8

So let's say you had infinite time and energy. You have a hashed string of some sort. Because you have infinite time and energy, you can produce a collision (or the original value) easily enough. But there is a problem. The hashed string was hashed an unknown amount of times (i.e., it may have been produced by sha256(sha256("foobar")) or by sha256(sha256(sha256(sha256("foobar"))))).

You were given a hint by your adversary though. They give you (say) 10 strings, of which one is the initial value that is hashed.

Is it possible to determine with absolute certainty that you chose the correct string? Is it possible that hashing "foobar" recursively an infinite amount of times will eventually yield any arbitrary hash value?

Although my question is about SHA256, I'd be equally curious of other hash algorithms as well

Earlz

1 Answer

7

> Is it possible that hashing "foobar" recursively an infinite amount of times will eventually yield any arbitrary hash value?

I very much doubt it. A simple demonstration of this logic can be done through the birthday paradox. Suppose we log each successive recursive SHA-256 on "foobar" in a table. We can ask ourselves what the probability is that our next recursion will collide with any item already in the table.

Assuming SHA-256 behaves as a random function, the probability will exceed 50% just after we've tried approximately $2^{128}$ recursions. However, since we know that SHA-256 is not actually a random function, as soon as a collision is found it will then fall into a cycle. Thus, approximately 0% of the total hash value space will be covered.

The string "foobar" would need to be a special case where each hash value is visited exactly once. I believe this property is called being a "generator" but I'm happy to be corrected on that point.

> Although my question is about SHA256, I'd be equally curious of other hash algorithms as well

I'd expect that this analysis would apply to any secure cryptographic hash.

Simon Johnson
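The cycle argument in the answer above can be observed on a scaled-down hash. This is an added example, not part of the original post: it assumes SHA-256 truncated to 2 or 3 bytes so the whole orbit of "foobar" fits in memory, and the function names (`step`, `orbit`, `coverage`, `iterations_to_reach`) are illustrative.

```python
import hashlib

def step(state: bytes, nbytes: int) -> bytes:
    """One iteration: SHA-256 truncated to nbytes (toy space of 2**(8*nbytes) values)."""
    return hashlib.sha256(state).digest()[:nbytes]

def orbit(seed: bytes, nbytes: int):
    """Iterate from seed until a value repeats.

    Returns (values, tail_len): the distinct values in visiting order, and the
    index in that list where the cycle begins (everything before it is the tail).
    """
    first_seen = {}
    values = []
    x = step(seed, nbytes)
    while x not in first_seen:
        first_seen[x] = len(values)
        values.append(x)
        x = step(x, nbytes)
    return values, first_seen[x]

def coverage(seed: bytes, nbytes: int) -> float:
    """Fraction of the toy output space ever reached by iterating from seed."""
    values, _ = orbit(seed, nbytes)
    return len(values) / 2 ** (8 * nbytes)

def iterations_to_reach(seed: bytes, target: bytes, nbytes: int):
    """Number of hash applications that turn seed into target, or None.

    The orbit is finite, so a target not found before the first repeat
    can never be produced by further iteration.
    """
    values, _ = orbit(seed, nbytes)
    return values.index(target) + 1 if target in values else None

if __name__ == "__main__":
    for n in (2, 3):
        values, tail = orbit(b"foobar", n)
        print(f"{8 * n}-bit space: tail={tail}, cycle={len(values) - tail}, "
              f"covered={coverage(b'foobar', n):.4%}")
```

The orbit length grows roughly with the square root of the space size, so the covered fraction shrinks as the output gets wider, which is the behaviour the answer extrapolates to the full 256-bit output.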