
After reading that about "37% of the 256-bit outputs" of SHA-256 are unreachable when fed only 256-bit inputs [1] I'm curious & confused. The formula from the proof here considers a fixed "h-bit" input & output. How does this translate to the maximum number of internal states that are reachable within SHA3?

Does this mean ~37% of the internal states of SHA3 are unreachable after each of its $f$-function evaluations? I'm thinking it's analogous because $f$ takes a 200-byte internal state & produces a new 200-byte internal state. Is that correct?

aiootp

1 Answer


How does this translate to the maximum number of internal states that are reachable within SHA3?

That depends on what you're asking.

If you are considering only 256 bit inputs (which the SHA-256 question did), well, there will be precisely [1] $2^{256}$ states reached (which is far below the 37% value of SHA-256).

On the other hand, if you are considering arbitrary length inputs (which you didn't for the case of SHA-256), it looks quite likely that all states are reachable.

Remember, all the rate bits can be set to anything (by setting the next message block appropriately).

So, the question is: given that the rate bits can be anything, is there any set of 'capacity bit' settings which is unreachable? That is, if the output of the permutation has the capacity bits within that set, then the capacity bits of the input must also be in that set (and that set does not contain the 'all 0' setting - that's what SHA-3 starts with).

We don't know whether this is true - a priori, this looks quite unlikely.

[1]: This is "precisely" because two different 256 bit inputs will never result in the same state - we're not filling up the rate bits (and so collision while inputting the bits), and because the permutation will never cause a collision.

poncho
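The three points in the answer (a permutation loses nothing on short inputs, a random function loses roughly 37%, and for long inputs everything hinges on whether some set of capacity values is closed under the permutation) can be checked exhaustively on a toy sponge. The code below is an added example, not part of the answer or of any SHA-3 implementation: it uses a constructed 10-bit state with a 6-bit rate and 4-bit capacity, a seeded random permutation standing in for Keccak-f, and a deliberately capacity-preserving permutation to show what an unreachable set would look like.

```python
import random

# Toy sponge geometry (constructed for this example; real SHA3-256 uses a
# 1600-bit state with r = 1088 rate bits and c = 512 capacity bits).
STATE_BITS = 10
RATE_BITS = 6
CAP_BITS = STATE_BITS - RATE_BITS
RATE_MASK = (1 << RATE_BITS) - 1


def random_permutation(bits, seed=1):
    """A random bijection on `bits`-bit values, standing in for Keccak-f."""
    rng = random.Random(seed)
    table = list(range(1 << bits))
    rng.shuffle(table)
    return table


def random_function(bits, seed=1):
    """A random (non-bijective) map, the model behind the SHA-256 '37%' figure."""
    rng = random.Random(seed)
    n = 1 << bits
    return [rng.randrange(n) for _ in range(n)]


def reachable_fraction(table):
    """Fraction of outputs hit when every input is tried once."""
    return len(set(table)) / len(table)


def split(state):
    # Rate in the low bits, capacity in the high bits (a constructed layout).
    return state & RATE_MASK, state >> RATE_BITS


def join(rate, cap):
    return (cap << RATE_BITS) | rate


def states_after_one_short_block(perm, input_bits):
    """Distinct states after absorbing one block shorter than the rate.

    Padding is ignored; it only fixes extra rate bits and does not change the
    count, since the permutation is injective (the answer's footnote [1]).
    """
    assert input_bits <= RATE_BITS
    return len({perm[m] for m in range(1 << input_bits)})


def reachable_capacities(perm):
    """Capacity values reachable from the all-zero state with arbitrary-length input.

    After each permutation the rate part can be set to any value by XORing a
    suitable message block, so from capacity c every state (r, c) is a possible
    permutation input.  Reachability therefore depends only on the capacity
    values, which is the closure argument in the answer.
    """
    seen = {0}
    frontier = [0]
    while frontier:
        c = frontier.pop()
        for r in range(1 << RATE_BITS):
            _, c_next = split(perm[join(r, c)])
            if c_next not in seen:
                seen.add(c_next)
                frontier.append(c_next)
    return seen


def capacity_preserving_permutation():
    """A deliberately bad permutation that never changes the capacity part.

    It is still a bijection (for fixed c, r -> r + c is a permutation of the
    rate values), so it shows what an unreachable set of capacity settings
    looks like: every capacity value except c = 0 is never visited.
    """
    table = [0] * (1 << STATE_BITS)
    for state in range(1 << STATE_BITS):
        r, c = split(state)
        table[state] = join((r + c) & RATE_MASK, c)
    return table


if __name__ == "__main__":
    perm = random_permutation(STATE_BITS)
    print("random function hits   ", reachable_fraction(random_function(16)))
    print("random permutation hits", reachable_fraction(perm))
    print("4-bit inputs -> states ", states_after_one_short_block(perm, 4))
    print("reachable capacities   ", sorted(reachable_capacities(perm)))
    print("bad permutation        ", sorted(reachable_capacities(capacity_preserving_permutation())))
```

The random function lands near the 1 - 1/e ≈ 63% mark, the permutation hits 100% of outputs and maps 2^4 short inputs to exactly 2^4 states, and the breadth-first search over capacity values reaches all of them for the random permutation but only {0} for the capacity-preserving one; that last case is exactly the closed set the answer says would have to exist for SHA-3 states to be unreachable.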