
Blockchains are glorified Merkle Trees (and in the case of Bitcoin, with proof-of-work added for zero-trust distributed operation). The data structure is not new. The name is.

https://en.wikipedia.org/wiki/Blockchain#History



The parent said 20 years, which is just barely long enough to be the time for which reasonably secure hash functions have been available. If they had said 30 years, they'd have an excellent argument.

Chains of blocks and merkle trees are distinguishable from linked lists and binary trees purely by the use of hash functions instead of pointers. But that turns out to be really powerful in a way that the pointer versions aren't, if those hash functions are cryptographically secure.
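A constructed Python example of the point above (mine, not from the thread or from Bitcoin): a Merkle tree and a chain of blocks where every link is a hash rather than a pointer, so changing any leaf or block is detectable from the root alone. The 0x00/0x01 domain-separation prefixes and single SHA-256 are my simplifications; Bitcoin uses double SHA-256 without such prefixes.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Single SHA-256; real Bitcoin uses double SHA-256, this toy does not.
    return hashlib.sha256(data).digest()

def _pad(level):
    # Duplicate the last node on odd-sized levels, as Bitcoin does.
    return level + [level[-1]] if len(level) % 2 else level

def merkle_levels(leaves):
    """levels[0] = leaf hashes, ..., levels[-1] = [root]. The 0x00/0x01
    prefixes separate leaf and node hashes (a constructed hardening)."""
    level = [h(b"\x00" + leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        p = _pad(level)
        level = [h(b"\x01" + p[i] + p[i + 1]) for i in range(0, len(p), 2)]
        levels.append(level)
    return levels

def inclusion_proof(leaves, index):
    """Sibling hashes from leaf to root; 'L'/'R' is the sibling's side."""
    proof = []
    for level in merkle_levels(leaves)[:-1]:
        p, sib = _pad(level), index ^ 1
        proof.append(("L" if sib < index else "R", p[sib]))
        index //= 2
    return proof

def verify_inclusion(root, leaf, proof):
    # Recompute the path to the root; any altered leaf or sibling fails here.
    acc = h(b"\x00" + leaf)
    for side, sib in proof:
        acc = h(b"\x01" + (sib + acc if side == "L" else acc + sib))
    return acc == root

def block_hash(prev, txs):
    # A block commits to its predecessor's hash and its transactions' root.
    return h(prev + merkle_levels(txs)[-1][0])

def chain_valid(blocks):
    """blocks[i] = (prev_hash, txs); prev_hash must equal the hash of block
    i-1, with 32 zero bytes as the constructed genesis predecessor."""
    prev = b"\x00" * 32
    for claimed_prev, txs in blocks:
        if claimed_prev != prev:
            return False
        prev = block_hash(prev, txs)
    return True
```

Editing a transaction in an old block changes that block's hash, so every later block's stored `prev_hash` no longer matches and `chain_valid` fails, which is exactly what a pointer-linked list cannot detect.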


Being “cryptographically secure” is a relative thing: during the 90s, md5 was cryptographically secure, until it wasn't in the early 2000s. What we take for granted in terms of cryptographic security could collapse after one breakthrough (that's why SHA-3 was designed completely differently from SHA-2, to have a replacement handy when the latter is broken).


The difference is that with MD5, attacks were found relatively quickly. Introduced in 1992, and by 1996 cryptographers were already recommending that people switch to a replacement such as SHA-1 or RIPEMD-160.

SHA256 meanwhile was introduced in 2001, and since then no significant attacks have been found. So not only has it withstood attack for much longer, cryptography has advanced greatly compared to what we knew in 1992.

That still isn't a guarantee of future success. But look at it this way: I don't think you could have introduced Bitcoin in 1998. Hash functions were just too new to be trusted to the extent that Bitcoin requires.


Cryptography as a field advances and the next generations are better than the previous. But even if md5 was pretty poor compared to modern hash functions, AFAIK there is still no working preimage on md5 (correct me if I'm wrong, maybe there's been recent development I'm not aware of), which means bitcoin would still be fine if it was launched in 1995 with md5 as its hash function! (assuming it had transitioned to a better scheme later to avoid collision attacks).

In fact bitcoin is a pretty good counter-example to your point. It was launched too early, with a poor hash function[1], and yet is still a success.

[1] because bitcoin didn't use a brute-force resistant hash function, Satoshi's dream of “everyone is a miner” quickly disappeared and was replaced by a monopolistic cartel of professional miners.


> assuming it had transitioned to a better scheme later to avoid collisions attacks

Exactly. Collision attacks are fatal to Bitcoin, because they can make it impossible to achieve consensus over what is the valid version of the blockchain data. If you get advance warning, transition is possible with some caveats. But hoping for advance warning is risky when money is on the line (collision attacks can even be used to steal money in certain scenarios, e.g. with certain ways of doing multisig).

> because bitcoin didn't use a brute-force resistant hash function

That's really a topic in and of itself. There is no such thing as a non-"brute-force-resistant" PoW function.


Collisions only affect new transactions, they aren't able to tamper with the existing blocks (you need a preimage attack for that), and for the record the first collision on md5 only came in 2004, and 2017 for sha1, way after the theoretical vulnerability was proven. There's plenty of time to move from one hashing scheme to another.

> There is no such thing as a non-"brute-force-resistant" PoW function.

Well, maybe on the semantic debate, but there's a big difference between fast hash functions (sha-2 and the likes) and slow-by-design ones: ASIC.
