Sha256 vulnerability for full rounds (opens in new tab)

(github.com)

16 pointsgiosch8y ago10 comments

10 comments

jey8y ago

Same thing that's explained by https://crypto.stackexchange.com/a/48586 ?

TLDR: It's easy to find fixed points of hashes like SHA-256.

Ah, great link. I was not aware of this "feature" of SHA256:

>To abuse this property you need to get the state of the hash to match a state you get when running the decryption of the blockcipher underlying the compression function. Finding such a match requires a meet-in-the-middle attack with cost 2n/2 and thus isn't cheaper than finding a collision.

amenghra8y ago

laie makes it sound like they found two things (free-start collision attack and circular hash attack).

I agree the free-start part isn't very interesting but I don't think we have enough information to confirm or dismiss whether the circular hash attack part is novel.

dsacco8y ago

Using that philosophy, we have to be cautious about whether or not the Riemann hypothesis has been solved every time someone uploads a paper claiming a proof to arXiv, even if it's nonsensical (which this "proof" is), just because we haven't had a team of mathematicians peer review it.

Let me assure you: there is nothing novel here. There is no vulnerability. You want to start from a place of skepticism with these things, not a place of, "Well we don't have enough information to say it's not true..."

simias8y ago

Extraordinary claims require extraordinary evidence, I think it's fair to dismiss those claims until they're capable of coming with a better justification than "I developed an entirely new type of cryptanalysis theory to achieve this."

jey8y ago

Could you unpack "circular hash attack"? Googling was not very helpful.

1 more reply

grovegames8y ago

How much of a concern is this? Do we now need to use SHA512 for everything, or is this more of an academic vulnerability that we won't see in the wild?

dsacco8y ago

It's not a concern at all. This is not a vulnerability.

amenghra8y ago

It's unfortunate that proof.py doesn't give an example of a message block that leads from h0 to the q._h constant.

I.e. Free-start collisions don't let you create two PDFs with the same sha256 hash.

j / k navigate · click thread line to collapse

10 comments

jey8y ago

Same thing that's explained by https://crypto.stackexchange.com/a/48586 ?

TLDR: It's easy to find fixed points of hashes like SHA-256.

simias8y ago

Ah, great link. I was not aware of this "feature" of SHA256:

amenghra8y ago

laie makes it sound like they found two things (free-start collision attack and circular hash attack).

I agree the free-start part isn't very interesting but I don't think we have enough information to confirm or dismiss whether the circular hash attack part is novel.

dsacco8y ago

simias8y ago

jey8y ago

Could you unpack "circular hash attack"? Googling was not very helpful.

1 more reply

grovegames8y ago

How much of a concern is this? Do we now need to use SHA512 for everything, or is this more of an academic vulnerability that we won't see in the wild?

dsacco8y ago

It's not a concern at all. This is not a vulnerability.

amenghra8y ago

It's unfortunate that proof.py doesn't give an example of a message block that leads from h0 to the q._h constant.

I.e. Free-start collisions don't let you create two PDFs with the same sha256 hash.

j / k navigate · click thread line to collapse