Cryptographic hash functions take an arbitrary-length input and produce a short fixed-length output that acts as a signature or fingerprint of the input. The fingerprint is called a hash value and the input is known as a message. Hash functions are extensively used for data integrity and security. They are particularly helpful in cases where storing the message would pose a security threat but a signature is still required for verification, such as a password in a database. The hashes of the passwords can be stored instead and each time the user enters their password, the hashes can be matched for verification.

Hashes can be used for data integrity as well. For example, when some data is stored or transferred, the integrity can be checked by comparing a known hash with the hash of the stored data. This integrity check ensures that the data was preserved without alteration.

Cryptographic hash functions are expected to have three primary characteristics: • Preimage resistance: It’s computationally infeasible to find an input, x, given a hash, y, such that y is the hash of x. • 2nd preimage resistance: Given an input, x, and its hash, y, it’s infeasible to find a diferent input, x′, that produces the same hash y.

IV

Hash

• Collision resistance: It’s infeasible to find an input pair, x and x′ (x ̸= x′), that both produce the same hash.

An example of a weak hash function is MD4 [ 13 ] because it does not have collision resistance—an attacker can easily generate colliding message pairs. 2.2. SHA-256 SHA-256 is a hash function that takes an arbitrary-length input and pads it as necessary to produce one or many 512-bit message blocks. Afterwards, the message blocks are processed iteratively to produce a 256-bit hash. Each message block is processed by a compression function that takes the message block and a 256-bit chaining value as inputs (see Figure 1).

In the compression function, 64 rounds (also called steps) of transformations are performed to produce a hash. The hash from processing a single message block is used as the chaining value for the next message block. This means that altering a message block will lead to cascading changes in the next message blocks in the sequence. The chaining value for the first message block is set by the specification [ 14] to a fixed value, known as the standard IV (initialization vector). The hash output is the chaining value produced after applying the compression function on the last message block.

In our work, we focus on a step-reduced version of SHA-256. This means that the number of rounds/steps in the compression function is reduced to make the problem easier. Moreover, we only consider messages with a single block of size 512 bits. Because the hash output has 256 bits, there is certainly enough freedom in the input so that many collisions exist without needing to consider multiple blocks.

A relaxed type of collision known as a semi-free-start (SFS) collision allows an arbitrary initial chaining value CV, so long as the same chaining value is used to initialize the hash function for both colliding messages in the SFS collision (see Figure 2). In our work, we find SFS collisions for SHA-256 using up to 38 steps of the compression function. Note that the actual SHA-256 hash function has 64 steps, meaning we are still very far from finding a true SHA-256 collision (roughly speaking, as the number of steps increases the collision problem becomes exponentially more dificult). The best known collision attacks on SHA-256 are very far from the full 64 steps, so this provides evidence that SHA-256 is secure.

Diferential cryptanalysis is a technique that analyzes how the input diferences influence the output diferences in, for example, a hash function. This technique is crucial in collision attacks of hash functions, since we’re interested in studying the difusion of the input diferences to the output diferences such that we get a zero output diference and a non-zero input diference.

In diferential cryptanalysis of hash collisions, we have two hash inputs and we examine the diferences in all the operations until the output for both inputs. Usually diferences between the values are calculated through XOR operations, such as Δx = x ⊕ x′, where x is a single bit, x′ is its counterpart in the second hash instance, and Δx is the diference of x and x′. In general, a pair (x, x′) representing a bit in one bitvector and its counterpart in the second hash instance may have up to 4 combinations, {(0, 0), (0, 1), (1, 0), (1, 1)}. In some cases, some of the four possibilities may be ruled out, though. The possibilities for (x, x′) can be generalized as the diferential conditions [ 16] presented in Table 1. For example, if a pair (x, x′) has the possibilities {(0, 0), (1, 1)}, we describe it as having the diferential condition ‘-’, whereas the diferential condition ‘ x’ describes the possibilities {(0, 1), (1, 0)}.

For convenience, the diferential conditions of a pair of words (A, A′) can be collectively described in a vector ∇A = [cncn− 1 · · · c1c0], where ci is the diferential condition of the ith bit pair (ai, a′i) with A = [an− 1 · · · a0] and A′ = [a′n− 1 · · · a′0].

The diferential over a function f (X) = Y where X and Y are bitvectors is denoted ∇X → ∇Y . On a high level, we want f to be the hash function while ∇X and ∇Y are the input and output diferences represented by diferential conditions. In practice, analyzing this diferential alone is not helpful as it contains too little information. We want to study all the operations in between as well—chaining the operations in SHA-256 together as a series of steps starting from the input to the output. If we represent the diferences in an operation’s input and output values as a diferential, we can represent the 2 hash function instances as a chain of diferentials. This chain of diferentials is called the diferential path and analyzing this path shows how the diferences propagate from the input diferences all the way to the output diferences, which is essential for finding collisions.

Boolean satisfiability (SAT) solving involves searching for a solution of a Boolean formula (an assignment of the variables that makes the formula true). The tools designed for this purpose are called SAT solvers. Even though all known algorithms for SAT solving run in exponential time in the worst case, in practice many problems can be solved by modern SAT solvers in a reasonable amount of time. In fact, SAT solvers are so efective that in practice there are problems unrelated to logic that are most efectively solved by reducing them to SAT and calling a SAT solver.

The beauty of SAT solving lies in its generic nature, which means that it can be applied to any domain as long as the problem can be encoded into a Boolean formula. This also allows solvers to be tuned for performance independently of a specific problem. Modern SAT solvers can be surprisingly efective at solving SAT problems by incorporating sophisticated techniques like conflict analysis and clause learning, clever branching heuristics, and simplification [ 17]. This combination allows them to be highly potent at general-purpose search.

The SC2 Project. SAT solving, ever since its inception, has been found to be useful for satisfiability checking—determining whether a logical formula is satisfiable. On the other side, Computer Algebra Systems (CASs) include algorithms that are eficient at solving mathematical problems. However, many problems exist that involves both satisfiability checking and symbolic computation, and bridging the two fields was proposed in 2015 in the work of Ábrahám [18] and Zulkoski et al. [19]. Shortly afterwards, the SC2 project [20] was initiated to support the joint community. Since then, a wide variety of problems have been tackled using SC2 techniques, from circuit verification [ 21] to knot theory [22] to quantifier elimination and cylindrical algebraic decomposition [23], and factoring integers with known bits [24]. See England’s survey [25] for an overview of many other examples.

Programmatic SAT. Programmatic SAT involves injecting code into the solver to aid the solver and solve a problem more eficiently than it otherwise could [ 26]. It’s useful especially when aspects of the problem are dificult to express in conjunctive normal form, the typical input of SAT solvers [27].

Programmatic SAT is usually domain-specific and combines the powerful techniques of search possessed by SAT solvers with the most eficient high-level algorithms and analysis tools for the problem. Some modern SAT solvers can be customized in a programmatic way through built-in interfaces like IPASIR-UP [28]. The solver may be aided through the following ways during search: • External propagation: Assigning variables derived through high-level deduction. • External decisions: Making decisions on picking important unassigned variables and guessing their values through high-level analysis. • External learning: Injecting learned clauses during conflicts detected through the high-level conflict analysis.

Cryptographic hash functions such as MD4, MD5, SHA-1, etc. have been extensively relied on for information security for many years. However, Wang et al. [ 13 ] devised an eficient method in 2005 for ifnding MD4 collisions with probability from 2− 6 to 2− 2 using at most 256 MD4 hash operations. Wang et al. also proposed an attack on MD5 [ 1 ] for finding collisions within 15–60 minutes of computational time in the same year. Also in 2005, Wang et al. [29] presented a collision attack on SHA-1 using at most 269 SHA-1 hash computations, resulting in a SHA-1 collision found in 2017 [30].

The SHA-2 family of hash functions, however, survived these remarkable attacks, likely due to their relatively complex design with message expansion. One of the earliest attacks on SHA-256 and its family members was in 2003 by Gilbert and Handschuh [31]. In FSE 2006, Mendel et al. [ 32 ] reported that the message expansion of the SHA-2 family of hash functions was one of the key points for their increased collision resilience over SHA-1. To tackle this, Mendel et al. applied a message modification technique and reached an 18-step collision for SHA-256. In INDOCRYPT 2008, Sanadhya and Sarkar [ 33 ] presented collisions up to 24 steps of SHA-256 and SHA-512, making improvements over the work of Nikolić and Biryukov [ 34 ] that presented collisions up to 21 steps of SHA-256 at FSE 2008.

In ASIACRYPT 2011, Mendel et al. [15] revealed a collision for 27-step SHA-256 and a semi-free-start (SFS) collision for 32 steps. They automated the search with a domain-specific tool that searches for differential characteristics for SHA-256. The tool utilizes propagation, analysis of the bit constraints, clever branching on the most constraints bits, and contradiction detection in the diferential characteristics.

In EUROCRYPT 2013, Mendel et al. [ 7 ] came back with another breakthrough—a 28-step collision of SHA-256 along with a 38-step SFS collision. They further improved the automatic search tool that finds diferential characteristics. The improvements included local collisions over a larger number of steps and improved decision/branching heuristics over [15].

Very recently, in the rump session of FSE 2024, Li et al. [ 8 ] announced a 31-step collision of SHA256, and in a EUROCRYPT 2024 paper found a 39-step SFS collision [ 9 ]. These works also made an advancement in cryptanalysis with SAT solving, searching for characteristics by controlling the sparsity (number of variables with no diference).

The progress of the attacks on SHA-256 is presented in Table 2.

Perfect propagation is only feasible for small diferentials with a small number of possibilities to explore. However, SHA-256 performs operations on 32-bit words, which means that every function operates on 32-bit words as input. If we want to propagate the output for a function, we’d have to deal with a relatively large number of bits.

To keep the process computationally feasible, we only perform perfect propagation on the output of a bitwise operation in each bit position independently. This reduces the number of bits involved in the propagation while still helping to deduce information. Each output condition is propagated by enumerating all possibilities conforming to the input conditions that the output condition is dependent on—the same as perfect propagation, but only perfect locally. This is a practical version of perfect propagation called “bitsliced” propagation.

For example, suppose we have X ⊞ Y = Z and we want to propagate ∇X = [x-x-] and ∇Y = [x---] to ∇Z. We will focus on propagating information for the second-least significant bit; this bitslice is highlighted in bold in the depiction below: ∇Z = ⊞

??[x-x-] [x---] [???-]

In the example above, the wordwise addition (modulo 24) involves 2 addends with the diferential conditions [x-x-] and [x---], and the first row denotes the diferential conditions of the carries. In general the bitslices involve 3 input conditions and 2 output conditions (namely, a sum diferential bit and a carry diferential bit). The conditions are derived through perfect propagation on each bitslice—in this case the slice having a width of 1 bit.

In this example, the highlighted bitsliced diferential [-x-??] (with the last ? denoting the carry) after propagation becomes [-x-x?] (i.e., the sum diferential bit becomes an x). This process of bitwise propagation can be repeated for the rest of the bit positions, resulting in propagation over a wordwise operation with a low cost.

SHA-256’s hash output is calculated by a series of Boolean operations on 32-bit words. Each step involves the state update equations of Section 2.2.2 that are used for transforming the state variables A and E. We also have the message expansion equation (1) defining Wi for all steps i ≥ 16. All these equations involve modular additions and therefore to efectively search for collisions it is essential to have efective propagation for the modular additions. Bitsliced propagation is helpful in deriving information for modular additions, however, this technique doesn’t capture all the relations between the bits as it is local to a bitslice and doesn’t operate on the entirety of the 32-bit words.

To mitigate this shortcoming of bitwise propagation, we utilize a global “wordwise” propagation technique, that is significantly cheaper than perfect propagation on words pairs in practice but typically derives more information than bitwise propagation.

Wordwise propagation works by exploiting the constraints in the modular addition, such as the modular integer diferences of words. Modular diferences of words were also used in the work of Wang and Yu [ 1 ] for a diferent purpose.

When A ⊞ B = C and A′ ⊞ B′ = C′, wordwise propagation may derive additional information on the diferential conditions ∇A and ∇B if the modular diference of C and C′ is known. Denoting modular subtraction of two 32-bit words by ⊟ , the modular diference of C and C′ is (2) (3) δC := C ⊟ C′ = 31 X(ci − c′i)2i i=0 mod 232 where ci and c′i denote the ith least significant bits of C and C′.

In the previous example, the modular addition equations in both the hash instances can be combined via (A ⊟ A′) ⊞ (B ⊟ B′) = C ⊟ C′ which can be rewritten as δA ⊞ δB = δC .

In general, wordwise propagation is performed on equations like

δA 1 ⊞ δA 2 ⊞ · · · ⊞ δA n = C where C can be determined in advance and we want to derive some additional information on at least one of the diferential conditions ∇A1 to ∇An.

For example, suppose we know δA = δB , ∇A = [ux-], and ∇B = [-n-]. It follows that δB = 0 · 22 + (0 − 1) · 2 + 0 = − 2 is known (modulo 8), but δA = (1 − 0) · 22 + (a1 − a′1) · 2 + 0 = 4 ± 2 is either 2 or 6 since a1 − a′1 = ± 1. From ∇A alone the value of δA cannot be determined exactly, but when the additional constraint δA = δB is considered it is clear that the only solution is δA = 6 meaning that a1 − a′1 = 1. Thus, wordwise propagation in this case would derive ∇A = [uu-].

To avoid dealing with negative numbers, the diferential conditions x, n, and ? are normalized by adding an appropriate power of two. For example, in the above example 21 would be added making the equation (1 − 0) · 22 + w · 21 + 0 = − 2 + 21 = 0 where w := a1 − a′1 + 1 ∈ {0, 2} becoming (1 + v) · 22 = 0 where v := w/2 ∈ {0, 1}. As a 3-bit bitvector equation (hence performed modulo 23), this is [1 + v, 0, 0] = [0, 0, 0] which has just one solution v = 1.

Dividing into subproblems. After reducing equations of the form (3) to bitvector equations, we want to determine all solutions for the variables. To do so, we search for possible values through brute force. Since this has an exponential time complexity, we divide the problem into smaller components by analyzing the cascading efects of the carries. In practice, this reduces the computational cost significantly as the subproblems can usually be solved quickly, and any subproblem that is too expensive to solve can be skipped without afecting the other subproblems. In our work, we consider any subproblem with more than 10 variables as expensive, limiting the number of (brute force) iterations to 210 = 1024 for a subproblem.

As an example, suppose δA ⊞ δB = δC where ∇A = [u1xxx], ∇B = [xx-nx], and ∇C = [---u-]. Then δC = 2, and after normalizing A and B we derive

(δA + 22 + 2 + 1) ⊞ (δB + 24 + 23 + 2 + 1) = δA ⊞ δB ⊞ 2 = 4, becoming the bitvector modular addition problem [ 1, v3, v2, v0, 0 ] δA ⊞ δB ⊞ 2 = ⊞ [ v4, 0, 0, v1, 0 ] 0 0 1 0 0 where v0, . . . , v4 ∈ {0, 1}.

Now, a linear scan is performed starting from the least significant digit (the rightmost column). Since there’s no variable in the first column, we skip it. Next, we have a subproblem candidate v0 + v1 ≡ 0 (mod 2). Since this addition can overflow, the next column must be included in the subproblem. Including the next column results in the subproblem v0 + v1 + 2v2 ≡ 2 (mod 4) which cannot overflow since v0 = v1 = v2 = 1 is not a solution. Thus, the problem starting in the next column is independent.

The next problem is then v3 ≡ 0 (mod 2), which only has one solution v3 = 0 and thus also cannot overflow and is independent of the final column. Similarly, the final column results in the subproblem 1 + v4 ≡ 0 (mod 2) which only has the single solution v4 = 1.

In this example wordwise propagation thus determines that v4 = 1 and v3 = 0. Since v4 arose from the second ‘x’ in ∇B which encodes the diference b3 ⊕ b′3, i.e., v4 = (b3 − b′3 + 1)/2, we derive that (b3, b′3) = (1, 0). Similarly, v3 arose from the ‘x’ in ∇A encoding a2 ⊕ a′2, i.e., v3 = (a2 − a′2 + 1)/2, and we derive that (a2, a′2) = (0, 1). Thus, in this example wordwise propagation deduces the updated diferential conditions ∇A = [u1nxx] and ∇B = [xu-nx].

Implementation Details. Wordwise propagation was applied to all the modular addition equations, specifically the message expansion (1) and state update transformation equations, including the one for the auxiliary word Ti. However, the only variables that were propagated were the diferential variables in ∇Ai, ∇Ei, and ∇Wi.

During the wordwise propagation routine, a heuristic that we used which we found dramatically improved the eficiency of the solver was to assume that any diferential ‘ ?’ in the auxiliary variables (including ∇Ti and the diferential variables corresponding to the output of IF, MAJ, σ 0, Σ0, etc.) was actually a ‘-’ diferential. In practice, making this assumption allowed the modular diference of the auxiliary diferential words to be calculable much more frequently, and increased the likelihood that variables in the word diferentials ∇Ai, ∇Ei, and ∇Wi were derived. This heuristic is related to the ‘decision’ search strategy of Mendel et al. [15] which always first imposes a ‘ -’ for a ‘?’ before imposing a ‘x’. However, we found that making assumptions on the primary word diferentials ∇Ai, ∇Ei, and ∇Wi themselves significantly decreased the solver’s performance, preventing us from finding SFS collisions for SHA-256 beyond 28 steps.

The IPASIR-UP programmatic interface provides access to the current state of the solver for the relevant variables (i.e., those encoding the state of the hash function and the diferential variables). IPASIR-UP also enables us to perform custom propagation and branching as well as learning custom conflict clauses.

For implementing inconsistency blocking, we used our own implementation of a graph library. This houses the graph algorithm described in Section 4 for detecting minimal inconsistent cycles in linear time. Our implementations of bitsliced and wordwise propagation, as well as the two-bit condition detection engine used for inconsistency blocking, are based on the ideas described in the works of Mendel et al. [15] and Eichlseder [ 40, 43 ]. We used a least-recently-used cache data structure for caching propagation rules and rules for deriving two-bit conditions. The cache doesn’t grow beyond the maximum available RAM, since the least frequently used entries are deleted on the fly.

In our experiments, most queries to the propagation and two-bit detection engines could be served from the cache, which is much faster than deriving the propagation rules or the two-bit conditions on the fly each time. Since the set of rules that are queried throughout the entire runtime is usually small (i.e., consumes a small portion of the total CPU time), it wasn’t necessary to precompute any rules.

We perform bitsliced propagation for all operations in SHA-256 (including the modular additions) alongside the solver’s built-in Boolean constraint propagation (BCP). As wordwise propagation is much more expensive in terms of computational cost, it’s performed only when the SAT solver finishes with the other propagation methods. This way, wordwise propagation only deduces the conditions that bitsliced propagation couldn’t.

IPASIR-UP asks for a “reason” clause of propagated literals when it becomes necessary for the solver to know why a literal was propagated. For bitsliced propagation, these reason clauses were relatively short, so in this case we provided reason clauses directly via IPASIR-UP’s interface. On the other hand, wordwise propagation involves multiple word pairs and a single propagated literal may depend on a relatively large number of bits, leading to long reason clauses. To avoid overwhelming the solver with long reason clauses, we did not use IPASIR-UP’s propagation interface for wordwise propagation and instead set the values of any literals deduced by wordwise propagation via branching.

We performed the same experiment with three separate solvers: an unmodified version of CaDiCaL 1.8.0, a version of CaDiCaL with programmatic bitsliced and wordwise propagation, and a version of CaDiCaL with both programmatic propagation and inconsistency blocking. We also tried using CryptoMiniSat 5.11.21 [ 44 ], given that it supports XOR constraints natively and has been tuned to work on cryptographic problems. However, we did not pursue this extensively as CryptoMiniSat currently does not have a programmatic interface and did not perform as well as CaDiCaL.

With each solver we searched for semi-free-start collisions for step-reduced SHA-256 with 20 to 38 steps. In order to reduce the randomness inherent in the search, each instance was solved ten times independently using 10 diferent random seeds, though these 10 diferent seeds were consistently used across all our experiments. Each instance was run for a time limit of 500,000 seconds (roughly 5.8 days). The number of instances successfully solved in each case is given in Table 3, and the minimum time for ifnding a collision is plotted in Figure 3. The starting points used for the 21-step, 25-step, 28-step, and 38-step instances are given in the appendix. The starting points for all other step counts were formed from one of these starting points by dropping a number of rows at the bottom, e.g., the 26-step instance matches the 28-step starting point with two rows removed. This means that the instances in the step

CaDiCaL CaDiCaL/P CaDiCaL/P+IB 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38

Steps ranges 20–21, 22–25, 26–28, and 29–38 can be expected to roughly have similar dificulty as they were created from the same starting point.

The results show that programmatic propagation was clearly efective at helping the solver find SFS collisions. The plain SAT solver could only find SFS collisions up to 28 steps, while CaDiCaL with programmatic propagation, both with and without inconsistency blocking, successfully found SFS collisions for every step count from 20 to 38, with the exception of 35—no 35-step instances were solved when both programmatic propagation and inconsistency blocking were enabled (see Table 3). In general, we found inconsistency blocking tended to decrease the eficiency of the solver, although using inconsistency blocking did result in the fastest solve times for the instances with 30, 31, 32, and 36 steps.