Hash of concatenated values (one public, one private)

cn flag

Assume two end-points $A, B$. $A$ sends to $B$ a $Hash(pv||key)$, where $pv$ is a public value that can be intercepted by attackers. The $key$ is a common secure shared key in both end-points, and $||$ denotes concatenation. Obviously, end-point $B$ has all the info required to check the received hash. I was wondering though if in this particular setup there is some security risk due to the concatenation of a public value with a private key. $pv$ is always 48-bits.

Jimakos avatar
cn flag
The key is 72-bits
kelalaka avatar
in flag
The comments are turned into answer...
in flag

Let's assume $A$ sends $h =\text{Hash(pv||key)}$ to $B$ with $pv$ is a public $48$-bit information. The aim of attacker is to access $key$ given $h$. This is postfix construction.

The attackers must slightly modify the pre-image attack so that they must find not an arbitrary pre-image but they need to find one that has the $pv$ as the prefix. The must include all the input space to figure out the $key$

If we assume that $Hash$ is a secure cryptographic hash function like SHA2, SHA-3, BLAKE2, etc. then all are secure against all attacks. So. the only meaningful way is brute-forcing the input space. When the input space is small, we have the usual problem with the hash function; small-input space problem. In this case, the attacker can search the input space one by one with their possible massive parallel computers, ASIC/FPGAs, etc;

  • Summit can reach $\approx 2^{74.6}$ hashes in one year.
  • Bitcoin miners reached $\approx 2^{79.8}$ SHA-256D hashes per hour on 7 February 2021.

Therefore, we suggest the usual advice; increase the key size to > 128 for non-quantum adversaries or to 256 for all adversaries.

One may consider that; okay we send 256-bit then $B$ hashes it and trim to 72-bits. Don't do this since, in the attacker's sense, you are still using a 72-bit keyspace. When they have the change, they will attack where the 72-bit is used.

Keep the keys safe! Use effective 256-bit key.


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.