Find string that gives sha1 with k zeroes in start

jayssj11
6 years ago

0

Find string that gives sha1 with k zeroes in start

is it possible ??

6replies
5voices
987views
dloser
6 years ago

2

Yes. For any kind of SHA1 output, you can find an input that produces it. Question is just how much resources you are willing to spend to find it.

This is actually what is commonly used in (mining) cryptocurrencies.


-4

I don’t think so.

There is no easy way to show why it’s not possible. If there was, then this would itself be the basis of an algorithm to find collisions.

Longer analysis:

The preprocessing makes sure that there is always at least one 1 bit in the input.

The loop over w[i] will leave the original stream alone, so there is at least one 1 bit in the input (words 0 to 15). Even with clever design of the bit patterns, at least some of the values from 0 to 15 must be non-zero since the loop doesn’t affect them.

Note: leftrotate is circular, so no 1 bits will get lost.

In the main loop, it’s easy to see that the factor k is never zero, so temp can’t be zero for the reason that all operands on the right hand side are zero (k never is).

This leaves us with the question whether you can create a bit pattern for which (a leftrotate 5) + f + e + k + w[i] returns 0 by overflowing the sum. For this, we need to find values for w[i] such that w[i] = 0 - ((a leftrotate 5) + f + e + k)

This is possible for the first 16 values of w[i] since you have full control over them. But the words 16 to 79 are again created by xoring the first 16 values.

So the next step could be to unroll the loops and create a system of linear equations. I’ll leave that as an exercise to the reader ;-) The system is interesting since we have a loop that creates additional equations until we end up with a stable result.

Basically, the algorithm was chosen in such a way that you can create individual 0 words by selecting input patterns but these effects are countered by xoring the input patterns to create the 64 other inputs.

Just an example: To make temp 0, we have

a = h0 = 0x67452301
f = (b and c) or ((not b) and d)
= (h1 and h2) or ((not h1) and h3)
= (0xEFCDAB89 & 0x98BADCFE) | (~0x98BADCFE & 0x10325476)
= 0x98badcfe
e = 0xC3D2E1F0
k = 0x5A827999
which gives us w[0] = 0x9fb498b3, etc. This value is then used in the words 16, 19, 22, 24-25, 27-28, 30-79.

Word 1, similarly, is used in words 1, 17, 20, 23, 25-26, 28-29, 31-79.

As you can see, there is a lot of overlap. If you calculate the input value that would give you a 0 result, that value influences at last 32 other input values.

Smyler [WHGhost]
6 years ago | edited 6 years ago

0

Of course it is possible, no need to revers the algorithm, brute force it. You learn that in the main levels…
Here is an example:
```import random
from hashlib import sha1

al = b'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567'
out=‘1’
while out[0] != ‘0’:
s=bytearray()
for i in range(20):
s.append(random.choice(al))
out=sha1(s).hexdigest()
print(‘{} => {}’.format(s, out))```

It is not optimized or anything, but still gives me an answer in less than second on a phone…

SIGKILL [r4v463]
6 years ago

0

@marco-D-badass In general, when you quote something, you should be sufficiently honest to put a link to it.

I will do that for you: https://stackoverflow.com/questions/1902340/can-a-sha-1-hash-be-all-zeroes/1902355


0

Ohhhhhh Well, I’ve searched a lot and this is the best article I’ve found, ahh r4v463yes copyright right .

Smyler [WHGhost]
6 years ago

0

To refer to a user, use @, not [ url]

You must be logged in to reply to this discussion. Login
1 of 7

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss