
Robert Viragh
State of Utopia
March 27, 2026
We broke 92% of SHA-256 across all 64 rounds. This is an unprecedented achievement on a new metric. We wrote a paper about it, which was very well received by leading cryptographers. In practice, this means that SHA-256 can be expected to fall to collision attacks very soon. We recommend migrating to different hash families. Below, we present the complete write-up and all the files needed to reproduce our results. We keep the research write-up separate from this presentation, both to make it easy to link to the files (links in PDFs are difficult to follow from a browser) and to make this presentation quick to read. The text below is different from the linked PDF.
SHA-256, differential cryptography, collision attack, semi-free-start, message schedule, SAT solving, precomputation, gap placement
Secure hash functions are used to make a short version of a large file. Ideally, such a function has several properties, including making it infeasible to find two files with the same cryptographic hash. We've just gotten 92% of the way there. This has security ramifications, in that other researchers are expected to be able to complete the work through methods similar to those explored in the paper. We weren't sure if this was a remarkable result, since it's not a full collision, but we shared the work with the leading cryptographer in the field, who holds the world records in reduced-round attacks, and got great encouragement to publish it as a paper, so we did so.
The main approach we used was complex analytical reasoning (i.e. new theorems) combined with low-level C programming. By creating new theorems we were able to uncover new relations and find the rest through a simple search taking minutes. Although our work was hard to produce, it was easy to extend. After starting with the sr=57 finding, we were able to extend it to sr=59 through a gap insertion, and solve the rest in minutes using a solver.
As mentioned, we've found a collision across the full 64 rounds with sr=59, corresponding to 43/48 schedule equations. That the solver can find a collision after the full 64 rounds is a remarkable and unprecedented result. We don't expect SHA-256's collision resistance to survive for long after this result.
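The 48 schedule equations counted above are the SHA-256 message-schedule recurrence from FIPS 180-4, one for each expanded word W[16] to W[63]. The checker below is an added example, not code from the paper or its files: it reports which of the 48 equations a 64-word sequence satisfies, which is the first thing to verify when evaluating any schedule-compliance figure. The sample block and the choice to alter the last five words (giving 43/48) are constructed for illustration and are not the paper's data.

```python
MASK = 0xFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sigma0(x):  # small sigma_0 from FIPS 180-4
    return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)

def sigma1(x):  # small sigma_1 from FIPS 180-4
    return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)

def recurrence(w, t):
    """Value the schedule equation requires for W[t], 16 <= t <= 63."""
    return (sigma1(w[t - 2]) + w[t - 7] + sigma0(w[t - 15]) + w[t - 16]) & MASK

def expand(block):
    """Expand one 64-byte block into the 64 schedule words W[0..63]."""
    if len(block) != 64:
        raise ValueError("a SHA-256 block is exactly 64 bytes")
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for t in range(16, 64):
        w.append(recurrence(w, t))
    return w

def satisfied_equations(w):
    """Return every t in 16..63 whose schedule equation holds for w."""
    if len(w) != 64 or any(not 0 <= x <= MASK for x in w):
        raise ValueError("need 64 words of 32 bits each")
    return [t for t in range(16, 64) if w[t] == recurrence(w, t)]

def is_real_block(w):
    """Only a 48/48 schedule is the expansion of an actual message block."""
    return len(satisfied_equations(w)) == 48

# Constructed sample: an honest expansion, then the same schedule with the
# last five words altered (assumption: illustrates a 43/48 schedule only).
BLOCK = bytes(range(64))
HONEST = expand(BLOCK)
PARTIAL = HONEST[:59] + [x ^ 1 for x in HONEST[59:]]

if __name__ == "__main__":
    for name, w in (("honest", HONEST), ("partial", PARTIAL)):
        ok = satisfied_equations(w)
        print(f"{name}: {len(ok)}/48 equations hold, real block: {is_real_block(w)}")
```

A schedule that fails any equation cannot be produced by hashing real message bytes, so `is_real_block` is the check that separates a hash collision on actual inputs from a partial-schedule result.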
We encourage others to reproduce our results and are making all the files you need readily available. The exact steps to reproduce the collision are in the paper. Here are the files you need, along with the PDF above:
(I renamed the .py to .py.txt to make sure I'm not running it server-side.)
Our results are a world record, but importantly, it is a new kind of record: it's highly significant that the collision holds across 64 rounds, because ordinarily, every three rounds or so make the state appear more or less random, so the existing reduced-round records, while admirable, are very far from a 64-round collision. Our results are different in that we've managed to attack the full 64 rounds, and got 92% schedule compliance in doing so.
Probably! Bitcoin mining depends on finding hashes below a certain value, called a threshold value. By exploring thousands of theorems across higher algebraic space, together with statistical tricks to cull the search space, it is possible that we'll find relations that carry across the entire double-SHA-256 pipeline and let us solve the Bitcoin proof-of-work challenge in minutes. If you'd like to be informed of updates along this path, check our page often. You can also sign up with our sponsor (nothing to do with Bitcoin), since that will help keep our research funded.
There are lots of techniques we didn't use in this work yet. Our specific approach didn't even use Wang-style message modifications, or many statistical properties that make pruning the search space far easier. We're working on this now, but with encouragement from leading researchers, we think that it's time to share our findings at this stage.
We're very happy with the results we've accomplished, and are optimistic about the research direction set here.
We'd like to add more algebraic theorems to the mix as well as statistics theorems, and are working on our own version of the kissat solver based on these properties. We have gotten to a 64% solve on the full SR=64, 64-round collision with kissat, so we think that by building our own version from algebraic and statistical facts about SHA-256 specifically, we'll be able to finish finding a collision. We've already collected 1,950 formally verified Lean theorems (some of these were used for the 3.3x speedup in the present work). If we don't succeed at finding a full collision, we expect that someone else will.
We've made an end-to-end full collision of MD5 (an outdated algorithm) based on 2008 research. You can run it in seconds on any phone or computer.
You can sign up for free with our sponsor dataplay.ai (Discovery · Research · Solution · Ship) to help support this work.