0

Say I'm feeding in few thousand bits data (INPUT AAAA) into both SHA256 & SHA3 256 engines at the same time. (Both engines using different hashing architecture) and hence it will generate different 256-bits of output, lets say SHA256 generate ABCD while SHA3-256 generate EFGH.

I'm curious about if we can try to find the alternative input (INPUT BBBB) later that can generate the same HASH output like above (SHA256 generate ABCD & SHA3 256 generate EFGH).

Pi-Turn
  • 83
  • 5
  • 2
    Sounds to me like you're after "collision resistance". Additionally, I'd like to note that you seem to use SHA2 and SHA3 in the same program to achieve domain separation, so I would like to note that it's perfectly possible to achieve domain separation while using the same hash function! E.g. SHA3(0 || INPUT AAAA) will be different from SHA3(1 || INPUT AAAA) – Ruben De Smet Jan 21 '21 at 08:54
  • @RubenDeSmet, if I interpret you correctly, you mean SHA2 can be out of the picture since the single SHA3 engine can achieve the domain separation by applying some kind of different seed numbers? – Pi-Turn Jan 21 '21 at 09:04
  • 2
    That's pretty much what I am saying indeed. FWIW, SHA2 does not necessarily need to be out of the picture (it's usually a bit faster than SHA3 in software), but there's no good reason to use both of them. – Ruben De Smet Jan 21 '21 at 09:56
  • 1
    Domain seperation, and it can be achieved with a fixed string on the beginning like SHA-3 does see suffix – kelalaka Jan 21 '21 at 10:37

1 Answers1

2

In short, this will be not be possible, even if we only use one secure hash function rather than two. You seem to be describing a sort of dual second-preimage attack where we need to find two inputs that clash over two separate hash functions.

A secure hash function will be resistant to such attacks. As such for either SHA2 & SHA3, it will not be possible to find another input that makes a desired output.

I believe that even SHA1 is only weak in terms of collision resistance. See here for further details.

Modal Nest
  • 1,443
  • 4
  • 18
  • 1
    It's only a second pre-image attack if the input 1 "AAAA" is fixed (which is not entirely clear from the question). However, collision resistance still applies (for SHA-2 and -3 at least). – SEJPM Jan 21 '21 at 09:14
  • @SEJPM Thank you. I see what you mean, the wording of finding an alternative input later suggested to me that the initial input was fixed. – Modal Nest Jan 21 '21 at 09:21
  • @ModalNest, "A secure hash function will be resistant to such attacks. As such for either SHA2 & SHA3, it will not be possible to find another input that makes a desired output.", I always don't get why this is not possible to happen because the input size is always much larger than the output size. if your input is a 100,000 bits long meaning the permutation is easily larger than 2^256 bits long output. So it should have overlap with simple thinking... – Pi-Turn Jan 21 '21 at 11:22
  • @SEJPM, Yes, the "AAAA" is the fixed input. But the intention here simply want to ensure others can't replace "AAAA" with their own input that can yield the same output from SHA2 and SHA3 like what AAAA does. – Pi-Turn Jan 21 '21 at 11:27
  • 1
    @Pi-Turn The size of the input doesn't matter really. It's the mindboggling size of 256bits (in the case of preimage). Using some quick JS (so maybe wrong) but a 4GHz processor left running would take a number of years 54 digits long, assuming it ran one million hashes per clock cycle. Or 4000000000000000 hashes per second. – Modal Nest Jan 21 '21 at 11:51
  • @ModalNest, I'm kind of agree what do you explain. Yes, It will be really take very long time to go through 2^256 of the permutation. However, one thing that I couldn't understand well is the size of input. Let say if the input is 256 bits long, then probably each of the permutation will have unique 256 bits of output. But if we go beyond that such as 10,000 bits of input, theoretically, the chances for different input combinations that generate the same 256 bits output (Overlap) will be significantly increase as well. appreciate that if you can advise. – Pi-Turn Jan 21 '21 at 14:39
  • 1
    @Pi-Turn There is an overlap I suppose in the sense that if you stored all 10k bit permutations, there would have to be $n$ collisions. However it's not feasible to do that. Even storing a single bit to represent every permutation of 256 bits would require more storage space than we have on earth. – Modal Nest Jan 21 '21 at 14:58
  • @ModalNest, I'm sorry for didn't explain well with the "overlap" meaning or probably I didn't follow your reply well. Let me explain in other example, If I simplify the SHA256 into lets say only 4 bits output, it means the possible output range will be from 0000 to 1111 (16 combinations). Now, if my inputs are 8 bits, meaning it can be from the range of 00000000 to 11111111 (256 combinations.). In this case, there must have many inputs combination that will generate the same 4-bits output...hence, I'm applying this in 2^10000 of inputs size to only 2^256 output size. – Pi-Turn Jan 21 '21 at 15:11
  • Let us continue this discussion in chat. – Modal Nest Jan 21 '21 at 15:39