About

SHA-0 is the original Secure Hash Algorithm published in FIPS PUB 180 (1993) by NIST. It produces a 160-bit (20-byte) message digest rendered as 40 hexadecimal characters. The algorithm was withdrawn in 1995 and replaced by SHA-1, which added a single circular left-shift (ROTL¹) to the message schedule step. Without that rotation, SHA-0 is vulnerable to differential collision attacks demonstrated by Chabaud and Joux in 1998, reducing collision complexity to approximately 2⁶¹ operations. This tool implements the complete, unmodified SHA-0 specification. Each generated hash digests 32 bytes of entropy sourced from crypto.getRandomValues, ensuring uniform distribution across the output space. Use these hashes for test fixtures, database seeding, protocol simulation, or academic study of pre-SHA-1 constructions. This tool approximates no shortcuts. Every round function, every padding bit, every word expansion is computed per the original standard.

Formulas

SHA-0 processes a padded message in 512-bit blocks. Each block is expanded into 80 words and compressed through 80 rounds. The critical difference from SHA-1 is the message schedule: SHA-0 uses a simple XOR without rotation.

Message schedule expansion (SHA-0, no rotation):

W_t = W_t−3 ⊕ W_t−8 ⊕ W_t−14 ⊕ W_t−16 for 16 ≤ t ≤ 79

Round compression function:

T = ROTL⁵(a) + f_t(b, c, d) + e + K_t + W_t mod 2³²

Nonlinear functions by round range:

{

f_0..19 = (b ∧ c) ∨ (¬b ∧ d) (Ch)f_20..39 = b ⊕ c ⊕ d (Parity)f_40..59 = (b ∧ c) ∨ (b ∧ d) ∨ (c ∧ d) (Maj)f_60..79 = b ⊕ c ⊕ d (Parity)

Where a, b, c, d, e are the five 32-bit working variables initialized from H₀..H₄. ROTLⁿ denotes circular left rotation by n bits. K_t is the round constant. W_t is the expanded message word. The final hash is the concatenation of the five updated state words: H₀ ‖ H₁ ‖ H₂ ‖ H₃ ‖ H₄.

Reference Data

Property	SHA-0	SHA-1	SHA-256	MD5
Publication	1993	1995	2001	1992
Standard	FIPS 180	FIPS 180-1	FIPS 180-2	RFC 1321
Digest Size (bits)	160	160	256	128
Digest Size (hex chars)	40	40	64	32
Block Size (bits)	512	512	512	512
Rounds	80	80	64	64
Word Size (bits)	32	32	32	32
Message Schedule Rotation	None	ROTL¹	-	-
Initial H₀	0x67452301	0x67452301	0x6A09E667	0x67452301
Initial H₁	0xEFCDAB89	0xEFCDAB89	0xBB67AE85	0xEFCDAB89
Initial H₂	0x98BADCFE	0x98BADCFE	0x3C6EF372	0x98BADCFE
Initial H₃	0x10325476	0x10325476	0xA54FF53A	0x10325476
Initial H₄	0xC3D2E1F0	0xC3D2E1F0	0x510E527F	-
Round Constant K_0..19	0x5A827999	0x5A827999	-	-
Round Constant K_20..39	0x6ED9EBA1	0x6ED9EBA1	-	-
Round Constant K_40..59	0x8F1BBCDC	0x8F1BBCDC	-	-
Round Constant K_60..79	0xCA62C1D6	0xCA62C1D6	-	-
Collision Resistance	Broken (~2³⁹)	Broken (~2⁶³)	Secure (2¹²⁸)	Broken (~2¹⁸)
Status	Withdrawn	Deprecated	Active	Deprecated

Frequently Asked Questions

The sole difference is in the message schedule expansion. SHA-1 applies a circular left rotation by 1 bit (ROTL¹) to the XOR result when computing words W₁₆ through W₇₉. SHA-0 omits this rotation entirely, using the raw XOR. This single missing operation makes SHA-0 susceptible to differential cryptanalysis, as demonstrated by Chabaud and Joux (1998) who found collisions with complexity ~2⁶¹, later improved to ~2³⁹ by subsequent researchers.

No. SHA-0 was withdrawn by NIST in 1995 specifically because of cryptographic weaknesses. Practical collision attacks exist. Do not use SHA-0 for digital signatures, certificate verification, password hashing, or any integrity-critical application. This tool generates random hashes for testing, academic study, seeding databases, or generating unique identifiers where collision resistance is not a security requirement.

Each hash digests 32 bytes (256 bits) of randomness obtained from crypto.getRandomValues(), which is backed by the operating system's cryptographically secure pseudorandom number generator (CSPRNG). The entropy of the input far exceeds the 160-bit output space of SHA-0, ensuring uniform distribution across the digest domain.

Theoretically yes, but practically no for reasonable batch sizes. With a 160-bit output space (2¹⁶⁰ possible digests), the birthday paradox gives a 50% collision probability at approximately 2⁸⁰ hashes (~1.2 × 10²⁴). Generating 10,000 hashes gives a collision probability of roughly 10⁻⁴⁰. The tool does not deduplicate, but collisions are astronomically unlikely.

Merkle-Damgård construction requires the original message length to be encoded in the final block to prevent length-extension ambiguity. The message is padded with a 1-bit, then zeros, then the 64-bit big-endian representation of the original message length in bits. This ensures that two messages of different lengths cannot produce identical padded blocks, which is necessary for the security proof of the hash construction.

The tool supports batch generation of up to 10,000 SHA-0 hashes in a single operation. SHA-0 computation on a 32-byte input involves a single 512-bit block (after padding, the total is 256 bits of data + padding + 64-bit length = 512 bits exactly). Processing 10,000 single-block digests completes in under 200ms on modern hardware, so no Web Worker is needed.