Sha256 vulnerability for full rounds

Sha256 vulnerability for full rounds(github.com)

16 points by giosch 8 years ago | 10 comments

jey 8 years ago |

Same thing that's explained by https://crypto.stackexchange.com/a/48586 ?

TLDR: It's easy to find fixed points of hashes like SHA-256.

simias 8 years ago | |

Ah, great link. I was not aware of this "feature" of SHA256:

>To abuse this property you need to get the state of the hash to match a state you get when running the decryption of the blockcipher underlying the compression function. Finding such a match requires a meet-in-the-middle attack with cost 2n/2 and thus isn't cheaper than finding a collision.

amenghra 8 years ago | |

laie makes it sound like they found two things (free-start collision attack and circular hash attack).

I agree the free-start part isn't very interesting but I don't think we have enough information to confirm or dismiss whether the circular hash attack part is novel.

dsacco 8 years ago | | |

Using that philosophy, we have to be cautious about whether or not the Riemann hypothesis has been solved every time someone uploads a paper claiming a proof to arXiv, even if it's nonsensical (which this "proof" is), just because we haven't had a team of mathematicians peer review it.

Let me assure you: there is nothing novel here. There is no vulnerability. You want to start from a place of skepticism with these things, not a place of, "Well we don't have enough information to say it's not true..."

simias 8 years ago | | |

Extraordinary claims require extraordinary evidence, I think it's fair to dismiss those claims until they're capable of coming with a better justification than "I developed an entirely new type of cryptanalysis theory to achieve this."

jey 8 years ago | | |

Could you unpack "circular hash attack"? Googling was not very helpful.

grovegames 8 years ago |

How much of a concern is this? Do we now need to use SHA512 for everything, or is this more of an academic vulnerability that we won't see in the wild?

dsacco 8 years ago | |

It's not a concern at all. This is not a vulnerability.

amenghra 8 years ago |

It's unfortunate that proof.py doesn't give an example of a message block that leads from h0 to the q._h constant.

I.e. Free-start collisions don't let you create two PDFs with the same sha256 hash.