Pages:
Author

Topic: SHA256 Collision Attack (Read 13555 times)

member
Activity: 86
Merit: 10
September 01, 2013, 11:29:45 AM
#54
Yes I know, but it gives such a great feeling to find dependencies within sets of bits that were possibly unintended.
b!z
legendary
Activity: 1582
Merit: 1010
September 01, 2013, 10:02:24 AM
#53
I'm still attacking SHA-2 (256). Of course I know it's not going to work out, but it's a nice and learnful hobby.

Sometimes while hobbying, I run into stupid questions. Like this one:
Wikipedia claims that the best preimage attack on SHA-2 is actually reduced (41 rounds) in time 2^(253.5).
It seems trivial to have a full 2^256 attack (so where do I go wrong?) if SHA is really a bit pseudorandom. Input to SHA is 447 (free) bits; output is 256 (fixed) bits. I make some propagators to rule out trivially conflicting bit assignments. I make 191 non-locally-conflicting random bit-assignments (propagating after each assignment). I have 256 free bits left. Since there are 256 free bits and the output is also 256 bits, I expect to have 1.0 solution left. I search for it with brute-force.

good luck cracking sha 256. it probably won't ever work.
member
Activity: 86
Merit: 10
September 01, 2013, 08:06:30 AM
#52
I'm still attacking SHA-2 (256). Of course I know it's not going to work out, but it's a nice and learnful hobby.

Sometimes while hobbying, I run into stupid questions. Like this one:
Wikipedia claims that the best preimage attack on SHA-2 is actually reduced (41 rounds) in time 2^(253.5).
It seems trivial to have a full 2^256 attack (so where do I go wrong?) if SHA is really a bit pseudorandom. Input to SHA is 447 (free) bits; output is 256 (fixed) bits. I make some propagators to rule out trivially conflicting bit assignments. I make 191 non-locally-conflicting random bit-assignments (propagating after each assignment). I have 256 free bits left. Since there are 256 free bits and the output is also 256 bits, I expect to have 1.0 solution left. I search for it with brute-force.
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
July 15, 2013, 11:14:23 PM
#51
My 10 BTC is expired, it's already spent Tongue
But you can probably get a lot more than the few thousand bitcoins you get here.
Also, a normal SHA-256 isn't that interesting for bitcoin. For bitcoin you need SHA-256d which is SHA-256(SHA-256())
An arbitrary collision on SHA-256 gives a collision on SHA-256d.
hero member
Activity: 1596
Merit: 502
July 15, 2013, 11:08:22 PM
#50
My 10 BTC is expired, it's already spent Tongue
But you can probably get a lot more than the few thousand bitcoins you get here.
Also, a normal SHA-256 isn't that interesting for bitcoin. For bitcoin you need SHA-256d which is SHA-256(SHA-256())
member
Activity: 86
Merit: 10
July 15, 2013, 04:53:38 PM
#49
Are these bounties still on? If so, could you post expiry dates and/or expiry events?
newbie
Activity: 42
Merit: 0
October 07, 2012, 02:21:20 PM
#48
Give it to a 3yr old kid, if anyone can break it, they can.
legendary
Activity: 1176
Merit: 1011
October 06, 2012, 10:50:15 AM
#47
I don't have the time right now to read it, but somehow I think the attack isn't related to the 160-bit but more to the algoritm.
Well, fortunately, the SHA-2 algorithm (which also includes SHA-256) is completely different than SHA-1.

Quote
So if a flaw is found in SHA-1 with 160-bit, and you make a SHA-1b with 320-bit, a collision can be found in somewhat the same time.
I doubt it - the described possible future attack abuses some weak properties of SHA-1, to reduce the number of brute force attempts from 280 to 252.
If you do the same with a 320-bit hash, you're still dealing with 2132 (reduced from 2160) attempts or maybe 2104 in best case scenario (if the weak properties extend to additional SHA rounds in the 320-bit version).

Well, 2104 is still a HECK of a lot more than 280 Smiley
Once we can do 280 in one day (which we can't, not even in 6-9 years cause the described scenario only deals with the reduced 252 case), the 2104 would still take 45.000 years. Good luck with that sir Smiley
hero member
Activity: 1596
Merit: 502
October 06, 2012, 08:24:42 AM
#46
I don't have the time right now to read it, but somehow I think the attack isn't related to the 160-bit but more to the algoritm.
So if a flaw is found in SHA-1 with 160-bit, and you make a SHA-1b with 320-bit, a collision can be found in somewhat the same time.
legendary
Activity: 1176
Merit: 1011
October 06, 2012, 07:47:00 AM
#45
So, any news on this?

I just noticed an article by Bruce Schneier, where he states that we might start seeing the first successful SHA-1 attacks in 6-9 years from now.

Now remember, SHA-1 is just 160-bit. The SHA-2 variant used in Bitcoin is 256-bit, that's almost a hundred million billion trillion (!!) more possibilities. Somehow I doubt the stories about SHA256 collisions that some people were claiming here Grin
member
Activity: 107
Merit: 10
July 04, 2012, 06:04:56 AM
#44
Unfortunately I'm in no position to prove this yet, as I don't know how to 'sign a message'
and have no BTC to spend... Sad

You now have 0.0638 BTC from me... assuming you have the private key to that address.  Send it anywhere, and your claim that you own the address is proven correct.


Hi, I've just made a test send.
I guess this proves that I do own the key to that address.
legendary
Activity: 1092
Merit: 1016
090930
June 29, 2012, 11:18:05 AM
#43
It must be a very secret band as there are no Google results found for "Jompin Dox"



+1!  I call bluff...  But I still just donated a few bitcents to that mystery address, in case you're the real deal Smiley
member
Activity: 66
Merit: 10
June 29, 2012, 11:15:50 AM
#42
It must be a very secret band as there are no Google results found for "Jompin Dox"

legendary
Activity: 1176
Merit: 1011
June 29, 2012, 10:09:48 AM
#41
Do the bets made in this thread apply to me
if I can successfully prove my claim?
No, well at least not my part Smiley

My bounty was on a pure sha256 collision. That is: two different sequences of bytes (not necessarily of the same length) which have the same sha256 hash.

A vanity address is something entirely different (although a 11+ digit vanity address is impressive if you indeed have the corresponding private key).

I'll add another 1000 BTC is you can generate a collision for a specific sha256 hash Smiley
Let's say, for example, if you can generate data (a sequence of bytes) which has this sha256 hash: 7bf3c0394237866352e95d84c91648bc141ab32f64e1b56ac198bb618571846d

Quote
Being totally broke (I was devastated by a $350,000 loss last year, but that's another story)
Damn man, sounds shitty Sad
member
Activity: 107
Merit: 10
June 29, 2012, 08:26:55 AM
#40
I've also just found these:

 16L48ssoSeG1worstVpsENv1rewVsw7nMa

 1GpacsJetrebeLcV15FSmw3vjLmPsineCp

Don't know if that's impressive or not
legendary
Activity: 1092
Merit: 1016
090930
June 29, 2012, 07:50:20 AM
#39
Interesting... Watching this too

I've never been able to find a vanity address longer than 5 characters with my prehistoric laptop... Sad
member
Activity: 107
Merit: 10
June 29, 2012, 02:34:35 AM
#38
I don't know about the others, but you can have my 10BTC if you can show a sha256 collision.
But the bitcoin address is something else, I don't bet about that (yet?).

It is possible you have the keypair for the address with you name in it, but I don't know how you made it. It still is possible for you to have choosen your name because of that address.
However, if you really think you can generate a specific address, I can make a new address and put some bitcoins on it. Then I tell you the address and you generate the keypair and have the bitcoins.
But if it is possible to do that, why not just choose some used addresses and use the coins on it.

Lol of course I'm not able to do that Smiley I don't have that kind of superpower... Or it would mean the end of Bitcoin...
hero member
Activity: 1596
Merit: 502
June 29, 2012, 02:30:40 AM
#37
I don't know about the others, but you can have my 10BTC if you can show a sha256 collision.
But the bitcoin address is something else, I don't bet about that (yet?).

It is possible you have the keypair for the address with you name in it, but I don't know how you made it. It still is possible for you to have choosen your name because of that address.
However, if you really think you can generate a specific address, I can make a new address and put some bitcoins on it. Then I tell you the address and you generate the keypair and have the bitcoins.
But if it is possible to do that, why not just choose some used addresses and use the coins on it.
member
Activity: 107
Merit: 10
June 29, 2012, 02:18:08 AM
#36
I do have a question first.

Do the bets made in this thread apply to me
if I can successfully prove my claim?

Casascius himself stated that my claim was "incredible".

However, I didn't actually break SHA256 or anything, so how much
you're willing to bet on my claim that I did find that address
and own the key to it is up to you.

Being totally broke (I was devastated by a $350,000 loss last year,
but that's another story), I'm naturally very curious about that.
hero member
Activity: 1596
Merit: 502
June 28, 2012, 04:07:57 PM
#35
Unfortunately I'm in no position to prove this yet, as I don't know how to 'sign a message'
and have no BTC to spend... Sad

You now have 0.0638 BTC from me... assuming you have the private key to that address.  Send it anywhere, and your claim that you own the address is proven correct.
Following, http://blockchain.info/address/1ELECeJompinDox61L73eAUyaWpe3Q5HZB


How easy would it be to "vanitygen a bunch of 9-character semi-pronounceable string and pick one that looks best"?
The base58 part contains out of the characters "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
vowels : 3 uppercase, 5 lowercase. (AEUaeiou)
consonants : 21 uppercase, 20 lowercase.
numbers : 9

If you want it like JompinDox, 3x (consonant vowel consonant) with the first and seventh characters uppercase, your chance will be
21/58 * 5/58 * 20/58 * 20/58 * 5/58 * 20/58 * 21/58 * 5/58 * 20/58 = (5^3 * 20^4 * 21^2) / (58^9) = 8820000000 / 7427658739644928 = 1.1874535851954921019166981507839e-6
1 / 1.1874535851954921019166981507839e-6 = 842138 tries.

But IIRC the bitcoin address is a 1 followed by 33 characters of the base58 string.
So you have 25 places it can occur, making it 842138 / 25 = 33685.52 tries.

(about the last part I'm not 100% sure, but I know for sure it gives you a better chance so lowering your tries needed)
Pages:
Jump to: