3

512 bit X has been hashed using SHA256(X) = Y

  1. Given Y and half of X (the first 256bits) to attacker, how hard is to reveal whole X

  2. Can SHA256 or any real world function be cracked to allow this problem to be solved faster

Is this problem known in cryptography? and under what name? Tried google for concatenated preimage attack but found nothing.

charraster
  • 33
  • 2
  • 2
    just found this (http://crypto.stackexchange.com/questions/6441/how-hard-is-a-known-prefix-hash-preimage-attack?rq=1) – charraster Mar 13 '17 at 20:27
  • There are no known pre-image attacks on SHA-256 feasible. At least not with any practical significance. So the question becomes: what do you want to do with this question? Because I'm not sure myself; I could vote to close it as a dupe but the other question is officially unanswered. Oh, and welcome to crypto.SE! Almost forgot :) – Maarten Bodewes Mar 13 '17 at 22:12

1 Answers1

2

Knowing the first 256 bits of X is of little use. Intuitively you can understand this becsuse most values for the first 256 will have a matching second 256 which will lead to Y. Assuming pseudo random distribution throwing n balls in to n bins will leave only n/e of them empty. By knowing there is an answer with said prefix the brute force is slightly faster, not by doing anything clever in the brute force but by virtue of eliminating the possibility of no value. If we have a random oracle hash the worst case brute force with the prefix is 2^256 and without it is 2^512 but the difference in expected attack time is rather small. And in any cass it is entirely not fessable. Threre are no known relevant attacks on sha255 to make this even remotely feasible to launch.

Meir Maor
  • 11,835
  • 1
  • 23
  • 54