Ask HN: SHA2 vulnerability post was removed. Why? Is it legit?

[benzinschleuder]

Hello. A moment ago someone posted this: https://github.com/laie/WorldsFirstSha2Vulnerability It's now gone from HN.

Is the vulnerability legit?

[lisper]

Yes. It's legit. No idea why it was removed. It was actually deleted, not just flagged to death.

[UPDATE] Turns out I was wrong and this is not a vulnerability at all:

https://crypto.stackexchange.com/questions/48580/fixed-point...

[user5994461]

https://github.com/laie/WorldsFirstSha2Vulnerability

Work by a random dude who pretends to find infinite collision so bad that he can't publish it.

No math. No explanation.

The code is a mix of single letter variables with hardly any comment.

Thank you, I'll pass.

[jstanley]

The code sets up a sha256 state, then adds some input to sha256, and then demonstrates that the sha256 state is the same as it was.

I'd say that counts as a vulnerability. It doesn't mean sha256 is broken, but it's a vulnerability.

EDIT: All of this modulo a rigged sha256.py, of course

[lisper]

Yes, but the rigged sha256 seems to produce the same results as a real sha256. And there's nothing obviously hinky in the code that I can see on cursory inspection. If this is rigged, it's rigged in a particularly clever way.

[UPDATE] Turns out this is not a vulnerability at all:

https://crypto.stackexchange.com/questions/48580/fixed-point...

[user5994461]

You can google for existing sha256 collisions, nothing special in hard coding one.

Google it and you'll find the source, if it's a popular collision already published in papers.

[lisper]

I think you're confusing SHA256 with SHA1.

[ctz]

A fixed point in the compression function is not a vulnerability.

Not sure why the post was deleted though.

[dddddaviddddd]

See also https://news.ycombinator.com/item?id=14654696 where it's been reposted with comments.

[8draco8]

New thread here https://news.ycombinator.com/item?id=14655077

[jstanley]

I cloned the repo in case it gets taken down from GitHub as well.

It's also in ipfs at /ipfs/QmXZwBkdVXBQoB7uZMUh5bzfKAHXnJT836GV1xotiQ46RW and I've pinned it on both of my ipfs servers.

If you want to do the same:

  ipfs pin add QmXZwBkdVXBQoB7uZMUh5bzfKAHXnJT836GV1xotiQ46RW

or to get it from github:

  git clone https://github.com/laie/WorldsFirstSha2Vulnerability
  ipfs add -Hr WorldsFirstSha2Vulnerability/

(-H includes hidden files - i.e. .git/)