0

I apologize in advance if this question has been answered already. However, I have not been able to find an existing answer - despite the case being pretty simple and common I imagine. Perhaps there is some terminology that I do not know making me miss the obvious.

So here goes:

Assume we repeatedly SHA256-hash a "secret" value concatenated with different numbers and let an adversary know the hashed values and the concatenated number for each hashed value.

For instance:

Let's say the secret is "Pa55word", then we hash the following values and let the adversary know the integer and hashed value for each hash:

Pa55word0,

Pa55word1,

Pa55word2,

Pa55word3...

Then my question is whether the adversary gains an advantage in finding the secret when knowing part of the hashed value and the hash for several different instances. Is he in a better situation than when knowing a single instance where he knows part of the clear-text and the hash?

Or, simply, is the scheme secure?

1 Answer

0

Specifically for SHA256 it is easier to argue about the security of this (not a formal proof). If we discount the finalization and padding of the hash, in the Merkle-Damgård construction you can do length extension: take a known hash, and calculate the hash of the same unknown plain text with a chosen suffix.

If given H(x) you can calculate H(x||c) without knowing x, it follows that telling the user H(x||c),c in addition to H(x) doesn't noticeably help in extracting x.

Due to padding this doesn't hold directly for SHA256, but I still see this as a strong argument in favor of the security, i.e. knowing SHA256(x||c),c for multiple values of c doesn't make it much easier to find x over only knowing SHA256(x).

For SHA256 we can do extension but not for arbitrary suffixes; we need to start with the padding as the next block, but that is pretty close.

Meir Maor