BEP XXXX: BitTorrent Protocol Version 3.0

Author:: Kevin Hearn <kh@tixati.com>
Status:: Draft
Type:: Standard
Created:: 04-Jan-2026

Abstract

This proposal describes BitTorrent Protocol v3.0, a set of backward-compatible extensions designed to address cryptographic weaknesses in the SHA-1 algorithm. It introduces the piece_hashes multi-hash verification system and an info_pow (Proof of Work) mechanism to prevent info-hash collision attacks.

Rationale

The original BitTorrent protocol (v1) relies exclusively on SHA-1 for piece verification and the info_hash. Recent cryptographic advancements have made finding SHA-1 collisions practical.

While BEP 52 (v2) introduced SHA-256 via Merkle trees, its adoption has been hampered by high implementation complexity. BEP 52 requires a total departure from the flat pieces structure, which is cumbersome for developers to integrate into existing legacy engines. It also mandates padding files, which cause excessive overhead in torrents that contain a large number of files.

BitTorrent v3.0 prioritizes implementability. By using an additive approach, developers can provide modern cryptographic security (SHA-2/SHA-3) without the architectural overhead of Merkle trees or padding files. This ensures a faster, lower-friction path to securing the BitTorrent ecosystem.

Specification

1. The piece_hashes Dictionary

A new key, piece_hashes, is added to the info dictionary. This allows a torrent to include high-security hashes in a flat format similar to the original protocol.

Key: piece_hashes
Value: A dictionary where keys are algorithm specifiers and values are the concatenated binary hashes for each piece.
Algorithm Specifiers: Standard strings such as SHA2-256 or SHA3-256. Specifiers may include a bit-width (e.g., SHA3-256-32 for 32-bit truncation). The bit-width must be a multiple of 8.

2. The info_pow (Proof of Work)

To prevent an attacker from generating two different info dictionaries that result in the same SHA-1 info_hash, a Proof of Work is required.

Key: info_pow
Value: A dictionary where keys are algorithm specifiers and values are the found binary hash with nonce appended.
Algorithm Specifiers: Standard strings such as SHA2-256 or SHA3-256 with a difficulty bit-width appended (e.g., SHA3-256-18 for 18 bits of leading zeros).
Hash A hash of the base hash and the nonce. The base hash is of the entire BEncoded info dictionary, with all hash+nonce values within the info_pow key zeroed.
Nonce This is the nonce that is concatenated to the base hash, which is then hashed again to produce the final hash, which must have adequate zero bits. The nonce can be any length, but generally 8 bytes is sufficient.

To generate:

Select algorithms and difficulty levels based on available CPU resources. A good choice is SHA3-256-20 as it will take under a second to compute on low-power hardware yet is strong enough to make finding collisions very impractical.
Write the info_pow entry into the info dictionary, with a value is a dictionary, containing algorithm specifiers as keys and zerod-out strings of correct length (hash width + 8 bytes of nonce) as values.
For each algorithm, calculate the base hash of the BEncoded info dictionary.
For each algorithm, calculate the hash of the base hash (in binary format) with nonce appended. Keep incrementing the nonce until the calculated hash has the required number of leading zero bits.
For each algorithm, fill in the hash+nonce value in its corresponding info_pow sub-key.

To verify:

Store, then zero out all hash+nonce values for each sub-key in the info_pow dictionary.
For each algorithm, hash the BEncoded info dictionary to create the base hash, append the specified nonce onto the base hash, then calculate the final hash.
Verify that the final hash matches the one specified, and that it has the required number of leading zero bits.

Security Considerations

Collision Resistance

By adding piece_hashes, the protocol moves to multi-hash validation. An attacker attempting a SHA-1 collision for a file piece would simultaneously need to collide the modern hash (e.g., SHA3-256) provided in the piece_hashes map, which is computationally infeasible.

Even when using a truncated hash, such as SHA3-256-32, the collision resistance is substantially improved. To succeed, an attacker must find a data block that yields the identical 160-bit SHA-1 hash AND the identical 32-bit SHA-3 fragment. This "AND" constraint makes finding malicious collisions computationally impractical.

Targeted Info-Hash Attacks

The info_pow mechanism forces an attacker to spend significant CPU time for every attempt to spoof an info-hash. This makes brute-forcing a collision expensive for malicious actors while remaining trivial for legitimate creators to generate during the initial torrent creation.

Backward Compatibility

This protocol is fully backward compatible.

V1-only clients: Ignore piece_hashes and info_pow as unknown keys, continuing to use SHA-1 for all operations.
V3-aware clients: Verify info_pow first. Then use both the original SHA-1 hashes in pieces AND the hashes in piece_hashes for data integrity checks on each piece.

Frequently Asked Questions

Why not just use BEP 52 (v2) "Hybrid" torrents? Hybrid v1+v2 torrents still require "padding files" to align file boundaries with the Merkle tree structure. This complicates the torrent creation process and creates massive overhead in torrents that have a large number of small files. Also, to implement a client that correctly manages a v1 AND v2 swarm simultaneously, while keeping file data and state synchronized, is extremely difficult. V3.0 requires zero changes to underlying file data or alignment and is very easy to add to any existing client, without any major changes to program architecture.

Does info_pow make torrent creation too slow for users? No. A typical difficulty of 20 bits takes less than a second on a modern CPU, but creates a massive cumulative barrier for an attacker.

References

Copyright

This document has been placed in the public domain.