[Cryptography] SHA-256 decrypted (8 rounds)
McDair
mcdair at protonmail.com
Thu Nov 9 08:06:01 EST 2023
Sent with [Proton Mail](https://proton.me/) secure email.
On Tuesday, 7 November 2023 at 23:15, Ray Dillinger <bear at sonic.net> wrote:
> On 11/7/23 00:54, Michael Kjörling wrote:
>
>> Given that there are 2^447 possible inputs of 447 bits of length
>> (ignoring shorter inputs), but only 2^256 possible outputs of 256 bits
>> of length (for SHA-256), within a 2^447 input space, mathematically
>> there must statistically exist 2^(447-256) = 2^191 different possible
>> inputs for every single output. (It is of course possible that the
>> output distribution has non-uniform properties, especially after only
>> 8 rounds, but likely still not on the order of 2^190.)
>>
>> How does what you are showing compare against the current publicly
>> known attacks against SHA-256?
>>
>> In English, what _exactly_ is your claim?
>
> I do not have a VB.Net environment to test this code in and haven't analyzed it extensively, but this appears to be an attempt to find a preimage for a given hash by iteratively finding preimages for single steps of the hashing algorithm. This is not an approach I'm optimistic about for any hash (or any cipher) that takes input in blocks larger than 128 bits - the search for a preimage of a single step becomes prohibitive unless there's something I don't understand going on that restricts the search.
>
> The approach, even if fruitful, is closed off by modifications such as SHA-256D which requires finding blocks that are simultaneous preimages for different steps of the hash.
>
> Bear
Dear Ray,
Thank you for your answer.
> The approach, even if fruitful, is closed off by modifications such as SHA-256D which requires finding blocks that are simultaneous preimages for different steps of the hash.
As stated, there is no guessing involved here, meaning a fixed number of iterations that will lead to the/a valid input message.
Because the SHA-256 output hash still fits in a single input block, the same 'decryption'/reversion method (limited to 8 rounds here) can also be used for SHA-256D (by also applying it twice). Or a multitude of hashes of hashes for that matter.
Sincerely,
McDair
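
Added example (not part of the thread and not the VB.Net code under discussion): a scaled-down check of the counting argument quoted above, plus the padding arithmetic behind the 447-bit figure and the single-block SHA-256D digest. It uses full SHA-256 truncated to 8 bits over all 16-bit inputs as a toy stand-in (an assumption, not the 8-round variant), and all function names are hypothetical.

```python
import hashlib
from collections import Counter

BLOCK_BITS = 512         # SHA-256 block size
LENGTH_FIELD_BITS = 64   # message length appended by the padding


def blocks_needed(message_bits: int) -> int:
    """Number of 512-bit blocks SHA-256 processes for a message of this size."""
    # Padding appends a single '1' bit, zero bits, then the 64-bit length.
    padded = message_bits + 1 + LENGTH_FIELD_BITS
    return -(-padded // BLOCK_BITS)  # ceiling division


def sha256d(data: bytes) -> bytes:
    """SHA-256D: SHA-256 applied to the SHA-256 digest of the data."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def preimage_counts(input_bits: int, output_bits: int) -> Counter:
    """Count, per truncated digest, how many input_bits-bit inputs map to it."""
    assert input_bits % 8 == 0 and 0 < output_bits <= 16
    n_bytes = input_bits // 8
    counts = Counter()
    for value in range(2 ** input_bits):
        digest = hashlib.sha256(value.to_bytes(n_bytes, "big")).digest()
        # Toy hash (assumption): keep only the top output_bits bits.
        counts[int.from_bytes(digest[:2], "big") >> (16 - output_bits)] += 1
    return counts


def summarize(input_bits: int, output_bits: int) -> dict:
    """Compare the 2^(m-n) estimate with the measured distribution."""
    counts = preimage_counts(input_bits, output_bits)
    outputs = 2 ** output_bits
    return {
        "expected_per_output": 2 ** (input_bits - output_bits),
        "mean_per_output": sum(counts.values()) / outputs,
        "min": min(counts.get(o, 0) for o in range(outputs)),
        "max": max(counts.values()),
    }


if __name__ == "__main__":
    # 447 bits is the longest message that still pads into one block;
    # a 256-bit digest (the inner hash of SHA-256D) also fits in one block.
    print(blocks_needed(447), blocks_needed(448), blocks_needed(256))
    print(summarize(16, 8))
```

The mean matches 2^(16-8) exactly because every input lands on some output; the min and max show how far individual outputs stray from that average, which is the non-uniformity caveat in the quoted question.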