Convert SHA-256 to SHA-1 and MD5 - Increase bit length/entropy?

Question

I know this is a real dumb question and I am certainly talking complete rubbish, but let me explain:

1. We have a long SHA-256 hash, e.g.: 474bfe428885057c38088d585c5b019c74cfce74bbacd94a7b4ffbd96ace0675 (256bit)
2. Now we use the long hash to create one SHA-1 and one MD5 hash and combine them. E.g.: c49e2143913627ea178e66571189628a41526bf3 (SHA-1; 160bit) + 6bb225025371aaa811748da8e011773d (MD5; 128bit)

So now we got this: c49e2143913627ea178e66571189628a41526bf36bb225025371aaa811748da8e011773d
(SHA-1 + MD5; 160bit + 128bit = 288bit)

And it is longer than the input string, with 288bit instead of 256bit. So did we actually increased the entropy?

In short this is this:

hash = sha256(input) # 256bit
result = sha1(hash) + md5(hash) # 288bit

(That is supposed to be pseudo-code, don't know if it is valid through.)

What is the error in reasoning here? I am sure you cannot increase entropy/string length in this way...

Edit: Also important: Did I possibly even decreased the entropy this or stayed it the same?

Answer 1

And it is longer than the input string, with 288bit instead of 256bit. So did we actually increased the entropy?

No, you did not increase the entropy.

In this context, "entropy" basically refers to the probability of any particular guess about the content or value being correct.

If I tell you that I have hashed a single lowercase US English letter's ASCII representation using SHA256, and that the hash is hexadecimal ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb, then the entropy of that value isn't 256 bits, but rather closer to five bits (log2(26) ~ 4.7) because you only need to make at most 26 guesses to arrive at the conclusion that the letter I hashed was a. (For completeness, what I really did was printf 'a' | sha256sum -b on a UTF-8 native system.)

The entropy, thus, can never be greater than that of the input. And the input is, at best, the initial hash, which has 256 bits worth of entropy. (It could have less, if the string you hashed has less than 256 bits of entropy and the attacker can guess that and its value somehow.) Each hash calculation can be assumed to be O(1) when the input size is fixed.

So by concatenating the SHA-1 and MD5 hashes of a string that is a SHA-256 hash, you can never get more entropy than 256 bits' worth. All you are doing is making it longer, and possibly obscuring its origin.

Now, in some situations, using multiple hashes actually makes sense. For example, many Linux package managers use and validate multiple, different hashes for the same file. This isn't done to increase the entropy of the hash value, though; it's done to make finding a valid collision harder, because in such a situation the preimage or collision attack must work equally against all hashes used. Such an attack against a modern cryptographic hash is already difficult enough for most purposes; mounting a similar attack against several different hashes simultaneously would be orders of magnitude more difficult.

Answer 2

You are certainly not adding entropy. You still only will have at most 256bit entropy possible outputs of this schema, no matter how many times and how you rehash this. Note that you will have at most 256 bit entropy, because you did not told us about how much entropy is in your input. SHa256 will also not give you 256bit entropy if you have less than that in your input. Hash nevers increases entropy.

But considering the full sha256 possible values, you actually would loose entropy because of collisions. Some of the 256 bit values will have collisions, that is, for 256bit input to sha1 and md5 there will be x1 and x2 that sha1(sha256(x1)) == sha1(sha256(x2)) and md5(sha256(y1)) == md5(sha256(y2)). You lost entropy because of that if you now have actually less outputs.

Answer 3

As others have explained, 'bits of entropy' refers to to the guess-ability of the original Password or other text that was first used to create the SHA-256 hash. In your example case the entropy is unchanged.

What you've done here is provide an SHA-1 version and an MD5 version of the SHA-256. This makes the SHA-256 more guessable than other solutions you could be using.

If you are trying to make it harder to guess the original input, you should simply repeat the SHA-256 function. In fact, repeating SHA-256 many thousands of times will make it much harder to brute-force the original input, with no noticeable impact on your server load or end-user experience.

However, for password storage, the best thing is to use a proper Password Hash function, which is designed to be a Slow Hash with Salt. This lets you adjust how many rounds (the work factor) to fit the desired processing time on your production hardware. BCrypt is usually recommended. PBKDF2 or the new SCrypt are both good choices.

Answer 4

did you increase the entropy... most likely not.

All you did is use 2 older hashing functions to get a new hash. since this has no new data, entropy is not affected.

The amount of bits here makes no differences whatsoever (since its just 'another way o writing' the original hash.)

Entropy (in cryptography) has to do with the amount of uncertainty a specific bit is '0' or '1'. In order to increase this you need 'new' data, not simply rehash things (to a lower degree). You can keep the smae level of entropy most of the time when you rehash using the original hashing function. since then you do not lose bits.