Can a SHA-1 hash be all-zeroes?


Problem description

Is there any input that SHA-1 will compute to a hex value of forty zeros, i.e. "0000000000000000000000000000000000000000"?

Solution

I don't think so.

There is no easy way to show why it's not possible. If there was, then this would itself be the basis of an algorithm to find collisions.

Longer analysis:

The preprocessing makes sure that there is always at least one 1 bit in the input.

The loop over w[i] will leave the original stream alone, so there is at least one 1 bit in the input (words 0 to 15). Even with clever design of the bit patterns, at least some of the values from 0 to 15 must be non-zero since the loop doesn't affect them.

Note: leftrotate is circular, so no 1 bits will get lost.

In the main loop, it's easy to see that the factor k is never zero, so temp can't be zero for the reason that all operands on the right hand side are zero (k never is).

This leaves us with the question whether you can create a bit pattern for which (a leftrotate 5) + f + e + k + w[i] returns 0 by overflowing the sum. For this, we need to find values for w[i] such that w[i] = 0 - ((a leftrotate 5) + f + e + k)

This is possible for the first 16 values of w[i] since you have full control over them. But the words 16 to 79 are again created by xoring the first 16 values.

So the next step could be to unroll the loops and create a system of linear equations. I'll leave that as an exercise to the reader ;-) The system is interesting since we have a loop that creates additional equations until we end up with a stable result.

Basically, the algorithm was chosen in such a way that you can create individual 0 words by selecting input patterns but these effects are countered by xoring the input patterns to create the 64 other inputs.

Just an example: To make temp 0, we have

a = h0 = 0x67452301
f = (b and c) or ((not b) and d)
  = (h1 and h2) or ((not h1) and h3)
  = (0xEFCDAB89 & 0x98BADCFE) | (~0xEFCDAB89 & 0x10325476)
  = 0x98badcfe
e = 0xC3D2E1F0
k = 0x5A827999

which gives us w[0] = 0x9fb498b3, etc. This value is then used in the words 16, 19, 22, 24-25, 27-28, 30-79.

Word 1, similarly, is used in words 1, 17, 20, 23, 25-26, 28-29, 31-79.

As you can see, there is a lot of overlap. If you calculate the input value that would give you a 0 result, that value influences at least 32 other input values.
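
An added example, not part of the original answer: it walks the standard SHA-1 message-schedule recurrence and lists, for each input word, which expanded words reference it directly or transitively. The function names are made up for this illustration, and the trace is structural only (it does not model XOR terms cancelling each other).

```python
# Added illustration (not from the original answer): which expanded SHA-1
# schedule words are fed by each of the 16 input words.
# Standard recurrence, for 16 <= i < 80:
#   w[i] = leftrotate(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1)
TAPS = (3, 8, 14, 16)


def schedule_sources():
    """For each i in 0..79, return the set of input words (0..15) that w[i]
    references directly or transitively through the recurrence.
    Structural reachability only: bit-level XOR cancellation is ignored."""
    sources = [{i} for i in range(16)]
    for i in range(16, 80):
        sources.append(set().union(*(sources[i - t] for t in TAPS)))
    return sources


def words_fed_by(j):
    """Expanded words (16..79) whose recurrence chain reaches input word j."""
    src = schedule_sources()
    return [i for i in range(16, 80) if j in src[i]]


def as_ranges(nums):
    """Compress a sorted list such as [24, 25, 27] into '24-25, 27'."""
    out, start, prev = [], None, None
    for n in nums:
        if start is None:
            start = prev = n
        elif n == prev + 1:
            prev = n
        else:
            out.append((start, prev))
            start = prev = n
    if start is not None:
        out.append((start, prev))
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in out)


if __name__ == "__main__":
    for j in range(16):
        fed = words_fed_by(j)
        print(f"w[{j:2}] -> {len(fed):2} expanded words: {as_ranges(fed)}")
```

Running it prints one line per input word, so the overlap between the words fed by w[0] and by w[1] can be read off directly.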
