1

I have a double-SHA-256 of some text $$ h_2 = \operatorname{SHA256}(\operatorname{SHA256}(m)).$$ I don't need the plain text ($m$), but somehow I need to get first $$h_1 = \operatorname{SHA256}(m).$$

Can I have it ($h_1$) by keep hashing the second one ($h_2$)? $$ h_1 = \operatorname{SHA256}(\operatorname{SHA256}(...\operatorname{SHA256}(h_2)...)).$$

kelalaka
  • 48,443
  • 11
  • 116
  • 196
Zarei
  • 13
  • 5

1 Answers1

3

Short answer; Almost NO!

Can I have it by keep hashing the second one?

There were great answers for the question; Cycles in SHA256

In short, if we model SHA256 as a uniform random function then the probability of element being on the cycle is

$$\frac{1}{\sqrt{\hspace{.03 in}2\hspace{-0.05 in}\cdot \hspace{-0.04 in}\pi} \cdot 2^{127}}$$

The average cycle length with expected value for SHA256 is $$2^{127} \sqrt{2\pi}$$

Simply consider the first hash $\operatorname{SHA256}(m)$ as the starting point;

  • As one can see that being on a cycle has a very low probability and you almost find none in a cycle since the probability is $\frac{1}{\sqrt{2\cdot \pi} \cdot 2^{127}}$.
  • Even it is on a cycle, you almost certainly can not calculate the cycle to find the pre-image since the average cycle length is $2^{127} \sqrt{2\pi}$.

These are from the result of Bernard Harris's magnificent work; Probability Distributions Related to Random Mappings in 1960.

Also, this exists in the Handbook of Applied Cryptography - Fact 2.37

  • tail lenght = $\sqrt{\pi n /8}$
  • cycle lenght = $\sqrt{\pi n /8}$
  • rho-lenght = $\sqrt{\pi n /2}$
kelalaka
  • 48,443
  • 11
  • 116
  • 196