
Tampering cost

Tampering cost ↔ encryption ↔ blockchain, audited honestly with quantum comparisons. The site claims a "maximum tampering cost"; here that claim is checked. Tamper-evident is not tamper-proof: content-addressing detects a change, cryptographic security (SHA-256: 2^128/2^256) resists one. FNV toUuid is not cryptographic; the fix (SHA-256 address, Ed25519 signature) is already built. Quantum: Grover weakens hashes, Shor breaks signatures; NIST post-quantum standards (ML-KEM, ML-DSA, SLH-DSA). What is documented stays; the legend is marked as such.


Double torus · local real-time cryptanalysis

Crypto challenges: attacking our own address, live

Three waves, executed in your browser: no server, no tokens, deterministic. Each EXPLOITS a real weakness in the FNV address and shows the SHA-256/Ed25519 fix (already built in src/0) resisting it. Not a claim: the collision is found by search, the bit budget is computed, the forgery is minted.

Wave 1 · exploit

Watch a collision happen

Forge a collision: two distinct inputs sharing a content-address word.


Verified (full 32-bit word): i3jzk8r5 → 3315175185 (log₂ of attempts ≈ 20)

Solution: SHA-256 does NOT collide for the pair: 18136dfadd44… / d063ea7065b2…

hash32 (FNV-1a core + a MurmurHash3 finalizer) is fast and well-distributed but not collision-resistant.

Wave 2 · audit

"128 bits" is really 122

Quantify the collision resistance behind the "128-bit / maximum tampering cost" claim.

  • toUuid (this site): 122-bit · collision ~2^61
  • toUuidSha256: 128-bit · collision ~2^64
  • sha256 (full): 256-bit · collision ~2^128

toUuid masks 6 bits (the UUID version nibble plus 2 variant bits) → 122 effective bits → birthday ~2^61; and hash32 has no cryptanalytic resistance, so the true cost is at or below that. Bit-width is not security strength.

Wave 3 · forgery

Forge a valid root for tampered content

Prove a root is YOURS — that an authority, not just anyone, produced it.

  • authorized: 82e840af-8a04-82d1-94c8-9d12bcb28c82 (valid uuid)
  • tampered: e7d9e281-7a4c-8c00-ba03-07ac6f980c8d (valid uuid)

Content-addressing gives integrity, not authenticity: the function is public + deterministic, so an adversary recomputes a valid root for tampered content (both roots below are equally valid).

Solution: Ed25519 signing (ed25519Sign/Verify, built in src/0): a root SIGNED by a private key cannot be forged without it. HONEST RESIDUAL: needs persistent key custody (deployment, not code).

  • The collision is FOUND, not asserted: a deterministic birthday search returns two distinct seeds whose 32-bit content-address word is identical (the 32-bit birthday bound is ~2^16). A non-cryptographic hash (FNV-1a) gives no collision resistance — the FNV spec itself says "not suitable for cryptographic use".
  • Bit-width is not security strength. The "128-bit" toUuid masks 6 bits (the UUID version nibble + 2 variant bits), so its effective width is 122 bits and its birthday-collision bound is ~2^61 — feasible for a resourced adversary (SHA-1, 160-bit, was broken at ~2^63 by SHAttered), where SHA-256 (2^128) is not.
  • Integrity is not authenticity. A content-address proves content maps to a root (any honest party recomputes it); it does NOT prove WHO produced it — anyone can mint a valid root for tampered content. Authenticity needs a signature (Ed25519), where forging requires the private key. (Git's author: its hash "has nothing to do with security".)
  • Every solution is already built and verified in src/0 — sha256Sync / toUuidSha256 (the drop-in), sha256MerkleRoot / verifySha256Proof, ed25519Sign / Verify, the transparency-log structure. The found collision does NOT collide under SHA-256: the same cheap attack fails against the vetted hash. The residual is a deliberate cutover + key custody, not missing cryptography.
  • Do NOT read the found 32-bit collision as a full toUuid break: it collides ONE of the four words, proving the building block is weak; a full 128-bit collision is ~2^61 (computed, not brute-forced here), not demonstrated by this pair.
  • "Maximum tampering cost / T_max = ∞" as a SECURITY claim is refused: against an adversary the FNV forge cost is ≤2^61 and likely far less, not infinite. The honest claim is tamper-EVIDENT plus the reproduction cost, not cryptographic unforgeability.
  • The cutover is NOT performed here. Migrating toUuid → toUuidSha256 globally is a deliberate breaking change that invalidates every committed baseline; these challenges prove the fix RESISTS the exploit, they do not flip the default.

The crypto challenges, red-teamed in waves: each EXPLOITS a real weakness in the site's content-address and GENERATES the solution already built in src/0, proving the fix resists. Wave 1 FINDS a collision in the FNV building block (SHA-256 does not collide the same pair); wave 2 computes that the "128-bit" address is really 122 bits (birthday ~2^61, not 2^128); wave 3 mints a valid root for tampered content, exposing that integrity is not authenticity (the fix is Ed25519 signing). Not assertions: runnable exploits with the vetted fix beside each.


Double torus · tampering cost ↔ encryption ↔ blockchain ↔ quantum

Tamper-evident is not tamper-proof

The site claims a "maximum tampering cost". Honestly: content-addressing makes every change detectable, but the FNV hash is not cryptographic, so this is tamper-evidence, not security. The fix (SHA-256 address, Ed25519 signature) is already built in src/0.

Three different things called one "tampering cost"

  • proof-of-recomputation (integrity / provenance): recompute the deterministic fold and compare; cost: redo the computation, real, but an honest verifier pays it too; this site ✓ tamper-evidence
  • cryptographic unforgeability (security): collision / second-preimage / preimage hardness of a vetted hash; cost: SHA-256 takes 2^128 to collide, 2^256 to invert (birthday bound = L/2); not here · security
  • confidentiality (secrecy): encryption with a secret key; cost: key secrecy, a different axis entirely; not here · security

The cost ladder: from FNV today to economic consensus


Quantum: Grover weakens · Shor breaks

  • Grover (1996): WEAKENS
    Target: symmetric ciphers + hashes
    Effect: halves the security level (SHA-256 → ~2^128, AES-256 → ~2^128)
    Response: use larger outputs/keys (SHA-384/512, AES-256)
  • Shor (1994): BREAKS
    Target: RSA, Diffie-Hellman, elliptic-curve (ECDSA/ECDH)
    Effect: derives the private key from the public key, breaking TLS key exchange, digital signatures, blockchain wallets
    Response: replace with post-quantum algorithms

Blockchain exposure

  • ECDSA signatures: Shor-vulnerable (BREAK)
    a revealed public key → forged private key → stolen funds; ~6.7M BTC (~34% of supply) sit in addresses with exposed pubkeys (~1.7M BTC in legacy P2PK alone, plus reused addresses)
  • Proof-of-Work hashing: Grover-weakened (NOT broken)
    at most a quadratic mining edge; ASIC speed + Grover's poor parallelism keep it minor

Post-quantum standards (NIST, 2024)

  • FIPS 203 ML-KEM (CRYSTALS-Kyber)
    lattice key-encapsulation: replaces RSA/ECDH key exchange
  • FIPS 204 ML-DSA (CRYSTALS-Dilithium)
    lattice signatures: replaces RSA/ECDSA signatures (primary)
  • FIPS 205 SLH-DSA (SPHINCS+)
    hash-based signatures: replaces signatures (conservative backup)

The hardware, honestly: NISQ, hundreds of noisy physical qubits, no large-scale error correction. RSA-2048: ~20 million noisy qubits / 8 hours (Gidney–Ekerå, Quantum 2021) → <1 million noisy qubits / <1 week (Gidney 2025); the estimate is falling. Not imminent, but "harvest now, decrypt later" makes migrating signatures and long-lived secrets a present task (NIST/CNSA 2.0: quantum-vulnerable algorithms deprecated by 2030, disallowed by 2035).

  • Tamper-EVIDENT is not tamper-PROOF. Content-addressing (Git, IPFS, this site) makes a change DETECTABLE by an honest recompute; cryptographic SECURITY means an adversary cannot FORGE an undetectable change — which requires a collision-resistant hash (NIST SP 800-107 defines security strength as the number of operations to break a property).
  • A vetted hash has a real work factor: SHA-256 gives ~2^256 preimage resistance and ~2^128 collision resistance — the birthday bound halves the digest length (truncating to 128 bits would give only ~2^64 collision resistance). That 2^128/2^256 is what "cost to forge" means cryptographically.
  • Non-cryptographic hashes (FNV-1a — what toUuid uses — MurmurHash, CRC) are fast and well-distributed but NOT collision-resistant; the FNV spec itself says it is "not suitable for cryptographic use". They give integrity and error-detection, not adversarial security.
  • Three honestly-different things get conflated as one "tampering cost": (a) the cost to REPRODUCE a deterministic computation (integrity/provenance), (b) cryptographic UNFORGEABILITY (collision/preimage hardness), (c) CONFIDENTIALITY (encryption). A keyless, public function offers no adversarial unforgeability — the attacker simply runs the same function.
  • Blockchain "immutability" is the same idea made costly: the hash-linked chain + Merkle root give tamper-evidence, and Proof-of-Work / Proof-of-Stake make a rewrite economically irrational (redo all the work and out-race the chain; or lose the staked collateral). It is security-by-expense, not security-by-impossibility — and it has FAILED on small chains (Bitcoin Gold and Ethereum Classic were 51%-attacked, ETC reorganising >3,000 blocks for ~$200K of rented hashpower).
  • This site already builds the fix (cryptoFuture, all verified in src/0): sha256 / sha256MerkleRoot / verifySha256Proof, ed25519Sign / Verify, the transparency-log structure, and sha256Sync / toUuidSha256 — the drop-in cryptographic content-address. What remains is key custody, a public log service, and a deliberate cutover — deployment facts, not missing code.
  • Grover WEAKENS, Shor BREAKS — the asymmetry to remember. Grover's quadratic search halves symmetric/hash security (SHA-256 → ~2^128 work), fixed by doubling sizes. Shor's polynomial-time factoring + discrete-log BREAKS RSA, Diffie-Hellman and elliptic-curve crypto (ECDSA) — the public-key layer behind TLS, signatures and blockchain wallets.
  • On a blockchain the two effects differ sharply: ECDSA signatures are Shor-vulnerable (a BREAK — an exposed public key lets an attacker forge the key and steal funds; ~6.7M BTC, ~34% of supply, sit in addresses with exposed pubkeys), while PoW hashing is only Grover-weakened (a minor mining edge, not a forgery).
  • The post-quantum response is standardized: NIST published FIPS 203 (ML-KEM / Kyber, lattice key-encapsulation), FIPS 204 (ML-DSA / Dilithium, lattice signatures) and FIPS 205 (SLH-DSA / SPHINCS+, hash-based signatures) on 13 August 2024.
  • "Harvest now, decrypt later": an adversary can record encrypted traffic today and decrypt it once a quantum computer exists — so long-lived secrets and signatures should migrate now, even though the machine is not here yet (NSA CNSA 2.0 / NIST: deprecate by 2030, disallow by 2035).
  • The hardware is far off: today's machines are NISQ (hundreds of noisy qubits). Breaking RSA-2048 needs millions of error-corrected-grade qubits — Gidney–Ekerå estimated ~20M noisy qubits / 8 hours (2019, Quantum 2021), since reduced to <1M qubits / <1 week (Gidney 2025). The target is moving closer, but the gap is still enormous.
  • This site's "quantum" is a COMPUTATIONAL metaphor (the structural fold, superposition-as-content-addressing), not post-quantum cryptography or a physical quantum channel. Its AES-256-GCM is Grover-weakened to ~128-bit like everyone's; its FNV/SHA content-addresses are hashes (Grover-weakened, never Shor-broken — there is no public-key/signature to break in the fold itself).
  • "Maximum tampering cost" / "T_max = ∞" as a SECURITY claim. Honest: against an adversary the FNV fold's forge cost is NOT 2^128 and not infinite — it is negligible, because FNV collisions are cheap to craft. The defensible claim is "content-addressed and TAMPER-EVIDENT against accidental corruption", plus "reproduce the whole deterministic model" as a provenance cost — not cryptographic unforgeability.
  • Bit-WIDTH is not security strength. A 128-bit FNV digest is 128 bits WIDE; its adversarial collision resistance is not 2^64 and certainly not 2^128.
  • "Tamper-evident" used as if it meant "tamper-proof". Git's author noted its hash "has nothing to do with security" — it detects corruption; real trust comes from signatures (SHAttered forged a full SHA-1 collision in 2017 at ~2^63 work).
  • "1 Gbit cipher" / "gigabit encryption". The real primitive is AES-256-GCM — 256-bit strength, full stop; "1024 Mbit" names the keyspace STRUCTURE, adding no cipher bits beyond AES-256.
  • "Immutable forever / trustless / unhackable" for blockchains. Immutability is economic and probabilistic — reorgs happen, finality is statistical (≈6 confirmations), and the guarantee holds only while an honest majority keeps paying to defend it.
  • "Quantum breaks all cryptography / breaks Bitcoin's mining." FALSE — symmetric ciphers and hashes only WEAKEN (fixed by bigger sizes); the break is specifically the SIGNATURE / public-key layer. PoW gets only a minor Grover edge.
  • "Q-Day is here / wallets are being drained now." Not supported — no machine remotely close to the required qubit count exists; the danger is prospective plus harvest-now-decrypt-later.
  • "Grover halves security" stated as a hard fact — it is an UPPER bound; Grover parallelizes poorly and its serial depth makes the real-world advantage smaller than the math suggests.
  • Headline "$650B of BTC at risk" dollar figures are price-dependent and source-dependent; the stable, falsifiable numbers are the BTC QUANTITIES (~1.7M P2PK, ~6.7M exposed pubkeys).
  • "This site is post-quantum / quantum-encrypted." It is not — "quantum" here names the fold structure; real PQC (ML-KEM / ML-DSA) is not yet in the Web Crypto API the site uses, and the honest upgrade path is the SHA-256/Ed25519 roadmap (which is itself classical, not post-quantum).

Tampering cost, honestly: the single phrase "maximum tampering cost" mixes three different things: reproducing a deterministic computation (integrity, which the site really has and which is tamper-evident), cryptographic unforgeability (collision/preimage hardness, which FNV toUuid does NOT provide; SHA-256 with 2^128/2^256 does) and confidentiality (encryption). Blockchains turn tamper-evidence into resistance by making a rewrite expensive: security through cost, demonstrably failable on small chains. The site's position: tamper-evident today, with the ready cryptographic fix (SHA-256 address, Ed25519 signature) one decision away.
