Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
If SHA256 were ever broken, much of the world would break down. This is especially true of many blockchain protocols. Why is this bad?
Contracts could be deployed to the same address, resulting in stolen funds. Geth has a fix that makes this impossible, but it is still interesting. Bridges using Txn IDs would only see one transaction instead of two. There are also application-specific reasons why this would be bad.
Most things use 256 bits, such as object IDs in Sui. However, even Ethereum addresses are 160 bits, or 2 ** 80 of security against collisions. The authors show that the cost of this would be in the range of 1-10 million dollars. They show some math from Bitcoin hashing profits and Facebook research. Anything under a billion dollars is a real threat.
What makes a hash function secure then?
- Preimage resistance. Find an arbitrary message m that can output x. This is typically 2 ** length.
- 2nd-preimage resistance. Find two messages that share the same hash. This is typically 2 ** length as well.
- Multi-target 2nd-preimage resistance. Given a set of hashes, can we find a matching hash for any of them? This is typically 2**(n-k) where n is the length of the hash and k is the size of the set we're checking against.
- Collision resistance. The birthday paradox. For 160 bit hashes, the effort is 2**80, for instance.
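The gap between these bounds can be measured on a toy hash. This is an added example, not code from the article or from this page's author: it truncates SHA-256 to n bits and counts the hashes needed for a birthday collision and for a multi-target match. The function names, message prefixes and the choice of 2**k targets for the set are assumptions made for the illustration.

```python
import hashlib
from itertools import count

def toy_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits (constructed toy hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def collision(bits: int):
    """Birthday search: any two distinct messages with the same hash.
    Expected work is about 2**(bits/2) hashes."""
    seen = {}
    for i in count():
        m = b"c-%d" % i          # constructed sample messages
        d = toy_hash(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m

def multi_target(bits: int, k: int):
    """Find a message whose hash matches any of 2**k target hashes.
    Expected work is about 2**(bits-k) hashes; k=0 is plain 2nd-preimage."""
    targets = {}
    for i in range(2 ** k):
        t = b"t-%d" % i          # constructed target messages
        targets[toy_hash(t, bits)] = t
    for i in count():
        m = b"s-%d" % i
        d = toy_hash(m, bits)
        if d in targets:
            return targets[d], m, i + 1

if __name__ == "__main__":
    n = 16  # toy size so every search finishes quickly
    work = collision(n)[2]
    print(f"n={n}: collision after {work} hashes (2**{n // 2} = {2 ** (n // 2)})")
    for k in (0, 4, 8):
        work = multi_target(n, k)[2]
        print(f"n={n}, 2**{k} targets: match after {work} hashes "
              f"(2**{n - k} = {2 ** (n - k)})")
```

The counts for one run vary around the expected values, but the ordering holds: the collision search finishes far sooner than the single-target search, and each extra bit of k roughly halves the multi-target work.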
Overall, an interesting threat modeling of hash collisions. Many of the things listed above are annoying buzz words and I liked how it was explained in the article.