
Sha256 vulnerability for full rounds - giosch
https://github.com/laie/WorldsFirstSha2Vulnerability/blob/master/proof.py
======
jey
Same thing that's explained by
[https://crypto.stackexchange.com/a/48586](https://crypto.stackexchange.com/a/48586)
?

TLDR: It's easy to find fixed points of hashes like SHA-256.

~~~
amenghra
laie makes it sound like they found two things (free-start collision attack
and circular hash attack).

I agree the free-start part isn't very interesting but I don't think we have
enough information to confirm or dismiss whether the circular hash attack part
is novel.

~~~
jey
Could you unpack "circular hash attack"? Googling was not very helpful.

~~~
amenghra
"circular hash attack" left me confused and waiting to hear the full story. I
totally agree with "Extraordinary claims require extraordinary evidence".

------
grovegames
How much of a concern is this? Do we now need to use SHA512 for everything, or
is this more of an academic vulnerability that we won't see in the wild?

~~~
dsacco
It's not a concern at all. This is not a vulnerability.

------
amenghra
It's unfortunate that proof.py doesn't give an example of a message block that
leads from h0 to the q._h constant.

I.e., free-start collisions don't let you create two PDFs with the same sha256
hash.
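To make jey's TLDR ("it's easy to find fixed points") and amenghra's free-start point concrete, here is an added worked example; it is not code from the linked proof.py, from laie, or from any commenter. SHA-256's compression function is Davies-Meyer: h' = h + E_m(h), where E is the invertible SHACAL-2 block cipher keyed by the 64-byte message block m. Decrypting the all-zero state under any block you like gives a chaining value h with E_m(h) = 0, hence h' = h, for the full 64 rounds. The catch, which is why this is not a vulnerability, is that the attacker must be allowed to choose the starting chaining value; real SHA-256 fixes it to the standard IV, so no message can be made to pass through the constructed h. Function names and the sample block are my own constructions; the constants are the published SHA-256 ones and the forward path is cross-checked against hashlib.

```python
# Added example (not from the thread or the linked repo): Davies-Meyer fixed
# points in full-round SHA-256, and why they are a free-start property only.
import hashlib
import struct

M32 = 0xFFFFFFFF
# Standard SHA-256 initial chaining value (fixed by the spec, not attacker-chosen).
IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)
K = (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
     0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
     0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2)


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32


def schedule(block):
    """Expand a 64-byte block into the 64 message-schedule words (the cipher key)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
    return w


def encrypt(state, w):
    """SHACAL-2 forward direction: the 64 SHA-256 rounds without the feed-forward."""
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M32
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & M32
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return (a, b, c, d, e, f, g, h)


def decrypt(state, w):
    """SHACAL-2 inverse: each round is a register shift plus modular adds, so it unwinds exactly."""
    a, b, c, d, e, f, g, h = state
    for i in reversed(range(64)):
        pa, pb, pc, pe, pf, pg = b, c, d, f, g, h  # previous-round a, b, c, e, f, g
        t2 = ((rotr(pa, 2) ^ rotr(pa, 13) ^ rotr(pa, 22))
              + ((pa & pb) ^ (pa & pc) ^ (pb & pc))) & M32
        t1 = (a - t2) & M32
        pd = (e - t1) & M32
        ph = (t1 - (rotr(pe, 6) ^ rotr(pe, 11) ^ rotr(pe, 25))
              - ((pe & pf) ^ (~pe & pg)) - K[i] - w[i]) & M32
        a, b, c, d, e, f, g, h = pa, pb, pc, pd, pe, pf, pg, ph
    return (a, b, c, d, e, f, g, h)


def compress(state, block):
    """One real SHA-256 compression: cipher output fed forward onto the chaining value."""
    return tuple((x + y) & M32 for x, y in zip(state, encrypt(state, schedule(block))))


def fixed_point(block):
    """Chaining value h with compress(h, block) == h: the decryption of the all-zero state."""
    return decrypt((0,) * 8, schedule(block))


def pad_single_block(msg):
    """Standard SHA-256 padding for a message that fits in one block (<= 55 bytes)."""
    assert len(msg) <= 55
    return msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))


def matches_hashlib(msg):
    """Sanity check: compressing from the real IV reproduces hashlib on a one-block message."""
    ours = b"".join(struct.pack(">I", x) for x in compress(IV, pad_single_block(msg)))
    return ours == hashlib.sha256(msg).digest()


BLOCK = pad_single_block(b"constructed sample block")  # constructed input; any 64 bytes work

if __name__ == "__main__":
    h = fixed_point(BLOCK)
    print("forward path agrees with hashlib:", matches_hashlib(b"abc"))
    print("fixed point h:", ["%08x" % x for x in h])
    print("compress(h, BLOCK) == h:", compress(h, BLOCK) == h)
    print("h is the real IV (what an actual break would need):", h == IV)
```

Running it prints a chaining value that maps to itself under the chosen block, and maps to itself again on every repetition of that block (this is the "circular" behaviour: a free-start collision between messages that differ only in how many copies of BLOCK they contain). It also prints `False` for the last line: the computed h is some arbitrary 256-bit value, not the fixed IV, and working backwards from the IV to a message block would require inverting the full compression, which is exactly the preimage problem. That is why the result does not yield two real files with the same digest.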

