Why is SHA-512 limited to an input of $2^{128}$ bits?

Question

Both SHA-384 and SHA-512 are limited to an input size of less than $2^{128}$ bits. Considering SHA-512 has a higher output size, couldn't it include more input data?

kelalaka · Accepted Answer · 2019-08-12T20:31:19.847

The standard FIPS.180-4 defines a padding scheme that limits the upper input size.

Then append the 128-bit block that is equal to the number $l$ expressed using a binary representation.

Where the $l$ is the message length. Therefore, according to the standard, you can hash at most $2^{128}$-bit-sized input messages.

This upper limit, actually, due to the Merkle-Damgård (MD) design of SHA-512. MD based hash functions are vulnerable to length extension attacks and appending the length simplifies the security proof.

forest · Answer 2 · 2019-07-18T01:20:01.313

8

Considering SHA-512 has a higher output size

Here's where I think you're making a mistake. The space of the output of SHA-512 is $2^{512}$. However, the number of possible inputs is not $2^{128}$, but a whooping $2^{(2^{128}-1)}-1$. You will have reached all possible output spaces well before even a minuscule fraction of the input space has been exhausted.

edited Jul 18 '19 at 01:20

answered Dec 10 '18 at 09:18

forest

15,626
2
49
103

score 3 · Answer 3 · answered Dec 09 '18 at 22:41

3

This is not a question of output size (even a 16-bit CRC can handle an unlimited input) but depends on the specification. You could use the SHA-2 compression function in an algorithm with larger input size, but then it would not be SHA-512.

answered Dec 09 '18 at 22:41

gammatester

1,005
1
8
12

score 3 · Answer 4 · edited Jun 17 '20 at 08:17

The limitation is not a fault but a practical limit. A limit which does not impair it's usefulness.

"The Bug Charmer's" blog "How big is 2**128?" makes several comments about the value, here are a few:

"Most people realize that it’s a “big number” but don’t comprehend exactly how big. Who can blame them? Outside of a few disciplines such as cryptography and astrophysics, most people will never encounter a number this large.".

"$2^{128}$ is 340 undecillion - 340,282,366,920,938,463,463,374,607,431,768,211,456".

"How long would it take to brute-force a 128-bit key? If your PC can try $2^{40}$ keys per day, it would take you about 847,904,136,496,835,804,725,427 (848 sextillion) years in the worst case. We expect the sun to run out of hydrogen and collapse into a white dwarf in only about 5 billion years.".

"A computer that can try $2^{90}$ keys per day will take millions of years to guess a 128-bit key.".

"Storage on the order of $2^{128}$ will remain impossible. As I discussed in a previous post, storage for rainbow tables for each of $2^{128}$ salt values would require a storage device at least as large as the Earth.".

While some of those points refer to cracking and not the input text length the problem remains the same, what if the actual message was contained in the last sentence. Someone (or a computer) must create the input, it requires storage, and then there's the processing time; what if it turns out to be a compressed file?

Why is SHA-512 limited to an input of $2^{128}$ bits?

4 Answers4

Linked