Analysis of Step-Reduced SHA-256, http://eprint.iacr.org/2008/130 Collisions and other Non-Random Properties for Step-Reduced SHA-256, http://eprint.iacr.org/2008/131 Attacking Reduced Round SHA-256, http://eprint.iacr.org/2008/142 Very brief summary: Attacks are feasible against just over 1/3 of the 64 rounds (meaning if you reduce SHA-256 to 23 or 24 rounds, it's vulnerable). That number is slowly creeping upwards. Peter.