1 of 24

An Analysis and Breakdown of SHA Hashing in Bitcoin

By: Jeremy Gabalski

Cryptocurrency - Spring 2015

2 of 24

SHA-2 Analysis

  • SHA-2 is an entire family. Includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256

  • Same algorithmic structure, with different initial values, rounds, and digest lengths

  • Emphasis on SHA-256, the type of hashing that Bitcoin relies on

3 of 24

SHA256 Use in Bitcoin (Review)

  • Proof Of Work
    • T = Target, d = difficulty
    • r = header + transactions
    • Header is a hash of the previous block

  • Merkle Tree:
    • Leaves are hashes of transactions
    • Interior nodes are hashes of the sum of two child leaves
    • Leads to the creation of the merkle root
    • Merkle Root used to verify the authenticity of transactions

4 of 24

SHA256 Basics

  • Takes in 512 bits and returns 256 bits of encrypted text
  • Published in 2001 by the NSA
  • 64 identical rounds of data obfuscation

5 of 24

SHA256 Variations

  • SHA256: output digest of 256 bits. Uses 64 rounds
  • SHA224: output digest of 224 bits. Uses 64 rounds. Simply a concatenated version of SHA256
  • SHA512: output digest of 512 bits. Uses 80 rounds
  • SHA384: concatenation of SHA512 (80 rounds)
  • SHA512/224 and SHA512/256 are concatenated versions of SHA512, but their initial values are generated differently

** SHA256 and SHA512 use different values in the XOR and bit-shift operations

6 of 24

Algorithm Prep: Constant Explanation

6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19

  • Initial bit string that all instances oh SHA256 start with
  • First 32 bits of the fractional part of the square root of the first eight primes
  • Each round, a constant is drawn from a constant table filled in similar fashion
  • constant values are arbitrary, irrational, and independant

7 of 24

Algorithm Prep: Input Manipulation

-SHA256 takes in input strings 512 bits long. The preprocessing stage ensures the string length is a multiple of 512

-Each SHA round draws a value from the ‘word table’�

8 of 24

The Round

A B C D E F G H

Examine bit position for all three. Output the majority of the bit values at each position

Take A and rotate it right by 2, 13, and 22 bits. Sum these new values and take that sum modulo 2

For every place, examine the E bit. If 1, take the corresponding F bit, else, take the corresponding G bit

Rotate the bits of E to the right by 6,11, and 25 bits. Sum these new values.

K(i)

+

W(i)

9 of 24

How Good is SHA256?

Pre-Image Attack

Collision Attack

  • Brute force. Given a digest, you try every possible input to attempt to find the one that produces the correct hashed value
  • Find any two arbitrary inputs x and y such that SHA256(x) = SHA256(y)

10 of 24

How Good is SHA256- Continued

  • Searching through 2^256 input combinations (pre-image) is impractical

  • Best known collision attack worked with 52 rounds

  • Collisions gets interesting - pigeonhole principle

  • SHA256 is not a provably hard algorithm

11 of 24

Technology and Energy Analysis

12 of 24

ASIC Chips - Application Specific Integrated Circuit

CPU→ GPU → FPGA → ASIC→ ???

Technological developments developed solely based on how quickly each version of hardware could calculate a SHA256 hash

13 of 24

What Makes These Chips Better?

  • No Magic
  • SHA256 is composed of simple mathematical calculations
  • 100% chip dedication
  • Loop unrolling (of the 64 SHA256 rounds)
  • Pipelining - doing whatever can be done in parallel appropriately

14 of 24

The King of the Castle (For Now)

  • SP35 Yukon
  • 5.5 TH/s
  • Pre-installed mining software
  • Includes 30 Asic chips
  • The chips have a 28 nm process node (distance between the source and drain terminals in the processor).

15 of 24

Effects and Consequences of ASIC

16 of 24

Pre- 2013

17 of 24

2013 - 2015

18 of 24

2013 - The Year of the ASIC

  • June 2012: Butterfly Labs Announced Its First ASIC Product
  • Early models saw production delays (Melting cases, trouble meeting power specifications, production trouble to meet demand).

19 of 24

You Want Moore? Technical Considerations

  • Moore’s Law - Number of transistors per square inch doubles every ~ 2 years
  • ** Rate of advancement with ASIC chips cannot persist
  • More (smaller and denser chips), transistors, and HEAT
  • Eventually cooling becomes hard, and even impractical (due to electricity costs).
  • We will reach a point where advancements in cooling and maintaining peak performance will take precedence

20 of 24

ASICS - Fundamental Considerations

  • Ultrafast hashing equipment renders more and more hardware obsolete
  • When mining is impractical, you ‘shut the lights off’
  • Results: increased centralization, less investment incentives

**In order to realistically speculate, you need to factor in energy costs, hashing equipment price, hash/s limits, and bitcoin’s macro level of popularity

21 of 24

Future Speculations

-SHA256, is algorithmically strong (For now).

- **Bitcoin will continue to grow in mainstream popularity (as the pool grows so can the difficulty)

- Number of hashes each person is willing to pay for and contribute effects the difficulty, not simply that person’s interest.

**You can always include more chips into a single unit to increase hashing power. The energy cost will remain a linear multiple of each individual chips power draw. Efficiency per chis is more important

22 of 24

How Small Can Asic’s Get?

Collective data mapping hashing power per unit of energy (hashes/Kw) to the release date of the hardware model, is difficult to find.

Most models currently include 28nm process nodes. 22 and 20 nm nodes have been mentioned and experimented with, but have yet to be implemented mainstream

These chips with smaller nodes may bring another round of hashing increase, but manufacturing these smaller transistors is much more expensive and eats into profitability margins. For now, the 28nm nodes will remain the benchmark for realistically profitable bitcoin hardware.

23 of 24

Thank You!

24 of 24

Sources

http://bitcoin.stackexchange.com/questions/17132/is-bitcoin-mining-itself-compromising-the-security-of-sha256

http://gizmodo.com/mining-bitcoin-with-pencil-and-paper-1640353309

http://crypto.stackexchange.com/questions/5338/why-are-these-specific-values-used-to-initialise-the-hash-buffer-in-sha-512

http://web.cs.ucdavis.edu/~rogaway/papers/relates.pdf

http://www.coindesk.com/bitcoin-mining-can-longer-ignore-moores-law/

http://www.topbitcoinmininghardware.com/the-sp300-yukon-review-by-spondoolies-mining-enhanced/

http://bitcoin.stackexchange.com/questions/1293/how-many-integer-operations-on-a-gpu-are-necessary-for-one-hash

http://www.coindesk.com/data/bitcoin-mining-difficulty-time/

https://www.dom.com/library/domcom/pdfs/virginia-power/rates/residential-rates/schedule-1.pdf

https://bitcointalk.org/index.php?topic=85758.20

https://bitcointalk.org/index.php?topic=283950.0