5 comments

[ 3.3 ms ] story [ 61.6 ms ] thread
The right way to understand modern general-purpose cryptographic hash functions (like SHA2) is just to understand block ciphers. A hash function is a block cipher's permutation core, wired to a "compression" function (much simpler than compression as typically understood; somewhat analogous to the chaining CBC does) that feeds blocks through the same permutation continuously, scrambling state as it goes.

Everything gets tweaked differently because you have different constraints and parameters for a hash function than for a block cipher (though: there were SHA3 contestants that used Rijndael/AES for the core permutation, which is attractive because it has broad hardware support), but the core doodads are basically the same.

(And of course, you can run this argument in reverse and derive a cipher from a hash function trivially. That's how Chapoly happened.)

I can't judge the veracity of the history of hash functions, but the moment it starts talking about cryptography it goes completely off the rails: it seems to indicate that finite field exponentiation o'r high degree polynomials are used in cryptographic hash functions; they are emphatically not. It presents password hashing as just applying a suggest function to the password; in practice a KDF is used, which is a completely different design space (for a start, KDFs have a tweak parameter, usually called a salt in this context). Finally, there's a haven't reference to quantum computers breaking hash functions and needing post-quantum algorithms as a result. This does brush with reality in that Grover's algorithm does theoretically eat half the first preimage resistance security level of your hash function, but even SHA256 will require 2^128 iterations on a quantum computer, which will likely never be feasible. Worse, it doesn't help at all in attacks against second perimeter resistance or collision resistance.

Considering that everything I have personal knowledge of here is obviously bunk, best ignore the rest of it too

Author here. In the article I explicitly mention that the second part (about high degree polynomial and descrete exponentation) is based on Diffie-Hellman's 1976 paper and presents their one-way function constructions, not MD5 or SHA family (my goal is to cover the history of hashing from the beginning, so I haven't done a research on modern systems yet).

As for the quantum computing stuff, I should have stated more clearly that I'm referring only to quantum computer allowing to calculate descrete logarithms rather fast, and provided a source such as https://math.mit.edu/~shor/elecpubs.html containing a link to the paper Algorithms for quantum computation: Discrete logarithms and factoring by Peter Shor. (I'm planning on covering post-quantum cryptography after I'm done with modern algorithms)

Is the title a Waffle House reference?
I have always been fascinated by Hash Functions. Modern hash functions are incredibly fast and unbelievably secure (crypto hashes). Also, equally important is how hashes have adopted to the usecases. We are intentionally developing slow hashes (BCrypt, Argon2id) with memory, time tradeoff to slow down hash generation as a security measure. One of the fascinating corners of Computers