tags:

views:

153

answers:

5
+11  Q: 

Question about the mathematical properties of hashes

Take a commonly used binary hash function - for example, SHA-256. As the name implies, it outputs a 256 bit value.

Let A be the set of all possible 256 bit binary values. A is extremely large, but finite.

Let B be the set of all possible binary values. B is infinite.

Let C be the set of values obtained by running SHA-256 on every member of B. Obviously this can't be done in practice, but I'm guessing we can still do mathematical analysis of it.

My Question: By necessity, CA. But does C = A?

EDIT: As was pointed out below, this is wholly dependent on the has function in question. So, if you know the answer for any particular hash function, please say so!

+4  A: 

Not necessarily. The pigeonhole principle states that once one more hash beyond the size of A has been generated that there is a probability of collision of 1, but it does not state that every single element of A has been generated.

Ignacio Vazquez-Abrams  2010-04-17 14:11:07
+1  A: 

Not necessarily. That would depend on the hash function.

It would probably be ideal if the hash function was surjective, but there are things that're usually more important, such as a low likelihood of collisions.

Sebastian P.  2010-04-17 14:12:45
+1 for teaching me new vocabulary!
levand  2010-04-17 14:16:10
A: 

It is not always the case. However, quality required for an hash algorithm are:

  • Cardinality of B
  • Repartition of hashes in B (every value in B must have the same probability to be a hash)
Grimmy  2010-04-17 14:13:39
+2  A: 

It really depends on the hash function. If you use this valid hash function:

Int256 Hash (string input) {
    return 0;
}

then it is obvious that C != A. So the "for example, SHA256" is a pretty important note to consider.

To answer your actual question: I believe so, but I'm just guessing. Wikipedia does not provide any meaningful info on this.

mafutrct  2010-04-17 14:30:12
+9  A: 

First, let's point out that SHA-256 does not accept all possible binary strings as input. As defined by FIPS 180-3, SHA-256 accepts as input any sequence of bits of length lower than 2^64 bits (i.e. no more than 18446744073709551615 bits). This is very common; all hash functions are somehow limited in formal input length. One reason is that the notion of security is defined with regards to computational cost; there is a threshold about computational power that any attacker may muster. Inputs beyond a given length would require more than that maximum computational power to simply evaluate the function. In brief, cryptographers are very wary of infinites, because infinites tend to prevent security from being even defined, let alone quantified. So your input set C should be restricted to sequences up to 2^64-1 bits.

That being said, let's see what is known about hash function surjectivity.

Hash functions try to emulate a random oracle, a conceptual object which selects outputs at random under the only constraint that it "remembers" previous inputs and outputs, and, if given an already seen input, it returns the same output than previously. By definition, a random oracle can be proven surjective only by trying inputs and exhausting the output space. If the output has size n bits, then it is expected that about 2^(2n) distinct inputs will be needed to exhaust the output space of size 2^n. For n = 256, this means that hashing about 2^512 messages (e.g. all messages of 512 bits) ought to be enough (on average). SHA-256 accepts inputs very much longer than 512 bits (indeed, it accepts inputs up to 18446744073709551615 bits), so it seems highly plausible that SHA-256 is surjective.

However, it has not been proven that SHA-256 is surjective, and that is expected. As shown above, a surjectivity proof for a random oracle requires an awful lot of computing power, substantially more than mere attacks such as preimages (2^n) and collisions (2^(n/2)). Consequently, a good hash function "should not" allow a property such as surjectivity to be actually proven. It would be very suspicious: security of hash function stems from the intractability of their internal structure, and such an intractability should firmly oppose to any attempt at mathematical analysis.

As a consequence, surjectivity is not formally proven for any decent hash function, and not even for "broken" hash functions such as MD4. It is only "highly suspected" (a random oracle with inputs much longer than the output should be surjective).

Thomas Pornin  2010-04-17 16:46:15
+1. I learned something new about hash functions. :)
Nick Johnson  2010-04-18 09:53:11

related questions

What are some good rigid body dynamics references?
Algorithm to find a common multiplier to convert decimal numbers to whole numbers
How to test randomness (case in point - Shuffling)
What are the core mathematical concepts a good developer should know?
How to get the base 10 logarithm of a Fixnum in Ruby?
Can you be terrible at math and still a great programmer?
Modulus operation with negatives values - weird thing ??
How do I calculate a trendline for a graph?
Calculate Video Duration
Russell's Paradox
Popularity algorithm
How do I calculate distance between two latitude longitude points?
The Google Calculator Glitch, could float vs. double be a possible reason?
Calculating Distance Between 2 Cities
Prime factors
Where can I find a "Math topic dependency tree" to assist my self-guided refresher on the subject?
How to Round Up The Result Of Integer Division
Do you have to be good at math to be a good programmer?
Useful math for programmers
Puzzle: Find largest rectangle (maximal rectangle problem)
What does the term "BODMAS" mean?
Mapping latitude/longitude to a distorted map
A little diversion into floating point (im)precision, part 1
Solving a linear equation
What's the difference between Math.Floor() and Math.Truncate() in .NET?