How hard is a known prefix hash preimage attack on SHA-2?

Asked Feb 23 '13 at 13:31

Active Jun 19 '17 at 07:36

Viewed 576 times

Suppose the attacker knows $X, Z$ such that

$H(X || Y) = Z$

If bit-length(Y) < 60 then a brute force attack is possible.

What if bit-length(Z) = 256 (such as in SHA-256), bit-length(X) = 128, or bit-length(Y) = 256? Are there any published paper with results/experiments with SHA-256/512 in full or reduced rounds? Are there specific known attack techniques?

edited Jun 19 '17 at 07:36

otus

32,132
5
70
165

asked Feb 23 '13 at 13:31

SDL

1,867
13
25

6

I'm pretty confident there is nothing out there allowing a preimage attack of this kind on SHA-256 with full rounds. – fgrieu Feb 23 '13 at 16:46
Regarding the brute force attack, the bitcoin network could brute-force more than 60 bit quite fast (today - the question is 4 years old): Assuming $5 \cdot 10^{18}$ hashes per second, it would take the bitcoin network $\approx 0.23$ sec for a full search over $60$ bit. – tylo Jun 19 '17 at 09:01

How hard is a known prefix hash preimage attack on SHA-2?

0 Answers0

Linked