Is there any input that SHA-1 will compute to a hex value of fourty-zeros, i.e. "0000000000000000000000000000000000000000"?
- HMAC SHA1 Digest in python
- Convert sha1 to bcrypt?
- how to store password salt
- Why does encrypting HMAC-SHA1 in exactly the same
- [removed] CryptoJS object missing SHA1 method
- Java SHA-1 hash an unsigned BYTE
- SHA1 for Specific String in iOS
- Different in Java SHA1 vs JavaScript SHA1
- Certificate fingerprint is invalid?
- How do I convert a large string into hex and then
- SHA1 Hash on Hex String
- Convert SHA Hash Computation in Python to C#
- basics of python encryption w/ hashlib sha1
I don't think so.
There is no easy way to show why it's not possible. If there was, then this would itself be the basis of an algorithm to find collisions.
Longer analysis:
The preprocessing makes sure that there is always at least one
bit in the input.The loop over
will leave the original stream alone, so there is at least one 1 bit in the input (words 0 to 15). Even with clever design of the bit patterns, at least some of the values from 0 to 15 must be non-zero since the loop doesn't affect them.Note:
is circular, so no 1 bits will get lost.In the main loop, it's easy to see that the factor
is never zero, sotemp
can't be zero for the reason that all operands on the right hand side are zero (k
never is).This leaves us with the question whether you can create a bit pattern for which
(a leftrotate 5) + f + e + k + w[i]
returns 0 by overflowing the sum. For this, we need to find values forw[i]
such thatw[i] = 0 - ((a leftrotate 5) + f + e + k)
This is possible for the first 16 values of
since you have full control over them. But the words 16 to 79 are again created byxor
ing the first 16 values.So the next step could be to unroll the loops and create a system of linear equations. I'll leave that as an exercise to the reader ;-) The system is interesting since we have a loop that creates additional equations until we end up with a stable result.
Basically, the algorithm was chosen in such a way that you can create individual 0 words by selecting input patterns but these effects are countered by
ing the input patterns to create the 64 other inputs.Just an example: To make
0, we havewhich gives us
w[0] = 0x9fb498b3
, etc. This value is then used in the words 16, 19, 22, 24-25, 27-28, 30-79.Word 1, similarly, is used in words 1, 17, 20, 23, 25-26, 28-29, 31-79.
As you can see, there is a lot of overlap. If you calculate the input value that would give you a 0 result, that value influences at last 32 other input values.
Yes, it's just incredibly unlikely. I.e. one in 2^160, or 0.00000000000000000000000000000000000000000000006842277657836021%.
Also, becuase SHA1 is cryptographically strong, it would also be computationally unfeasible (at least with current computer technology -- all bets are off for emergent technologies such as quantum computing) to find out what data would result in an all-zero hash until it occurred in practice. If you really must use the "0" hash as a sentinel be sure to include an appropriate assertion (that you did not just hash input data to your "zero" hash sentinel) that survives into production. It is a failure condition your code will permanently need to check for. WARNING: Your code will permanently be broken if it does.
Depending on your situation (if your logic can cope with handling the empty string as a special case in order to forbid it from input) you could use the SHA1 hash ('da39a3ee5e6b4b0d3255bfef95601890afd80709') of the empty string. Also possible is using the hash for any string not in your input domain such as sha1('a') if your input has numeric-only as an invariant. If the input is preprocessed to add any regular decoration then a hash of something without the decoration would work as well (eg: sha1('abc') if your inputs like 'foo' are decorated with quotes to something like '"foo"').
Without any knowledge of SHA-1 internals, I don't see why any particular value should be impossible (unless explicitly stated in the description of the algorithm). An all-zero value is no more or less probable than any other specific value.
Contrary to all answers here, the answer is simply No.
The hash value always contains bits set to 1.
Contrary to all of the current answers here, nobody knows that. There's a big difference between a probability estimation and a proof.
But you can safely assume it won't happen. In fact, you can safely assume that just about ANY value won't be the result (assuming it wasn't obtained through some SHA-1-like procedures). You can assume this as long as SHA-1 is secure (it actually isn't anymore, at least theoretically).
People doesn't seem realize just how improbable it is (if all humanity focused all of it's current resources on finding a zero hash by bruteforcing, it would take about xxx... ages of the current universe to crack it).
If you know the function is safe, it's not wrong to assume it won't happen. That may change in the future, so assume some malicious inputs could give that value (e.g. don't erase user's HDD if you find a zero hash).
If anyone still thinks it's not "clean" or something, I can tell you that nothing is guaranteed in the real world, because of quantum mechanics. You assume you can't walk through a solid wall just because of an insanely low probability.
[I'm done with this site... My first answer here, I tried to write a nice answer, but all I see is a bunch of downvoting morons who are wrong and can't even tell the reason why are they doing it. Your community really disappointed me. I'll still use this site, but only passively]