What makes SHA256 secure?

For example, RSA relies on a mathematically hard problem, factoring, while ECDSA or similar rely on the "discrete logarithm problem".

What makes SHA256 and similar hash functions, of the same family, secure against pre-image and collision attacks? What's the math behind it?

Tags: hash, collision-resistance, preimage-resistance

asked 4 hours ago by rapadura

  • Check these 1 2 3
    – kelalaka
    4 hours ago

  • Thanks for the good links. My question is different from "Why can't we reverse hashes", since I don't want to reverse a hash, merely curious about, if any, mathematical foundations for "security" of hash functions, as opposed to confusion and obfuscation. Seems the compression f in SHA256 is not provably secure, just hard.
    – rapadura
    4 hours ago

2 Answers

The design of SHA-256 relies on two structures: a one-way compression function, which is based on the Davies–Meyer structure, and the Merkle–Damgård structure, which uses this Davies–Meyer compression function.

  • Compression function: transforms a $2n$-bit input into an $n$-bit output. The transformation is performed in a way that achieves the avalanche effect, i.e. every output bit depends on every input bit.

  • One-way function: easy to compute, hard to invert.

  • A one-way compression function should have these properties:

    1. Easy to compute: the calculation of the output is easy for a given input.

    2. Pre-image resistant: given a hash value $h$, it should be hard to find a message $m$ such that $h=Hash(m)$. Consider storing the hashes of passwords on the server; e.g. an attacker will try to find a valid password to your account.

    3. Second pre-image resistant: given a message $m_1$, it should be computationally infeasible to find another message $m_2$ such that $m_1 \neq m_2$ and $Hash(m_1)=Hash(m_2)$. This amounts to producing a forgery of a given message.

    4. Collision resistance: it should be hard to find two inputs $a$ and $b$ that hash to the same output, i.e. $H(a)=H(b)$ with $a \neq b$.

[Figure: SHA256 compression function, from Wikipedia]

  • The Davies–Meyer structure is a one-way compression function based on a block cipher. The security of this construction is proven in the Ideal Cipher Model. However, this construction has a property: even if the underlying block cipher is secure, it is possible to find fixed points.

  • The Merkle–Damgård structure (MD) uses a compression function. MD is collision resistant if the compression function is a collision-resistant one-way compression function. MD constructions have a length extension attack, and SHA-256 is also prone to this attack.

Note: There is a preimage attack on 52 out of 64 rounds of SHA-256.

answered 3 hours ago by kelalaka, edited 2 hours ago

It's worth pointing out that, in the case of SHA2 and most other hashes, the compression function has a block cipher (keyed permutation) as its core.

Basically, what you are asking is identical to asking how block ciphers can be resistant to known-plaintext attacks and chosen-plaintext attacks (arguably this doesn't apply to SHA2 specifically, because an attacker doesn't control that aspect) and even related-key attacks in the case of SHA2 (because it uses a Davies-Meyer construction, where the attacker has control over what gets fed into the key schedule).

There is no proof that this methodology is reducible to something that is proven secure. It is believed to be secure due to diffusion and confusion properties which, as far as is known, allow no efficient backtracking. You can think of it as extreme sensitivity to initial conditions in a discrete, non-continuous domain.

Edit: The reason I went to block ciphers is that hash security is provably reducible to the security of the core keyed permutation (or even unkeyed, if you look at SHA3); that's how hashes are designed to begin with. That, I believe, is the spirit of your inquiry. But the buck stops there: no security proof for those exists.

answered 3 hours ago by Jacklos44773, edited 3 hours ago
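The following Python is an added example, my own reconstruction rather than code from either answer, the question, or the SHA-2 specification's authors. It builds SHA-256 out of exactly the two structures the first answer names (a block-cipher core wrapped in a Davies–Meyer feed-forward, chained by Merkle–Damgård with length padding) and then exercises the claims made in both answers: the core is an invertible keyed permutation, so `decrypt` undoes `encrypt` and a Davies–Meyer fixed point can be computed for any block; the feed-forward is what turns that permutation into a one-way map; and diffusion through the rounds is what the second answer's "sensitivity to initial conditions" looks like in numbers, which is also why cryptanalytic results are stated for reduced round counts. The constants `K` and `H0` are the published FIPS 180-4 values; the function names (`encrypt`, `decrypt`, `davies_meyer`, `sha256`, `davies_meyer_fixed_point`, `diffusion_after`) and the all-zero sample block are my own choices, and the self-check in `__main__` compares the result against `hashlib`.

```python
import struct
import hashlib  # only used by the self-check in __main__

MASK = 0xFFFFFFFF
# Round constants and initial chaining value, as published in FIPS 180-4.
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
H0 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def message_schedule(block):
    """Expand one 64-byte message block into 64 words: this is the cipher's key schedule."""
    w = list(struct.unpack(">16L", block))
    for t in range(16, 64):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    return w

def encrypt(block, state, rounds=64):
    """Block-cipher core E_block(state): the message block is the key, the chaining value is the plaintext."""
    w = message_schedule(block)
    a, b, c, d, e, f, g, h = state
    for t in range(rounds):
        s1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + s1 + ch + K[t] + w[t]) & MASK
        s0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        a, b, c, d, e, f, g, h = (t1 + s0 + maj) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [a, b, c, d, e, f, g, h]

def decrypt(block, state):
    """Exact inverse of encrypt(): the core is a permutation, so by itself it is not one-way."""
    w = message_schedule(block)
    a, b, c, d, e, f, g, h = state
    for t in reversed(range(64)):
        a_out, e_out = a, e
        a, b, c, e, f, g = b, c, d, f, g, h  # undo the register shift of round t
        s0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t1 = (a_out - s0 - maj) & MASK
        d = (e_out - t1) & MASK
        s1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        h = (t1 - s1 - ch - K[t] - w[t]) & MASK
    return [a, b, c, d, e, f, g, h]

def davies_meyer(state, block):
    """H_i = E_{m_i}(H_{i-1}) + H_{i-1}; the feed-forward addition is what makes the map one-way."""
    return [(x + y) & MASK for x, y in zip(encrypt(block, state), state)]

def md_pad(length):
    """Merkle–Damgård strengthening: 0x80, zero fill to 56 mod 64, then the 64-bit message bit length."""
    return b"\x80" + b"\x00" * ((55 - length) % 64) + struct.pack(">Q", length * 8)

def sha256(msg):
    """Merkle–Damgård chaining of the compression function; the digest is the final chaining value."""
    data = msg + md_pad(len(msg))
    state = H0
    for i in range(0, len(data), 64):
        state = davies_meyer(state, data[i:i + 64])
    return struct.pack(">8L", *state)

def davies_meyer_fixed_point(block):
    """For any block m, H = D_m(0) satisfies E_m(H) + H = 0 + H = H: a fixed point of the compression function."""
    return decrypt(block, [0] * 8)

def hamming(x, y):
    return bin(int.from_bytes(x, "big") ^ int.from_bytes(y, "big")).count("1")

def diffusion_after(rounds, block=b"\x00" * 64):
    """Output bits of the core that change when one input-state bit is flipped, after `rounds` rounds."""
    flipped = list(H0)
    flipped[0] ^= 1
    ref, alt = encrypt(block, H0, rounds), encrypt(block, flipped, rounds)
    return hamming(struct.pack(">8L", *ref), struct.pack(">8L", *alt))

if __name__ == "__main__":
    assert sha256(b"abc") == hashlib.sha256(b"abc").digest()
    print("one-bit change in the input flips", hamming(sha256(b"abc"), sha256(b"abd")), "of 256 digest bits")
    for r in (1, 4, 8, 16, 32, 64):
        print(f"diffusion after {r:2d} rounds: {diffusion_after(r)} bits")
    fp = davies_meyer_fixed_point(b"\x00" * 64)  # constructed sample block
    print("Davies-Meyer fixed point verified:", davies_meyer(fp, b"\x00" * 64) == fp)
```

Two things to notice when running it. First, `sha256` returns the final chaining value unchanged, so whoever holds a digest holds the complete internal state of the Merkle–Damgård iteration; that is the structural root of the length extension property the first answer mentions, and it is why a keyed construction such as HMAC, not `H(key || message)`, is the standard way to build a MAC from SHA-256. Second, the fixed point comes straight from the block cipher being invertible and needs no weakness in it, which is exactly the first answer's caveat; the length field in `md_pad` is what stops such fixed points from trivially yielding second preimages, since inserting extra blocks changes the encoded length.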
