
SHA256 vulnerability - jstanley
https://github.com/laie/WorldsFirstSha2Vulnerability?dup=0
======
bascule
This is not a vulnerability in SHA-256. See:

[https://en.wikipedia.org/wiki/One-way_compression_function#D...](https://en.wikipedia.org/wiki/One-way_compression_function#Davies.E2.80.93Meyer)

"A notable property of the Davies–Meyer construction is that even if the
underlying block cipher is totally secure, it is possible to compute fixed
points for the construction"

That is all that has been done here.

------
loeg
Duplicate [https://news.ycombinator.com/item?id=14654696](https://news.ycombinator.com/item?id=14654696).

~~~
minxomat
This post keeps getting flagged and/or deleted. There have been dozens of
submissions of this in the past hour alone.

------
andreser-mit
Oh, look who is adding "original" "research" to wikipedia:
[https://en.wikipedia.org/wiki/Special:Contributions/220.71.9...](https://en.wikipedia.org/wiki/Special:Contributions/220.71.95.180)

------
lisper
AFAICT it checks out.

[UPDATE] I was wrong. Turns out this is not a vulnerability at all:

[https://crypto.stackexchange.com/questions/48580/fixed-point...](https://crypto.stackexchange.com/questions/48580/fixed-point-of-the-sha-256-compression-function)

~~~
simias
How did you validate it exactly? The first thing would be to validate the
sha256 implementation used I guess. If it's true it's huge but I find it hard
to trust a random github repo with such an extraordinary claim, especially the
very vague "I developed an entirely new type of cryptanalysis theory to
achieve this. It has a similar form comparing to differential analysis."
Raises many red flags as far as I'm concerned.

Even if it's true I'm not sure I understand how broad this attack vector could
be. Can we generate collisions for any given hash or just a subset?

Given that SHA256 is used in cryptocurrencies it makes me even more skeptical,
it could be an attempt at making the market crash with some FUD I guess.

~~~
lisper
> How did you validate it exactly?

I ran the example. Then I looked at the code. Then I ran random test vectors
against hashlib.sha256.

It's not a slam-dunk, but if it's a hoax it's a damn good hoax.

~~~
dsacco
It's not a good hoax at all. You can calculate fixed points for SHA256. This
is a quirk, but it's not less costly than actually finding a collision, which
means this is a non-vulnerability.

The author effectively hard-coded values.

~~~
lisper
> You can calculate fixed points for SHA256

Really? How?

[UPDATE] Heh, you're right.

[https://crypto.stackexchange.com/questions/48580/fixed-point...](https://crypto.stackexchange.com/questions/48580/fixed-point-of-the-sha-256-compression-function)

