Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 1 Oct 2015 03:01:43 +0300
From: Aleksey Cherepanov <>
Subject: Re: reverse of full sha1 and sha256 limb when hash and block are

On Thu, Sep 03, 2015 at 03:34:54AM +0300, Aleksey Cherepanov wrote:
> tl;dr: if W and hash are known, initial state can be computed. ... PROFIT!

No, it is a mistake.

> Looking at sha1 round, it is obvious that each round can be computed
> backwards (i.e. starting from hash and going to initial state):
> consider a, b, c, d, e after round known, then there are only 2
> unknown variables: w[i] and e at the beginning of round. So knowing
> w[i], it is trivial to right a formula to compute e. This way we go
> reverse.
> sha256 is a bit more complex, but it has only 1 unknown variable too.
> So it is possible to write reverse algo straight-forward. PoC is
> attached.
> So sha1 and sha256 behave like block ciphers: you "encrypt" initial
> state ("block of data") with W, that is expanded block of message
> ("key"). And it is possible to "decrypt" hash to get initial state.

That's true only for a part. But pre-block state is added after block,
so we have  f(x) + x == hash  where hash is known, x is unknown and f
is known but very complex. My code worked because it is for 1 block:
we know x, but it won't work for 2 block when x is not known and can't
be subtracted from hash.d


Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.