hash-truncation-is-16-hex

OUT premise

Source hashes are SHA-256 truncated to the first 16 hex characters (64 bits), reducing collision resistance to ~32 bits for birthday attacks compared to the full 256-bit hash.

Summary

The system identifies content using shortened SHA-256 hashes, keeping only the first 16 hex characters instead of the full hash. This dramatically weakens collision resistance — an attacker or even normal usage at scale could find two different inputs producing the same truncated hash with roughly 2^32 (about 4 billion) attempts, which is computationally trivial by modern standards. This matters because hash collisions could cause the system to confuse distinct pieces of content, leading to incorrect lookups or silent data corruption.

Dependents

These beliefs depend on this one:

Details

Sourceentries/2026/04/23/reasons_lib-check_stale-check_stale.md