Given a hash function $\mathcal H()$ and a hash value $H$ that is in the codomain/range of outputs of $\mathcal H()$, can you determine if $H$ can be produced by $\mathcal H()$ (i.e. is $H$ in the image of $\mathcal H()$)?
I'll assume "codomain/range of outputs" is defined without reference to what the hash actually outputs (rather than as the set of actual outputs of the hash, which would make it all reached by definition).
If a hash function $\mathcal H$ was such that for a sizable portion of given $H$ in it's codomain one can exhibit input $M$ such that $H(M)=H$, then that function would not be preimage-resistant. Thus said exhibition must be computationally impossible for a random $H$.
If we model a hash as a random function $\{0,1\}^*\to\{0,1\}^n$, then per the coupon collector problem, the expected number of hashes of random messages to reach all values is $E=2^n\,(n\,\ln(2)+\gamma)+1/2+o(1)$. In crypto practice $n\ge128$ thus $\log_2(E)\approx n+\log_2(n)-0.53$. Thus on average we'd need to hash less than all exactly 33-byte messages to reach all values for an ideal 256-bit hash, but need to hash more than all exactly 65-byte messages to reach all values for an ideal 512-bit hash. Making that many hashes is impossible.
For usual hash functions such as SHA-1, SHA-256, SHA-512, and I believe SHA-3, as stated in that other answer, we have no mathematical proof that every output value can be reached. The best we can say is it likely holds (even restricting to messages that fit a single block, and even more so with more), but it would be surprising if it could be either proven or disproven.
But I think we can construct a hash function that provably reaches all it's output space, yet has to a large degree the properties expected from a cryptographic hash. Here is a candidate hash of arbitrary bitstring demonstrably reaching the whole $\{0,1\}^{512}$.
I'll use a 3072-bit safe prime $p$, that is such that $q=(p-1)/2$ is also prime; and a generator $g$ of the multiplicative group $\mathbb Z_p^*$, that is $g\in[2,p-2]$ with $g^q\equiv-1\pmod p$. We can use $p=2^{3072}-2^{3008}+2^{64}\,(\left\lfloor2^{2942}\,\pi\right\rfloor+1690314)-1$ of the 3072-bit MODP group, and $g=\left\lfloor 2^{3070}\,e\right\rfloor$.
Compute the hash $H(M)\in\{0,1\}^{512}$ of input message $M\in\{0,1\}^*$ as follows:
- Convert the bitstring $M$ to integer $m$ per big-endian convention, and keep track of the bit length $\ell$ of $M$.
- Compute
$$\begin{align}
m_0&=m\bmod(p-1)\\
h_0&=(g^{m_0}\bmod p)-1\\
h_1&=\left\lfloor h_0/2^{1024}\right\rfloor\bmod2^{512}\\
h_2&=\left\lfloor h_0/2^{1664}\right\rfloor\bmod2^{512}\\
m_1&=\left\lfloor m/(p-1)\right\rfloor\\
\end{align}$$
Note: the constants 1024 and 1664 select the position of two arbitrary non-overlapping 512-bit segments in the binary representation of $h_0$.
- Convert $h_1$ to bitstring $H_1\in\{0,1\}^{512}$, $h_2$ to bitstring $H_2\in\{0,1\}^{512}$, and $m_1$ to bitstring $M_1\in\{0,1\}^{\ell}$ per big-endian convention.
- Compute and output $H=H_1\oplus H_2\oplus\operatorname{SHA3-512}(M_1)$.
The transformation between $m_0$ and $h_0$ is a bijection of $[0,p-2]$. If follows we could provably find a preimage $M$ of any $H\in\{0,1\}^{512}$ if we could solve the DLP in the multiplicative group $\mathbb Z_p^*$: we fix $M_1=0^{3072}$ (thus $\ell=3072$ and $m_0=m$), $h_0=2^{640}\,h_1$ (thus $H_2=0^{512}$), that lets us compute $H_1=H\oplus\operatorname{SHA3-512}(M_1)$, then $h_1$, then $h_0=2^{640}\,h_1$. We solve the DLP problem $(g^{m_0}\bmod p)=h_0+1$ to get $m_0$, then $m$, then the 3072-bit $M$.
My argument that the hash is collision-resistant and preimage-resistant is that $M\mapsto(M_1,m_0)$ is injective, $m_0\mapsto H_1\oplus H_2$ seems to be fairly hard to invert or collide, and XORing that with a good unrelated hash of $M_1$ less than halves the collision-resistance.
Is there any benefit you can think of ?
I don't see any actual technical benefit to a hash function that demonstrably reaches all it's codomain, since we can't experimentally tell the difference with a good standard hash function without this property. On the other hand, it would be intellectually satisfying. Problem is, anything I can think of (like the above candidate) if both slower and less safe at given output width than a standard hash is, and that practical consideration out weights the intangible benefit of being sure all output values can be reached.
I don't see any benefit to a hash function that demonstrably can not reach some of it's output space, and such that's it's computationally impossible to exhibit such output value, or impossible to tell if a given output space value is reachable.
I can imagine applications for hashes that probably can not reach a few known values in their output space (e.g. one such value can be reserved as indicator of a special case). On the other hand, we can easily construct such hashes from standard primitives. For example, for a 256-bit hash that can not reach $0^{256}$, we can use (with usual conversions between bitstrings and integers) $M\mapsto(\operatorname{SHAKE128}(M,416)\bmod(2^{256}-1))+1$. And in practice we could as well use any standard 256-bit hash.
