Yes, but the rigged sha256 seems to produce the same results as a real sha256. And there's nothing obviously hinky in the code that I can see on cursory inspection. If this is rigged, it's rigged in a particularly clever way.
[UPDATE] Turns out this is not a vulnerability at all:
13 comments
[ 0.17 ms ] story [ 61.4 ms ] thread[UPDATE] Turns out I was wrong and this is not a vulnerability at all:
https://crypto.stackexchange.com/questions/48580/fixed-point...
It's also in ipfs at /ipfs/QmXZwBkdVXBQoB7uZMUh5bzfKAHXnJT836GV1xotiQ46RW and I've pinned it on both of my ipfs servers.
If you want to do the same:
or to get it from github: (-H includes hidden files - i.e. .git/)Not sure why the post was deleted though.
Work by a random dude who pretends to find infinite collision so bad that he can't publish it.
No math. No explanation.
The code is a mix of single letter variables with hardly any comment.
Thank you, I'll pass.
I'd say that counts as a vulnerability. It doesn't mean sha256 is broken, but it's a vulnerability.
EDIT: All of this modulo a rigged sha256.py, of course
Google it and you'll find the source, if it's a popular collision already published in papers.
[UPDATE] Turns out this is not a vulnerability at all:
https://crypto.stackexchange.com/questions/48580/fixed-point...