Can a document contain its own hash?

Question

Do any methods exist whereby a "hash" can be embedded in the "document" it hashes?

What I mean is this. Say I have a given plaintext T. I wonder if there is a method to craft (i.e. not discover as a fluke) a "document" D being some combination (e.g. a concatenation) of T and a hashvalue h, where h is H(D), H being some hash function.

Perhaps a simpler way of phrasing this is: Is there any way to make a document contain its own hash, under the constraint that the document must, apart from its own hash, contain a given plaintext?

Is this possible in theory? In practice?

This question is somewhat different from this one, in that I am assuming a given plaintext T, whereas that question asks if any T can be crafted (or found).

Answer 1

It actually depends on what you consider a hash function.

If we take a CRC (Cyclic Redundancy Check) as our hash function, then it is quite feasible; a CRC has a property that every output bit is a linear (affine if the initial state is nonzero, but the difference is unimportant) function of the input bits; hence we can generate a set of linear equations over the various bits of X in the expression $CRC( Message || X || MoreMessage ) = X$, and attempt to solve that (and find the solutions, if any).

I would further note that CRC does meet the criteria you gave; it can potentially have a large range (just make the CRC state large enough), and at first glance, if you just look at inputs and outputs, it does appear random.

Of course, a CRC is not a secure hash function; however you didn't specify a secure hash function.

Answer 2

As I noted in my earlier answer, for any standard secure hash function, it is unlikely that you could ever find any string that contains its own hash value. If you cannot do that at all, you certainly have no hope of doing it with extra constraints, like having the string begin with some preselected prefix $T$.

You could do that if the hash function you chose was broken enough to allow chosen-prefix first preimage attacks; indeed, that would even allow you to choose the hash value you want. Basically, just pick any $T$ and $h$ you want, and apply the preimage attack to generate a message the prefix $T \,\|\, h$ and the hash value $h$. But, of course, any hash function that broken would be completely useless as a cryptographic hash anyway.

In any case, I'm not sure what cryptographic purpose such a construction would serve. Hash functions don't have keys, so if you could construct a message containing its own hash, anybody else (with access to comparable computing power) could do it just as well. So such a scheme, even if possible, would be useless for authentication or data integrity.

If what you want to do is prove that you created a particular document, and that it hasn't been tampered with, what you actually want is a message authentication code or a digital signature. Both of those can be constructed using hash functions (among other things), but they're not the same thing.