I am looking into building a merkle tree algorithm and I need to know if SHA256 is resistant to second preimage attack.
1 Answer
SHA-256 has no known collision attack and has no known second pre-image attack and has no known pre-image attack.
There was a claim, "Has SHA256 been broken by Treadwell Stanton DuPont?", but it has already been debunked.
Currently, we have generic attacks: $2^{256}$ pre-image resistance, $2^{256}$ secondary pre-image resistance and $2^{128}$ collision resistance. Collision resistance is lower due to the birthday attack. The academic attacks are on reduced rounds, therefore not practical, yet.
Note per comment: It is not SHA-256 or any other cryptographic hash's weakness. It is a problem with hash trees that enables finding secondary pre-images, and it can be mitigated with domain separation as mentioned in rfc6992. You can also see this problem in this post;
-
Thank you. Furthermore, do I have to take into account that leaf nodes and the internal nodes have different hashes, like, for example, it is done for sha-1? As explained here https://crypto.stackexchange.com/questions/2097/how-does-a-tiger-tree-hash-handle-data-whose-size-isnt-a-power-of-two/2103#2103 – Hoistas Sep 19 '19 at 06:34
-
Are you asking about adding 1 and 0 for domain separation? – kelalaka Sep 19 '19 at 06:57
-
Yes, I am asking about adding data to make the leaves and the nodes different. Do we have to do that for sha256? – Hoistas Sep 19 '19 at 09:47
-
That is a different question and you can find the answer here – kelalaka Sep 19 '19 at 09:51
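The hash-tree issue from the answer's note and the comments, as an added example that is not part of the original thread: without domain separation, the concatenated child hashes of one tree are accepted as the leaves of a smaller tree with the same SHA-256 root, and distinct leaf and node prefixes remove that ambiguity. The function names, the prefix bytes `0x00`/`0x01` and the power-of-two leaf count are assumptions of this sketch.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves, leaf_prefix=b"", node_prefix=b""):
    """Merkle root over a power-of-two number of leaves (assumption of this sketch)."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("leaf count must be a non-zero power of two")
    level = [H(leaf_prefix + leaf) for leaf in leaves]
    while len(level) > 1:
        level = [H(node_prefix + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


def naive_root(leaves):
    # Leaves and internal nodes are hashed the same way: no domain separation.
    return merkle_root(leaves)


def separated_root(leaves):
    # Assumed prefixes: 0x00 marks a leaf, 0x01 marks an internal node.
    return merkle_root(leaves, leaf_prefix=b"\x00", node_prefix=b"\x01")


def forged_leaves(leaves, leaf_prefix=b""):
    """Present the bottom level's concatenated child hashes as if they were leaf data."""
    hashes = [H(leaf_prefix + leaf) for leaf in leaves]
    return [hashes[i] + hashes[i + 1] for i in range(0, len(hashes), 2)]


if __name__ == "__main__":
    sample = [b"tx-a", b"tx-b", b"tx-c", b"tx-d"]  # constructed sample data
    # Naive tree: a different, shorter leaf list yields the same root.
    print("naive roots equal:    ",
          naive_root(sample) == naive_root(forged_leaves(sample)))
    # Domain-separated tree: the re-interpreted input no longer matches.
    print("separated roots equal:",
          separated_root(sample) == separated_root(forged_leaves(sample, b"\x00")))
```

SHA-256 itself is untouched in both cases; the matching roots in the naive tree come only from the tree accepting an internal node's input as leaf data.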