Arthur T Knackerbracket has found the following story:
The Wall Street fintech Treadwell Stanton DuPont broke silence today as it announced its Research & Development and Science Teams successfully broke the SHA-256[*] hashing algorithm silently in controlled laboratory conditions over a year ago. The announcement aims to secure financial and technological platform superiority to its clients and investors worldwide.
[...] While the best public cryptanalysis has tried to break the hashing function since its inception in 2001, work on searching, developing and testing practical collision and pre-image vulnerabilities on the SHA-256 hashing algorithm began back in 2016 in Treadwell Stanton DuPont's R&D facilities, culminating 2 years later with the successful discovery of a structural weakness and the initial development of the first practical solution space of real world value by its researchers.
"While we have successfully broken all 64 rounds of pre-image resistance," said Seiijiro Takamoto, Treadwell Stanton DuPont's director of newly formed Hardware Engineering Division, "it is not our intention to bring down Bitcoin, break SSL/TLS security or crack any financial sector security whatsoever."
[*] See the SHA-2 page on Wikipedia for background on SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
(Score: 5, Funny) by Anonymous Coward on Wednesday September 11 2019, @06:03AM (9 children)
TFA is a *press release* directly from the folks who *claim* to have broken SHA256.
No evidence is provided and no supporting documentation. To avoid breaking the world, they aren't releasing any details. Trust us, we know best!
In that spirit, I am announcing that I have built and tested an Alcubierre drive by making the round trip to and from Alpha Centauri in three weeks. [wikipedia.org]
However, given the disruption FTL travel could cause, I'm not going to release any details or there could be mass panic. Trust me.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @06:35AM (4 children)
I have heard an independent third party claim it was breakable, although it was still computationally expensive to do. Real-time website handshaking is impractical for now, but any long term signature verification requiring more than a few months of hash security should be looked at as suspect, or ideally combined with multiple checksums from different families, making the likelihood of a union of duplicate collisions next to impossible mathematically speaking.
(Score: 1, Informative) by Anonymous Coward on Wednesday September 11 2019, @08:03AM (2 children)
The problem with combining hash functions is twofold: First, you may get weird interactions between the two that can make it even weaker than the system should be in theory. Second is that your hash is only as secure as the weakest hash because you can exploit the weaknesses in that hash to control the outputs of the stronger hash and the system as a whole, in the vast, vast majority of implementations.
The only exception to the second rule is concatenation of outputs with non-identical inputs, which is not what most people implement. On top of that, the theoretical strength of concatenation of hashes with non-identical inputs is not that much more than the strongest hash by itself, especially when compared to raising the parameters of modern hashes.
(Score: 1, Insightful) by Anonymous Coward on Wednesday September 11 2019, @11:52AM (1 child)
Having 2 or more individual hashes, from different ciphers or techniques, should not interact in the way you describe. This does mean that you either need multiple passes over the data or a specially optimized set of functions that can iterate the data through multiple ciphers side by side, allowing the performance benefit of the current data still being in-memory for each hashing function's pass. Given modern CPU technology the CPU time is negligible but the disk I/O wasted could be dramatic.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @06:51PM
If you are talking about something like H1(H2(password)), H1(password)||H2(password), H1(password) xor H2(password), etc. then they absolutely do interact that way. There are numerous papers that prove that, which I can find when off work, if you'd like.
(Score: 4, Interesting) by FatPhil on Wednesday September 11 2019, @08:37AM
Which is noticeably absent in both your comment and TFPR (yes, it is a press release).
So I'm with the "pump & dump" school here.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Funny) by VLM on Wednesday September 11 2019, @12:46PM (3 children)
The evidence of it being broken seems rather homeopathic.
Something mathematical was created, then passed through 256 rounds of journalist dilution, and you end up with distilled water containing statistically likely less than one line's worth of actual mathematical proof.
Still, the lack of anything in the diluted product doesn't imply the original source contained ... something.
(Score: 1, Insightful) by Anonymous Coward on Wednesday September 11 2019, @01:06PM (2 children)
A lack of proof for something makes it even more likely in my opinion.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @07:24PM
Which is why you're absolutely certain that every time you kiss your wife/girlfriend, you get my sperm in your mouth.
Good show!
(Score: 2) by VLM on Thursday September 12 2019, @11:21AM
Could be a pump and dump scheme, yes. Usually "real results" are not announced this way.
My guess is to avoid massive SEC legal impact, there is a kernel of truth where they DID bust SHA-256 down to the equivalent of SHA-255.99999 AND SIMULTANEOUSLY there's a chance there might be a pump and dump scheme underway.
(Score: 2, Informative) by Anonymous Coward on Wednesday September 11 2019, @06:23AM
According to https://www.ssllabs.com/ssl-pulse/ [ssllabs.com] SHA-256 is used by over 99% of websites on the web. In addition, many clients don't support most of the alternative signature algorithms. You are probably lucky if you have SHA-384 or SHA-512 support, let alone any of the others.
(Score: 1, Insightful) by Anonymous Coward on Wednesday September 11 2019, @06:33AM
Oh, great! Looks like I'm going to have to encrypt the White Album again!
(Score: 3, Interesting) by Anonymous Coward on Wednesday September 11 2019, @06:36AM (12 children)
And it won't, SHA256 is only used to validate the block (chain)/ proof of work, nothing else. Lots of "investors" won't understand this and I would not be surprised that they start dumping it for other (non-sha256) coins. With a bit of luck one could make a nice bit of coins out of it.*
Disclaimer: this is not financial advice.
(Score: 2, Funny) by Anonymous Coward on Wednesday September 11 2019, @06:45AM (6 children)
Of course, it is not even about actual money!
(Score: 4, Insightful) by maxwell demon on Wednesday September 11 2019, @07:09AM (5 children)
Real estate isn't money either (it doesn't even pretend to be), yet advice for or against buying real estate is generally considered financial advice.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @07:31AM (4 children)
(Score: 2, Touché) by Anonymous Coward on Wednesday September 11 2019, @11:02AM (3 children)
I'll bet I can sell a bitcoin faster than you can sell a house.
(Score: 4, Funny) by Acabatag on Wednesday September 11 2019, @12:31PM (2 children)
I bet I can sell a deck of Magic the Gathering cards faster than you can sell a house.
Beanie babies, maybe not. They've reached past due date.
(Score: 1, Funny) by Anonymous Coward on Wednesday September 11 2019, @05:49PM (1 child)
(turns to Beanie Baby collection) "Don't you listen to teh bad Acabatag, I still love you all my little schnookemsus. There, there, now come and give me a huggles!"
(Score: 0) by Anonymous Coward on Thursday September 12 2019, @06:50AM
That degenerated rather quickly, and in a way almost no one could have predicted.
(Score: 5, Interesting) by maxwell demon on Wednesday September 11 2019, @07:07AM (4 children)
Breaking SHA256 means that you have a method to generate a specific hash with significantly better than brute force efficiency. Which means that you have put in less work than you "proved". If you are the only one who has it, it certainly gives you a distinct advantage in mining, and might be enough to gain 50% of apparent computing power, and thus gain control of the blockchain. And even if not directly, it might be used to drive the difficulty up enough that many miners give up, and thus 50% is gained that way.
If the method to break it gets publicly known, it's not that harmful to Bitcoin, as then everyone can use it, and the difficulty will adapt accordingly. But if only select people have it, those select people have the ability to subvert Bitcoin.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @07:56AM (2 children)
But will that happen? Normally, breaking a hash means you can get (more easily) a collision. With Bitcoin this doesn't matter. What matters is that the hash generated gets a better score than the difficulty. I'm not sure that breaking SHA256 will get you a better chance at beating the difficulty as you still have to go through the search space to get something that gets accepted.
(Score: 3, Interesting) by Anonymous Coward on Wednesday September 11 2019, @08:17AM (1 child)
This is not a collision attack, but a preimage attack. This means that you can take an arbitrary hash and compute a plaintext that when hashed produces the output you want. For Bitcoin, rather than having to repeatedly guess what input will meet your proof of work output, you can work backwards from the proof of work and calculate all valid inputs with a 100% success rate. At higher difficulties, this can be much easier than repeatedly guessing and testing because the probability of a successful guess is so low.
(Score: 1) by YttriumOxide on Thursday September 12 2019, @05:52AM
Which in the case of a Bitcoin block would still need to be a valid block, massively reducing the space of "useful" preimages you can find for that hash.
A Bitcoin block will not be accepted by other nodes if it tries to spend from inputs that don't exist, or if it tries to spend more from inputs than they have. Even if you get all of that right, the outputs need to be addresses under your control, or you then need to additionally break ECDSA to gain access to the coins they represent.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @01:13PM
This was already discussed by Satoshi, just switch to a new algo, the end
(Score: 2, Interesting) by Anonymous Coward on Wednesday September 11 2019, @08:28AM (3 children)
1) It's not
2) "Broken" doesn't always mean useless, sometimes it just means they've reduced the time required to produce a specific hash value from hojillions of years to zillions of years (but it is a warning sign that everyone needs to move to a new hash sooner rather than later)
3) Bitcoin uses double hashing, which makes preimage attacks much harder, and it probably wouldn't be affected by this attack.
4) They should release a couple dozen examples of nontrivial hash collisions, and offer to find inputs matching specific hashes chosen by cryptography experts
(Score: 2, Insightful) by Anonymous Coward on Wednesday September 11 2019, @12:33PM (2 children)
Definitely trust but verify.
Show two different hash inputs that make the same output.
That should not divulge (much) about what they did.
(Unless there is some other sense of the word 'break' associated with a hash?)
(Score: 2) by ElizabethGreene on Wednesday September 11 2019, @12:42PM (1 child)
> Show two different hash inputs that make the same output.
This is not an unreasonable bar for credibility for someone making a claim of a collision break.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @01:09PM
Bonus points if the two inputs show that you can make the hash collision by only changing a few selected bits.
(For example, flip the first bit in the input and then fix the hash by adjusting the last N bits in the input, when N is about the same size as the hash.)
Finding a random looking hash collision is neat, but finding one that looks like a real transaction is extraordinary.
Definitely a high bar to break the hash, but a low bar to show that you did.
That these folks don't show a result could say that the 2 inputs may show something about the hole they drove the truck through.
The problem with their story is that if they found a hole, others will also.
(It's funny how much more possible it is to solve some problems after you know they are solvable.)
If they really want to save the world, they need to be a bit more convincing.
As it stands, it sounds more like a cold fusion event.
Maybe good enough to wake up some bad guys, but not good enough to make the world prepare for them.
(Score: 5, Insightful) by The Shire on Wednesday September 11 2019, @10:16AM (2 children)
This kind of financial scam "news" should not be on SN. You're just propping up the con artists.
https://news.ycombinator.com/item?id=20927236 [ycombinator.com]
(Score: 1) by khallow on Wednesday September 11 2019, @12:22PM (1 child)
(Score: 1) by DECbot on Friday September 13 2019, @05:51PM
What's this? We're now allowing the economists and bankers to enter the cryptology club? Next thing it will be the marketing and sales people followed by the football jocks and cheerleaders. Give me back my punchcard reader, I'm going home!
cats~$ sudo chown -R us /home/base
(Score: 2) by RamiK on Wednesday September 11 2019, @12:29PM (1 child)
I'm guessing they're referencing https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html [googleblog.com] .
Most distros switched away from MD5 and SHA256 around that time so that's something I suppose.
Btw, Secure Boot uses SHA256... :D
compiling...
(Score: 2) by eravnrekaree on Wednesday September 11 2019, @04:34PM
SHA-1 has been known to be broken for some time. SHA-256 is not SHA-1, and it seems like people think SHA-256 is still considered secure.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @03:10PM (2 children)
Not releasing details is exactly what any responsible party would do when finding something like this, because there is so much of this stuff in use. So them not releasing any details does not harm their credibility. Once details are released, it could become trivial since off-the-shelf programs would become widely available to abuse it.
If they did find a way to crack it, it's also possible others know about it, since there are even better funded people who are looking for problems like this (states), but for their own purposes, and would themselves likely keep it out of public view as well since they want it for their own uses, since if it did become public information then it would no longer be of use to them.
Not releasing the details right now would be to keep it out of the hands of every two-bit scumbag scammer on the planet until a replacement algorithm is moved to (SHA-3). Always good to have more backups and bigger safety margins. SHA-10000 anyone?
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @05:13PM (1 child)
Then why wait over a year to announce it?
(Score: 1) by DECbot on Friday September 13 2019, @06:08PM
Because that is the computational time necessary to compute a solution to confirm their findings?
cats~$ sudo chown -R us /home/base
(Score: 4, Interesting) by stormwyrm on Wednesday September 11 2019, @03:25PM
I'm pretty sure that these people, if they feel that the actual method they used to crack SHA-256 is too risky to publish, ought to still be able to give conclusive proof that they've really cracked SHA-1, in the form of a collision for some SHA-256 hash. Let's see them give a preimage for A6:DC:A5:91:CA:32:85:A1:90:E8:D8:DB:9D:50:95:08:33:F0:F1:26:13:55:98:FE:BC:1C:92:AD:6C:50:91:EA, which is the SHA-256 of PayPal's certificate. I think a paper from Messrs. Takamoto and his colleagues in the Journal of Cryptography with this sort of demonstration would be warmly received, and a spur towards the adoption and development of other hash functions that don't use the classic Merkle–Damgård construction, e.g. SHA-3 (Keccak). But frankly, I'm not holding my breath. The fact that they went straight for the press release rather than publishing a peer-reviewed paper first raises a lot of red flags. They seem to be playing science by press release, which is almost never a good sign.
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Wednesday September 11 2019, @06:01PM
SHA256 hasn't been cracked. But there are shortcuts that yield a better than brute force method of achieving a given hash. And the fact they are using this to market a bitcoin miner just proves it isn't about preimage or collision.
Let's examine what a bitcoin miner does using math.
Given mem = mempool, or in other words a collection of transactions that have yet to be included in a block.
Given diff = an arbitrary number between 0 and 2 pow 256 -1.
Given n = nonce a single use salt.
Mining proceeds thusly.
Order mem such that the result of the SHA256 hash of mem[0...]+n is less than diff.
The way modern miners work is to order mem once, then apply all values for n between 0 and 2 pow 32 in parallel. Gather the outputs, then compare the output vs diff, and if out is greater than diff, reorder mem and re-apply n.
The key here is it must be below diff and diff is a pretty huge number. That means there are many, many valid numbers that will work and that is by design.
It seems that what they have "discovered", if anything at all, is that due to the fixed block size of SHA256, you can compute prehashes in parallel for all possible configurations of mem and then apply all possible values for n, all in parallel.
This is still brute force but it is more of a scatter, gather type situation.
And it's nothing new. Bitmain has been offering ASIC miners with this feature since at least 2017.
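The mining loop the post walks through (order mem, sweep n, compare against diff, reorder mem on failure), as an added Python example that is not from the post: the mempool commitment, the header layout and the sample transactions are constructed stand-ins, not Bitcoin's real Merkle root or 80-byte header, and the double SHA-256 is the "double hashing" mentioned upthread.

```python
import hashlib
import struct
from typing import List, Optional, Tuple

def double_sha256(data: bytes) -> bytes:
    # Bitcoin's proof-of-work hash: SHA-256 applied twice.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def commit_mempool(txs: List[bytes]) -> bytes:
    # Constructed stand-in for the Merkle root: a hash over the ordered transaction list.
    # Reordering `txs` changes this commitment and therefore the whole search space for n.
    return double_sha256(b"".join(txs))

def pow_value(prev_hash: bytes, mem_commit: bytes, nonce: int) -> int:
    # Hash (previous block hash || mempool commitment || 32-bit nonce) as a 256-bit integer.
    data = prev_hash + mem_commit + struct.pack("<I", nonce)
    return int.from_bytes(double_sha256(data), "little")

def search_nonce(prev_hash: bytes, mem_commit: bytes, target: int, max_nonce: int) -> Optional[int]:
    # Brute force: return the first nonce whose hash is below the target, else None.
    for nonce in range(max_nonce):
        if pow_value(prev_hash, mem_commit, nonce) < target:
            return nonce
    return None

def mine(prev_hash: bytes, txs: List[bytes], target: int,
         max_nonce: int = 2**16, max_reorders: int = 8) -> Optional[Tuple[List[bytes], int]]:
    # The loop the post describes: fix an ordering of mem, sweep n, and if nothing
    # qualifies rotate the ordering and sweep again.
    order = list(txs)
    for _ in range(max_reorders):
        nonce = search_nonce(prev_hash, commit_mempool(order), target, max_nonce)
        if nonce is not None:
            return order, nonce
        order = order[1:] + order[:1]
    return None

def verify(prev_hash: bytes, txs: List[bytes], nonce: int, target: int) -> bool:
    # Validation is one hash and one comparison, independent of how the solution was found.
    return pow_value(prev_hash, commit_mempool(txs), nonce) < target

def count_solutions(prev_hash: bytes, txs: List[bytes], target: int, limit: int) -> int:
    # Number of nonces in [0, limit) below the target: a large target leaves many valid
    # answers, which is the "many, many valid numbers" point in the post.
    c = commit_mempool(txs)
    return sum(1 for n in range(limit) if pow_value(prev_hash, c, n) < target)

# Constructed sample input (not real chain data).
PREV_HASH = bytes(32)
TXS = [b"tx-alice->bob", b"tx-carol->dave", b"tx-erin->frank"]
EASY_TARGET = 2**256 >> 8   # roughly one nonce in 256 qualifies
```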