Is a partial collision an indicator that it could be broken? The "we broke it" seems an exaggeration, but maybe that's a failure of my understanding.
reply
Possible. It's up to people to decide if they're OK with a known 92% collision out there (with the unknown being there could be a 100%), or go for something stronger.
reply
Thanks, you have this exactly right. The unknown part is especially worrying because we didn't implement many of the strongest ways to make it to the final stretch yet, i.e. Wang-style message modification. Our result is basically a very strong direction in this cryptographic research, but not a full break yet.
reply
Thank you for pointing out that that section could be clearer. I've now updated it. It now reads:

>We've just gotten 92% of the way to finding a single collision (this means that there is no full collision yet). This has security ramifications in that other researchers are expected to be able to complete the work through similar methods as explored in the paper, and eventually produce collisions at will. We weren't sure if this was a remarkable result, since it's not a full collision, but we shared the work with the leading cryptographer in the field, who holds the world records in reduced-round attacks, and got great encouragement to proceed to publish it as a paper, so we did so.

(If we had found a single full collision, we would have just written "we broke SHA-256". This is 92% of the way to a full collision. Any collision is considered a great reduction in the security of the hash, because it means that there are two different files with the same cryptographic hash. This is what happened to other algorithms such as MD5, as demonstrated in the linked tool.)

reply
What does "92% of the way" mean? 92% of what? How is that percentage measured?
reply
Well, try sha2-224. It’s 87% of the way to sha2-256. /s
reply
This is a really funny comment. In setting the world record for Li's 39-round collision[1] (still unbroken, and one of our favorite papers), he also set some records in sha-224, reaching 40 rounds in that one. Of course, saying sha-224 is "87% of the way" to sha-256 is correct in a sense, and that's why his record is slightly larger in reduced-round full-schedule collisions on that metric, 40 rounds for sha-224 and only 39 in sha-256. At the same time, the fact that he reached only 39/40 rounds on those shows the difficulty of getting through the full 64 rounds, which is what our paper does with a slightly relaxed schedule adherence.

[1] https://eprint.iacr.org/2024/349.pdf

reply