Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Apr 2012 16:17:56 +0800
From: myrice <>
Subject: Reverse steps for single round sha(sha-1, sha256/384/512)

Hi, all

It is possible to do some steps reverse in single round hash, for example,
in sha-512, message is less than 1024 bits. I am currently working on
XSHA512 for Mac Lion OS. The maximum length of password is 107(107*8 <
1024). Here is my initial idea of reverse.
Currently, we first compare first 64 bit of hashes. The code likes(Please
refer to cuda/ for more details):

    initial H[0..7]; a..h = H[0..7]*    for* i *from* 0 to 79
        t1 := ...
        t2 := ...
        h := g
        g := f
        f := e
        e := d + t1
        d := c
        c := b
        b := a
        a := t1 + t2
    H[0] += a

For cipher text which is H`[0] append H`[1] append .... H`[7];
1) H`[0..7] -= H[0..7], we get a80, b80, c80...h80. These means a, b...h in
2) Please see code above, the b80 = a79, c80 = b79, d80 = c79,
e80=d79+t1_80. However, we don't know t1_80, so stop here.
3) And b79 = a78, c79 = b78, d79 = c78 ... b78 = a77, c78 = b77, d78 = c77
4) Focus on d80, d80 = c79 = b78 = a77 = t1_77+t2_77. We don't know t1_77
and t2_77

For now, we can compute to 77th iteration and compare a77 with d80.

Any ideas about it? I think t1 and t2 are main reasons for us to reverse
more steps.

Dongdong Li

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.