Ask HN: SHA2 vulnerability post was removed. Why? Is it legit? Hello. A moment ago someone posted this: https://github.com/laie/WorldsFirstSha2Vulnerability
It's now gone from HN. Is the vulnerability legit? |
Ask HN: SHA2 vulnerability post was removed. Why? Is it legit? Hello. A moment ago someone posted this: https://github.com/laie/WorldsFirstSha2Vulnerability
It's now gone from HN. Is the vulnerability legit? |
[UPDATE] Turns out I was wrong and this is not a vulnerability at all:
https://crypto.stackexchange.com/questions/48580/fixed-point...
Work by a random dude who pretends to find infinite collision so bad that he can't publish it.
No math. No explanation.
The code is a mix of single letter variables with hardly any comment.
Thank you, I'll pass.
I'd say that counts as a vulnerability. It doesn't mean sha256 is broken, but it's a vulnerability.
EDIT: All of this modulo a rigged sha256.py, of course
[UPDATE] Turns out this is not a vulnerability at all:
https://crypto.stackexchange.com/questions/48580/fixed-point...
Google it and you'll find the source, if it's a popular collision already published in papers.
Not sure why the post was deleted though.
It's also in ipfs at /ipfs/QmXZwBkdVXBQoB7uZMUh5bzfKAHXnJT836GV1xotiQ46RW and I've pinned it on both of my ipfs servers.
If you want to do the same:
ipfs pin add QmXZwBkdVXBQoB7uZMUh5bzfKAHXnJT836GV1xotiQ46RW
git clone https://github.com/laie/WorldsFirstSha2Vulnerability
ipfs add -Hr WorldsFirstSha2Vulnerability/