SAT solving SHA256 is a dead end - I was researching this for the purpose of Bitcoin mining (before this article came out), along with many others, for profit.<p>SAT solving typically relies on reducing a function down to boolean expressions where clauses are minimally connected with AND operations (a.k.a. Conjunctive Normal Form).<p>The math basis for this is that in GF2 (Galois Field 2 - a number system with only 2 values):<p><pre><code> AND is equivalent to Multiply (1 * 1 = 1; 1 * 0 = 0, etc.)
XOR is equivalent to Addition (1 + 1 = 0; 0 + 1 = 1, etc.)
</code></pre>
This is useful because we can re-express a boolean function as multiplication and addition for complexity analysis.<p>The difficulty comes when you mix AND and XORs; take the Ch function within SHA256 -<p><pre><code> Ch(E, F, G) == (E & F) | (~E & G)
</code></pre>
Which can be rewritten as:<p><pre><code> Ch(E, F, G) == (((F ^ G) & E) ^ F)
</code></pre>
Rewritten in GF2 it is equivalent to:<p><pre><code> Ch(E, F, G) == ((F + G) * E) + F
</code></pre>
Because of distributive laws, we know there is zero way to simplify this further.<p>Its trivial to see that to work backwards, you have to "consider" way more input combinations for every known output. Even if the output is 0 (which you want when Bitcoin mining), you have this problem where there are 4 possible input combinations.<p>Now unroll the entire SHA256d function Bitcoin uses and you realize the effort to work backwards is far more than the effort to brute-force the input keyspace. This explosion in complexity comes from the fact that the whole function feeds forward, so there is little that can be done to "resolve out" intermediate values as there are no cyclic value dependencies.<p>SHA256d is effectively a giant rat's nest of multiplies and adds, all stacked on top of each other, that cannot be reduced, due to distributive laws.