Score:5

Is there a way to calculate a hash with two people so that no one knows the pre-image but if they get together they do?


I'm trying to find a way to have multi-party hash computation, more specifically for SHA256. I want two people to be able to compute a hash so that neither of them knows the pre-image, but when they get together they can reconstruct the pre-image.

Is there any known way to do it in general, or any hack that can be used in the SHA256-specific case?

John B. Lambe
A hash can't reveal the pre-image. You could encrypt a message by two keys in succession, and give each party half of each key, and the (full) final ciphertext.
Score:8

One simple option:

  1. The preimage consists of 2 segments $M_A$, $M_B$ of 64 bytes each. They are given to or chosen by $A$ and $B$ respectively.
  2. $A$ computes the 32-byte $H_A=R(\mathsf{IV},M_A)$ where $R$ is the SHA-256 round function, and $\mathsf{IV}$ is the 32-byte SHA-256 Initialisation Value.
  3. $B$ computes the 32-byte $H=R(R(H_A,M_B),“80\ \underbrace{00…00}_{\text{61 zeroes}}\ 04\ 00”)$, where the right string in this formula is the SHA-256 padding for a 128-byte message.

By construction, $H$ is the SHA-256 hash of $M_A\mathbin\|M_B$.

This has drawbacks:

  • One can confirm a guess of $M_A$ with knowledge of $H_A$, or/and confirm a guess of $M_B$ with knowledge of $H_A$ and $H$ (but this seems unavoidable unless we add more communication).
  • $A$ must do its thing first.
  • $B$ can choose $M_B$ with knowledge of $H_A$ and thus partially choose $H$. That can be avoided by adding a hash commitment of $M_B$ before step 2.
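
The three steps above as runnable Python, checked against `hashlib` (an added example, not part of the original answer). The names `party_a`, `party_b` and `PAD_128` are illustrative, and the SHA-256 constants are derived from the primes as FIPS 180-4 defines them rather than hard-coded.

```python
import hashlib, math, os, struct

M32 = 0xFFFFFFFF
PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, p))]  # first 64 primes

def _icbrt(n):
    """Floor of the integer cube root, by binary search."""
    lo, hi = 0, 1 << 40
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# FIPS 180-4: first 32 fractional bits of the square roots (IV) and cube roots (K).
IV = struct.pack(">8I", *(math.isqrt(p << 64) & M32 for p in PRIMES[:8]))
K = [_icbrt(p << 96) & M32 for p in PRIMES]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def R(state, block):
    """SHA-256 compression function: 32-byte chaining value, 64-byte block."""
    assert len(state) == 32 and len(block) == 64
    h = struct.unpack(">8I", state)
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):  # message schedule
        s0 = rotr(w[i-15], 7) ^ rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = rotr(w[i-2], 17) ^ rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & M32)
    a, b, c, d, e, f, g, hh = h
    for i in range(64):
        t1 = (hh + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M32
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M32
        a, b, c, d, e, f, g, hh = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return struct.pack(">8I", *((x + y) & M32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))))

PAD_128 = b"\x80" + b"\x00" * 61 + b"\x04\x00"  # padding block for a 128-byte message

def party_a(m_a):
    return R(IV, m_a)                # step 2: H_A, the only value A sends to B

def party_b(h_a, m_b):
    return R(R(h_a, m_b), PAD_128)   # step 3: H, computed without seeing M_A

if __name__ == "__main__":
    m_a, m_b = os.urandom(64), os.urandom(64)  # constructed sample segments
    h = party_b(party_a(m_a), m_b)
    print(h.hex(), h == hashlib.sha256(m_a + m_b).digest())
```
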
Score:4

As mentioned in a comment, hashes cannot reveal preimages. However you could encrypt the message.

If you want the two people be able to jointly reconstruct the message, but not individually, you could do the following. Take your message M of length L and generate a random binary string M1 of length L and M2=xor(M,M1), then have person 1 encrypt M1 and person 2 encrypt M2, each one with their own key. The encrypted messages can now be shared freely. Each one can decrypt their message but this won't reveal any info about M; they would need to recombine their messages to reconstruct M.
