Ah, great link. I was not aware of this "feature" of SHA256:
>To abuse this property you need to get the state of the hash to match a state you get when running the decryption of the blockcipher underlying the compression function. Finding such a match requires a meet-in-the-middle attack with cost 2n/2 and thus isn't cheaper than finding a collision.
laie makes it sound like they found two things (free-start collision attack and circular hash attack).
I agree the free-start part isn't very interesting but I don't think we have enough information to confirm or dismiss whether the circular hash attack part is novel.
Extraordinary claims require extraordinary evidence, I think it's fair to dismiss those claims until they're capable of coming with a better justification than "I developed an entirely new type of cryptanalysis theory to achieve this."
"circular hash attack" left me confused and waiting to hear the full story. I totally agree with "Extraordinary claims require extraordinary evidence".
Using that philosophy, we have to be cautious about whether or not the Riemann hypothesis has been solved every time someone uploads a paper claiming a proof to arXiv, even if it's nonsensical (which this "proof" is), just because we haven't had a team of mathematicians peer review it.
Let me assure you: there is nothing novel here. There is no vulnerability. You want to start from a place of skepticism with these things, not a place of, "Well we don't have enough information to say it's not true..."
How much of a concern is this? Do we now need to use SHA512 for everything, or is this more of an academic vulnerability that we won't see in the wild?
11 comments
[ 70.8 ms ] story [ 912 ms ] threadTLDR: It's easy to find fixed points of hashes like SHA-256.
>To abuse this property you need to get the state of the hash to match a state you get when running the decryption of the blockcipher underlying the compression function. Finding such a match requires a meet-in-the-middle attack with cost 2n/2 and thus isn't cheaper than finding a collision.
I agree the free-start part isn't very interesting but I don't think we have enough information to confirm or dismiss whether the circular hash attack part is novel.
Let me assure you: there is nothing novel here. There is no vulnerability. You want to start from a place of skepticism with these things, not a place of, "Well we don't have enough information to say it's not true..."
I.e. Free-start collisions don't let you create two PDFs with the same sha256 hash.