posted by martyb on Wednesday September 11 2019, @05:54AM
from the renaming-it-to-be-NSHA:-the-Not-Secure-Hashing-Algorithm dept.

Arthur T Knackerbracket has found the following story:

The Wall Street fintech Treadwell Stanton DuPont broke silence today as it announced its Research & Development and Science Teams successfully broke the SHA-256[*] hashing algorithm silently in controlled laboratory conditions over a year ago. The announcement aims to secure financial and technological platform superiority to its clients and investors worldwide.

[...] While the best public cryptanalysis has tried to break the hashing function since its inception in 2001, work on searching, developing and testing practical collision and pre-image vulnerabilities on the SHA-256 hashing algorithm began back in 2016 in Treadwell Stanton DuPont's R&D facilities, culminating 2 years later with the successful discovery of a structural weakness and the initial development of the first practical solution space of real world value by its researchers.

"While we have successfully broken all 64 rounds of pre-image resistance," said Seiijiro Takamoto, Treadwell Stanton DuPont's director of newly formed Hardware Engineering Division, "it is not our intention to bring down Bitcoin, break SSL/TLS security or crack any financial sector security whatsoever."

[*] See the SHA-2 page on Wikipedia for background on SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.



Related Stories

Crown Sterling Demos 256-bit RSA Key-cracking at Private Event 20 comments

Submitted via IRC for Bytram

Medicine show: Crown Sterling demos 256-bit RSA key-cracking at private event

On September 19, in a conference room at the Pelican Hill Resort in Newport Beach, California, Crown Sterling CEO Robert Grant, COO Joseph Hopkins, and a pair of programmers staged a demonstration of Grant's claimed cryptography-cracking algorithm. Before an audience that a Crown Sterling spokesperson described as "approximately 100 academics and business professionals," Grant and Hopkins had their minions generate two pairs of 256-bit RSA encryption keys and then derive the prime numbers used to generate them from the public key in about 50 seconds.

In a phone interview with Ars Technica today, Grant said the video was filmed during a "business session" at the event. The "academic" presentation, which went into math behind his claims and a new paper yet to be published, was attended by "mostly people from local colleges," Hopkins said. Grant said that he didn't know who attended both sessions, and the CEO added that he didn't have access to the invitation list.

During the presentation, Grant called out to Chris Novak, the global director of Verizon Enterprise Solutions' Threat Research Advisory Center, naming him as a member of Crown Sterling's advisory board. The shout-out was during introductory remarks that Grant made about a survey of chief information security officers that the company had conducted. The survey found only 3% had an understanding of the fundamental math behind encryption.

The video of the demonstration is here. (The video was briefly marked as private, but is now back again.) The demo was displayed from a MacBook Pro, but it appeared that it was being run in part via a secure shell session to a server. Grant claimed that the work could be used to "decrypt" a 512-bit RSA key in "as little as five hours" using what Grant described as "standard computing."

  • (Score: 5, Funny) by Anonymous Coward on Wednesday September 11 2019, @06:03AM (9 children)

    by Anonymous Coward on Wednesday September 11 2019, @06:03AM (#892561)

    TFA is a *press release* directly from the folks who *claim* to have broken SHA256.

    No evidence is provided and no supporting documentation. To avoid breaking the world, they aren't releasing any details. Trust us, we know best!

    In that spirit, I am announcing that I have built and tested an Alcubierre drive by making the round trip to and from Alpha Centauri in three weeks. [wikipedia.org]

    However, given the disruption FTL travel could cause, I'm not going to release any details or there could be mass panic. Trust me.

    • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @06:35AM (4 children)

      by Anonymous Coward on Wednesday September 11 2019, @06:35AM (#892572)

      I have heard an independent third party claim it was breakable, although it was still computationally expensive to do. Real-time website handshaking is impractical for now, but any long term signature verification requiring more than a few months of hash security should be looked at as suspect, or ideally combined with multiple checksums from different families, making the likelihood of a union of duplicate collisions next to impossible mathematically speaking.

      • (Score: 1, Informative) by Anonymous Coward on Wednesday September 11 2019, @08:03AM (2 children)

        by Anonymous Coward on Wednesday September 11 2019, @08:03AM (#892589)

        The problem with combining hash functions is twofold: First, you may get weird interactions between the two that can make it even weaker than the system should be in theory. Second is that your hash is only as secure as the weakest hash because you can exploit the weaknesses in that hash to control the outputs of the stronger hash and the system as a whole, in the vast, vast majority of implementations.

        The only exception to the second rule is concatenation of outputs with non-identical inputs, which is not what most people implement. On top of that, the theoretical strength of concatenation of hashes with non-identical inputs is not that much more than the strongest hash by itself, especially when compared to raising the parameters of modern hashes.

        • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 11 2019, @11:52AM (1 child)

          by Anonymous Coward on Wednesday September 11 2019, @11:52AM (#892630)

          Having 2 or more individual hashes, from different ciphers or techniques should not interact in the way you describe. This does mean that you either need multiple passes over the data or a specially optimized set of functions that can iterate the data through multiple ciphers side by side, allowing the performance benefit of the current data still being in-memory for each hashing function's pass. Given modern CPU technology the CPU time is negligible but the disk I/O wasted could be dramatic.

          • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @06:51PM

            by Anonymous Coward on Wednesday September 11 2019, @06:51PM (#892859)

            If you are talking about something like H1(H2(password)), H1(password)||H2(password), H1(password) xor H2(password), etc. then they absolutely do interact that way. There are numerous papers that prove that, which I can find when off work, if you'd like.
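
Added example, not part of any comment above and not from the article: the point made in this sub-thread about concatenating hashes, H1(m) || H2(m), shown on toy hashes. It follows Joux's multicollision argument for an iterated (Merkle–Damgård) hash; the 16-bit `h1`, the 24-bit `h2` and all function names are constructed for the demonstration and are assumptions, not real-world hash functions.

```python
import hashlib
from itertools import product

BLOCK = 4             # toy block size in bytes
IV = b"\x00\x00"      # toy 16-bit initial chaining value


def f1(state: bytes, block: bytes) -> bytes:
    """Toy 16-bit compression function (truncated SHA-256), constructed for the demo."""
    return hashlib.sha256(b"f1" + state + block).digest()[:2]


def h1(msg: bytes) -> bytes:
    """Toy iterated hash: run f1 over 4-byte blocks, then mix in the length."""
    if len(msg) % BLOCK:
        raise ValueError("toy hash only accepts whole blocks")
    state = IV
    for i in range(0, len(msg), BLOCK):
        state = f1(state, msg[i:i + BLOCK])
    return f1(state, len(msg).to_bytes(BLOCK, "big"))


def h2(msg: bytes) -> bytes:
    """Independent toy 24-bit hash from a different family (truncated BLAKE2b)."""
    return hashlib.blake2b(msg, digest_size=3).digest()


def combined(msg: bytes) -> bytes:
    """The 40-bit concatenated hash H1(m) || H2(m)."""
    return h1(msg) + h2(msg)


def block_collision(state: bytes, work: list):
    """Birthday search: two distinct blocks with the same f1 output from `state`."""
    seen = {}
    i = 0
    while True:  # terminates by pigeonhole after at most 2**16 + 1 blocks
        block = i.to_bytes(BLOCK, "big")
        out = f1(state, block)
        work[0] += 1
        if out in seen:
            return seen[out], block, out
        seen[out] = block
        i += 1


def joux_collision(t: int = 16):
    """Find m1 != m2 with combined(m1) == combined(m2).

    Step 1: chain t block collisions in h1. Picking either block at each of
            the t positions gives 2**t messages that all share one h1 value.
    Step 2: birthday-search those messages for a collision in h2.
    Returns (m1, m2, number of f1/h2 evaluations), or None if step 2 fails.
    """
    work = [0]
    state, pairs = IV, []
    for _ in range(t):
        a, b, state = block_collision(state, work)
        pairs.append((a, b))
    seen = {}
    for choice in product(*pairs):      # lazily walk the 2**t multicollision set
        msg = b"".join(choice)
        work[0] += 1
        tag = h2(msg)
        if tag in seen:
            return seen[tag], msg, work[0]
        seen[tag] = msg
    return None


if __name__ == "__main__":
    m1, m2, work = joux_collision()
    print(m1.hex(), m2.hex(), combined(m1).hex(), combined(m2).hex(), work)
```

A generic birthday search on the 40-bit concatenation needs about 2^20 evaluations; the search here costs roughly sixteen 16-bit birthday searches plus one 24-bit one, which is why concatenation adds little beyond the stronger component when one of the hashes is iterated.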

      • (Score: 4, Interesting) by FatPhil on Wednesday September 11 2019, @08:37AM

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday September 11 2019, @08:37AM (#892594) Homepage
        The "independent third party" I would trust would be a respected peer-reviewed cryptography journal.
        Which is noticeably absent in both your comment and TFPR (yes, it is a press release).

        So I'm with the "pump & dump" school here.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Funny) by VLM on Wednesday September 11 2019, @12:46PM (3 children)

      by VLM (445) Subscriber Badge on Wednesday September 11 2019, @12:46PM (#892650)

      The evidence of it being broken seems rather homeopathic.

      Something mathematical was created, then passed through 256 rounds of journalist dilution, and you end up with distilled water containing statistically likely less than one line's worth of actual mathematical proof.

      Still, the lack of anything in the diluted product doesn't imply the original source contained ... something.

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 11 2019, @01:06PM (2 children)

        by Anonymous Coward on Wednesday September 11 2019, @01:06PM (#892658)

        A lack of proof for something makes it even more likely in my opinion.

        • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @07:24PM

          by Anonymous Coward on Wednesday September 11 2019, @07:24PM (#892867)

          A lack of proof for something makes it even more likely in my opinion.

          Which is why you're absolutely certain that every time you kiss your wife/girlfriend, you get my sperm in your mouth.

          Good show!

        • (Score: 2) by VLM on Thursday September 12 2019, @11:21AM

          by VLM (445) Subscriber Badge on Thursday September 12 2019, @11:21AM (#893116)

          Could be a pump and dump scheme, yes. Usually "real results" are not announced this way.

          My guess is to avoid massive SEC legal impact, there is a kernel of truth where they DID bust SHA-256 down to the equivalent of SHA-255.99999 AND SIMULTANEOUSLY there's a chance there might be a pump and dump scheme underway.

  • (Score: 2, Informative) by Anonymous Coward on Wednesday September 11 2019, @06:23AM

    by Anonymous Coward on Wednesday September 11 2019, @06:23AM (#892567)

    According to https://www.ssllabs.com/ssl-pulse/ [ssllabs.com] SHA-256 is used by over 99% of websites on the web. In addition, many clients don't support most of the alternative signature algorithms. You are probably lucky if you have SHA-384 or SHA-512 support, let alone any of the others.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 11 2019, @06:33AM

    by Anonymous Coward on Wednesday September 11 2019, @06:33AM (#892571)

    Oh, great! Looks like I'm going to have to encrypt the White Album again!

  • (Score: 3, Interesting) by Anonymous Coward on Wednesday September 11 2019, @06:36AM (12 children)

    by Anonymous Coward on Wednesday September 11 2019, @06:36AM (#892573)

    it is not our intention to bring down Bitcoin

    And it won't, SHA256 is only used to validate the block (chain)/ proof of work, nothing else. Lots of "investors" won't understand this and I would not be surprised that they start dumping it for other (non-sha256) coins. With a bit of luck one could make a nice bit of coins out of it.*

    Disclaimer: this is not financial advice.

    • (Score: 2, Funny) by Anonymous Coward on Wednesday September 11 2019, @06:45AM (6 children)

      by Anonymous Coward on Wednesday September 11 2019, @06:45AM (#892574)

      Disclaimer: this is not financial advice.

      Of course, it is not even about actual money!

      • (Score: 4, Insightful) by maxwell demon on Wednesday September 11 2019, @07:09AM (5 children)

        by maxwell demon (1608) on Wednesday September 11 2019, @07:09AM (#892578) Journal

        Real estate isn't money either (it doesn't even pretend to be), yet advice for or against buying real estate is generally considered financial advice.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @07:31AM (4 children)

          by Anonymous Coward on Wednesday September 11 2019, @07:31AM (#892582)
          Real estate is highly liquid in real money. Bitcoin - not so much.
          • (Score: 2, Touché) by Anonymous Coward on Wednesday September 11 2019, @11:02AM (3 children)

            by Anonymous Coward on Wednesday September 11 2019, @11:02AM (#892610)

            I'll bet I can sell a bitcoin faster than you can sell a house.

            • (Score: 4, Funny) by Acabatag on Wednesday September 11 2019, @12:31PM (2 children)

              by Acabatag (2885) on Wednesday September 11 2019, @12:31PM (#892642)

              I bet I can sell a deck of Magic the Gathering cards faster than you can sell a house.

              Beanie babies, maybe not. They've reached past due date.

              • (Score: 1, Funny) by Anonymous Coward on Wednesday September 11 2019, @05:49PM (1 child)

                by Anonymous Coward on Wednesday September 11 2019, @05:49PM (#892826)

                (turns to Beanie Baby collection) "Don't you listen to teh bad Acabatag, I still love you all my little schnookemsus. There, there, now come and give me a huggles!"

                • (Score: 0) by Anonymous Coward on Thursday September 12 2019, @06:50AM

                  by Anonymous Coward on Thursday September 12 2019, @06:50AM (#893072)

                  That degenerated rather quickly, and in a way almost no one could have predicted.

    • (Score: 5, Interesting) by maxwell demon on Wednesday September 11 2019, @07:07AM (4 children)

      by maxwell demon (1608) on Wednesday September 11 2019, @07:07AM (#892577) Journal

      Breaking SHA256 means that you have a method to generate a specific hash with significantly better than brute force efficiency. Which means that you have put in less work than you "proved". If you are the only one who has it, it certainly gives you a distinct advantage in mining, and might be enough to gain 50% of apparent computing power, and thus gain control of the blockchain. And even if not directly, it might be used to drive the difficulty up enough that many miners give up, and thus 50% is gained that way.

      If the method to break it gets publicly known, it's not that harmful to Bitcoin, as then everyone can use it, and the difficulty will adapt accordingly. But if only select people have it, those select people have the ability to subvert Bitcoin.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @07:56AM (2 children)

        by Anonymous Coward on Wednesday September 11 2019, @07:56AM (#892588)

        Breaking SHA256 means that you have a method to generate a specific hash with significantly better than brute force efficiency.

        But will that happen? Normally, breaking a hash means you can get (more easily) a collision. With Bitcoin this doesn't matter. What matters is that the hash generated gets a better score than the difficulty. I'm not sure that breaking SHA256 will get you a better chance at beating the difficulty as you still have to go through the search space to get something that gets accepted.

        • (Score: 3, Interesting) by Anonymous Coward on Wednesday September 11 2019, @08:17AM (1 child)

          by Anonymous Coward on Wednesday September 11 2019, @08:17AM (#892591)

          This is not a collision attack, but a preimage attack. This means that you can take an arbitrary hash and compute a plaintext that when hashed produces the output you want. For Bitcoin, rather than having to repeatedly guess what input will meet your proof of work output, you can work backwards from the proof of work and calculate all valid inputs with a 100% success rate. At higher difficulties, this can be much easier than repeatedly guessing and testing because the probability of a successful guess is so low.

          • (Score: 1) by YttriumOxide on Thursday September 12 2019, @05:52AM

            by YttriumOxide (1165) on Thursday September 12 2019, @05:52AM (#893064) Homepage

            This means that you can take an arbitrary hash and compute a plaintext that when hashed produces the output you want

            Which in the case of a Bitcoin block would still need to be a valid block, massively reducing the space of "useful" preimages you can find for that hash.

            A Bitcoin block will not be accepted by other nodes if it tries to spend from inputs that don't exist; or if it tries to spend more from inputs than they have. Even if you get all of that right, the outputs need to be addresses under your control or you then need to additionally break ECDSA to gain access to the coins they represent.

      • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @01:13PM

        by Anonymous Coward on Wednesday September 11 2019, @01:13PM (#892661)

        This was already discussed by Satoshi, just switch to a new algo, the end

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday September 11 2019, @08:28AM (3 children)

    by Anonymous Coward on Wednesday September 11 2019, @08:28AM (#892593)

    1) It's not
    2) "Broken" doesn't always mean useless, sometimes it just means they've reduced the time required to produce a specific hash value from hojillions of years to zillions of years (but it is a warning sign that everyone needs to move to a new hash sooner rather than later)
    3) Bitcoin uses double hashing, which makes preimage attacks much harder, and it probably wouldn't be affected by this attack.
    4) They should release a couple dozen examples of nontrivial hash collisions, and offer to find inputs matching specific hashes chosen by cryptography experts

    • (Score: 2, Insightful) by Anonymous Coward on Wednesday September 11 2019, @12:33PM (2 children)

      by Anonymous Coward on Wednesday September 11 2019, @12:33PM (#892644)

      Definitely trust but verify.

      Show two different hash inputs that make the same output.
      That should not divulge (much) about what they did.

      (Unless there is some other sense of the word 'break' associated with a hash?)

      • (Score: 2) by ElizabethGreene on Wednesday September 11 2019, @12:42PM (1 child)

        by ElizabethGreene (6748) Subscriber Badge on Wednesday September 11 2019, @12:42PM (#892647) Journal

        > Show two different hash inputs that make the same output.

        This is not an unreasonable bar for credibility for someone making a claim of a collision break.

        • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @01:09PM

          by Anonymous Coward on Wednesday September 11 2019, @01:09PM (#892660)

          Bonus points if the two inputs show that you can make the hash collision by only changing a few selected bits.
          (For example, flip the first bit in the input and then fix the hash by adjusting the last N bits in the input, when N is about the same size as the hash.)
          Finding a random looking hash collision is neat, but finding one that looks like a real transaction is extraordinary.

          Definitely a high bar to break the hash, but a low bar to show that you did.
          That these folks don't show a result could say that the 2 inputs may show something about the hole they drove the truck through.

          The problem with their story is that if they found a hole, others will also.
          (It's funny how much more possible it is to solve some problems after you know they are solvable.)
          If they really want to save the world, they need to be a bit more convincing.
          As it stands, it sounds more like a cold fusion event.
          Maybe good enough to wake up some bad guys, but not good enough to make the world prepare for them.

  • (Score: 5, Insightful) by The Shire on Wednesday September 11 2019, @10:16AM (2 children)

    by The Shire (5824) on Wednesday September 11 2019, @10:16AM (#892603)

    This kind of financial scam "news" should not be on SN. You're just propping up the con artists.

    https://news.ycombinator.com/item?id=20927236 [ycombinator.com]

    • (Score: 1) by khallow on Wednesday September 11 2019, @12:22PM (1 child)

      by khallow (3766) Subscriber Badge on Wednesday September 11 2019, @12:22PM (#892638) Journal
      On the plus side, breaking hash functions is now worthy of financial scamming. We've come a long way, baby.
      • (Score: 1) by DECbot on Friday September 13 2019, @05:51PM

        by DECbot (832) on Friday September 13 2019, @05:51PM (#893761) Journal

        What's this? We're now allowing the economists and bankers to enter the cryptology club? Next thing it will be the marketing and sales people followed by the football jocks and cheerleaders. Give me back my punchcard reader, I'm going home!

        --
        cats~$ sudo chown -R us /home/base
  • (Score: 2) by RamiK on Wednesday September 11 2019, @12:29PM (1 child)

    by RamiK (1813) on Wednesday September 11 2019, @12:29PM (#892639)

    I'm guessing they're referencing https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html [googleblog.com] .

    Most distros switched away from MD5 and SHA256 around that time so that's something I suppose.

    Btw, Secure Boot uses SHA256... :D

    --
    compiling...
    • (Score: 2) by eravnrekaree on Wednesday September 11 2019, @04:34PM

      by eravnrekaree (555) on Wednesday September 11 2019, @04:34PM (#892777)

      SHA-1 has been known to be broken for some time. SHA-256 is not SHA-1, and it seems like people think SHA-256 is still considered secure.

  • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @03:10PM (2 children)

    by Anonymous Coward on Wednesday September 11 2019, @03:10PM (#892720)

    Not releasing details is exactly what any responsible party would do when finding something like this, because there is so much of this stuff in use. So them not releasing any details does not harm their credibility. Once details are released, it could become trivial since off-the-shelf programs would become widely available to abuse it.

    If they did find a way to crack it, it's also possible others know about it, since there are even better funded people who are looking for problems like this (states), but for their own purposes and would themselves likely keep it out of public view as well since they want it for their own uses, since if it did become public information then it would no longer be of use to them.

    Not releasing the details right now would be to keep it out of the hands of every two bit scumbag scammer on the planet until a replacement algorithm is moved to (SHA-3). Always good to have more backups and bigger safety margins. SHA-10000 anyone?

    • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @05:13PM (1 child)

      by Anonymous Coward on Wednesday September 11 2019, @05:13PM (#892797)

      Then why wait over a year to announce it?

      • (Score: 1) by DECbot on Friday September 13 2019, @06:08PM

        by DECbot (832) on Friday September 13 2019, @06:08PM (#893776) Journal

        Because that is the computational time necessary to compute a solution to confirm their findings?

        --
        cats~$ sudo chown -R us /home/base
  • (Score: 4, Interesting) by stormwyrm on Wednesday September 11 2019, @03:25PM

    by stormwyrm (717) on Wednesday September 11 2019, @03:25PM (#892728) Journal

    I'm pretty sure that these people, if they feel that the actual method they used to crack SHA-256 is too risky to publish, ought to still be able to give conclusive proof that they've really cracked SHA-1, in the form of a collision for some SHA-256 hash. Let's see them give a preimage for A6:DC:A5:91:CA:32:85:A1:90:E8:D8:DB:9D:50:95:08:33:F0:F1:26:13:55:98:FE:BC:1C:92:AD:6C:50:91:EA, which is the SHA-256 of PayPal's certificate. I think a paper from Messrs. Takamoto and his colleagues in the Journal of Cryptography with this sort of demonstration would be warmly received, and a spur towards the adoption and development of other hash functions that don't use the classic Merkle–Damgård construction, e.g. SHA-3 (Keccak). But frankly, I'm not holding my breath. The fact that they went straight for the press release rather than publishing a peer-reviewed paper first raises a lot of red flags. They seem to be playing science by press release, which is almost never a good sign.

    --
    Numquam ponenda est pluralitas sine necessitate.
  • (Score: 0) by Anonymous Coward on Wednesday September 11 2019, @06:01PM

    by Anonymous Coward on Wednesday September 11 2019, @06:01PM (#892833)

    SHA256 hasn't been cracked. But there are shortcuts that yield a better than brute force method of achieving a given hash. And the fact they are using this to market a bitcoin miner just proves it isn't about preimage or collision.

    Let's examine what a bitcoin miner does using math.
    Given mem = mempool or in other words a collection of transactions that have yet to be included in a block.

    Given diff = an arbitrary number between 0 and 2 pow 256 -1.

    Given n = nonce a single use salt.

    Mining proceeds thusly.

    Order mem such that the result of the SHA256 hash of mem[0...]+n is less than diff.

    The way modern miners work is to order mem once, then apply all values for n between 0 and 2 pow 32 in parallel. Gather the outputs and then compare the output vs diff and if out is greater than diff then reorder mem and re-apply n.

    The key here is it must be below diff and diff is a pretty huge number. That means there are many, many valid numbers that will work and that is by design.

    It seems to be what they have "discovered" if anything at all, is that due to the fixed block size of SHA256, you can compute prehashes in parallel for all possible configurations of mem and then apply all possible values for n, all in parallel.

    This is still brute force but it is more of a scatter, gather type situation.

    And it's nothing new. Bitmain has been offering ASIC miners with this feature since at least 2017.
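
Added example, not part of the comment above: the nonce search over a Bitcoin-style 80-byte header with double SHA-256, once naively and once reusing the SHA-256 state after the first 64-byte block, which is the same for every nonce. The header field values and the very easy `bits` value are constructed; the reuse saves a constant factor and the search is still brute force.

```python
import hashlib
import struct


def build_prefix(version, prev_hash, merkle_root, timestamp, bits):
    """First 76 bytes of the 80-byte block header; the 4-byte nonce follows."""
    return (struct.pack("<L", version) + prev_hash + merkle_root +
            struct.pack("<LL", timestamp, bits))


def bits_to_target(bits):
    """Expand the compact 'bits' field (exponent >= 3) into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3))


def pow_hash(header):
    """Double SHA-256 of the header, read as a little-endian integer."""
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def valid(prefix76, nonce, target):
    """A header is accepted when its double hash does not exceed the target."""
    return pow_hash(prefix76 + struct.pack("<L", nonce)) <= target


def mine_naive(prefix76, target, max_nonce=2**32):
    """Hash the full 80 bytes for every nonce (three SHA-256 compressions each)."""
    for nonce in range(max_nonce):
        if valid(prefix76, nonce, target):
            return nonce
    return None


def mine_midstate(prefix76, target, max_nonce=2**32):
    """Same search, absorbing the nonce-independent first 64 bytes only once."""
    midstate = hashlib.sha256(prefix76[:64])   # hash object after block 1
    tail = prefix76[64:]                       # 12 bytes: merkle tail, time, bits
    for nonce in range(max_nonce):
        inner = midstate.copy()                # resume from the saved state
        inner.update(tail + struct.pack("<L", nonce))
        outer = hashlib.sha256(inner.digest()).digest()
        if int.from_bytes(outer, "little") <= target:
            return nonce
    return None


# Constructed sample header fields (not a real block).
BITS = 0x1F00FFFF                              # far easier than any real network target
PREFIX76 = build_prefix(
    version=2,
    prev_hash=bytes(32),
    merkle_root=hashlib.sha256(b"constructed example").digest(),
    timestamp=1568181240,
    bits=BITS,
)
TARGET = bits_to_target(BITS)

if __name__ == "__main__":
    n = mine_naive(PREFIX76, TARGET)
    print("naive nonce:", n, "midstate nonce:", mine_midstate(PREFIX76, TARGET))
```

Both searches try the same nonces in the same order and return the same answer; the second one only skips recomputing one of the three compression calls per attempt.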
