Sep 16, 2019

Was SHA-256 cracked? Don’t buy into retraction!

Posted by in categories: bitcoin, cryptocurrencies, encryption, government, hacking, internet, mathematics, military, privacy, security, software

SHA-256 is a one way hashing algorithm. Cracking it would have tectonic implications for consumers, business and all aspects of government including the military.

It’s not the purpose of this post to explain encryption, AES or SHA-256, but here is a brief description of SHA-256. Normally, I place reference links in-line or at the end of a post. But let’s get this out of the way up front:

One day after Treadwell Stanton DuPont claimed that a secret project cracked SHA-256 more than one year ago, they back-tracked. Rescinding the original claim, they announced that an equipment flaw caused them to incorrectly conclude that they had algorithmically cracked SHA-256.

All sectors can still sleep quietly tonight,” said CEO Mike Wallace. “Preliminary results in this cryptanalytic research led us to believe we were successful, but this flaw finally proved otherwise.

Yeah, sure! Why not sell me that bridge in Brooklyn while you backtrack?

The new claim makes no sense at all—a retraction of an earlier claim about a discovery by a crack team of research scientists (pun intended). The clues offered in the original claim, which was issued just one day earlier, cast suspicion on the retraction. Something fishy is going on here. Who pressured DuPont into making the retraction—and for what purpose? Something smells rotten in Denmark!

Let’s deconstruct this mess by reviewing the basic facts:

  • Wall Street, financial services firm claims they have solved a de facto contest in math & logic
  • They cracked the code a year ago, yet— incredibly—kept it secret until this week
  • A day later (with no outside review or challenge),* they admit the year-old crack was flawed

Waitacottenpickensec, Mr. DuPont!! The flaw (an ‘equipment issue’) was discovered a year after the equipment was configured and used—but just one day after you finally decided to disclose their past discovery? Poppycock!

I am not given to conspiracy theories (a faked moon landing, suppressing perpetual motion technology, autism & vaccinations, etc)—But I recognize government pressure when I see it! Someone with guns and persuasion convinced DuPont to rescind the claim and offer a silly experimental error.

Consider the fallout, if SHA-256 were to suddenly lose public confidence…

  • A broken SHA-256 would wreak havoc on an entrenched market. SHA-256 is a foundational element in the encryption used by consumers & business
  • But for government, disclosing a crack to a ubiquitous standard that they previously discovered (or designed) would destroy a covert surveillance mechanism—because the market would move quickly to replace the compromised methodology.

I understand why DuPont would boast of an impressive technical feat. Cracking AES, SSL or SHA-256 has become an international contest with bragging rights. But, I cannot imagine a reason to wait one year before disclosing the achievement. This, alone, does not create a conundrum. Perhaps DuPont was truly concerned that it would undermine trust in everyday communications, financial transactions and identity/access verification…

But retracting the claim immediately after disclosing it makes no sense at all. There is only one rational explanation. The original claim undermines the interests of some entity that has the power or influence to demand a retraction. It’s difficult to look at this any other way.

What about the everyday business of TS DuPont?

If the purpose of the original announcement was to generate press for DuPont’s financial services, then they have succeeded. An old axiom says that any press is good press. In this case, I don’t think so! Despite the potential for increased name recognition (Who knew that any DuPont was into brokerage & financial services?) I am not likely to think positively of TS DuPont for my investment needs.

* The cryptographic community could not challenge DuPont’s original claim, because it was not accompanied by any explanation of tools, experimental technique or mathematical methodology. Recognizing that SHA-256 is baked into the global infrastructure banking, of commerce and communications, their opaque announcement was designed to protect the economy. Thank you, Mr. DuPont, for being so noble!

Philip Raymond co-chairs CRYPSA, hosts the Bitcoin Event and is keynote speaker at Cryptocurrency Conferences. He is a top writer at Quora.


Comments — comments are now closed.

  1. Randall says:

    Totally agree. I’m not quite buying it. Just because we don’t want our bitcoin investment going up in smoke doesn’t mean we have to hide our heads in the dirt and pretend it’s not happening. Am I the only one noticing strange details in their retraction? “We are being forced…”, “…all sectors can still sleep quietly tonight”, “specially appointed cryptographers and observers”. Anyone notice the upper right image too? Bitcoin chart tanking just to recover with the judge gravel? Center image with the eye of providence and the dollar? Really?

    1. Hi Randall. Thank you for commenting on my Lifeboat post.

      Like you, I sense a hand forcing TS DuPont to retract the claim — and I do believe that it is the hand of a 3-letter agency based in Maryland. But I suspect that your suspicions go a bit further than mine. I chuckled at the imagery of the eye floating over the pyramid on the dollar bill. That has always been a bit spooky. I think that the current engraving was updated to be the image of Dick Cheney’s eye!

  2. Hector says:

    Wow Philip, were you right on the money:

    Great post!

  3. “Wow!!” is a proper exclamation, Hector. Not in a million years could I have predicted the development of a 3rd announcement. It certainly appears that TS DuPont is acknowledging that they were forced to recant.

    This is an unbelievable development. But I am troubled that their new announcement is wrapped in a plea for donations. For Ch**st sake, This is not a non-profit. Why are they begging for money, and what does it have to do with cracking SHA-256?

    I plan to get to the bottom of this.

  4. milton says:

    It seems a bit obvious to me. These guys went from ten grand a month to 200 bucks. They want to put their technology out there but will go broke in the process. Hard to beat the “system” without drying your funds up. Just my 2¢.

  5. Darren says:

    God bless them!

  6. This whole affair has gone from fishy to downright weird.

    In yet another announcement (their 3rd), Tredwell Stanton DuPont implicitly retracts their retraction. Now, they claim that my suspicion was correct — and that they were forced to retract the previous discovery of an SHA-256 crack.

    Sept 11: Original disclosure
    Sept 11: Community skepticism
    Sept 12: Claim retracted: [announcement] [press]
    Sept 17: New 3rd announcement retracts the retraction*

    * In case this “donation” page has been removed or modified, I have placed a permanent copy here: [web archive] [PDF copy]
    …captured on 17-Sep-2019 @ 6:45 PM ET

    This story is not over, folks!