Sha256 vulnerability for full rounds
Same thing that's explained by https://crypto.stackexchange.com/a/48586 ?
TLDR: It's easy to find fixed points of hashes like SHA-256.
Ah, great link. I was not aware of this "feature" of SHA256:
>To abuse this property you need to get the state of the hash to match a state you get when running the decryption of the blockcipher underlying the compression function. Finding such a match requires a meet-in-the-middle attack with cost 2^(n/2) and thus isn't cheaper than finding a collision.
laie makes it sound like they found two things (free-start collision attack and circular hash attack).
I agree the free-start part isn't very interesting but I don't think we have enough information to confirm or dismiss whether the circular hash attack part is novel.
Using that philosophy, we have to be cautious about whether or not the Riemann hypothesis has been solved every time someone uploads a paper claiming a proof to arXiv, even if it's nonsensical (which this "proof" is), just because we haven't had a team of mathematicians peer review it.
Let me assure you: there is nothing novel here. There is no vulnerability. You want to start from a place of skepticism with these things, not a place of, "Well we don't have enough information to say it's not true..."
Extraordinary claims require extraordinary evidence; I think it's fair to dismiss those claims until they're capable of coming up with a better justification than "I developed an entirely new type of cryptanalysis theory to achieve this."
Could you unpack "circular hash attack"? Googling was not very helpful.
"circular hash attack" left me confused and waiting to hear the full story. I totally agree with "Extraordinary claims require extraordinary evidence".
How much of a concern is this? Do we now need to use SHA512 for everything, or is this more of an academic vulnerability that we won't see in the wild?
It's not a concern at all. This is not a vulnerability.
It's unfortunate that proof.py doesn't give an example of a message block that leads from h0 to the q._h constant.
I.e., free-start collisions don't let you create two PDFs with the same sha256 hash.
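Added example, not from the thread or from the claimed proof.py: the Davies-Meyer fixed point the linked answer's TLDR refers to, worked in Python. It implements the SHA-256 compression function together with the inverse of its SHACAL-2 core, validates the forward direction against a known digest, and derives a chaining value h with compress(h, m) == h for a constructed 64-byte block m; as the quoted answer says, that h is an attacker-chosen start state rather than the IV, which is why this is a free-start property and not a collision on SHA-256.

```python
"""Constructed demo: SHA-256 compresses as h' = E_m(h) + h with E = SHACAL-2 keyed by block m.
Decrypting the zero state under m gives h with E_m(h) = 0, hence compress(h, m) == h."""
import math, struct
MASK = 0xFFFFFFFF
PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
def _icbrt(n):  # exact integer cube root (Newton, started above the root)
    x = 1 << ((n.bit_length() + 2) // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x
H0 = [math.isqrt(p << 64) & MASK for p in PRIMES[:8]]  # IV words: frac(sqrt(p)) * 2^32
K = [_icbrt(p << 96) & MASK for p in PRIMES]           # round constants: frac(cbrt(p)) * 2^32

def _rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def _s0(a): return _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
def _s1(e): return _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
def _maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)
def _ch(e, f, g): return (e & f) ^ (~e & g)

def _schedule(block):  # expand the 16-word block into 64 round words
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        x = _rotr(w[i-15], 7) ^ _rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        y = _rotr(w[i-2], 17) ^ _rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + x + w[i-7] + y) & MASK)
    return w
def _round(st, k, w):
    a, b, c, d, e, f, g, h = st
    t1 = (h + _s1(e) + _ch(e, f, g) + k + w) & MASK
    t2 = (_s0(a) + _maj(a, b, c)) & MASK
    return [(t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g]
def _unround(st, k, w):  # exact inverse: a, b, c, e, f, g pass through, so t1 and t2 are recoverable
    a2, a, b, c, e2, e, f, g = st
    t1 = (a2 - _s0(a) - _maj(a, b, c)) & MASK
    h = (t1 - _s1(e) - _ch(e, f, g) - k - w) & MASK
    return [a, b, c, (e2 - t1) & MASK, e, f, g, h]

def shacal2_encrypt(st, block):  # the block cipher E_m inside the compression function
    for k, w in zip(K, _schedule(block)): st = _round(st, k, w)
    return st
def shacal2_decrypt(st, block):  # D_m: apply the round inverses in reverse order
    for k, w in reversed(list(zip(K, _schedule(block)))): st = _unround(st, k, w)
    return st
def compress(h, block):  # SHA-256 compression: Davies-Meyer with modular feed-forward
    return [(x + y) & MASK for x, y in zip(shacal2_encrypt(h, block), h)]
def sha256_short(msg):  # single-block SHA-256 (len(msg) < 56), to validate compress() against a known digest
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return struct.pack(">8L", *compress(H0, block))
def fixed_point(block):  # h with compress(h, block) == h from ONE decryption; h is not the IV, and
    return shacal2_decrypt([0] * 8, block)  # reaching it from H0 is a 2^(n/2) meet-in-the-middle
```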