
Topic: SHA256 Collision Attack (Read 13522 times)

member
Activity: 86
Merit: 10
September 01, 2013, 12:29:45 PM
#54
Yes I know, but it gives such a great feeling to find dependencies within sets of bits that were possibly unintended.
b!z
legendary
Activity: 1582
Merit: 1010
September 01, 2013, 11:02:24 AM
#53
I'm still attacking SHA-2 (256). Of course I know it's not going to work out, but it's a nice and learnful hobby.

Sometimes while hobbying, I run into stupid questions. Like this one:
Wikipedia claims that the best preimage attack on SHA-2 is actually reduced (41 rounds) in time 2^(253.5).
It seems trivial to have a full 2^256 attack (so where do I go wrong?) if SHA is really a bit pseudorandom. Input to SHA is 447 (free) bits; output is 256 (fixed) bits. I make some propagators to rule out trivially conflicting bit assignments. I make 191 non-locally-conflicting random bit-assignments (propagating after each assignment). I have 256 free bits left. Since there are 256 free bits and the output is also 256 bits, I expect to have 1.0 solution left. I search for it with brute-force.

good luck cracking sha 256. it probably won't ever work.
member
Activity: 86
Merit: 10
September 01, 2013, 09:06:30 AM
#52
I'm still attacking SHA-2 (256). Of course I know it's not going to work out, but it's a nice and learnful hobby.

Sometimes while hobbying, I run into stupid questions. Like this one:
Wikipedia claims that the best preimage attack on SHA-2 is actually reduced (41 rounds) in time 2^(253.5).
It seems trivial to have a full 2^256 attack (so where do I go wrong?) if SHA is really a bit pseudorandom. Input to SHA is 447 (free) bits; output is 256 (fixed) bits. I make some propagators to rule out trivially conflicting bit assignments. I make 191 non-locally-conflicting random bit-assignments (propagating after each assignment). I have 256 free bits left. Since there are 256 free bits and the output is also 256 bits, I expect to have 1.0 solution left. I search for it with brute-force.
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
July 16, 2013, 12:14:23 AM
#51
My 10 BTC is expired, it's already spent Tongue
But you can probably get a lot more than the few thousand bitcoins you get here.
Also, a normal SHA-256 isn't that interesting for bitcoin. For bitcoin you need SHA-256d which is SHA-256(SHA-256())
An arbitrary collision on SHA-256 gives a collision on SHA-256d.
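The point made in the reply above, shown on a toy hash (an added example, not part of the thread): any two inputs that collide under the inner hash necessarily collide under the doubled hash, while a doubled-hash collision can also arise in the outer call only. The 3-byte truncation and the names `h`, `hd`, `find_collision` and `where_collides` are assumptions chosen so the search finishes instantly.

```python
import hashlib
from itertools import count

TRUNC = 3  # bytes kept from the digest; constructed toy size, not a real parameter

def h(data: bytes) -> bytes:
    """Toy stand-in for SHA-256: the first TRUNC bytes of the real digest."""
    return hashlib.sha256(data).digest()[:TRUNC]

def hd(data: bytes) -> bytes:
    """Same construction as SHA-256d: the hash applied to its own output."""
    return h(h(data))

def find_collision(fn):
    """Birthday search: hash counter-derived messages until two outputs match."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        out = fn(msg)
        if out in seen:
            return seen[out], msg
        seen[out] = msg

def where_collides(a: bytes, b: bytes) -> str:
    """Classify a pair: 'inner' if h already collides, 'outer' if only hd does."""
    if h(a) == h(b):
        return "inner"
    return "outer" if hd(a) == hd(b) else "none"

if __name__ == "__main__":
    a, b = find_collision(h)
    # An inner collision feeds identical bytes to the outer call, so hd must match.
    print(a, b, h(a).hex(), hd(a).hex(), hd(b).hex(), where_collides(a, b))
    c, d = find_collision(hd)
    # Searching hd directly may hit either stage; the converse does not hold.
    print(c, d, where_collides(c, d))
```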
hero member
Activity: 1596
Merit: 502
July 16, 2013, 12:08:22 AM
#50
My 10 BTC is expired, it's already spent Tongue
But you can probably get a lot more than the few thousand bitcoins you get here.
Also, a normal SHA-256 isn't that interesting for bitcoin. For bitcoin you need SHA-256d which is SHA-256(SHA-256())
member
Activity: 86
Merit: 10
July 15, 2013, 05:53:38 PM
#49
Are these bounties still on? If so, could you post expiry dates and/or expiry events?
newbie
Activity: 42
Merit: 0
October 07, 2012, 03:21:20 PM
#48
Give it to a 3yr old kid, if anyone can break it, they can.
legendary
Activity: 1176
Merit: 1001
October 06, 2012, 11:50:15 AM
#47
I don't have the time right now to read it, but somehow I think the attack isn't related to the 160-bit but more to the algorithm.
Well, fortunately, the SHA-2 algorithm (which also includes SHA-256) is completely different than SHA-1.

Quote
So if a flaw is found in SHA-1 with 160-bit, and you make a SHA-1b with 320-bit, a collision can be found in somewhat the same time.
I doubt it - the described possible future attack abuses some weak properties of SHA-1, to reduce the number of brute force attempts from 2^80 to 2^52.
If you do the same with a 320-bit hash, you're still dealing with 2^132 (reduced from 2^160) attempts or maybe 2^104 in best case scenario (if the weak properties extend to additional SHA rounds in the 320-bit version).

Well, 2^104 is still a HECK of a lot more than 2^80 Smiley
Once we can do 2^80 in one day (which we can't, not even in 6-9 years cause the described scenario only deals with the reduced 2^52 case), the 2^104 would still take 45.000 years. Good luck with that sir Smiley
hero member
Activity: 1596
Merit: 502
October 06, 2012, 09:24:42 AM
#46
I don't have the time right now to read it, but somehow I think the attack isn't related to the 160-bit but more to the algorithm.
So if a flaw is found in SHA-1 with 160-bit, and you make a SHA-1b with 320-bit, a collision can be found in somewhat the same time.
legendary
Activity: 1176
Merit: 1001
October 06, 2012, 08:47:00 AM
#45
So, any news on this?

I just noticed an article by Bruce Schneier, where he states that we might start seeing the first successful SHA-1 attacks in 6-9 years from now.

Now remember, SHA-1 is just 160-bit. The SHA-2 variant used in Bitcoin is 256-bit, that's almost a hundred million billion trillion (!!) more possibilities. Somehow I doubt the stories about SHA256 collisions that some people were claiming here Grin
member
Activity: 107
Merit: 10
July 04, 2012, 07:04:56 AM
#44
Unfortunately I'm in no position to prove this yet, as I don't know how to 'sign a message'
and have no BTC to spend... Sad

You now have 0.0638 BTC from me... assuming you have the private key to that address.  Send it anywhere, and your claim that you own the address is proven correct.


Hi, I've just made a test send.
I guess this proves that I do own the key to that address.
legendary
Activity: 1078
Merit: 1016
760930
June 29, 2012, 12:18:05 PM
#43
It must be a very secret band as there are no Google results found for "Jompin Dox"



+1!  I call bluff...  But I still just donated a few bitcents to that mystery address, in case you're the real deal Smiley
member
Activity: 66
Merit: 10
June 29, 2012, 12:15:50 PM
#42
It must be a very secret band as there are no Google results found for "Jompin Dox"

legendary
Activity: 1176
Merit: 1001
June 29, 2012, 11:09:48 AM
#41
Do the bets made in this thread apply to me
if I can successfully prove my claim?
No, well at least not my part Smiley

My bounty was on a pure sha256 collision. That is: two different sequences of bytes (not necessarily of the same length) which have the same sha256 hash.

A vanity address is something entirely different (although a 11+ digit vanity address is impressive if you indeed have the corresponding private key).

I'll add another 1000 BTC if you can generate a collision for a specific sha256 hash Smiley
Let's say, for example, if you can generate data (a sequence of bytes) which has this sha256 hash: 7bf3c0394237866352e95d84c91648bc141ab32f64e1b56ac198bb618571846d

Quote
Being totally broke (I was devastated by a $350,000 loss last year, but that's another story)
Damn man, sounds shitty Sad
member
Activity: 107
Merit: 10
June 29, 2012, 09:26:55 AM
#40
I've also just found these:

 16L48ssoSeG1worstVpsENv1rewVsw7nMa

 1GpacsJetrebeLcV15FSmw3vjLmPsineCp

Don't know if that's impressive or not
legendary
Activity: 1078
Merit: 1016
760930
June 29, 2012, 08:50:20 AM
#39
Interesting... Watching this too

I've never been able to find a vanity address longer than 5 characters with my prehistoric laptop... Sad
member
Activity: 107
Merit: 10
June 29, 2012, 03:34:35 AM
#38
I don't know about the others, but you can have my 10BTC if you can show a sha256 collision.
But the bitcoin address is something else, I don't bet about that (yet?).

It is possible you have the keypair for the address with your name in it, but I don't know how you made it. It still is possible for you to have chosen your name because of that address.
However, if you really think you can generate a specific address, I can make a new address and put some bitcoins on it. Then I tell you the address and you generate the keypair and have the bitcoins.
But if it is possible to do that, why not just choose some used addresses and use the coins on it.

Lol of course I'm not able to do that Smiley I don't have that kind of superpower... Or it would mean the end of Bitcoin...
hero member
Activity: 1596
Merit: 502
June 29, 2012, 03:30:40 AM
#37
I don't know about the others, but you can have my 10BTC if you can show a sha256 collision.
But the bitcoin address is something else, I don't bet about that (yet?).

It is possible you have the keypair for the address with your name in it, but I don't know how you made it. It still is possible for you to have chosen your name because of that address.
However, if you really think you can generate a specific address, I can make a new address and put some bitcoins on it. Then I tell you the address and you generate the keypair and have the bitcoins.
But if it is possible to do that, why not just choose some used addresses and use the coins on it.
member
Activity: 107
Merit: 10
June 29, 2012, 03:18:08 AM
#36
I do have a question first.

Do the bets made in this thread apply to me
if I can successfully prove my claim?

Casascius himself stated that my claim was "incredible".

However, I didn't actually break SHA256 or anything, so how much
you're willing to bet on my claim that I did find that address
and own the key to it is up to you.

Being totally broke (I was devastated by a $350,000 loss last year,
but that's another story), I'm naturally very curious about that.
hero member
Activity: 1596
Merit: 502
June 28, 2012, 05:07:57 PM
#35
Unfortunately I'm in no position to prove this yet, as I don't know how to 'sign a message'
and have no BTC to spend... Sad

You now have 0.0638 BTC from me... assuming you have the private key to that address.  Send it anywhere, and your claim that you own the address is proven correct.
Following, http://blockchain.info/address/1ELECeJompinDox61L73eAUyaWpe3Q5HZB


How easy would it be to "vanitygen a bunch of 9-character semi-pronounceable string and pick one that looks best"?
The base58 part consists of the characters "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
vowels : 3 uppercase, 5 lowercase. (AEUaeiou)
consonants : 21 uppercase, 20 lowercase.
numbers : 9

If you want it like JompinDox, 3x (consonant vowel consonant) with the first and seventh characters uppercase, your chance will be
21/58 * 5/58 * 20/58 * 20/58 * 5/58 * 20/58 * 21/58 * 5/58 * 20/58 = (5^3 * 20^4 * 21^2) / (58^9) = 8820000000 / 7427658739644928 = 1.1874535851954921019166981507839e-6
1 / 1.1874535851954921019166981507839e-6 = 842138 tries.

But IIRC the bitcoin address is a 1 followed by 33 characters of the base58 string.
So you have 25 places it can occur, making it 842138 / 25 = 33685.52 tries.

(about the last part I'm not 100% sure, but I know for sure it gives you a better chance so lowering your tries needed)
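The estimate in the post above, reproduced from the quoted base58 alphabet (an added example, not part of the thread). It assumes, as the post does, that address characters are uniform and independent; the pattern codes (`C`/`c` upper/lower consonant, `V`/`v` upper/lower vowel, `d` digit) and all function names are hypothetical. Dividing by the number of windows is a union-bound estimate, and `simulate` shows on a short pattern where that estimate stops being accurate.

```python
from fractions import Fraction
import random

# Base58 alphabet exactly as quoted in the post.
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def classify(ch):
    """Map a character to its class code: d, C, c, V or v."""
    if ch.isdigit():
        return "d"
    code = "v" if ch.lower() in "aeiou" else "c"
    return code.upper() if ch.isupper() else code

def class_counts(alphabet=BASE58):
    """Count how many alphabet characters fall in each class."""
    counts = {}
    for ch in alphabet:
        counts[classify(ch)] = counts.get(classify(ch), 0) + 1
    return counts

def pattern_probability(pattern, alphabet=BASE58):
    """Exact chance that len(pattern) uniform characters match the class pattern."""
    counts = class_counts(alphabet)
    p = Fraction(1)
    for code in pattern:
        p *= Fraction(counts[code], len(alphabet))
    return p

def expected_tries(pattern, body_len=None):
    """1/p at a fixed position, or 1/(p * windows) if it may start anywhere."""
    windows = 1 if body_len is None else body_len - len(pattern) + 1
    return 1 / (pattern_probability(pattern) * windows)

def simulate(pattern, body_len, trials, seed=1):
    """Fraction of random bodies containing the class pattern at any offset."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        codes = "".join(classify(c) for c in rng.choices(BASE58, k=body_len))
        hits += pattern in codes
    return hits / trials

if __name__ == "__main__":
    jompin = "CvccvcCvc"  # class pattern of "JompinDox"
    print(class_counts())
    print(float(expected_tries(jompin)), float(expected_tries(jompin, 33)))
    # Short pattern: the union bound gives p * 32 (about 1.0), far above the simulated rate.
    print(float(pattern_probability("Cv") * 32), simulate("Cv", 33, 20000))
```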