
Full 64 rounds, 43/48 schedule compliance.
Robert Viragh
State of Utopia
March 27, 2026
Abstract
We broke 92% of SHA-256 (details below) across all 64 rounds. Although not a full collision attack, this is an unprecedented achievement across a new metric. We wrote a paper about it which was very well-received by leading cryptographers. What this means in practice is that SHA-256 can be expected to fall to collision attacks very soon. We recommend migrating to different hash families. Below, we present the complete write-up and all necessary files to reproduce our results. We keep the research write-up separate from this presentation so that the files are easy to link to (links in PDFs are difficult to follow from a browser) and so that this presentation is quick to read. The text below is different from the linked PDF.
Keywords
SHA-256, differential cryptography, collision attack, semi-free-start, message schedule, SAT solving, precomputation, gap placement
1. Introduction
Secure hash functions are used to make a short version of a large file. Ideally, these functions have several properties, including making it infeasible to find two different files with the same cryptographic hash. We've just gotten 92% of the way to finding a single collision (this means that there is no full collision yet). This has security ramifications in that other researchers are expected to be able to complete the work through methods similar to those explored in the paper, and eventually produce collisions at will. We weren't sure if this was a remarkable result, since it's not a full collision, but we shared the work with the leading cryptographer in the field, who holds the world records in reduced-round attacks, and got great encouragement to proceed to publish it as a paper, so we did so.
2. Methodology
The main approach we used was complex analytical reasoning (i.e. new theorems) combined with low-level C programming. By creating new theorems we were able to uncover new relations and find the rest through a simple search taking minutes. Although our work was hard to produce, it was easy to extend. After starting with the sr=57 finding, we were able to extend it to sr=59 through a gap insertion, and solve the rest in minutes using a solver.
3. Results
As mentioned, we've found a collision across the full 64 rounds with sr=59, corresponding to 43/48 schedule equations. The fact that we were able to achieve a result for which the solver can find a collision after the full 64 rounds is a remarkable and unprecedented one. We don't expect SHA-256 to survive collision-resistance for long after this result.
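To make the schedule-compliance figure concrete, this added example (not code from the paper or the linked files) counts how many of the 48 SHA-256 message-schedule equations a 64-word sequence satisfies. The "abc" test block, the choice to free the last five words, and the reading of sr as 16 free words plus the satisfied equations are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rotr(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
static uint32_t sigma0(uint32_t x) { return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3); }
static uint32_t sigma1(uint32_t x) { return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10); }

/* Value the SHA-256 message schedule (FIPS 180-4) requires for W[t], 16 <= t <= 63. */
static uint32_t required_word(const uint32_t W[64], int t) {
    return sigma1(W[t - 2]) + W[t - 7] + sigma0(W[t - 15]) + W[t - 16];
}

/* Count how many of the 48 schedule equations hold for an arbitrary 64-word sequence. */
int schedule_compliance(const uint32_t W[64]) {
    int ok = 0;
    for (int t = 16; t < 64; t++)
        if (W[t] == required_word(W, t)) ok++;
    return ok;
}

/* Constructed input: the single padded block of the message "abc", fully expanded. */
static void abc_schedule(uint32_t W[64]) {
    for (int i = 0; i < 16; i++) W[i] = 0;
    W[0] = 0x61626380u;   /* 'a' 'b' 'c' followed by the 0x80 padding byte */
    W[15] = 0x18;         /* message length in bits */
    for (int t = 16; t < 64; t++) W[t] = required_word(W, t);
}

uint32_t abc_schedule_word(int t) { uint32_t W[64]; abc_schedule(W); return W[t]; }

/* Flip the top bit of the last `free_words` words so they stop following the schedule,
 * then measure compliance. Putting the free words at the tail is an assumption. */
int compliance_with_free_tail(int free_words) {
    uint32_t W[64];
    abc_schedule(W);
    for (int t = 64 - free_words; t < 64; t++) W[t] ^= 0x80000000u;
    return schedule_compliance(W);
}

int main(void) {
    int ok = compliance_with_free_tail(5);
    int sr = 16 + ok;     /* assumed reading of sr: 16 free words + satisfied equations */
    printf("schedule equations satisfied: %d/48\n", ok);
    printf("sr = %d of 64 words (%.0f%%)\n", sr, 100.0 * sr / 64);
    return 0;
}
```

A message that a real SHA-256 implementation would hash always scores 48/48; any lower count describes a relaxed variant of the function, not SHA-256 itself.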
4. Reproducibility
We encourage others to reproduce our results and are making all the files you need readily available. The exact steps to reproduce the collision are in the paper. Here are the files you need, along with the PDF above:
(I renamed the .py to .py.txt to make sure I'm not running it server-side.)
5. Discussion
Our results are a world record and, importantly, a new kind of record: it's highly significant that the collision holds across 64 rounds, because ordinarily, every three rounds or so make the state appear more or less random - so the existing reduced-round records, while admirable, are very far from a 64-round collision. Our results are different in that we've managed to attack the full 64 rounds, and got 92% schedule compliance in doing so.
6. Can we mine bitcoin super fast?
Maybe one day! Bitcoin mining depends on finding hashes below a certain value, called a threshold value. By exploring thousands of theorems across higher algebraic space, together with statistical tricks to cull the search space, it is possible that we'll find relations that carry across the entire double-SHA-256 pipeline and can let us solve the bitcoin proof of work challenge in minutes. If you'd like to be informed of updates along this path, check our page often. To be clear, our present work doesn't present any such immediate possibility, but it could always happen in the future.
7. Limitations
There are lots of techniques we didn't use in this work yet. Our specific approach didn't even use Wang-style message modifications, or many statistical properties that make pruning the search space far easier. We're working on this now, but with encouragement from leading researchers, we think that it's time to share our findings at this stage.
8. Conclusion
We're very happy with the results we've accomplished, and are optimistic about the research direction set here.
9. Future Work
We'd like to add more algebraic theorems to the mix as well as statistics theorems, and are working on our own version of the kissat solver based on these properties. We have gotten to a 64% solve on the full SR=64, 64-round collision with kissat, so we think that by building our own version from algebraic and statistical facts about SHA-256 specifically, we'll be able to finish finding a collision. We've already collected 1,950 formally verified Lean theorems (some of these were used for the 3.3x speedup in the present work). If we don't succeed at finding a full collision, we expect that someone else will.
10. Have you done this before?
We've made an end-to-end full collision of MD5 (an outdated algorithm) based on 2008 research. You can run it in seconds on any phone or computer.
11. Questions
What does "92% of the way" mean? 92% of what? How is that percentage measured?
It means 92% of the 64 equations that are used to go from one round to the next are satisfied through all 64 rounds. Instead of satisfying all 64 of them (which would be a 100% break), we're currently satisfying 59 of them. This is considered a "very good" result in terms of finding a collision. It's remarkable to be able to satisfy a collision after so many rounds even with a slightly relaxed schedule, because SHA-256 uses 64 such rounds.
Should I be worried about the security of SHA-256 hashes?
We think so. We think it's time to move to other hash function families. However, it is okay to be sceptical until someone produces a full-schedule, full-round collision!
Appendix
You can read some of our work notes here that show great detail about the process we went through, including dates and times. We didn't realize that our results so far had such broad implications until we checked with other cryptographers, so the interim report is rather pessimistic.
We were sponsored by dataplay.ai.