Problem
Recall that the hash function SHA256: D → {0, 1} 256 is built via the MD transform from its compression function sha256: {0, 1} 768 → {0, 1} 256, where D is the set of all strings of length at most 264 . SHA256 can be computed at over 500 MBytes/second. A new attack is announced that, in under a minute, finds messages M1, M2, the first 2048 bits long and the second 3072 bits long, such that SHA256(M1) = SHA256(M2). A startup wants a collision-resistant hash function h returning 256 bits, but they note that, in their application, messages are always exactly 768 bits long. Accordingly they decide to use h = sha256, arguing that the attack on SHA256 will not apply and there is no practical way to find collisions in this h.
A. Are they right? Below, indicate YES (they are right, h remains collision resistant despite the SHA256 attack) or NO (they are wrong, it is possible to efficiently find collisions for h): YES NO
B. Give a convincing and correct justification of your answer.