
Brute-Force Cryptanalysis with Aging Hardware: Controlling Half the Output of SHA-256

Abstract : This paper describes a "three-way collision" on SHA-256 truncated to 128 bits. More precisely, it gives three random-looking bit strings whose hashes by SHA-256 maintain a non-trivial relation: their XOR starts with 128 zero bits. They have been found by brute force, without exploiting any cryptographic weakness in the hash function itself. This shows that birthday-like computations on 128 bits are becoming increasingly feasible, even for academic teams without substantial means. These bit strings have been obtained by solving a large instance of the three-list generalized birthday problem, a difficult case known as the 3XOR problem. The whole computation consisted of two equally challenging phases: assembling the 3XOR instance and solving it. It was made possible by the combination of: 1) recent progress on algorithms for the 3XOR problem, 2) creative use of "dedicated" hardware accelerators, 3) adapted implementations of 3XOR algorithms that could run on massively parallel machines. Building the three lists required $2^{67.6}$ evaluations of the compression function of SHA-256. They were performed in 7 calendar months by two obsolete secondhand bitcoin mining devices, which can now be acquired on eBay for about 80€. The actual instance of the 3XOR problem was solved in 300 CPU years on a 7-year-old IBM Bluegene/Q computer, a few weeks before it was scrapped. To the best of our knowledge, this is the first explicit 128-bit collision-like result for SHA-256. It is the first bitcoin-accelerated cryptanalytic computation and it is also one of the largest public ones.
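The relation described in the abstract can be reproduced at toy scale. The following is an added example, not code from the paper or its authors: it solves a 3XOR instance on SHA-256 truncated to 20 bits with the plain quadratic lookup method (not the algorithms the paper used) and then checks the leading zero bits of the XOR of the three full digests. The message format (a one-byte list prefix plus an 8-byte counter), the truncation width and the list size are assumptions chosen so that it runs in about a second.

```python
import hashlib

def truncated_hash(msg: bytes, nbits: int) -> int:
    """Top nbits of SHA-256(msg), as an integer."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - nbits)

def build_list(prefix: bytes, size: int, nbits: int) -> dict:
    """Map truncated hash -> message for `size` counter-derived messages.

    The prefix keeps the three lists disjoint (constructed inputs).
    """
    table = {}
    for i in range(size):
        msg = prefix + i.to_bytes(8, "big")
        table[truncated_hash(msg, nbits)] = msg
    return table

def solve_3xor(nbits: int, size: int):
    """Quadratic 3XOR: for each pair (a, b), look up a ^ b in the third list.

    Returns (ma, mb, mc) with H(ma) ^ H(mb) ^ H(mc) == 0 on the top nbits,
    or None if these lists contain no solution.
    """
    list_a = build_list(b"A", size, nbits)
    list_b = build_list(b"B", size, nbits)
    list_c = build_list(b"C", size, nbits)
    for ha, ma in list_a.items():
        for hb, mb in list_b.items():
            mc = list_c.get(ha ^ hb)
            if mc is not None:
                return ma, mb, mc
    return None

def leading_zero_bits_of_xor(msgs) -> int:
    """Leading zero bits in the XOR of the full SHA-256 digests of msgs."""
    acc = 0
    for m in msgs:
        acc ^= int.from_bytes(hashlib.sha256(m).digest(), "big")
    return 256 - acc.bit_length()

if __name__ == "__main__":
    # 512^3 = 2^27 triples against a 2^20 target: about 128 expected solutions.
    triple = solve_3xor(nbits=20, size=512)
    print([m.hex() for m in triple], leading_zero_bits_of_xor(triple))
```

With three lists of N entries and an n-bit target, about N^3 / 2^n solutions are expected, so the smallest workable lists have roughly 2^(n/3) entries each.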
Document type :
Preprints, Working Papers, ...

Cited literature [27 references]
Contributor : Charles Bouillaguet
Submitted on : Monday, October 7, 2019 - 10:37:12 AM
Last modification on : Friday, November 27, 2020 - 2:20:05 PM


Files produced by the author(s)


  • HAL Id : hal-02306904, version 1



Mellila Bouam, Charles Bouillaguet, Claire Delaplace. Brute-Force Cryptanalysis with Aging Hardware: Controlling Half the Output of SHA-256. 2019. ⟨hal-02306904⟩


