6

Based on my skimming over FIPS 180-4 it looks like the only difference between SHA-512 and SHA-512/256 is the initial hash value and the fact that the final output is truncated to 256 bits.

My question is: if you have a library that does SHA-512 can you transform that to SHA-512/256?

Like maybe there could be some sort of magic string that, when prepended to the original message, makes the first 256 bytes of the SHA-512 hash of the original message the same as SHA-512/256? Or maybe you could xor the first x bytes of the original message with some magic string?

I'm guessing that there isn't such a way but I thought I'd ask all the same.

otus
neubert

1 Answer

8

Like Richie Frame commented, as SHA-2 padding uses the length of the message, that is not possible. Specifically, even if you had some string of input that took you from the SHA-512 IV to the SHA-512/256 IV, any message you hashed with it prepended would have a different length and thus a different hash value.

Additionally, even ignoring the padding it would be infeasible to find such a string. The IV constants for SHA-512/n have been chosen using an algorithm that does not start with the normal SHA-512 IV, so it would require a preimage attack on the compression function to find one.

However, unless you need compatibility or conformance with SHA-512/256, you could just use SHA-512 and truncate. See page 27 of the FIPS document you linked.

otus