In formal languages lingo, given a language L = { x: R(x, w) = 1 } such that R is polynomially computable (and so R being in P and L being in NP), you can solve the search problem of finding a w given an x in L by encoding R as a scriptPubKey and expecting a w as a scriptSig.

As an example, imagine you wish to find the pre-image of a given SHA256 hash. Your bitcoin redeem script could then look like this:

    import hashlib

    # The target is the hash that appears in the script further down.
    TARGET = bytes.fromhex("6fe28c0ab6f1b372c1a6a246ae63f74f931e8365e15a089c68d6190000000000")

    def spend(witness):
        # Spendable only if the witness hashes to the target.
        if hashlib.sha256(witness).digest() == TARGET:
            return True
        return False


Indeed, the only way to spend this script is by providing a witness that cracks this problem. In formal languages lingo, in this case x = 6fe28c0...00000 and w is the witness.

Coding it in the bitcoin script language, we get:

    OP_HASH256
    6fe28c0ab6f1b372c1a6a246ae63f74f931e8365e15a089c68d6190000000000
    OP_EQUAL


In fact, this very transaction was published on the bitcoin network four years ago and paid 1 BTC to have this puzzle solved.

Interestingly, notice that if the puzzle remains unsolved, the money is forever lost – that money is solely dedicated to the puzzle solver, and if there is no one, then no one can get the money. As a side note, notice that this kind of transaction is not secure, as the puzzle solver will have to disclose the scriptSig in order to spend the tx – meaning that anyone can double-spend the same amount immediately before the original tx gets confirmed. There are ways to guard against such attacks by performing more complicated schemata, such as revealing the secret in a two-block process possible in Ethereum.
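To make the spending rule concrete, here is an added example (not from the answer above or from any Bitcoin implementation): a minimal evaluator for the three script elements the puzzle uses, run against a puzzle built from a constructed secret and against the scriptPubKey quoted in the answer. The opcode byte values are Bitcoin's real ones; the secret, the evaluator and the function names are assumptions made for this illustration.

```python
import hashlib
OP_HASH256, OP_EQUAL = 0xAA, 0x87  # real Bitcoin opcode byte values
# Target hash quoted in the answer above, in the byte order used by the script.
PAGE_TARGET = bytes.fromhex("6fe28c0ab6f1b372c1a6a246ae63f74f931e8365e15a089c68d6190000000000")

def hash256(data: bytes) -> bytes:
    """OP_HASH256: SHA256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def push(data: bytes) -> bytes:
    """Direct push of 1..75 bytes: a length byte followed by the data."""
    assert 1 <= len(data) <= 75, "direct push covers 1..75 bytes"
    return bytes([len(data)]) + data

def puzzle_script_pubkey(target: bytes) -> bytes:
    """OP_HASH256 <32-byte hash> OP_EQUAL, the locking script from the answer."""
    return bytes([OP_HASH256]) + push(target) + bytes([OP_EQUAL])

def run(script: bytes, stack: list) -> list:
    """Minimal evaluator: direct pushes, OP_HASH256 and OP_EQUAL only."""
    i = 0
    while i < len(script):
        op, i = script[i], i + 1
        if 1 <= op <= 75:                      # direct pushdata
            stack.append(script[i:i + op]); i += op
        elif op == OP_HASH256:
            stack.append(hash256(stack.pop()))
        elif op == OP_EQUAL:
            stack.append(b"\x01" if stack.pop() == stack.pop() else b"")
        else:
            raise ValueError(f"unsupported opcode {op:#x}")
    return stack

def can_spend(script_sig: bytes, script_pubkey: bytes) -> bool:
    """Legacy rule: run scriptSig, then scriptPubKey on the same stack; the top item must be truthy."""
    try:
        stack = run(script_pubkey, run(script_sig, []))
    except (IndexError, ValueError):  # malformed or empty witness underflows: just a failed spend
        return False
    return bool(stack) and stack[-1] != b""

PAGE_SCRIPT_PUBKEY = puzzle_script_pubkey(PAGE_TARGET)

def demo() -> tuple:
    """Constructed puzzle; note the script names no solver, so anyone seeing the scriptSig can spend."""
    secret = b"constructed-example-preimage"
    locking = puzzle_script_pubkey(hash256(secret))
    return (can_spend(push(secret), locking),          # correct preimage: True
            can_spend(push(b"wrong guess"), locking),  # wrong witness: False
            can_spend(b"", locking))                   # empty scriptSig: False
```

The evaluator makes the caveat in the answer visible: the locking script contains no key and no signature check, so the witness that satisfies it is the only secret, and it becomes public the moment it is broadcast.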

So this means you can pay any amount you want to get each password cracked (or does it have to be 1 BTC)? Can this be used to solve bcrypt hashes too? Should we watch for these "evil transactions" and stop them somehow? – NH. – 2017-10-23T15:17:39.873

Any amount is possible. In generalized scripting languages (such as Ethereum's), you can encode any puzzle, including bcrypt. It's impossible to "stop these evil transactions", because that would require lack of censorship-resistance and therefore some sort of centralized control. – dionyziz – 2017-10-24T21:23:49.470

3

The processing done by miners is a very highly specific, yet random operation. It could not be reused for a general purpose operation looking for a specific answer.