
Let's say I have an unknown string with the known sha256-hash of it. I was wondering if it was possible to now calculate the sha256 of the concatenation of the unknown string and "abc".

(In PHP: hash('sha256', $unknownString .'abc');)

I thought in order to do so "all I need" is to go from the hash that I know back to the midstate of the sha256 algorithm (in most implementations called finalize) and append the data that I want (via, in most implementations called, update) and then call finalize again. Block lengths shouldn't be a problem because the unknown string has a length of 256 bits and my own string does as well.

Is this possible, or is it impossible to achieve by the way sha256 is designed?

PS: I have no intention of getting the unknown string. I absolutely do not care about the plaintext contents of this.

  • Thanks @poncho for the added keyword. I did not know it was called that and I think I found exactly what I wanted. Thanks! – jabbink Jun 24 '13 at 22:31
  • related: [md5: is reverse length-extension attack possible?](http://crypto.stackexchange.com/questions/3828/md5-is-reverse-length-extension-attack-possible) – CodesInChaos Jun 24 '13 at 22:37
  • @jabbink: Hopefully, you found that the answer to your question is: no (by any known method), for the extension `abc`; but yes for some slightly longer extensions (possibly ending in `abc`), and assuming the length of $unknownString is known. – fgrieu Jun 25 '13 at 05:15

1 Answer

SHA-256 is computed by first padding a message $m$ and then breaking $\operatorname{pad}(m)$ into $\ell$ blocks $m_1, m_2, \dots, m_\ell$ of 512 bits each. The padding appends some bits to the message so that it is an integral multiple of 512 bits long. Then the SHA-256 hash of $m$ is $$f(\cdots f(f(\mathit{iv}, m_1), m_2) \cdots, m_\ell)$$ where $f$ is the SHA-256 compression function and $\mathit{iv}$ is the standard initialization vector. This means that given $\operatorname{SHA256}(m)$ you can compute $\operatorname{SHA256}(\operatorname{pad}(m) \mathbin\| m')$ for any suffix $m'$. But you can't necessarily compute $\operatorname{SHA256}(m \mathbin\| m'')$ unless $m''$ coincides with the padding on $m$.

Squeamish Ossifrage