Bitcoin Forum
November 06, 2024, 07:28:51 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Hardened SHA-1 vs weakened SHA-256: How to test them?  (Read 115 times)
vjudeu (OP)
Copper Member
Legendary
*
Offline Offline

Activity: 898
Merit: 2236



View Profile
September 24, 2023, 08:26:37 AM
Merited by NotATether (10), digaran (1), DaCryptoRaccoon (1)
 #1

Many people wonder, what will happen, when SHA-256 will be broken. One of my responses was often "just test it", also in many previous topics on bitcointalk. Today, I will try to add more details, and show exactly, how SHA-1 was hardened, and how SHA-256 could be weakened, so you could write some tests, and see, how your nodes would behave.

The first step is to understand SHA-1 and hardened SHA-1. Because it is easier to grasp than SHA-256, and because a lot of things are similar. Also because it is easier for me to explain some topics, based on SHA-1, because I started my journey from this particular hash function. The easiest attacks, and a lot of basic theory, related to hash functions, are explained in my previous topic: https://bitcointalk.org/index.php?topic=5402178

Quote
For example, reduce SHA-256 into the first 16 rounds, and then try to attack your own, vulnerable nodes.
This part is easy. For SHA-1, I demonstrated a practical attack on the first 16 rounds, you can find all details in the topic linked above. To reach the same step for SHA-256, all you need is just implementing SHA-256, instead of SHA-1 first, and then just commenting out the code related to everything what happens after the 16th round. To make it clear, I will show you my console output, so you can compare it with your results.
Code:
 0   6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19
 1   00000000 6a09e667 bb67ae85 3c6ef372 9cbf5a55 510e527f 9b05688c 1f83d9ab
 2   00000000 00000000 6a09e667 bb67ae85 126d4d6d 9cbf5a55 510e527f 9b05688c
 3   00000000 00000000 00000000 6a09e667 bb67ae85 126d4d6d 9cbf5a55 510e527f
 4   00000000 00000000 00000000 00000000 6a09e667 bb67ae85 126d4d6d 9cbf5a55
 5   00000000 00000000 00000000 00000000 00000000 6a09e667 bb67ae85 126d4d6d
 6   00000000 00000000 00000000 00000000 00000000 00000000 6a09e667 bb67ae85
 7   00000000 00000000 00000000 00000000 00000000 00000000 00000000 6a09e667
 8   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
 9   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
10   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
11   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
12   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
13   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
14   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
15   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
16   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
17   6bcf588f 00000000 00000000 00000000 6bcf588f 00000000 00000000 00000000
18   7c0ab1bb 6bcf588f 00000000 00000000 581ffbc5 6bcf588f 00000000 00000000
19   dadb5392 7c0ab1bb 6bcf588f 00000000 fab1a13c 581ffbc5 6bcf588f 00000000
20   448b1417 dadb5392 7c0ab1bb 6bcf588f 82517927 fab1a13c 581ffbc5 6bcf588f
You probably wonder, which message produced something like that, so you can test it by yourself. I printed also next rounds, up to 20, to show non-zero values for comparison, but you only need the first 16 rounds to compute those w-values below:
Code:
03f777b3 eec88896 2ebcf339 38b0c4f5
99cddf33 d839f21d 484ee870 ead9bac4
27f85568 ed7ca4ff dbce7a42 aaf3823d
8d41a28c 7f214e02 6423f959 3e640e8c
The notation for w-values is identical as in my previous topic. Also, for SHA-256, there are pages, where you can test all of that, for example https://sha256algorithm.com/ Then, you can switch into "hex" mode, and type "03f777b3eec888962ebcf33938b0c4f599cddf33d839f21d484ee870ead9bac427f85568ed7ca4f fdbce7a42aaf3823d8d41a28c7f214e026423f9593e640e8c" as your input. Then, after calculating w-values, in 51th step, you will see a-value full of zeroes, this is just what you can see as "a[1]" in my console output. Then, you will see a stream of zeroes, up to the 67th step, where you will see, that "a[17]" is equal to 0x6bcf588f, and then you will see it as "01101011110011110101100010001111" in binary, and "6b cf 58 8f" if you hover your mouse on that label. Also note that in this particular case, you will reach two 512-bit blocks, one exactly matching your input, and the second one identical to what you could observe with SHA-1: a leading one, some zeroes for padding, and the size of the message in bits.

Now, it is a good time to go back into SHA-1 vs hardened SHA-1. How exactly the attack on SHA-1 looked like? Well, as a Bitcoiner, you can directly explore that, because there is a puzzle address 37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP, so all you need is just exploring the chain, finding that address as an input in some transaction, and then getting the data. So, let's do that: https://mempool.space/tx/9ec2a0db0c4c3423a6b2c3cb2a26fc626b037121b4b5f3f57b08916196ff14e0

We can see two OP_PUSHDATA2, followed by OP_PUSHBYTES_8, that contains the Script under P2SH. We focus on the first two pushes, and write them in my notation for w-values, to see, what is going on. Also, I splitted it into 512-bit blocks, and added init and exit hash between them. Then, I also placed both messages side-by-side, to make it easier to analyze them.
Code:
 firstHash: 67452301 efcdab89 98badcfe 10325476 c3d2e1f0
secondHash: 67452301 efcdab89 98badcfe 10325476 c3d2e1f0

+-------------------------------------+-------------------------------------+
| 25504446 2d312e33 0a25e2e3 cfd30a0a | 25504446 2d312e33 0a25e2e3 cfd30a0a |
| 0a312030 206f626a 0a3c3c2f 57696474 | 0a312030 206f626a 0a3c3c2f 57696474 |
| 68203220 3020522f 48656967 68742033 | 68203220 3020522f 48656967 68742033 |
| 20302052 2f547970 65203420 3020522f | 20302052 2f547970 65203420 3020522f |
+-------------------------------------+-------------------------------------+

 firstHash: 86d9d255 e2214ecd 4cca107e c732990e 044af3b4
secondHash: 86d9d255 e2214ecd 4cca107e c732990e 044af3b4

+-------------------------------------+-------------------------------------+
| 53756274 79706520 35203020 522f4669 | 53756274 79706520 35203020 522f4669 |
| 6c746572 20362030 20522f43 6f6c6f72 | 6c746572 20362030 20522f43 6f6c6f72 |
| 53706163 65203720 3020522f 4c656e67 | 53706163 65203720 3020522f 4c656e67 |
| 74682038 20302052 2f426974 73506572 | 74682038 20302052 2f426974 73506572 |
+-------------------------------------+-------------------------------------+

 firstHash: 453012e6 38524c1f eef312bd 2561990c 22b0ae50
secondHash: 453012e6 38524c1f eef312bd 2561990c 22b0ae50

+-------------------------------------+-------------------------------------+
| 436f6d70 6f6e656e 7420383e 3e0a7374 | 436f6d70 6f6e656e 7420383e 3e0a7374 |
| 7265616d 0affd8ff fe002453 48412d31 | 7265616d 0affd8ff fe002453 48412d31 |
| 20697320 64656164 21212121 21852fec | 20697320 64656164 21212121 21852fec |
| 09233975 9c39b1a1 c63c4c97 e1fffe01 | 09233975 9c39b1a1 c63c4c97 e1fffe01 |
+-------------------------------------+-------------------------------------+

 firstHash: 4ea96269 7c876e26 74d107f0 fec67984 14f5bf45
secondHash: 4ea96269 7c876e26 74d107f0 fec67984 14f5bf45

+-------------------------------------+-------------------------------------+
| 7f46dc93 a6b67e01 3b029aaa 1db2560b | 7346dc91 66b67e11 8f029ab6 21b2560f |
| 45ca67d6 88c7f84b 8c4c791f e02b3df6 | f9ca67cc a8c7f85b a84c7903 0c2b3de2 |
| 14f86db1 690901c5 6b45c153 0afedfb7 | 18f86db3 a90901d5 df45c14f 26fedfb3 |
| 6038e972 722fe7ad 728f0e49 04e046c2 | dc38e96a c22fe7bd 728f0e45 bce046d2 |
+-------------------------------------+-------------------------------------+

 firstHash: 8d64d617 ffed5352 ebc85915 5ec7eb34 f38a5a7b
secondHash: 8d64c821 ffed52e2 ebc85915 5ec7eb36 738a5a7b

+-------------------------------------+-------------------------------------+
| 30570fe9 d41398ab e12ef5bc 942be335 | 3c570feb 141398bb 552ef5a0 a82be331 |
| 42a4802d 98b5d70f 2a332ec3 7fac3514 | fea48037 b8b5d71f 0e332edf 93ac3500 |
| e74ddc0f 2cc1a874 cd0c7830 5a215664 | eb4ddc0d ecc1a864 790c782c 76215660 |
| 61309789 606bd0bf 3f98cda8 044629a1 | dd309791 d06bd0af 3f98cda4 bc4629b1 |
+-------------------------------------+-------------------------------------+

 firstHash: 1eacb25e d5970d10 f1736963 5771bc3a 17b48ac5
secondHash: 1eacb25e d5970d10 f1736963 5771bc3a 17b48ac5
That means, the first three 512-bit blocks are just a setup, and then, the real collision happens in the last two blocks. Also, as you can easily note, there is no need to worry about the size of the message in bits. If you manipulate some blocks in the middle, then the size of the message does not matter, and you can freely modify all 512 bits in your block. After the attack, "1eacb25e d5970d10 f1736963 5771bc3a 17b48ac5" will be used to compute further hashes, so all next blocks are unaffected, and the size of the whole message will be somewhere at the end of the file, and potentially could be gigabytes away from the place, where the attack happens.

Also, it is probably possible to mount a better attack, designed especially for Bitcoin, and produce two 512-bit blocks, that will start from "67452301 efcdab89 98badcfe 10325476 c3d2e1f0", and will end with the same hash. But as you can see, those data were grabbed from the famous PDF, and that's why you can see 0x25504446, which is "%PDF" in ASCII.

For our purposes, we are interested only in the last two 512-bit blocks. So, that means "4ea96269 7c876e26 74d107f0 fec67984 14f5bf45" is our initialization vector, and then we compute all rounds side-by-side for those two messages, and compare our results. Also, to better show, how many things are similar, and how exactly that hash function was attacked, let's put a dot if both characters are identical, and show only those cases, where the second char is different than the first.
Code:
 0   4ea96269 7c876e26 74d107f0 fec67984 14f5bf45 | ........ ........ ........ ........ ........
 1   baac7a3a 4ea96269 9f21db89 74d107f0 fec67984 | ae.....8 ........ ........ ........ ........
 2   9400000e baac7a3a 53aa589a 9f21db89 74d107f0 | d3ffffdc ae.....8 ........ ........ ........
 3   a1fff7a0 9400000e aeab1e8e 53aa589a 9f21db89 | f....172 d3ffffdc 2b...... ........ ........
 4   1efff7df a1fff7a0 a5000003 aeab1e8e 53aa589a | 5....81d f....172 34fffff7 2b...... ........
 5   82f63dfa 1efff7df 287ffde8 a5000003 aeab1e8e | c.....a8 5....81d bc...c5c 34fffff7 2b......
 6   9a3d458a 82f63dfa c7bffdf7 287ffde8 a5000003 | c.....98 c.....a8 5....e0. bc...c5c 34fffff7
 7   7e37a200 9a3d458a a0bd8f7e c7bffdf7 287ffde8 | f....... c.....98 3.....6a 5....e0. bc...c5c
 8   efe1b305 7e37a200 a68f5162 a0bd8f7e c7bffdf7 | f....... f....... 32.....6 3.....6a 5....e0.
 9   da00537c efe1b305 1f8de880 a68f5162 a0bd8f7e | f....... f....... 3....... 32.....6 3.....6a
10   b3e35ad9 da00537c 7bf86cc1 1f8de880 a68f5162 | ........ f....... .f...... 3....... 32.....6
11   4850d044 b3e35ad9 368014df 7bf86cc1 1f8de880 | 6....... ........ .e...... .f...... 3.......
12   09c17f32 4850d044 6cf8d6b6 368014df 7bf86cc1 | 4....... 6....... ........ .e...... .f......
13   edb48aac 09c17f32 12143411 6cf8d6b6 368014df | 6....... 4....... .a...... ........ .e......
14   1dfc8056 edb48aac 82705fcc 12143411 6cf8d6b6 | 3....... 6....... 9....... .a...... ........
15   8bcaa7f8 1dfc8056 3b6d22ab 82705fcc 12143411 | 0....... 3....... 1....... 9....... .a......
16   86385307 8bcaa7f8 877f2015 3b6d22ab 82705fcc | 4....... 0....... .f...... 1....... 9.......
17   9c93f2b2 86385307 22f2a9fe 877f2015 3b6d22ab | 1....... 4....... 0....... .f...... 1.......
18   6ce962ba 9c93f2b2 e18e14c1 22f2a9fe 877f2015 | c....... 1....... d....... 0....... .f......
19   44eb00a1 6ce962ba a724fcac e18e14c1 22f2a9fe | c....... c....... 8....... d....... 0.......
20   75558023 44eb00a1 9b3a58ae a724fcac e18e14c1 | 5....... c....... b3...... 8....... d.......
21   45831ae0 75558023 513ac028 9b3a58ae a724fcac | ........ 5....... 7....... b3...... 8.......
22   f5eb0c8e 45831ae0 dd556008 513ac028 9b3a58ae | d....... ........ .5...... 7....... b3......
23   50282425 f5eb0c8e 1160c6b8 dd556008 513ac028 | d....... d....... ........ .5...... 7.......
24   b865f1e9 50282425 bd7ac323 1160c6b8 dd556008 | d....... d....... .5...... ........ .5......
25   ea72e116 b865f1e9 540a0909 bd7ac323 1160c6b8 | ........ d....... 7....... .5...... ........
26   58181588 ea72e116 6e197c7a 540a0909 bd7ac323 | ........ ........ 76...... 7....... .5......
27   214c89bb 58181588 ba9cb845 6e197c7a 540a0909 | a....... ........ ........ 76...... 7.......
28   2acab7f7 214c89bb 16060562 ba9cb845 6e197c7a | a....... a....... ........ ........ 76......
29   bb7dc14f 2acab7f7 c853226e 16060562 ba9cb845 | ........ a....... e....... ........ ........
30   dcad95d0 bb7dc14f cab2adfd c853226e 16060562 | ........ ........ e....... e....... ........
31   45e4780c dcad95d0 eedf7053 cab2adfd c853226e | ........ ........ ........ e....... e.......
32   042ace9d 45e4780c 372b6574 eedf7053 cab2adfd | ........ ........ ........ ........ e.......
33   d3d9b48a 042ace9d 11791e03 372b6574 eedf7053 | ........ ........ ........ ........ ........
34   7672710f d3d9b48a 410ab3a7 11791e03 372b6574 | f....... ........ ........ ........ ........
35   83225ba2 7672710f b4f66d22 410ab3a7 11791e03 | ........ f....... ........ ........ ........
36   80ab6776 83225ba2 dd9c9c43 b4f66d22 410ab3a7 | 0....... ........ f....... ........ ........
37   77624d3e 80ab6776 a0c896e8 dd9c9c43 b4f66d22 | ........ 0....... ........ f....... ........
38   2765f0b8 77624d3e a02ad9dd a0c896e8 dd9c9c43 | a....... ........ 8....... ........ f.......
39   35706647 2765f0b8 9dd8934f a02ad9dd a0c896e8 | ........ a....... ........ 8....... ........
40   7b0fe851 35706647 09d97c2e 9dd8934f a02ad9dd | 3....... ........ 2....... ........ 8.......
41   59fa0e60 7b0fe851 cd5c1991 09d97c2e 9dd8934f | ........ 3....... ........ 2....... ........
42   a26700c3 59fa0e60 5ec3fa14 cd5c1991 09d97c2e | ........ ........ 4....... ........ 2.......
43   41f4a789 a26700c3 167e8398 5ec3fa14 cd5c1991 | c....... ........ ........ 4....... ........
44   4d0ace5b 41f4a789 e899c030 167e8398 5ec3fa14 | ........ c....... ........ ........ 4.......
45   2c1c4d6e 4d0ace5b 507d29e2 e899c030 167e8398 | ........ ........ 7....... ........ ........
46   ee2faa2e 2c1c4d6e d342b396 507d29e2 e899c030 | ........ ........ ........ 7....... ........
47   bafcb771 ee2faa2e 8b07135b d342b396 507d29e2 | ........ ........ ........ ........ 7.......
48   3549c548 bafcb771 bb8bea8b 8b07135b d342b396 | b....... ........ ........ ........ ........
49   12faf0c7 3549c548 6ebf2ddc bb8bea8b 8b07135b | ........ b....... ........ ........ ........
50   ffaf7cc4 12faf0c7 0d527152 6ebf2ddc bb8bea8b | ........ ........ 2....... ........ ........
51   83096d95 ffaf7cc4 c4bebc31 0d527152 6ebf2ddc | ........ ........ ........ 2....... ........
52   cfa75299 83096d95 3febdf31 c4bebc31 0d527152 | ........ ........ ........ ........ 2.......
53   d572e5ea cfa75299 60c25b65 3febdf31 c4bebc31 | ........ ........ ........ ........ ........
54   5a1ee329 d572e5ea 73e9d4a6 60c25b65 3febdf31 | d....... ........ ........ ........ ........
55   c5ae579b 5a1ee329 b55cb97a 73e9d4a6 60c25b65 | ........ d....... ........ ........ ........
56   cbd5a62a c5ae579b 5687b8ca b55cb97a 73e9d4a6 | 4....... ........ 7....... ........ ........
57   41da8e24 cbd5a62a f16b95e6 5687b8ca b55cb97a | ........ 4....... ........ 7....... ........
58   35938b70 41da8e24 b2f5698a f16b95e6 5687b8ca | ........ ........ 9....... ........ 7.......
59   d2474e42 35938b70 1076a389 b2f5698a f16b95e6 | ........ ........ ........ 9....... ........
60   50952b1b d2474e42 0d64e2dc 1076a389 b2f5698a | ........ ........ ........ ........ 9.......
61   b24b802b 50952b1b b491d390 0d64e2dc 1076a389 | ........ ........ ........ ........ ........
62   fd4c0cdb b24b802b d4254ac6 b491d390 0d64e2dc | ........ ........ ........ ........ ........
63   381c7466 fd4c0cdb ec92e00a d4254ac6 b491d390 | ........ ........ ........ ........ ........
64   638e6ffb 381c7466 ff530336 ec92e00a d4254ac6 | ........ ........ ........ ........ ........
65   2f54687c 638e6ffb 8e071d19 ff530336 ec92e00a | ........ ........ ........ ........ ........
66   7f8b5b5e 2f54687c d8e39bfe 8e071d19 ff530336 | ........ ........ ........ ........ ........
67   ed136ecf 7f8b5b5e 0bd51a1f d8e39bfe 8e071d19 | ........ ........ ........ ........ ........
68   876723e6 ed136ecf 9fe2d6d7 0bd51a1f d8e39bfe | .......5 ........ ........ ........ ........
69   d40df72b 876723e6 fb44dbb3 9fe2d6d7 0bd51a1f | ........ .......5 ........ ........ ........
70   56085031 d40df72b a1d9c8f9 fb44dbb3 9fe2d6d7 | ........ ........ 6....... ........ ........
71   dec7725b 56085031 f5037dca a1d9c8f9 fb44dbb3 | .......9 ........ ........ 6....... ........
72   a468adb7 dec7725b 5582140c f5037dca a1d9c8f9 | .......6 .......9 ........ ........ 6.......
73   174666ea a468adb7 f7b1dc96 5582140c f5037dca | ........ .......6 7....... ........ ........
74   6658d3c1 174666ea e91a2b6d f7b1dc96 5582140c | .......5 ........ a....... 7....... ........
75   35ce3bc4 6658d3c1 85d199ba e91a2b6d f7b1dc96 | .......6 .......5 ........ a....... 7.......
76   7a526cdb 35ce3bc4 599634f0 85d199ba e91a2b6d | .......9 .......6 .......1 ........ a.......
77   8005c6c1 7a526cdb 0d738ef1 599634f0 85d199ba | .......9 .......9 8....... .......1 ........
78   dbdd4495 8005c6c1 de949b36 0d738ef1 599634f0 | ........ .......9 5....... 8....... .......1
79   8365e52c dbdd4495 600171b0 de949b36 0d738ef1 | .....4b. ........ .......2 5....... 8.......
80   3ebb73ae 8365e52c 76f75125 600171b0 de949b36 | ....65b8 .....4b. ........ .......2 5.......
81   8d64d617 ffed5352 ebc85915 5ec7eb34 f38a5a7b | ....c821 .....2e. ........ .......6 7.......

 0   8d64d617 ffed5352 ebc85915 5ec7eb34 f38a5a7b | ....c821 .....2e. ........ .......6 7.......
 1   16c9a022 8d64d617 bffb54d4 ebc85915 5ec7eb34 | a2.7e144 ....c821 ......b8 ........ .......6
 2   567a5ece 16c9a022 e3593585 bffb54d4 ebc85915 | 1.427752 a2.7e144 6....208 ......b8 ........
 3   a2411708 567a5ece 85b26808 e3593585 bffb54d4 | .3..e.4. 1.427752 28.1f.51 6....208 ......b8
 4   9bfffbbf a2411708 959e97b3 85b26808 e3593585 | 8c000aee .3..e.4. 8..0.dd4 28.1f.51 6....208
 5   8632263e 9bfffbbf 289045c2 959e97b3 85b26808 | c.....fa 8c000aee ..d.79d. 8..0.dd4 28.1f.51
 6   4bbfc602 8632263e e6fffeef 289045c2 959e97b3 | 0.....33 c.....fa a30002bb ..d.79d. 8..0.dd4
 7   40ff6846 4bbfc602 a18c898f e6fffeef 289045c2 | 1.....67 0.....33 b.....be a30002bb ..d.79d.
 8   c878b626 40ff6846 92eff180 a18c898f e6fffeef | d.....07 1.....67 c......c b.....be a30002bb
 9   d9d6faf9 c878b626 903fda11 92eff180 a18c898f | 9......8 d.....07 c4.....9 c......c b.....be
10   f66fde57 d9d6faf9 b21e2d89 903fda11 92eff180 | ........ 9......8 f6.....1 c4.....9 c......c
11   18b9d6d0 f66fde57 7675bebe b21e2d89 903fda11 | 3....... ........ 2....... f6.....1 c4.....9
12   d29443af 18b9d6d0 fd9bf795 7675bebe b21e2d89 | ........ 3....... ........ 2....... f6.....1
13   3f37b363 d29443af 062e75b4 fd9bf795 7675bebe | b....... ........ .e...... ........ 2.......
14   476a6b31 3f37b363 f4a510eb 062e75b4 fd9bf795 | 6....... b....... ........ .e...... ........
15   b931f9f5 476a6b31 cfcdecd8 f4a510eb 062e75b4 | 3....... 6....... e....... ........ .e......
16   8303d07f b931f9f5 51da9acc cfcdecd8 f4a510eb | 4....... 3....... .9...... e....... ........
17   b43e250a 8303d07f 6e4c7e7d 51da9acc cfcdecd8 | 3....... 4....... 4....... .9...... e.......
18   abaf9f48 b43e250a e0c0f41f 6e4c7e7d 51da9acc | 0....... 3....... d....... 4....... .9......
19   e211c3f9 abaf9f48 ad0f8942 e0c0f41f 6e4c7e7d | 6....... 0....... 8....... d....... 4.......
20   e8587fd2 e211c3f9 2aebe7d2 ad0f8942 e0c0f41f | 4....... 6....... 02...... 8....... d.......
21   1f6a934d e8587fd2 788470fe 2aebe7d2 ad0f8942 | ........ 4....... 5....... 02...... 8.......
22   6958bccc 1f6a934d ba161ff4 788470fe 2aebe7d2 | 4....... ........ 92...... 5....... 02......
23   b0a4a9e1 6958bccc 47daa4d3 ba161ff4 788470fe | 3....... 4....... ........ 92...... 5.......
24   a44b1ecc b0a4a9e1 1a562f33 47daa4d3 ba161ff4 | c....... 3....... .2...... ........ 92......
25   e5b180a4 a44b1ecc 6c292a78 1a562f33 47daa4d3 | ........ c....... 4....... .2...... ........
26   faf1c4b4 e5b180a4 2912c7b3 6c292a78 1a562f33 | ........ ........ 31...... 4....... .2......
27   5cf2d24c faf1c4b4 396c6029 2912c7b3 6c292a78 | d....... ........ ........ 31...... 4.......
28   74ea83e3 5cf2d24c 3ebc712d 396c6029 2912c7b3 | f....... d....... ........ ........ 31......
29   07d69f01 74ea83e3 173cb493 3ebc712d 396c6029 | ........ f....... 3....... ........ ........
30   2af1f0bf 07d69f01 dd3aa0f8 173cb493 3ebc712d | ........ ........ f....... 3....... ........
31   f5ce43f0 2af1f0bf 41f5a7c0 dd3aa0f8 173cb493 | ........ ........ ........ f....... 3.......
32   82819796 f5ce43f0 cabc7c2f 41f5a7c0 dd3aa0f8 | ........ ........ ........ ........ f.......
33   459e5d18 82819796 3d7390fc cabc7c2f 41f5a7c0 | ........ ........ ........ ........ ........
34   c4507a75 459e5d18 a0a065e5 3d7390fc cabc7c2f | 4....... ........ ........ ........ ........
35   43a040aa c4507a75 11679746 a0a065e5 3d7390fc | ........ 4....... ........ ........ ........
36   6d9bf87b 43a040aa 71141e9d 11679746 a0a065e5 | e....... ........ 5....... ........ ........
37   82f57b3f 6d9bf87b 90e8102a 71141e9d 11679746 | ........ e....... ........ 5....... ........
38   e3250fdd 82f57b3f db66fe1e 90e8102a 71141e9d | 6....... ........ f....... ........ 5.......
39   0f04eaec e3250fdd e0bd5ecf db66fe1e 90e8102a | ........ 6....... ........ f....... ........
40   2a015f47 0f04eaec 78c943f7 e0bd5ecf db66fe1e | 6....... ........ 5....... ........ f.......
41   b2cf3243 2a015f47 03c13abb 78c943f7 e0bd5ecf | ........ 6....... ........ 5....... ........
42   77f74470 b2cf3243 ca8057d1 03c13abb 78c943f7 | ........ ........ d....... ........ 5.......
43   729c1a5a 77f74470 ecb3cc90 ca8057d1 03c13abb | f....... ........ ........ d....... ........
44   ba6dcb6d 729c1a5a 1dfdd11c ecb3cc90 ca8057d1 | ........ f....... ........ ........ d.......
45   0c15d3ca ba6dcb6d 9ca70696 1dfdd11c ecb3cc90 | ........ ........ b....... ........ ........
46   0d16d87b 0c15d3ca 6e9b72db 9ca70696 1dfdd11c | ........ ........ ........ b....... ........
47   0316046c 0d16d87b 830574f2 6e9b72db 9ca70696 | ........ ........ ........ ........ b.......
48   9ae38fa4 0316046c c345b61e 830574f2 6e9b72db | 1....... ........ ........ ........ ........
49   a40e45b4 9ae38fa4 00c5811b c345b61e 830574f2 | ........ 1....... ........ ........ ........
50   47187a4c a40e45b4 26b8e3e9 00c5811b c345b61e | ........ ........ 0....... ........ ........
51   b97fce11 47187a4c 2903916d 26b8e3e9 00c5811b | ........ ........ ........ 0....... ........
52   eec2acf8 b97fce11 11c61e93 2903916d 26b8e3e9 | ........ ........ ........ ........ 0.......
53   50e6b76f eec2acf8 6e5ff384 11c61e93 2903916d | ........ ........ ........ ........ ........
54   96a14625 50e6b76f 3bb0ab3e 6e5ff384 11c61e93 | 1....... ........ ........ ........ ........
55   6c5e973b 96a14625 d439addb 3bb0ab3e 6e5ff384 | ........ 1....... ........ ........ ........
56   2fd3d405 6c5e973b 65a85189 d439addb 3bb0ab3e | a....... ........ 4....... ........ ........
57   eecaf715 2fd3d405 db17a5ce 65a85189 d439addb | ........ a....... ........ 4....... ........
58   00794081 eecaf715 4bf4f501 db17a5ce 65a85189 | ........ ........ 6....... ........ 4.......
59   7280d918 00794081 7bb2bdc5 4bf4f501 db17a5ce | ........ ........ ........ 6....... ........
60   b2c09d11 7280d918 401e5020 7bb2bdc5 4bf4f501 | ........ ........ ........ ........ 6.......
61   df32e121 b2c09d11 1ca03646 401e5020 7bb2bdc5 | ........ ........ ........ ........ ........
62   140d431f df32e121 6cb02744 1ca03646 401e5020 | ........ ........ ........ ........ ........
63   9c5f9bbe 140d431f 77ccb848 6cb02744 1ca03646 | ........ ........ ........ ........ ........
64   4d3a7d2d 9c5f9bbe c50350c7 77ccb848 6cb02744 | ........ ........ ........ ........ ........
65   5707f29b 4d3a7d2d a717e6ef c50350c7 77ccb848 | ........ ........ ........ ........ ........
66   5767d031 5707f29b 534e9f4b a717e6ef c50350c7 | ........ ........ ........ ........ ........
67   9cf16825 5767d031 d5c1fca6 534e9f4b a717e6ef | ........ ........ ........ ........ ........
68   490ea7d5 9cf16825 55d9f40c d5c1fca6 534e9f4b | .......4 ........ ........ ........ ........
69   0be3b8a0 490ea7d5 673c5a09 55d9f40c d5c1fca6 | ........ .......4 ........ ........ ........
70   4aba1cfa 0be3b8a0 5243a9f5 673c5a09 55d9f40c | ........ ........ 1....... ........ ........
71   351330b2 4aba1cfa 02f8ee28 5243a9f5 673c5a09 | .......0 ........ ........ 1....... ........
72   6a8d4576 351330b2 92ae873e 02f8ee28 5243a9f5 | .......7 .......0 ........ ........ 1.......
73   53368ebb 6a8d4576 8d44cc2c 92ae873e 02f8ee28 | ........ .......7 0....... ........ ........
74   b02fcd7b 53368ebb 9aa3515d 8d44cc2c 92ae873e | .......7 ........ d....... 0....... ........
75   b101e1ad b02fcd7b d4cda3ae 9aa3515d 8d44cc2c | .......f .......7 ........ d....... 0.......
76   90a8c128 b101e1ad ec0bf35e d4cda3ae 9aa3515d | .......a .......f .......d ........ d.......
77   e2a7441b 90a8c128 6c40786b ec0bf35e d4cda3ae | .......3 .......a e....... .......d ........
78   16ac4138 e2a7441b 242a304a 6c40786b ec0bf35e | ........ .......3 a....... e....... .......d
79   d5a9b9be 16ac4138 f8a9d106 242a304a 6c40786b | .....a2. ........ .......4 a....... e.......
80   9147dc47 d5a9b9be 05ab104e f8a9d106 242a304a | ....ea3d .....a2. ........ .......4 a.......
81   1eacb25e d5970d10 f1736963 5771bc3a 17b48ac5 | ........ ........ ........ ........ ........
We can read a lot of things from this console output. First, we should note that a lot of things are repeated. We start, and end with identical hash, so we can see the fully dotted line at the beginning, and in the end. But if we explore, what is happening in the middle, we can easily note, that even in hexadecimal view, only single bits are flipped here and there, everything else stays the same, and the dotted area is very large.

More than that: we can see the whole areas, where many rounds are just identical. By analyzing it further, we can notice, which rounds exactly are the weakest link, and how they were attacked. So, now the question is: how hardened SHA-1 was built on top of that?

The good starting point is this post: https://crypto.stackexchange.com/questions/44141/what-is-hardened-sha-1-how-does-it-work-and-how-much-protection-does-it-offer Also, there is ready to use source code for hardening SHA-1, and for detecting, if some file was manipulated or not: https://github.com/cr-marcstevens/sha1collisiondetection

Quote
More specifically they will detect any cryptanalytic collision attack against SHA-1 using any of the top 32 SHA-1 disturbance vectors with probability 1:
Code:
I(43,0), I(44,0), I(45,0), I(46,0), I(47,0), I(48,0), I(49,0), I(50,0), I(51,0), I(52,0),
I(46,2), I(47,2), I(48,2), I(49,2), I(50,2), I(51,2),
II(45,0), II(46,0), II(47,0), II(48,0), II(49,0), II(50,0), II(51,0), II(52,0), II(53,0), II(54,0), II(55,0), II(56,0),
II(46,2), II(49,2), II(50,2), II(51,2)
The possibility of false positives can be neglected as the probability is smaller than 2^-90.
What does it mean? Well, those "disturbance vectors" just change the internal state of some 32-bit values inside SHA-1, with some probability. Sometimes those values stay the same, sometimes they are tweaked a little bit. And what does it mean in the context of this topic? Well, not only you can use those vectors to create some hardened SHA-1, based on the original one. You can also use different vectors, in a similar way, to actually weaken your hash function!

So, how to weaken SHA-256 for testing? Well, you start with original SHA-256, and you run some regtest node. Then, you create a "disturbance vector", that will flip some SHA-256 internal states, with some probability. And then, your hash function would behave in a very similar way as the original SHA-256, but it will be slightly weaker, and then, you can test a scenario of reaching a successful SHA-256 collision or preimage, even if you are unable to find it for the original SHA-256.

Also, if "disturbance vectors" seems too hard, then there are some other low-hanging-fruits, for example k-values. You can even find an example, where someone tweaked SHA-1 constants, and created collisions in that way. So, you can do the same thing with SHA-256, if you don't want to dig into "disturbance vectors", and create something easier: https://malicioussha1.github.io/ And if that thing also seems to be hard, then you can note, that if you disable k-values entirely, by setting all of them to zero, then for zero initialization vector, you will reach zero hash. I think based on that, you can start digging deeper in this topic.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
digaran
Copper Member
Hero Member
*****
Offline Offline

Activity: 1330
Merit: 899

🖤😏


View Profile
September 26, 2023, 05:25:39 AM
Merited by vjudeu (1)
 #2

Last year I was working with WIF keys and learned how to generate a WIF with any checksum, 8 zeros, 1s, 2s etc.
Using Wifsolver cuda, then I started thinking, what if we used 16 first chars of second hash as checksum, 32 first chars even, wouldn't that help us in solving any ( at least any second hash with our desired 16 chars ) by brute forcing a key using a similar approach as wifsolver?

I know this is stupid, I could find any WIF with my desired checksum in matter of seconds, that's why I thought about this.

But is it easier to find some custom long checksum by combining a curve into it?  I know this topic is about something else, but I haven't seen sha256 related topics. And someone who knows enough.

🖤😏
vjudeu (OP)
Copper Member
Legendary
*
Offline Offline

Activity: 898
Merit: 2236



View Profile
September 26, 2023, 05:43:57 AM
 #3

Quote
what if we used 16 first chars of second hash as checksum, 32 first chars even, wouldn't that help us in solving any ( at least any second hash with our desired 16 chars ) by brute forcing a key using a similar approach as wifsolver?
It doesn't matter, because checksum is based on hash, and is completely separated from that. If you have zero checksum, then your address is as strong as it was previously. If you have 2^160 addresses, and you have some 32-bit checksum, that means for checksum equal to zero, you will have something around 2^128 addresses. So, it won't help you with anything. Vanity addresses are as good as vanity checksums.

Also, if you would have N first chars as your checksum, then why you need that "checksum" in the first place, if nothing is really "checked", but only repeated? You can even have 160-bit "checksum" that is just a copy of your address. Does it change everything? No, your address is then as safe as some address with no checksum, but it is just longer.

So, the current checksum is as good as it is. You should use it to make sure that your address is correct, but after that, you can just drop it, and focus on your 160-bit hash. Also, in case of bech32 addresses, the whole checksum can not only detect, that your address does not match your checksum, but can also be used to fix it, in case of some errors.

Quote
But is it easier to find some custom long checksum by combining a curve into it?
Not at all. Curves and hashes are two different things, and usually you use different attacks on them. So, if you want for example all zeroes as your checksum, then you should focus on hash functions, and forget entirely about elliptic curves, because they are not used in this specific case. The closest area where you need both, is making signatures. Because when it comes to checksums, you can have any 160-bit hash, even some random, where you don't know, what Script or key is behind it, and explore it without using any elliptic curves. Also, in some altcoins, you could have addresses with checksums, but those altcoins could use completely different elliptic curves, for example if you have Monero.

Quote
I know this topic is about something else, but I haven't seen sha256 related topics. And someone who knows enough.
Well, you can use some weakened SHA-256 to test checksums, and see all of that in practice. Because then, it is possible to for example create any checksums by computing single hash, instead of 2^32 hashes.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!