Why haven't any SHA-256 collisions been found yet?

Question

I've been thinking about this for a few days, a SHA-256 algorithm outputs 64 characters which can either be a lowercase letter or a number from 0-9. Which should mean that there are 64^36 distinct SHA-256 results.

How has a collision never been found? If I decide to find the hash for a random input of increasing length I should find a collision eventually, even if it takes years. I imagine this can also be done where the input is a large file and you just change one byte and calculate the hashes until you find a collision. Why hasn't' this happened?

Answer 1

I think you underestimate just how large $2^{256} \gg 64^{36}$ is.

How has a collision never been found?

It will take a very, very, very, $\text{very}^{\text{very}}$ long time to find one. For comparison, as of January 2015, Bitcoin was computing 300 quadrillion SHA-256 hashes per second. That's $300 \times 10^{15}$ hashes per second.

Let's say you were trying to perform a collision attack and would "only" need to calculate $2^{128}$ hashes. At the rate Bitcoin is going, it would take them

$2^{128} / (300 \times 10^{15} \cdot 86400 \cdot 365.25) \approx 3.6 \times 10^{13}$ years. In comparison, our universe is only about $13.7 \times 10^9$ years old. Brute-force guessing is not a practical option.

Answer 2

Well, it might be possible that a SHA-256 collision has happened by accident, but since it was by accident we don't know about it. It's possible that two or more inputs have been used to get the same output, but no one did it on purpose meaning no one ever realized. It's interesting to think about it like that.

Answer 3

There's already the first practical SHA-256 collision for 31 rounds shown on #fse2024. You're safe... for now, as normal SHA-256 hashing should have at least 64 rounds, but still result shown is quite scary.

• https://news.ycombinator.com/item?id=39836046
• https://bsky.app/profile/retr0.id/post/3konobbmf6o2a
• POC for 31 rounds https://gist.github.com/DavidBuchanan314/aa9ab4265fe402ab86399b5f9da82888

Answer 4

This is a comment more than answer 1-There is a slight divide mistake in the given answer ... the number ~3.6•10¹³ is on days, ie before dividing by 365.25. When we divide by 365.25 it becomes ~10¹¹ yrs (I approximate 2¹⁰=1024~10³, so 2¹²⁸~256•10³⁶ 256•10³⁶/[3•10²•10¹⁵•864•10²] ~256•10¹⁷/(3•864) ~10¹⁶ days ~3•10¹³ years)

»»»»»Apologies I am the wrong one here

2-These numbers has changed from 2017 till now https://www.blockchain.com/charts/hash-rate https://ycharts.com/indicators/bitcoin_network_hash_rate#:~:text=Basic%20Info,9.82%25%20from%20one%20year%20ago. The previously 300*10¹⁵ is now 121.88•10⁶•10¹²= 121.88•10¹⁸

3-The resulting number being down by ~10³ ie ~3•10¹⁰ yrs still safe ofcourse, but I think the risk could come from analytical attacks too, Differential attacks I mean (I've always been impressed by their old S-boxes story with DES)

4-I just found this paper today (while editing the answer) but I have no access to it's full version https://dl.acm.org/doi/abs/10.1145/3409501.3409513

-What if someone like entering previously hashed data as a learning/training set into an AI system for example??? In fact the AI thought just crossed my mind in this very moment. (If we humans cannot analyze some patterns, doesn't mean AI can't)

5-From a new brute force paper HAL Id: hal-02306904 https://hal.archives-ouvertes.fr/hal-02306904v2 The actual computation was done on aging hardware. It required 7 calendar months using two obsolete second-hand bitcoin mining devices converted into “useful” computational devices. A second step required 570 CPU-years on an 8-year old IBM BlueGene/Q computer, a few weeks before it was scrapped. To the best of our knowledge, this is the first practical 128-bit collision-like result obtained by brute-force, and it is the first bitcoin miner-accelerated computation

6-I think it maybe useful also to bring Justin Drake estimation to the discussion too, evaluating his words with the conflicts of interest in mind ofcourse (mins 29-32) https://podcasts.google.com/feed/aHR0cHM6Ly9icmVha2Rvd25zLmxpYnN5bi5jb20vcnNz/episode/ZjJkZGY1M2MtZjMzYy00N2M4LWFlNWItYzMxY2ZlYTk0ZDQ1?ep=14

Sorry if this kind of brainstorming more than an answer