FIPS 180-3 defines the initial hash value for SHA-256 as the first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19. What would be the risks of using a different value (for example: a random salt)? Conceptually, this would be the same as prepending the message with a block which hashed (using the normal initial hash value) to the specified value.
1 Answer
With the message padding scheme of SHA-2/SHA-256 as it stands (add one 1 bit, a minimal number of 0 bits so that the overall padded message will end on a block boundary, then the original message length over some fixed number of bits), I know of no attack enabled by allowing a different IV.
However, allowing an arbitrary IV renders ineffective one of the two redundant safeguards built into SHA-2's padding scheme. If the message length was removed from the above padding scheme, then an adversary having the ability to decide the different IV could do so nefariously; in particular, such that he knows a secret backdoor block $B$ that can be inserted at the beginning of any message, leaving the hash invariant. Proof: one round of SHA-2 transforms the state $S$ according to $S_{j+1}=F(M_j,S_j)\hat+S_j$, where $F$ is a cipher with the (padded) message block $M_j$ used as key, $\hat+$ is addition with some carries suppressed, and $S_0$ is the IV we are discussing. One able to choose the IV could choose it as $F^{-1}(B,0)$, thus such that $F(B,\mathtt{IV})=0$, thus such that $M_0=B\implies S_1=S_0$.
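As an added example (not part of the question or the answer above), a minimal pure-Python SHA-256 with a selectable IV and a selectable length field: it derives H0 and K from the primes as FIPS 180-3 specifies, then checks the question's "conceptually the same as prepending a block" claim and shows that the two hashes only coincide once the length trailer is faked, which is the safeguard the answer refers to. The helper names `primes`, `iroot`, `compress`, `prepend_equivalence` and the 64-byte block `bytes(range(64))` are my own constructions.

```python
import hashlib, struct
from math import isqrt
MASK = 0xFFFFFFFF
def primes(n):  # first n primes by trial division
    ps, c = [], 2
    while len(ps) < n:
        ps += [c] if all(c % p for p in ps) else []
        c += 1
    return ps

def iroot(x, k):  # floor of the integer k-th root by bisection (exact, unlike float cbrt)
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid - 1)
    return lo

# FIPS 180-3 constants derived as specified rather than hard-coded: H0 is the first 32
# fractional bits of sqrt(p) for the first 8 primes, K the same for cbrt(p) of the first 64.
H0 = [isqrt(p << 64) & MASK for p in primes(8)]
K = [iroot(p << 96, 3) & MASK for p in primes(64)]
rotr = lambda x, n: ((x >> n) | (x << (32 - n))) & MASK

def compress(state, block):
    # One Merkle-Damgard step S_{j+1} = F(M_j, S_j) + S_j (the answer's hat-plus: add mod 2^32 per word).
    w = list(struct.unpack('>16L', block))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256(msg, iv=None, claimed_len=None):
    # iv: optional non-standard S_0. claimed_len: byte length written into the padding
    # trailer; anything other than len(msg) removes the length safeguard discussed above.
    n = len(msg) if claimed_len is None else claimed_len
    data = msg + b'\x80' + b'\x00' * ((55 - len(msg)) % 64) + struct.pack('>Q', n * 8)
    state = list(H0 if iv is None else iv)
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return b''.join(struct.pack('>L', x) for x in state)

def prepend_equivalence(m, B):
    # Hash m from the custom IV' = compress(H0, B) versus hashing B || m with the standard IV.
    iv, std = compress(H0, B), hashlib.sha256(B + m).digest()
    return (sha256(m, iv) == std,                              # False: the trailer lengths differ
            sha256(m, iv, claimed_len=len(B) + len(m)) == std)  # True once the length field is faked
```

`prepend_equivalence(b'hello', bytes(range(64)))` returns `(False, True)`: a custom IV is equivalent to a prepended block only if the hash also stops committing to the true message length.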