Cryptology ePrint Archive: Report 2021/886

Computational Records with Aging Hardware: Controlling Half the Output of SHA-256

Mellila Bouam and Charles Bouillaguet and Claire Delaplace and Camille Noûs

Abstract: SHA-256 is a secure cryptographic hash function. As such, its output should not have any detectable property. This paper describes three bit strings whose hashes by SHA-256 are nevertheless correlated in a non-trivial way: the first half of their hashes XORs to zero. They were found by “brute-force”, without exploiting any cryptographic weakness in the hash function itself. This does not threaten the security of the hash function and does not have any cryptographic implication. This is an example of a large “combinatorial” computation in which at least 8.7 × 10^22 integer operations have been performed. This was made possible by the combination of: 1) recent progress on algorithms for the underlying problem, 2) creative use of "dedicated" hardware accelerators, 3) adapted implementations of the relevant algorithms that could run on massively parallel machines. The actual computation was done on aging hardware. It required seven calendar months using two obsolete second-hand bitcoin mining devices converted into "useful" computational devices. A second step required 570 CPU-years on an 8-year-old IBM BlueGene/Q computer, a few weeks before it was scrapped. To the best of our knowledge, this is the first practical 128-bit collision-like result obtained by brute-force, and it is the first bitcoin miner-accelerated computation.
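The underlying problem is the 3XOR problem on truncated digests: find three distinct messages x, y, z such that the first n bits of SHA-256(x), SHA-256(y) and SHA-256(z) XOR to zero, with n = 128 in the paper. The following is an added example, not code from the paper or its authors: it implements the simplest quadratic 3XOR search on a small width (n = 24) so it runs in seconds, plus the verification check one would run on a claimed triple. The message families ("3xor-demo/A/i", "/B/i", "/C/i") and the starting list size near 2^(n/3) are assumptions of this demo; the paper's own algorithms are more efficient than this baseline and are not reproduced here.

```python
import hashlib
from typing import Dict, List, Tuple


def prefix_bits(msg: bytes, nbits: int) -> int:
    """Leading `nbits` bits of SHA-256(msg) as an integer.

    The paper's result concerns nbits = 128 (the first half of the digest);
    this demo uses a far smaller width so the search finishes quickly.
    """
    assert 1 <= nbits <= 256
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - nbits)


def verify_triple(x: bytes, y: bytes, z: bytes, nbits: int) -> bool:
    """The check a reader runs on a claimed triple: three *distinct* messages
    whose truncated digests XOR to zero. Distinctness matters, because
    (x, y, y) trivially reduces to prefix(x) == 0 and is not a 3XOR result."""
    if len({x, y, z}) != 3:
        return False
    return prefix_bits(x, nbits) ^ prefix_bits(y, nbits) ^ prefix_bits(z, nbits) == 0


def find_3xor(nbits: int, tag: str = "3xor-demo") -> Tuple[bytes, bytes, bytes]:
    """Baseline quadratic 3XOR search (assumed here for illustration; this is
    not the paper's optimized algorithm).

    Three lists A, B, C of N messages each are hashed. C is kept as a table
    keyed by prefix, and every pair (a, b) from A x B is looked up as a ^ b.
    A solution is expected once N^3 ~ 2^nbits, so N starts near 2^(nbits/3)
    and is doubled until a triple appears. Drawing the three messages from
    disjoint families guarantees they are distinct.
    """
    n = 1 << max(1, (nbits + 2) // 3)
    while True:
        a_list: List[Tuple[int, bytes]] = []
        b_list: List[Tuple[int, bytes]] = []
        c_table: Dict[int, bytes] = {}
        for i in range(n):
            ma = f"{tag}/A/{i}".encode()
            mb = f"{tag}/B/{i}".encode()
            mc = f"{tag}/C/{i}".encode()
            a_list.append((prefix_bits(ma, nbits), ma))
            b_list.append((prefix_bits(mb, nbits), mb))
            c_table[prefix_bits(mc, nbits)] = mc  # prefix -> message
        # Quadratic step: ~N^2 table lookups, each costing O(1).
        for ha, ma in a_list:
            for hb, mb in b_list:
                mc = c_table.get(ha ^ hb)
                if mc is not None:
                    return ma, mb, mc
        n *= 2


if __name__ == "__main__":
    width = 24
    x, y, z = find_3xor(width)
    for m in (x, y, z):
        print(m.decode(), hashlib.sha256(m).hexdigest()[: width // 4])
    print("verified:", verify_triple(x, y, z, width))
```

With N = 2^(n/3) lists, the pair loop costs about 2^(2n/3) lookups: trivial at n = 24, but roughly 2^85 at n = 128, which is why a 128-bit instance needs the better 3XOR algorithms and the ASIC-accelerated hashing the abstract refers to rather than this baseline.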

Category / Keywords: implementation / 3XOR, Generalized Birthday Paradox, Brute-force, Implementation, Hardware, ASIC, bitcoin hardware

Original Publication (in the same form): Parallel Computing

Date: received 26 Jun 2021

Contact author: charles bouillaguet at lip6 fr


Version: 20210629:114750

Short URL: ia.cr/2021/886
