Score:1

Does information about known input&output for SHA3-256 help to find KECCAK-256 input for the same output?

cc flag

I received two distinct outcomes from a single input using SHA3-256 and KECCAK-256:

input -->   sha3-256 --> output1

input --> keccak-256 --> output2

I want to find input2, which will give me output1 after Keccak-256 hash :

input2 --> keccak-256 -> output1

Is it somewhat possible? I read somewhere that SHA3-256 and keccak-256 have only difference in padding rule. Is it possible that known input and output information for a similar algorithm (SHA3-256) can somehow help to find correct input2 data?

fgrieu avatar
ng flag
It's unclear what the question designates as KECCAK-256. There is Kᴇᴄᴄᴀᴋ[256] defined in [FIPS 202](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf#page=20), and used as a building block for SHAKE128. But it has two inputs: the message, and the output length. SHA3-256 is _not_ build from Kᴇᴄᴄᴀᴋ[256], but from Kᴇᴄᴄᴀᴋ[512].
Ilya avatar
cc flag
yes, I used KECCAK-256, it is used in https://keccak.team/files/Keccak-submission-3.pdf which used in Ethereum. I didn't know about `SHA3-256(M) = KECCAK [512] (M || 01, 256)` before your explanation.
Score:1
ng flag

Based on this source, KECCAK-256 (which I assume is the question's keccak-256) is a hash used by Ethereum, such that KECCAK-256(M) is Kᴇᴄᴄᴀᴋ[512](M, 256) per the terminology in FIPS 202.

SHA3-256(M) = Kᴇᴄᴄᴀᴋ[512](M ∥ 01, 256). It follows SHA3-256(M) = KECCAK-256(M ∥ 01). That matches the question's "SHA3-256 and keccak-256 have only difference in padding rule".

Thus what the question asks is possible if we manage to make a correct guess of input, which we can verify by checking SHA3-256(input) = output1; and we are free to set input2 to be input ∥ 01, where 01 is a two-bit bitstring. It follows that KECCAK-256(input2) = output1 as desired.

The only alternate possibilities to find an input2 involve a preimage attack of KECCAK-256, which is believed practically impossible.

If we want to verify KECCAK-256(input) = output2 and KECCAK-256(input2) = output1, we need that the implementation of KECCAK-256 accepts both input and input ∥ 01. That requires handling of messages of length not a multiple of 8 bits, which is not supported by all implementations.

Ilya avatar
cc flag
Thank you @fgrieu! I tried to set input2 to be input||01 but don't have enough skills (for example, appending '01' to the 64 bytes message I am getting longer input string and longer output string, but I need to have 64 bytes in input2 and other stuff like this). Am I right that if this problem is solvable though KECCAK(input2=input1||01)=output1 I could ask help on sites like upwork? I understand that offering money directly for solutions is discouraged on Stack Overflow.
fgrieu avatar
ng flag
@Ilya: If input and input2 need to be the same size, or just byte-sized (which was not stated in the original question), then the method in this answer can't be used and (as indicated in the answer) you are facing a problem that is believed impossible to solve.
Ilya avatar
cc flag
Thank you very much for clarification :(
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.