[Cryptography] SHA-256 decrypted (8 rounds)
Michael Kjörling
9bf3a7ef93bb at ewoof.net
Mon Apr 8 12:44:13 EDT 2024
On 8 Apr 2024 14:13 +0000, from cryptography at metzdowd.com (McDair via cryptography):
> But we're talking about a single block and initially 8 rounds of
> processing (which disregards inputs greater than 256 bits, and even
> disregards additional mixing with derived words).
Hold on. In your initial post 6 Nov 2023 15:18 UTC you wrote:
"Hereby the code to decrypt 8 rounds of SHA-256 deterministically.
An original input message length up to 447 bits (single block) is supported."
(Later, you discussed the expanding of your attack to 64 rounds.)
Now, almost half a year later, are you saying that what you have is
only valid for "inputs" (is that supposed to mean a preimage?) up to
256 bits inclusive?
Attacks don't get _worse_. If what you had in November was valid for
preimages of up to 447 bits, then unless you have identified a flaw in
your work, you can't reasonably now have something that is valid for
preimages of up to only 256 bits.
> Please keep in mind that in case of password hashes for instance
> (probably better to use alternative functions for this), the
> original input (password/key) is mostly less than or equal to 256 bits,
> even when it's rehashed a number of times. So there are real-world
> cases where being able to revert such a hash is not desired, to say
> the least.
I think I'm safe in saying that nobody in their right mind is going to
use eight rounds of SHA-256 for password hashing. _Certainly_ nobody
who knows to implement _iterated_ hashing is going to do so using only
eight rounds of SHA-256 for each iteration. This is therefore not a
meaningful comparison and quite possibly a strawman argument.
Also, while the _entropy_ (in the information theory sense of the
word, just to be clear) of a password may be less than 256 bits, the
_encoding_ of that entropy can easily be longer than 256 bits. This is
especially the case with passphrases, which typically have rather low
entropy per character; if I recall correctly, in proper English prose,
the value is on the order of about 1 bit per character. (That last is
why anyone who knows what they are talking about will almost certainly
suggest using passphrases made up of randomly selected, unrelated
words; as in for example Diceware. And even with typical five-dice /
6^5 entry word list Diceware you get only about 2 bits per character.)
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”