[Cryptography] SHA-256 decrypted (8 rounds)
Jon Callas
jon at callas.org
Fri Apr 5 16:26:11 EDT 2024
> On Apr 5, 2024, at 03:23, McDair via cryptography <cryptography at metzdowd.com> wrote:
>
> From the *NIST* site under possible definitions of encryption:
>
> Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called “decryption,” which is a transformation that restores encrypted data to its original state.
>
>
> https://csrc.nist.gov/glossary/term/encryption
>
>
> This implies that it is not necessary to be able to transform back to the original data, allowing one-way functions here.
>
>
> So I'm not trying to reinvent definitions, as one claims.
>
>
> HOWEVER, I have a sneaking suspicion the general consensus here is this broader definition being incorrect, so I will take this into account.
I have to jump in. Sorry, it does not imply that at all. That's not what it means. This definition covers a number of things like Counter Mode, where you don't actually use the decrypt portion of the function -- and you can indeed use a hash function to create a counter mode equivalent.
More importantly, it is a property of a hash function that it has a fixed output for arbitrary input. Consider a 256-bit hash function, which has an output of 32 bytes. If you hash 33 or more bytes (or 257 bits -- many hash functions technically work with not only any number of bytes, but any number of bits), you can't recover the whole string and that's the point.
We're not beating up on you, hashing is not encrypting. We don't use the word that way. We specifically differentiate functions like ciphers from functions like hash functions because they have different properties. Often the properties overlap somewhat.
As I note above, you can make a PRNG from iterating a block cipher and turn that into a stream cipher, by XORing the PRNG onto the plaintext (just like with a block cipher or an LFSR or some bespoke stream-cipher function -- see ChaCha and others). You can iterate a hash function for a PRNG, too, and hash-based PRNGs are better than cipher-based ones *because* they can't be inverted.
Every discipline has its own internal language to describe particulars in the discipline that people outside the discipline don't care about -- often rightfully. In this discipline, we have symmetric functions (where the same function encrypts and decrypts), asymmetric functions (where there is an encrypt function and a decrypt function), and one way functions. (And of course, we also call asymmetric functions "public key" ones.)
Sometimes this all gets a bit hazy. For example, counter mode encryption can be made from a one-way function. In the case of asymmetric functions, RSA uses the same underlying math with two different inputs -- thus making decrypting and signing basically the same thing.
There's nothing wrong with being loose or sloppy in the right place. Heck, I got growled at not that recently, because I was blithering about a JWT-based protocol and sloppily said, "oh, you get the signing key from a web server" and of course I meant the verification half of the key pair that signed the object. We all talk fast and assume a level of understanding from our audience at times. It's a "you know what I mean" thing.
Nonetheless, if you say "decrypt a hash" as opposed to "invert" or "reverse" -- we're all going to say, "what do you mean by decrypting a hash; hashes can't be decrypted." You can avoid that by saying "invert" or "reverse" or even the long, technical, precise, "find a preimage" and then we know what you mean. Note also that the reason here is that a hash function in its purest, most abstract form takes an arbitrary bit string and produces a fixed output. We also demand of the hash function that there's no better way to find a preimage than to guess or keep a dictionary.
It's a fact of human nature that we engage in behaviors that advertise belonging to some group. Sometimes they are dress -- bankers dress in suits, physicians wear scrubs or lab coats, and so on. Sometimes they are language. If you'd like me to go on a rant about the word "praxis," I'd be happy to. On the other hand, there are groups of people where I use that word to indicate that I know what I'm talking about. I'm using the jargon of the in-group of experts to advertise that I am a member of that group.
If you use "decrypt" rather than "invert" (or "reverse" or "find a preimage" or ...), experts in the field are going to think, "huh?" and not understand what you're saying. Some people are going to ask, "what do you mean" and others are just going to presume you don't know what you're talking about (in the sense that you don't know what you claim to know), because you literally are not talking to people using the technical language in the way they expect.
If that's what you want -- to be seen as someone over there who doesn't use words the way the in-group does -- that's your right. Heck, this discipline is filled full of people who are a bit eccentric and prone to the occasional peeve. The person in *my* mirror does that from time to time, so I empathize. If you believe that reversing a hash function is decryption -- sure, man, whatever. The consequence of that is going to be that some people will discount your work, or not bother reading, because they don't understand what you're saying. Perhaps this is akin to encryption itself in some metaphorical way, but the better word is "coding" rather than "encryption." You're speaking in a code that is hard (another word with a specialized meaning) for cryptographers to decode.
Jon
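The hash-based counter mode the reply refers to (a one-way function iterated over a counter to make keystream, XORed onto the plaintext so the same function encrypts and decrypts), written out as an added illustrative example that is not part of the original post. The key and nonce values are constructed, the SHA-256(key || nonce || counter) layout is a teaching construction rather than a vetted cipher, and the last function shows the standard failure mode: reusing a (key, nonce) pair leaks the XOR of the two plaintexts.

```python
import hashlib

BLOCK = 32  # SHA-256 yields 32 bytes per counter value

# Constructed sample key and nonce for the demonstration (not real secrets).
KEY = hashlib.sha256(b"constructed demo key").digest()
NONCE = b"constructed-nonce-00"


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 32-byte keystream block: SHA-256(key || nonce || counter).

    Only the forward (one-way) direction of the hash is used; nothing is
    ever inverted or 'decrypted'. A hash-based PRNG, as the post says.
    """
    return hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()


def hash_ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR data with the keystream. Same call both ways."""
    out = bytearray()
    for index, start in enumerate(range(0, len(data), BLOCK)):
        ks = keystream_block(key, nonce, index)
        out.extend(b ^ k for b, k in zip(data[start:start + BLOCK], ks))
    return bytes(out)


def roundtrip_ok(key: bytes, nonce: bytes, msg: bytes) -> bool:
    """Applying the same function twice restores the plaintext."""
    return hash_ctr_xor(key, nonce, hash_ctr_xor(key, nonce, msg)) == msg


def nonce_reuse_leak(key: bytes, nonce: bytes, a: bytes, b: bytes) -> bytes:
    """Caveat: two messages under one (key, nonce) share keystream, so the
    XOR of their ciphertexts equals the XOR of the plaintexts. The keystream
    cancels; the hash's one-wayness does not save you from nonce reuse."""
    ca = hash_ctr_xor(key, nonce, a)
    cb = hash_ctr_xor(key, nonce, b)
    return bytes(x ^ y for x, y in zip(ca, cb))


if __name__ == "__main__":
    msg = b"hashing is not encrypting, but a hash can drive a stream cipher"
    ct = hash_ctr_xor(KEY, NONCE, msg)
    print("ciphertext (hex):", ct.hex())
    print("roundtrip:", roundtrip_ok(KEY, NONCE, msg))
    print("nonce-reuse leak:", nonce_reuse_leak(KEY, NONCE, b"abc", b"abd").hex())
```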