2

I have been educating myself recently about the SHA-2 hashing algorithm, and in the midst of this pursuit, I've encountered a question:

This algorithm uses a set of constant hexadecimal values, derived from the cube root of prime numbers, as a starting point for the process. Because these values can be known to anyone, does this not open some level of vulnerability to the hashed values? Would it not be better to use a set of less predictable values?

I don't know a great deal about cryptography, so forgive me if this question is silly in some way I do not understand, but I am very curious about the answer.

EDIT: I'm not asking why they are constant. I understand how hashing works and what it is used for. I am asking if the security of the algorithm would be increased if constant but unknowable (to the outside) values were used instead of the array of constants currently used.

user37745
  • 21
  • 2
  • If the constants were not constant, you could not use the hash function without keying it, so it would not be a hash function but something else. You can read up on http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number – Thomas Jan 23 '14 at 00:33
  • 1
    possible duplicate of Why are these specific values used to initialise the hash buffer in SHA-512? – Cryptographeur Jan 23 '14 at 08:57
  • For SHA-2, the round constants are based on cube roots of primes, the initial hash value is based on square roots of primes – Richie Frame Jan 23 '14 at 09:48
  • I understand that they have to be constant. That is not what I am asking. There are ways to make the values constant, but not transparent to someone trying to break the hash; a system that selects various constants based on the cube roots of primes based on the unicode values of the chars in the initial string, for instance. – user37745 Jan 23 '14 at 15:50
  • So, you're suggesting that the attacker be allowed to select those constants? After all, during an attack, the attacker is submitting values to hash; if those 'constants' depend on the values, the attacker can, by selecting the appropriate initial string, he gets to pick the 'constants' that the hash function will use. – poncho Jan 23 '14 at 19:46
  • The idea of a hash is that anybody can compute the same hash without having to know a secret. When you have a secret, you can use a MAC which is stronger than an unkeyed hash. The random prefix keys used in for example HMAC are very similar to random IVs. – CodesInChaos Jan 24 '14 at 09:33
  • I think I get what you mean. There are uses of hash functions where some degree of secrecy is called for, but for some reason you don't want to use a MAC, and that's where you might use a salt. – rath Jan 26 '14 at 05:37

1 Answers1

3

Would it not be better to use a set of less predictable values?

Actually, there aren't any "unpredictable values".

SHA-2 is a hash function (actually, it's a family of 6 hash functions; we'll ignore that point for now); a hash function is designed so that anyone can compute it.

One use of a hash function is during signature generation and verification; typically, the signer takes the message, and hashes it, and then applies the signature operation to the hash. Then, the verifier takes the message, hashes it, and then verifies the hash against the signature. If the verifier could not compute this hash, he could not verify that the signature corresponded to this message.

Because of this, the entire specification of SHA-2 must be made public, so that the verifier (and anyone else) can compute it. That is, any internal table values must also be public, because they are needed to compute the hash function.

Because we're going to tell everyone what the values are, they aren't, in any sense, unpredictable.

poncho
  • 147,019
  • 11
  • 229
  • 360