I was thinking the below attack scenario on hash function. Let's assume that three binary numbers A(1000 bits), B(16 bits) and C(283 bits) are concatenated together and H(A||B||C) is generated using SHA256 or SHA512. Here, the attacker knows C. Knowing C, is it possible for an attacker to find A or B or (A||B) from the output H(A||B||C)? If yes, what are the attacks and how to prevent them?
Thank You.
Let consider $h = H(A\mathbin\|B\mathbin\|C)$ for SHA-256 or SHA-512 where both are MD-based cryptographic hash functions of NIST with
and we further assume that the attacker knows $h$ and $C$
Brute-force search
Definitely, the attacker cannot test the 1016-bit of unknown data to match the $h$. Bitcoin miners, the biggest known collective entity, can reach around $\approx 2^{93}$ This road is closed.
Prime-image attack
To find a pre-image normally we look for the first $a2^n$ input to find an input $x$ such that $h=H(x)$. For your case a little different.
Try random $a2^n$ values in the range $[2^{1299},2^{1300}]$. This has two problems;
And, we know that SHA-256 and SHA-512 are pre-image resistant, this road is also closed, too.
A simple counter-argument
If there is an attack on your case, that is one can extract $A$ and $B$ from $H(A\mathbin\|B\mathbin\|C)$ with the knowledge of $C$, Then we can use the length extension attacks on SHA-256 and SHA-512 to execute a pre-image. Simple, for a given $h'$ with $h' = SHA-256(x)$, execute a length extension $h'' = \operatorname{SHA-256}(x\mathbin\|C')$, then extract $X$ form $h''$ with the knowledge of $C'$. We don't have such any method.
In other words, extend the hash then find a pre-image. End of the path.
If you are looking for a secure way to hash with a key, the obvious method is the HMAC or you can use KMAC of SHA3.
