[Cryptography] SHA-256 challenge

Michael Kjörling 9bf3a7ef93bb at ewoof.net
Mon Apr 8 12:44:20 EDT 2024


On 8 Apr 2024 14:08 +0000, from cryptography at metzdowd.com (McDair via cryptography):
>> d084a44d89a2ce255743f551c92e018f5ddcc5b98a3adfddd2edd4b109b6b379, not
>> deb360ae3c1ff7a29f83731b33dcd4bf354a5e80de2dc50370ebf55a14216b85.
> 
> I provided a couple of 17-round preimage examples in the first
> category. They are preimages to the full extent for hash
> deb360ae3c1ff7a29f83731b33dcd4bf354a5e80de2dc50370ebf55a14216b85,
> however limited to 17 rounds.

I frankly have no idea what you actually mean by this, especially the
"preimages to the full extent for hash <value>". You can't take some
intermediate internal state and claim that it's a hash value, much
less go from there to claiming that you have found a way to "decrypt"
a hash value. I don't see how being able to get the internal state to
some specific set of values after a small number of rounds by
constructing a preimage is a particularly useful attack, and we
already have actual preimage attacks for far larger numbers of rounds
which so far have not been extended to anywhere near full 64-round
SHA-256.


> I have also provided 64-round examples for the second category, they
> will *not* yield to the challenge provided using the complete hash
> function. I provided these examples to show progress wrt being able
> to move around the 64 block words, which is essential to efficiently
> finding preimages, and for the people who were genuinely interested
> in this from the start (yes, there are).
> 
> You seem to have redirected the 64-round example under the wrong category?
> 
> With respect to the full hash function (17 rounds), you should try
> and validate the examples in the first category (for which I
> provided the hex value/bytes of the input message).

You are the one who wrote "when expanded to the full 64 rounds, the
method finds 'a' valid input message (so not necessarily the original
message).", to say nothing of your next paragraph's statement that
"Finding a preimage (again, not taking into account additional
validation), even for 64 rounds happens therefore in negligible time.".

This reasonably implies (also reinforced by the fact that no one else
has even suggested that there might be an alternative, meaningful
interpretation of your statements) that you believe that your work can
be extended to the full 64 rounds and that by doing so a preimage can
be found, quoting your own words, "in negligible time".

Hence my challenge: given this particular hash, let's have a matching
preimage.

Calling a cited paper describing an attack extending into the 40s of
rounds "impractical" in what looks like an attempt at defense of your
own apparently intermediate-state selection 8-round (or is it
17-round?) attack does not reflect well on what you are doing.

Unless and until you actually _clearly and unambiguously_ state what
claim you are making using established terminology in a proper manner,
in a form that is testable and falsifiable, I think this is going to
be my final contribution to this particular discussion.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
