Tampering cost

Tampering cost ↔ encryption ↔ blockchains, audited honestly with quantum comparisons. The site claims "maximum tampering cost"; this scrutinises that claim. Tamper-EVIDENT is not tamper-PROOF: content-addressing detects change, cryptographic security (SHA-256: 2^128/2^256) resists forgery. FNV toUuid is non-cryptographic — the fix (SHA-256 content-address, Ed25519 signing) is already built. Blockchains make tampering costly, not impossible. Quantum: Grover weakens hashes, Shor breaks signatures; NIST post-quantum standards (ML-KEM, ML-DSA, SLH-DSA). Documented kept, legend flagged.

☵KǎnThe Abysmal

☶GènKeeping Still

Double Torus · local realtime crypto analysis

Crypto challenges — red-teaming our own content-address, live

Three waves, run in your browser — no server, no tokens, deterministic. Each EXPLOITS a real weakness in the FNV content-address and shows the SHA-256/Ed25519 fix (already built in src/0) resisting it. Not a claim: the collision is found by search, the bit-budget computed, the forgery minted.

Wave 1 · exploit

Watch a collision happen

Forge a collision: two distinct inputs sharing a content-address word.

searching…0 seeds hashedscaled to 16-bit

Verified (full 32-bit word):i3jz ≡ k8r5 → 3315175185 (20 ≈ log₂ tries)

solution SHA-256 does NOT collide the pair: 18136dfadd44… ≠ d063ea7065b2…

hash32 (FNV-1a core + a MurmurHash3 finalizer) is fast and well-distributed but not collision-resistant.

Wave 2 · audit

"128 bits" is really 122

Quantify the collision resistance behind the "128-bit / maximum tampering cost" claim.

• toUuid (this site)122-bit · collision ~2⁶¹
• toUuidSha256128-bit · collision ~2⁶⁴
• sha256 (full)256-bit · collision ~2¹²⁸

toUuid masks 6 bits (UUID version + variant) → 122 effective bits → birthday ~2^61; and hash32 has no cryptanalytic resistance, so the true cost is at or below that. — the 6 masked bits are the UUID version nibble + 2 variant bits; bit-WIDTH is not security strength.

Wave 3 · forge

Mint a valid root for tampered content

Prove a root is YOURS — that an authority, not just anyone, produced it.

authorized82e840af-8a04-82d1-94c8-9d12bcb28c82valid uuid

tamperede7d9e281-7a4c-8c00-ba03-07ac6f980c8dvalid uuid

Content-addressing gives integrity, not authenticity: the function is public + deterministic, so an adversary recomputes a valid root for tampered content (both roots below are equally valid).

solutionEd25519 signing (ed25519Sign/Verify, built in src/0): a root SIGNED by a private key cannot be forged without it. HONEST RESIDUAL: needs persistent key custody (deployment, not code).

• The collision is FOUND, not asserted: a deterministic birthday search returns two distinct seeds whose 32-bit content-address word is identical (the 32-bit birthday bound is ~2^16). A non-cryptographic hash (FNV-1a) gives no collision resistance — the FNV spec itself says "not suitable for cryptographic use".
• Bit-width is not security strength. The "128-bit" toUuid masks 6 bits (the UUID version nibble + 2 variant bits), so its effective width is 122 bits and its birthday-collision bound is ~2^61 — feasible for a resourced adversary (SHA-1, 160-bit, was broken at ~2^63 by SHAttered), where SHA-256 (2^128) is not.
• Integrity is not authenticity. A content-address proves content maps to a root (any honest party recomputes it); it does NOT prove WHO produced it — anyone can mint a valid root for tampered content. Authenticity needs a signature (Ed25519), where forging requires the private key. (Git's author: its hash "has nothing to do with security".)
• Every solution is already built and verified in src/0 — sha256Sync / toUuidSha256 (the drop-in), sha256MerkleRoot / verifySha256Proof, ed25519Sign / Verify, the transparency-log structure. The found collision does NOT collide under SHA-256: the same cheap attack fails against the vetted hash. The residual is a deliberate cutover + key custody, not missing cryptography.

• Do NOT read the found 32-bit collision as a full toUuid break: it collides ONE of the four words, proving the building block is weak; a full 128-bit collision is ~2^61 (computed, not brute-forced here), not demonstrated by this pair.
• "Maximum tampering cost / T_max = ∞" as a SECURITY claim is refused: against an adversary the FNV forge cost is ≤2^61 and likely far less, not infinite. The honest claim is tamper-EVIDENT plus the reproduction cost, not cryptographic unforgeability.
• The cutover is NOT performed here. Migrating toUuid → toUuidSha256 globally is a deliberate breaking change that invalidates every committed baseline; these challenges prove the fix RESISTS the exploit, they do not flip the default.

red-teamed ✓ The crypto challenges, red-teamed in waves: each EXPLOITS a real weakness in the site's content-address and GENERATES the solution already built in src/0, proving the fix resists. Wave 1 FINDS a collision in the FNV building block (SHA-256 does not collide the same pair); wave 2 computes that the "128-bit" address is really 122 bits (birthday ~2^61, not 2^128); wave 3 mints a valid root for tampered content, exposing that integrity is not authenticity (the fix is Ed25519 signing). Not assertions — runnable exploits with the vetted fix beside each.

☴XùnThe Gentle

Double Torus · tampering cost ↔ encryption ↔ blockchains ↔ quantum

Tamper-evident is not tamper-proof

The site claims “maximum tampering cost”. Honestly: content-addressing makes any change detectable — but the FNV hash is non-cryptographic, so that is tamper-evidence, not security. The fix (a SHA-256 address, Ed25519 signing) is already built in src/0.

Three different things called one “tampering cost”

• proof-of-recomputation

  integrity / provenance

  recompute the deterministic fold and compare

  redo the computation — real, but an honest verifier pays it too

  this site ✓evidence

• cryptographic unforgeability

  security

  collision / second-preimage / preimage hardness of a vetted hash

  SHA-256: 2^128 to collide, 2^256 to invert (birthday bound = L/2)

  not heresecurity

• confidentiality

  secrecy

  encryption with a secret key

  key secrecy — a different axis entirely

  not heresecurity

The cost ladder — from FNV today to economic consensus

Tap a rung for detail and a 432·n harmonic tone.

1. Cost to forge: negligible for a dedicated forger — FNV is non-cryptographic; 128 bits is structural WIDTH, not a work factor

   Detects: accidental corruption · Resists: nothing adversarial

2. Cost to forge: ~2^128 (collision) / ~2^256 (preimage) operations

   Detects: any change · Resists: forged collisions

3. Cost to forge: forge a signature without the private key — infeasible

   Detects: unauthorized change · Resists: substitution by anyone but the key-holder

4. Cost to forge: redo the PoW + out-race the network (~$1.35M/hr to match BTC hashrate; deeper blocks exponentially safer)

   Detects: any rewrite · Resists: rewrite below ~51% hashrate

5. Cost to forge: the slashed stake (~$112B staked; ~34% destroyed to double-finalize)

   Detects: any equivocation · Resists: rewrite below the stake threshold

Quantum: Grover weakens · Shor breaks

Grover (1996) — WEAKENS

Targets: symmetric ciphers + hashes

halves the security level — SHA-256 → ~2^128, AES-256 → ~2^128

Response: use larger outputs/keys (SHA-384/512, AES-256)

Shor (1994) — BREAKS

Targets: RSA, Diffie-Hellman, elliptic-curve (ECDSA/ECDH)

derives the private key from the public key — breaks TLS key exchange, digital signatures, blockchain wallets

Response: replace with post-quantum algorithms

Blockchain exposure

• ECDSA signatures — Shor-vulnerable (BREAK)
  a revealed public key → forged private key → stolen funds; ~6.7M BTC (~34% of supply) sit in addresses with exposed pubkeys (~1.7M BTC in legacy P2PK alone, plus reused addresses)
• Proof-of-Work hashing — Grover-weakened (NOT broken)
  at most a quadratic mining edge; ASIC speed + Grover's poor parallelism keep it minor

Post-quantum standards (NIST, 2024)

• FIPS 203 ML-KEM (CRYSTALS-Kyber)
  lattice key-encapsulation — replaces RSA/ECDH key exchange
• FIPS 204 ML-DSA (CRYSTALS-Dilithium)
  lattice signatures — replaces RSA/ECDSA signatures (primary)
• FIPS 205 SLH-DSA (SPHINCS+)
  hash-based signatures — replaces signatures (conservative backup)

The hardware, honestly: NISQ — hundreds of noisy physical qubits, no large-scale error correction. RSA-2048: ~20 million noisy qubits / 8 hours (Gidney–Ekerå, Quantum 2021) → <1 million noisy qubits / <1 week (Gidney 2025) — the estimate is falling. not imminent, but "harvest now, decrypt later" makes migrating signatures + long-lived secrets a present task (NIST/CNSA 2.0: quantum-vulnerable algorithms deprecated by 2030, disallowed by 2035)

• Tamper-EVIDENT is not tamper-PROOF. Content-addressing (Git, IPFS, this site) makes a change DETECTABLE by an honest recompute; cryptographic SECURITY means an adversary cannot FORGE an undetectable change — which requires a collision-resistant hash (NIST SP 800-107 defines security strength as the number of operations to break a property).
• A vetted hash has a real work factor: SHA-256 gives ~2^256 preimage resistance and ~2^128 collision resistance — the birthday bound halves the digest length (truncating to 128 bits would give only ~2^64 collision resistance). That 2^128/2^256 is what "cost to forge" means cryptographically.
• Non-cryptographic hashes (FNV-1a — what toUuid uses — MurmurHash, CRC) are fast and well-distributed but NOT collision-resistant; the FNV spec itself says it is "not suitable for cryptographic use". They give integrity and error-detection, not adversarial security.
• Three honestly-different things get conflated as one "tampering cost": (a) the cost to REPRODUCE a deterministic computation (integrity/provenance), (b) cryptographic UNFORGEABILITY (collision/preimage hardness), (c) CONFIDENTIALITY (encryption). A keyless, public function offers no adversarial unforgeability — the attacker simply runs the same function.
• Blockchain "immutability" is the same idea made costly: the hash-linked chain + Merkle root give tamper-evidence, and Proof-of-Work / Proof-of-Stake make a rewrite economically irrational (redo all the work and out-race the chain; or lose the staked collateral). It is security-by-expense, not security-by-impossibility — and it has FAILED on small chains (Bitcoin Gold and Ethereum Classic were 51%-attacked, ETC reorganising >3,000 blocks for ~$200K of rented hashpower).
• This site already builds the fix (cryptoFuture, all verified in src/0): sha256 / sha256MerkleRoot / verifySha256Proof, ed25519Sign / Verify, the transparency-log structure, and sha256Sync / toUuidSha256 — the drop-in cryptographic content-address. What remains is key custody, a public log service, and a deliberate cutover — deployment facts, not missing code.
• Grover WEAKENS, Shor BREAKS — the asymmetry to remember. Grover's quadratic search halves symmetric/hash security (SHA-256 → ~2^128 work), fixed by doubling sizes. Shor's polynomial-time factoring + discrete-log BREAKS RSA, Diffie-Hellman and elliptic-curve crypto (ECDSA) — the public-key layer behind TLS, signatures and blockchain wallets.
• On a blockchain the two effects differ sharply: ECDSA signatures are Shor-vulnerable (a BREAK — an exposed public key lets an attacker forge the key and steal funds; ~6.7M BTC, ~34% of supply, sit in addresses with exposed pubkeys), while PoW hashing is only Grover-weakened (a minor mining edge, not a forgery).
• The post-quantum response is standardized: NIST published FIPS 203 (ML-KEM / Kyber, lattice key-encapsulation), FIPS 204 (ML-DSA / Dilithium, lattice signatures) and FIPS 205 (SLH-DSA / SPHINCS+, hash-based signatures) on 13 August 2024.
• "Harvest now, decrypt later": an adversary can record encrypted traffic today and decrypt it once a quantum computer exists — so long-lived secrets and signatures should migrate now, even though the machine is not here yet (NSA CNSA 2.0 / NIST: deprecate by 2030, disallow by 2035).
• The hardware is far off: today's machines are NISQ (hundreds of noisy qubits). Breaking RSA-2048 needs millions of error-corrected-grade qubits — Gidney–Ekerå estimated ~20M noisy qubits / 8 hours (2019, Quantum 2021), since reduced to <1M qubits / <1 week (Gidney 2025). The target is moving closer, but the gap is still enormous.
• This site's "quantum" is a COMPUTATIONAL metaphor (the structural fold, superposition-as-content-addressing), not post-quantum cryptography or a physical quantum channel. Its AES-256-GCM is Grover-weakened to ~128-bit like everyone's; its FNV/SHA content-addresses are hashes (Grover-weakened, never Shor-broken — there is no public-key/signature to break in the fold itself).

• "Maximum tampering cost" / "T_max = ∞" as a SECURITY claim. Honest: against an adversary the FNV fold's forge cost is NOT 2^128 and not infinite — it is negligible, because FNV collisions are cheap to craft. The defensible claim is "content-addressed and TAMPER-EVIDENT against accidental corruption", plus "reproduce the whole deterministic model" as a provenance cost — not cryptographic unforgeability.
• Bit-WIDTH is not security strength. A 128-bit FNV digest is 128 bits WIDE; its adversarial collision resistance is not 2^64 and certainly not 2^128.
• "Tamper-evident" used as if it meant "tamper-proof". Git's author noted its hash "has nothing to do with security" — it detects corruption; real trust comes from signatures (SHAttered forged a full SHA-1 collision in 2017 at ~2^63 work).
• "1 Gbit cipher" / "gigabit encryption". The real primitive is AES-256-GCM — 256-bit strength, full stop; "1024 Mbit" names the keyspace STRUCTURE, adding no cipher bits beyond AES-256.
• "Immutable forever / trustless / unhackable" for blockchains. Immutability is economic and probabilistic — reorgs happen, finality is statistical (≈6 confirmations), and the guarantee holds only while an honest majority keeps paying to defend it.
• "Quantum breaks all cryptography / breaks Bitcoin's mining." FALSE — symmetric ciphers and hashes only WEAKEN (fixed by bigger sizes); the break is specifically the SIGNATURE / public-key layer. PoW gets only a minor Grover edge.
• "Q-Day is here / wallets are being drained now." Not supported — no machine remotely close to the required qubit count exists; the danger is prospective plus harvest-now-decrypt-later.
• "Grover halves security" stated as a hard fact — it is an UPPER bound; Grover parallelizes poorly and its serial depth makes the real-world advantage smaller than the math suggests.
• Headline "$650B of BTC at risk" dollar figures are price-dependent and source-dependent; the stable, falsifiable numbers are the BTC QUANTITIES (~1.7M P2PK, ~6.7M exposed pubkeys).
• "This site is post-quantum / quantum-encrypted." It is not — "quantum" here names the fold structure; real PQC (ML-KEM / ML-DSA) is not yet in the Web Crypto API the site uses, and the honest upgrade path is the SHA-256/Ed25519 roadmap (which is itself classical, not post-quantum).

Tampering cost, decoded honestly: a single phrase "maximum tampering cost" conflates three different things — reproducing a deterministic computation (integrity, which the site genuinely has and is TAMPER-EVIDENT), cryptographic unforgeability (collision/preimage hardness — which FNV toUuid does NOT provide; SHA-256's 2^128/2^256 does), and confidentiality (encryption). Blockchains turn tamper-evidence into resistance by making a rewrite cost real work or real stake — security-by-expense, proven failable on small chains. The site's honest position: tamper-evident today, with the cryptographic upgrade (SHA-256 content-address, Ed25519 signing) already built in src/0 and one deliberate cutover away.