SHA-256SW Collision Demonstrator (Exploiting Linear Flaw)

This interactive tool demonstrates collision attacks on a SPECIFICALLY FLAWED version of SHA-256, which we refer to as "SHA-256SW". This variant incorporates a critical linear copying flaw within its internal state updates: hs_b[i+20] = hs_b[i+4].

The inclusion of this flaw fundamentally breaks the avalanche effect and dramatically reduces the collision resistance. While finding a full 256-bit collision in a web browser remains computationally infeasible, this demo performs Birthday Attacks to find a collision for a reduced hash size (e.g., the first 16 to 36 bits of the output). The underlying weakness of SHA-256SW means that even generic attacks are vastly more successful and faster than they would be against a secure hash, vividly demonstrating the catastrophic impact of such a design flaw.

Collision Search Configuration

For Pure Birthday: Max total hashes. For Structured Birthday: Max number of "base message families" to generate.

Setting `Maximum Attempts` too high can freeze your browser if a collision isn't found quickly, especially for higher bit targets.

0%
Ready.

The Attack Methods Explained

The SHA-256SW implementation targeted by this demo contains a critical line within its 64-round compression function:
if (i < 48) { hs_b[i + 20] = hs_b[i + 4]; }

In this specific SHA-256SW variant, the hs_b array serves a dual role, functioning both as part of the evolving internal state registers (similar to e, f, g, h in standard SHA-256) and as a modified message schedule. The term hs_b[i+4] effectively represents a crucial word derived from the state or message schedule at the current round i.

The Core Vulnerability: Linear Copying

The line hs_b[i + 20] = hs_b[i + 4] dictates that the exact value of hs_b[i+4] is directly copied, without any non-linear mixing, additions, or dependence on other state bits, to a position 16 steps later in the hs_b array. This copied value will then be used in computations 16 rounds later.

This direct, linear copy is a profound cryptographic weakness for several key reasons:

  1. Destroys Diffusion (Avalanche Effect): A fundamental property of a secure hash function is the "avalanche effect," where a single bit change in the input (or internal state) causes unpredictable changes in roughly half of the output bits. The direct copy creates a "tunnel" through the hash function, allowing differences to propagate predictably instead of diffusing randomly and thoroughly.
  2. Enables Differential Cryptanalysis: Cryptanalysts can directly exploit this linearity. By carefully introducing a specific difference (Δ) at hs_b[i+4], they know that the exact same Δ will reappear predictably at hs_b[i+20], hs_b[i+36], and so on. This predictability allows them to design specific input pairs where these predictable differences can be made to cancel each other out over time, ultimately leading to hash collisions.
  3. Reduces Collision Resistance: For a 256-bit hash, finding a collision should require an infeasible number of attempts (approximately 2128). A flaw like this dramatically reduces the effective security level, often to a range like 260 to 280 for a full 256-bit collision. While still large, this is within the theoretical reach of determined, well-resourced attackers, unlike the truly astronomical 2128.

1. Pure Birthday Attack (Generic)

This attack is a generic collision-finding technique based purely on the Birthday Paradox. It generates random messages, computes their hashes, and stores them in a dictionary. A collision occurs by pure chance when a newly generated hash matches one already in storage. For an N-bit hash, the Birthday Paradox suggests that on average, approximately 2N/2 unique hashes need to be generated and stored before a collision is found.

While a full 256-bit collision would still be extremely difficult to find even with the flaw, a reduced 36-bit collision, for example, typically requires around 218 (262,144) unique hashes to be stored. This translates to a significantly larger number of total hash computations (often tens to hundreds of millions), as many generated hashes will not be unique or will not lead to an immediate collision. This attack vividly demonstrates the flaw by finding reduced-bit collisions much faster than would be possible against a secure hash function.

2. Structured Birthday Attack (Hybrid)

This attack combines the Birthday Paradox with specific knowledge of the SHA-256SW's linear flaw. Instead of generating purely random messages, it generates a "base" message and then creates a "family" of "neighbor" messages by applying carefully chosen bit differences to the base message. These differences are designed to exploit the predictable propagation caused by the hs_b[i+20] = hs_b[i+4] flaw.

By generating structured variants (e.g., single-bit flips and select multi-bit flips in specific message words), the attack vastly increases the likelihood of finding a collision within the "neighborhood" of related messages, or between a "neighbor" and a previously stored hash. This significantly accelerates the collision search for the same output bit length compared to a pure Birthday Attack, as it doesn't rely solely on pure chance but guides the search towards vulnerable regions in the hash function's output space. It demonstrates that the flaw allows for more targeted and efficient attacks than just generic brute force.