Running one-block SHA-256 in reverse

Assume N rounds, t = 0:(N-1), with Kt unknown/secret for t = 0:7

a-h values are shown at the end of a round:

          H0      H1      H2      H3      H4      H5      H6      H7
t = 0     a       b       c       d       e       f       g       h
...
t = 7     a       b       c       d       e       f       g       h
...
t = N-2   a       b       c       d       e       f       g       h
           \       \       \       \       \       \       \
            \       \       \       \       \       \       \
             \       \       \       \       \       \       \
    T1+T2     \       \       \   +T1 \       \       \       \
               \       \       \       \       \       \       \
                \       \       \       \       \       \       \
                 \       \       \       \       \       \       \
t = N-1   a       b       c       d       e       f       g       h
        + H0      H1      H2      H3      H4      H5      H6      H7
---------------------------------------------------------------------
          out0    out1    out2    out3    out4    out5    out6    out7

T1 = h + func(e,f,g) + Kt + Wt
T2 = func(a,b,c)
h = g
g = f
f = e
e = d + T1
d = c
c = b
b = a
a = T1 + T2

H0-H7 are known constants, so given out0-out7 we can subtract H0-H7 and recover a-h at the end of round N-1.

Given a-h at the end of round N-1, we can recover a-g at the end of round N-2:

  Round N-2 a,b,c e,f,g are equal to round N-1 b,c,d f,g,h
  Round N-1 T2 can be computed from round N-2 a,b,c
  Round N-1 T1 can be recovered from round N-1 a:
      a = T1 + T2  ==>>  T1 = a - T2
  Round N-2 d can be recovered from round N-1 T1 and e:
      e = d + T1  ==>>  d = e - T1

If Kt is known we can also recover round N-2 h from T1:

      T1 = h + func + Kt + Wt  ==>>  h = T1 - func - Kt - Wt

Given round N-1 a-h and known Kt we can recover rounds N-2, N-3, ... a-h back to the output of round 7.

If Kt is unknown/secret for rounds 0-7 we can not continue in reverse past round 7. But we can take the now known output of round 7, change the input data W8-W15, and run the hash in the forward direction, creating a valid hash output with changed input data.
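
The recovery steps above, carried through in Python as an added example (not code from the original page). It assumes N = 64 and known W0-W7; the round constants K are constructed stand-ins rather than the real SHA-256 table, with K[0:8] playing the secret ones, and all function names are hypothetical.

```python
MASK = 0xFFFFFFFF
N = 64
H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
     0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]  # SHA-256 H0-H7
# Constructed stand-in constants, NOT the real SHA-256 K table; K[0:8] play the secret ones.
K = [(0x9E3779B9 * (t + 1)) & MASK for t in range(N)]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def func_efg(e, f, g):  # Sigma1(e) + Ch(e,f,g)
    return (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g & MASK))

def func_abc(a, b, c):  # Sigma0(a) + Maj(a,b,c)
    return (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))

def schedule(w16):  # expand W0-W15 to W0-W(N-1)
    w = list(w16)
    for t in range(16, N):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    return w

def forward(state, w, start, stop=N):  # run rounds start..stop-1
    a, b, c, d, e, f, g, h = state
    for t in range(start, stop):
        t1 = (h + func_efg(e, f, g) + K[t] + w[t]) & MASK
        t2 = func_abc(a, b, c) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [a, b, c, d, e, f, g, h]

def add_h(state):  # final feed-forward: out = a-h + H0-H7
    return [(x + hv) & MASK for x, hv in zip(state, H)]

def backward(out, w, stop):  # from out0-out7 back to the end of round stop-1
    a, b, c, d, e, f, g, h = [(o - hv) & MASK for o, hv in zip(out, H)]
    for t in range(N - 1, stop - 1, -1):
        pa, pb, pc, pe, pf, pg = b, c, d, f, g, h       # shifted values
        t1 = (a - func_abc(pa, pb, pc)) & MASK          # T1 = a - T2
        pd = (e - t1) & MASK                            # d = e - T1
        ph = (t1 - func_efg(pe, pf, pg) - K[t] - w[t]) & MASK
        a, b, c, d, e, f, g, h = pa, pb, pc, pd, pe, pf, pg, ph
    return [a, b, c, d, e, f, g, h]

W = [(0x01010101 * i) & MASK for i in range(16)]        # constructed input block
out = add_h(forward(H, schedule(W), 0))
state7 = backward(out, schedule(W), 8)                  # touches only K[8:]
W2 = W[:8] + [w ^ 0xFFFF for w in W[8:]]                # same W0-W7, changed W8-W15
out2 = add_h(forward(state7, schedule(W2), 8))
```

Here state7 equals the state at the end of round 7 of the original computation, and out2 equals the output a holder of K0-K7 would compute for the changed block W2.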