SHA-256 has never been broken. In twenty-five years, the cryptographic function at the heart of Bitcoin’s proof of work has been hammered by thousands of the best cryptanalysts alive, and not one of them has found a practical crack. It is the lock on the entire system. And here is the uncomfortable thing almost nobody says out loud: no one has ever proven that lock cannot be picked. There is no mathematical theorem guaranteeing SHA-256 is secure — and, stranger still, there cannot be one, until somebody solves a problem that has resisted every tool mathematics possesses. The distance between “never been broken” and “proven unbreakable” runs straight through one of the seven Millennium Problems.
Follow that thread carefully and it arrives somewhere unexpected. Bitcoin’s durability was never meant to rest on proven mathematics at all. It rests on incentives. The cryptography is replaceable; the architecture is the anchor. This is the diagnostic underside of The Cathedral Problem — the recognition that what makes hard money permanent is not the perfection of any one component but the design that survives a component failing.
The Algorithm Is Closed. Its Security Is Not.
The confusion starts the moment people slide from “the algorithm” to “the algorithm’s security.” They are two completely different claims. The algorithm is closed, settled, boring in the best sense — a fixed sequence of bit operations that turns any input into a 256-bit fingerprint, deterministically, with no ambiguity. Feed it the same data twice and you get the same hash twice, on every machine, forever. There is no mystery in the machine.
The mystery lives one level up: in whether the properties we need from that machine can ever be proven rather than merely trusted. Those properties are three — that you cannot run the function backwards (preimage resistance), that given one input you cannot find another with the same output (second-preimage resistance), and that you cannot find any two inputs that collide at all (collision resistance). Bitcoin’s proof of work leans on the first. And not one of the three has ever been mathematically proven. We hold them as true because SHA-256 has survived a quarter-century of assault and nothing has cracked it. That is strong evidence. It is not a proof.
Why No Proof Can Exist
To prove a hash function secure, you would have to prove that reversing it is fundamentally hard — that there is no clever shortcut waiting to be discovered, not now and not ever. Proving the non-existence of a shortcut is a different order of difficulty from simply failing to find one. And it runs directly into the most famous open question in computer science.
P versus NP, in one sentence: can every problem whose solution you can quickly check also be quickly solved? Hashing is the textbook illustration. Verifying that a given input produces a given hash takes microseconds. Finding an input that produces a target hash — or finding a collision — is believed to require effectively brute-force search. If P turned out to equal NP, efficient methods for the hard direction might exist, and a large part of modern cryptography would collapse with it.
Inside One Round
It helps to see the mechanism, because the security story is really a story about information being thrown away. SHA-256 works only with 32-bit words, and every addition is taken modulo 2³² — it wraps around and forgets the overflow. From three primitives — XOR, bitwise rotation, and addition — it builds its mixing and logic functions. The message is padded into 512-bit blocks; eight 32-bit starting values are loaded (the fractional parts of the square roots of the first eight primes); and each block is churned through 64 rounds before a final step locks it.
The round itself is deceptively lopsided. There are eight registers, a through h. Six of them are merely shifted along — b takes the old a, c takes the old b, a conveyor belt. Only two registers are actually computed.
After all 64 rounds, the original eight starting values are added back to the churned registers — a step called feed-forward, and effectively a second lock against running the whole thing in reverse. Forward, it is a deterministic system of equations iterated 64 times: trivial to evaluate. Backward, it dies — and it dies in specific, identifiable places.
Forward: one deterministic pass. Reverse: longer than the universe has existed.
That asymmetry — hard to produce, cheap to check — is the exact NP structure, repurposed from a threat into a feature. The same difficulty that menaces cryptography elsewhere is here turned into the load-bearing mechanism of proof of work: a miner burns energy searching, and every node verifies the answer instantly. This is the thermodynamic anchor explored in Without Proof of Work seen from the mathematical side — the one-way street that makes the 21 million cap cost something to defend.
Why the Proof Is Brutal
The claim that P is not equal to NP is almost trivial to state: there exists a problem in NP that is not in P. One existence quantifier. But the proof would require a universal negative — that no algorithm, none that exists or could ever be written, solves that problem in polynomial time. That is a lower bound over the infinite space of all possible algorithms. Upper bounds are easy: exhibit one algorithm and you are done. Lower bounds are the hardest thing in mathematics, because you must rule out every conceivable approach at once.
And it is worse than merely hard. Whole families of natural proof techniques have themselves been proven incapable of settling it.
The Razborov–Rudich result is the one to sit with: the natural way to prove hardness would, if it worked, break the very cryptography whose hardness you were trying to establish. The problem defends itself with the thing it threatens. A working proof would have to invent a fundamentally new technique that escapes all three barriers at once — and nobody alive knows what that technique would look like.
The Second Unproven Pillar
The same shape appears one layer up, in how the network agrees on history. By the textbook definition, Bitcoin is not Byzantine fault tolerant. Classical BFT — the property a distributed system has when it can keep reaching agreement even while some participants fail or lie arbitrarily — was proven for a specific setting: a known, fixed roster of validators, deterministic finality, and a tolerance of strictly fewer than one-third malicious nodes. Those proofs are real and airtight. Bitcoin satisfies none of their premises. Its participant set is open and permissionless, anyone can join or vanish unannounced, and it offers no deterministic finality at all — only a probability of permanence that deepens with every block stacked on top.
So on paper, Nakamoto consensus has no business solving the Byzantine Generals’ Problem. What it does instead is change the game. Proof of work swaps “who is allowed to vote” for “what did it cost to vote” — identity replaced by energy. Agreement becomes probabilistic and economic rather than deterministic and proven: rewriting the ledger means out-hashing the honest majority indefinitely, which costs far more than any rational attacker stands to gain. Bitcoin is not Byzantine fault tolerant by definition. Proof of work makes it Byzantine fault tolerant de facto — and it has held, with no successful deep reorganisation of the main chain, for seventeen years.
Two of the system’s most load-bearing properties — the unbreakability of the hash and the fault tolerance of the network — are, strictly, not theorems. Both are unproven. Both have nonetheless run in open, adversarial, real-money conditions for the better part of two decades without failing.
That is not luck, and it is not two coincidences. It is the same move twice: take something mathematics cannot guarantee, and wrap it in an architecture that does not need the guarantee. The hash is trusted because attacking it costs more than it yields. The consensus holds because betraying it costs more than it yields. In both cases the proof was never the point — the incentive was.
What It Means
The most common misunderstanding about Bitcoin’s security points in exactly the wrong direction. People imagine the strength lives in the mathematics — that SHA-256 is some proven, unbreakable theorem at the base of the system. It is not. Twenty-five years of failed attacks is powerful evidence, and the right kind of evidence to act on. But it is evidence, not proof, and the gap between the two is not a technicality — it is the entire reason a Millennium Problem stands between us and a real security theorem. Anyone who tells you SHA-256 is “mathematically proven secure” does not understand what proving it would require.
Once you see that clearly, you understand the architecture better, not worse. Because the cryptography is the replaceable part. Bitcoin’s durability was never designed to rest on the permanence of one hash function — if SHA-256 ever weakened, the primitive can be swapped through a coordinated soft fork to a stronger one. The protocol survives the obsolescence of its own cryptography. What it cannot survive losing is its incentive structure, and that is not made of mathematics at all.
Bitcoin’s security does not rest on proven mathematics. It rests on empirically hardened, unproven assumptions — and on an incentive structure that does not need them to be theorems.
— The Cathedral Problem, in one line
It is design, not material. The anchor is the game — the alignment of millions of self-interested actors around a set of rules that make honesty the profitable strategy. The mathematics is the building material, and building materials can be substituted. The architecture is what holds. That is the sentence worth carrying out of this issue, and it is the spine of the book this thread feeds into.
The hash may one day fall; the consensus could, in theory, fracture. Neither is guaranteed by any theorem. Both have held for seventeen years — not because the mathematics was ever proven, but because the architecture was built to carry the load when the mathematics could not.
Flight Log — Dispatch from Altitude
There is a thing pilots learn early that a mathematician would recognise instantly: you can prove an aircraft unsafe, but you can never prove it safe. A single failure demonstrates a flaw beyond argument — a cracked spar, a fuel line that chafes, an actuator that jams. That is an existence proof, and one example settles it. But no number of safe flights proves the next one will be safe. Safety is not a theorem you arrive at. It is a confidence you maintain, hardened by every hour the fleet flies without incident, and never quite closed.
This is exactly the shape of SHA-256. Twenty-five years without a break is twenty-five years of safe flights. It is the strongest reason to trust the function — and it is structurally incapable of becoming a proof, for the same reason a million safe landings never become a guarantee. We are flying on a maintenance record, not a mathematical certificate, and the honest engineer knows the difference.
So how does aviation actually stay safe, if not by proof? Not by trusting any single component to be perfect. It stays safe by architecture — by redundancy, by designing the system so that no one part failing brings down the whole. Two engines, so one can fail. Three independent hydraulic systems. Backups behind the backups. The safety does not live in any single part being unbreakable; it lives in a structure that assumes parts will break and survives it anyway.
Bitcoin is built the same way, and the SHA-256 question is where you see it clearest. The hash function is one component, and like any component it could in principle fail — the probability vanishing, but never provably zero. The system is not designed to depend on that part being eternal. If the primitive weakened, you swap it, the way you replace a component flagged in inspection. The thing that does not get swapped — the thing that is genuinely load-bearing — is the incentive structure that makes honesty pay. That is the airframe. The cryptography is a part bolted to it.
The instruments tell a truth the intuition resists: certainty is not available, in the cockpit or in cryptography, and the engineers who pretend otherwise are the dangerous ones. What is available is design that does not require certainty to hold. You do not build a safe aircraft out of one perfect part. You build it out of a structure that survives imperfect parts. It is design, not material — in the air, and in money.