Much fewer than 32 bytes will do, too. If the server doesn't have the file but wants to pretend it does, it could report random numbers. Those would be correct for a chance of 1 in 256 for 1 byte or 1 in ~4bn for 4 bytes I think that's safe enough.