7

Clearly since SHA-1 hashing produces 40 characters each time, there is a finite number of possible hashes—does anyone know exactly how many?

Michael
  • 8,362
  • 6
  • 61
  • 88
James
  • 30,496
  • 19
  • 86
  • 113
  • 5
    It doesn't "produce" 40 characters. It does produce 160 bits of hash. If you see them in hex format, you see 40 hex digits. – xanatos Sep 10 '11 at 16:08
  • No. 40 signed/unsigned chars are "normally" 320 bits (8 bits/char). A SHA-1 is 160 bits = 20 bytes = 40 hex digits. You asked a precise question about how many SHA-1 hashes are there. Just to make an example, if I write a SHA-1 in base64 I get a string long 28 characters (of which 1 is fixed and is the terminating `=`) – xanatos Sep 10 '11 at 16:39
  • Okay, SHA-1 hashes consist of 160 bits = 40 hexadecimal digits, commonly encoded into a 40 character string if that makes it better. My last comment was indeed incorrect, which is bad considering I have written a tight SHA1er in C. – James Sep 10 '11 at 17:19
  • My fear was that you were a junior programmer that thought the DVD-ROM was a cup holder :-) But if you wrote a SHA-1er then you can think whatever you want of SHA1 hashes :-) In this case it becomes an "informed choice" :-) – xanatos Sep 10 '11 at 17:25

3 Answers3

15

SHA-1 hashes have 160 bits, so 2160 of them.
(2160 = 1461501637330902918203684832716283019655932542976 ~= 1.46 x 1048)

Note that since you have a much larger message space than possible hashes, collisions are bound to occur.

Also note that the probability of collision is much higher than you might think. At just 280 messages the probability of a collision is 50%, thanks to the Birthday paradox. (ie: with just 23 people the probability that 2 people have the same birthday is 50%).

NullUserException
  • 83,810
  • 28
  • 209
  • 234
  • 2
    I guess the question asks whether the hash function is surjective, though. – Kerrek SB Sep 10 '11 at 16:01
  • 3
    Google calc: 1.46150164 × 10^48 :-) – xanatos Sep 10 '11 at 16:02
  • I'll add that the number of possible SHA-1 is very near the sqrt([googol](http://en.wikipedia.org/wiki/Googol)) (a factor of only 100) :-) :-) – xanatos Sep 10 '11 at 16:12
  • @NullUser: You seem to be mixing surjective and bijective. Having a proof of either surjectivity or non-surjectivity would both quite likely constitute a break of some kind of the function. Have a look at [Is SHA-512 bijective when hashing a single 512-bit block?](http://crypto.stackexchange.com/questions/301/is-sha-512-bijective-when-hashing-a-single-512-bit-block/304#304) for a similar question (and answer). – Paŭlo Ebermann Sep 10 '11 at 16:39
  • I'll buy you a beer if you can generate a SHA1 collision. Or even if you can generate 2^80 messages without one. – Nick Johnson Sep 12 '11 at 05:12
  • @Nick I'll do it if you buy me a large enough server :) – NullUserException Sep 12 '11 at 05:15
  • @NullUserException How large is large enough? ;) – Nick Johnson Sep 12 '11 at 05:27
  • 2^80 = 1,208,925,819,614,629,174,706,176. A distributed systems that is able to handle 1 billion SHA1 hashes per second would likely take no less than 1,208,925,819,614,629 seconds to find a single collision. 1 trillion SHA1s per sec would be 1,208,925,819,614 seconds. Good luck! – JSON Jan 26 '14 at 21:11
  • Hash collision probability calculator, might be useful for others too: http://everydayinternetstuff.com/2015/04/hash-collision-probability-calculator/ – Adam Szabo Sep 09 '16 at 12:13
11

SHA-1 produces 160-bit outputs, and it should be able to produce just about any sequence of 160 bits, There are 2160 such sequences, i.e. close to 1461 billions of billions of billions of billions of billions. That's kind of big.

However we have no proof that every single one of them is reachable. It would be bad for SHA-1 security if the number of possible outputs would be significantly lower than 2160; for instance, if only 1/4 of them were reachable (2158), security against preimage attacks would be divided by 4, and security against collisions would be halved. No such issue is currently known with SHA-1 (there are known weaknesses of SHA-1 when it comes to resistance to collisions, but not that one).

It is possible (but it would be at least mildly surprising) that a few 160-bits outputs cannot be reached. It is expected that this will be remain unknowable. To some extent, being able to prove that SHA-1 possible outputs cover the whole 160-bit space would be worrisome: such a proof would require a good deal of analysis of the mathematical structure of SHA-1, and the security of SHA-1 largely relies on such an analysis being intractable.

Thomas Pornin
  • 72,986
  • 14
  • 147
  • 189
1

SHA-1 is made up of 5 32 bit integers.

That's 4294967296^5 or 2^160

or 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 possibilities

To put that into perspective

Total Possible SHA-1 Values: 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

Total gallons of Water on Earth: 365,904,000,000,000,000,000

That includes every ocean, sea, lake, swimming pool, bath tub, etc - source

The possibility of collisions is only theoretical at this point. Still waiting to hear of one.

JSON
  • 1,819
  • 20
  • 27