# [Crypto] Is it possible that a SHA256 hash has the same hex character over and over again?

## Solution 1:

First of all, the output of SHA-256 is binary and consists of 32 bytes (256 denotes the output size in bits). What you are talking about is apparently the hexadecimal encoding of these bytes.

The possibility that you are talking about is called (1st) pre-image resistance (Wikipedia):

Given a hash value $h$, it should be difficult to find any message $m$ such that $h = \text{H}(m)$.

("difficult" is a non-technical term here, generally we use "computationally infeasible", obviously there will be messages that map to any hash value, the difficulty is finding them for a one-way hash)

No, the algorithms do not check this explicitly, because the algorithm by itself needs to be resistant against it. Furthermore, the repetition of certain bits is not that special all by itself. It would be unclear what you would need to test for.

"But would that also be possible practically" well, no, unless SHA-2 gets broken. Generally it is **collision resistance** that gets broken first. That means finding a hash where $\text{H}(m) = \text{H}(m')$ for any $m$ and $m'$. This is easier to attack because an attacker can try and find weaknesses in the algorithm that create an internal collision while controlling both $m$ and $m'$. SHA-256 is still considered secure in this regard.

## Solution 2:

- Yes, it's possible.
- Given the size of the input space (not actually infinite, but still very, very large), it's also
*likely*, for any given 256-bit value, that several inputs that hash to that value exist. - No, there's nothing special in the construction of the algorithm that prevents it (restricting the output space would probably be
*bad*for security). - Nonetheless, as long as SHA-256 isn't broken, there is no practical way to
*find*an input that hashes to a given value.

## Solution 3:

But would that also be possible practically, or do the algorithms check that this is not happening?

This is practically beyond anybody to find a 32-$a$'s for SHA-256 without pure luck or one need **breaking the pre-image resistance** of SHA-256, that is not possible.

Is it possible that a SHA256 hash has the same character 64 times?

**Yes, and No. We don't know such input exists or not since we cannot try all possible inputs.**

Let see what is expected in a restricted SHA-256 to input size 256-bits.

Model SHA-256 as uniform random map $F:\{0,1\}^{256} \to F:\{0,1\}^{256}$, i.e. limit the input.

There are almost certainly less than $k=2^{256}$ outputs since the number of permutation is $k!$ and the number of function is $k^k$ and $$k!/k^k\to0.$$

Now each output $y$ has $1/2^k$ chance to appear. So we have $\Pr[F(x) = y] = 1/2^k$. Since each $x$, $F(x)$ is an independent random variable then we have

\begin{align} \Pr&[\exists x. F(x) = y] = 1 - \Pr[\forall x. F(x) \neq y] \\ &= 1 - \Pr[F(0) \neq y]\,\Pr[F(1) \neq y]\cdots\Pr[F(2^k - 1) \neq y] \\ &= 1 - (1 - 1/2^k)^{2^k}. \end{align}

This is also the expected ratio of the distinct outputs by the linearity of the expectations. When we set $k \to \infty$, this will converge to $1-e^{-1} \approx 0.632$. Therefore near 3 out of 10 of the output values are not expected to occur if we limit the inputs.

**When the input size is increased by more than 256 bits the expected ratio of the distinct outputs will approach 1 with the uniform random model. Even for 512 bits or more This doesn't mean that all outputs will occur. We don't know and we have no way to see that. Even we don't know that SHA-256 attends the first 64 bit integers.**

In theory there are infinite inputs, that you can hash with SHA256

No, not infinite inputs, Due to the length padding this is not possible.

The standard FIPS.180-4 defines a padding scheme that limits the upper input size.

Then append the 64-bit block that is equal to the number $l$ expressed using a binary representation.

Where the $l$ is the message length. Therefore, according to the standard, you can hash at most $2^{64}$-bit-sized input messages. This makes SHA-256 can have total $2^{2^{64}}$ different messages.

This upper limit, **actually**, due to the Merkle-Damgård (MD) design of SHA series. This is against the MOV attack (Handbook of Applied Cryptography; Chapter 9, Example 9.23);