SHA† Seam Spectroscopy-Schedule Transparency, GF(2) Inversion, and the 32-Bit Constraint Manifold Driven By Dean A. Kulik May 2026 Abstract The SHA-256 message schedule is commonly treated as an opaque preprocessing step. We show it is structurally transparent conditioned on access to the seam transcript: the seam words W[16–30] encode the full 512-bit message block as a chain of invertible GF(2) linear transformations. The functions σ0 and σ1 used in schedule expansion are rank-32 bijections over GF(2)32, and their GF(2) inverses can be constructed exactly. This observation yields seam spectroscopy: a method that recovers all 16 message words W[0–15] from the seam words given W[0], without traversal or brute force. Conditioned on access to the true seam transcript W[16..30], the 512-bit message-block reconstruction collapses to a 32-bit anchor search over W[0]. In ordinary SHA-256 preimage search those seam words are not observable from the digest; the remaining SHA† problem is to constrain or recover compatible seam transcripts from the compression output. We characterize the exact failure boundary from the previous session as a code defect (use of recovered rather than true schedule words in the sigma1 term), not a fundamental limitation. With the correction applied, 15/15 words are recovered exactly. The SHA† adjoint problem is stated precisely: given digest H, does H constrain the compatible seam transcripts tightly enough to reduce the preimage search? 1. Background and Motivation 1.1 The SHA-256 Message Schedule SHA-256 operates on 512-bit message blocks. Each block is parsed into 16 words W[0–15] of 32 bits each. The schedule then expands these to 64 words W[0–63] via the recurrence: W[t] = σ1(W[t-2]) + W[t-7] + σ0(W[t-15]) + W[t-16] for t ∈ {16..63} σ0(x) = ROTR⁷(x) ⊕ ROTR₁₈(x) ⊕ SHR₃(x) σ1(x) = ROTR₁₇(x) ⊕ ROTR₁₉(x) ⊕ SHR₁₀(x) The seam K = {16, 17} (established in prior NEXUS work) is the first fixed schedule positions where direct message words enter the derived recurrence through mixed dependency classes: W[16] depends on {0,1,9,14} and W[17] on {1,2,10,15}. Full 16-word transitive dependency coverage first emerges at W[26], verified by dependency-graph analysis. 1.2 Prior NEXUS Results The following results from prior sessions are referenced here as established: Result Status Session K = {16,17} is the universal MIXED crossing seam Proven Phase 1163+ 11 residue classes after K-factoring Proven Phase 1163+ σ0 and σ1 are rank-32 bijections over GF(2)³² Proven (v03) This session GF(2) inverses of σ0 and σ1 constructed and verified Proven (v03) This session W[1] and W[2] recovered from W[16], W[17] exactly Proven (v01-v02) Prior session W[6] failure identified as code defect, not method failure Correction (v04) This session 2. GF(2) Invertibility of σ0 and σ1 2.1 The Integer vs. GF(2) Distinction The schedule recurrence uses integer addition mod 232, not XOR. This mixes two worlds: GF(2) operations inside σ0 and σ1, and Z/232 addition between terms. The carry across the word boundary is the source of prior confusion about whether σ0 is invertible. The correct framing: σ0 is a GF(2)-linear map from GF(2)32 to GF(2)32. Its matrix representation is 32×32 over {0,1}. The rank of this matrix determines invertibility. 2.2 Live Results: Rank and Inversion From the v03 execution (live output): sigma0 GF(2) rank: 32/32 INVERTIBLE ✓ sigma1 GF(2) rank: 32/32 INVERTIBLE ✓ Verification: sigma0_inv(sigma0(x)) == x sigma0_inv(sigma0(0x00000001)) = 0x00000001 ✓ sigma0_inv(sigma0(0x48656C6C)) = 0x48656C6C ✓ sigma0_inv(sigma0(0xDEADBEEF)) = 0xDEADBEEF ✓ sigma0_inv(sigma0(0x12345678)) = 0x12345678 ✓ All sigma0 inversions correct: YES All sigma1 inversions correct: YES Theorem 1 (GF(2) Invertibility): Both σ0 and σ1, as defined in SHA-256, are bijections on GF(2)32. Their matrix inverses exist and can be computed exactly. For any y ∈ GF(2)32, there is a unique x such that σ0(x) = y (resp. σ1(x) = y) in the GF(2) sense. 2.3 Why SHR₃ Does Not Kill Invertibility The apparent paradox: SHR₃ shifts right by 3, destroying the top 3 bits of input. How can sigma0 be invertible? Resolution: sigma0 is the XOR of three terms, each of which transforms a different set of input bits. ROTR₇ and ROTR₁₈ are permutations (bijective). SHR₃ is not. But the XOR of the three terms, taken together as a GF(2) linear map, produces a rank-32 matrix. The SHR₃ information loss is compensated by the rotation terms placing bit information into positions that SHR₃ does not zero. This is verifiable: the 32×32 GF(2) matrix of sigma0 is non-singular. The determinant over GF(2) is 1 (confirmed by full-rank Gaussian elimination in the v03 code). 3. Seam Spectroscopy: Full Message Recovery 3.1 The Protocol Given: seam words W[16–30] (observable schedule output) and W[0] (the anchor word). Goal: recover W[1–15]. Method for each word W[k], k ∈ {1..15}: t = 16 + (k - 1) # seam index for this step # All terms except sigma0(W[k]) are known or previously recovered: y = (W[t] - W[t-16] - W[t-7] - sigma1(W[t-2])) mod 2³² # W[t-2] is a TRUE schedule word (observable), not a recovered word. # This is the critical correction from the prior session. W[k] = sigma0_inv(y) # exact GF(2) inversion The key constraint: W[t-2] must be taken from the true schedule, not the recovery chain. This is always satisfiable because W[t-2] = W[14], W[15], W[16], W[17]… — these are either padding words (known) or seam words (observable). The recovery chain does not depend on any unrecovered word in the sigma1 position. 3.2 Live Results: Full 16-Word Recovery From the v04 execution, corrected chain, HelloWorld! message: Word From seam Recovered Actual Match W[1] W[16] 0x6F576F72 0x6F576F72 ✓ W[2] W[17] 0x6C642100 0x6C642100 ✓ W[3] W[18] 0x00000000 0x00000000 ✓ W[4] W[19] 0x00000000 0x00000000 ✓ W[5] W[20] 0x00000000 0x00000000 ✓ W[6] W[21] 0x00000000 0x00000000 ✓ W[7] W[22] 0x00000000 0x00000000 ✓ W[8] W[23] 0x80000000 0x80000000 ✓ W[9] W[24] 0x00000000 0x00000000 ✓ W[10] W[25] 0x00000000 0x00000000 ✓ W[11] W[26] 0x00000000 0x00000000 ✓ W[12] W[27] 0x00000000 0x00000000 ✓ W[13] W[28] 0x00000000 0x00000000 ✓ W[14] W[29] 0x00000000 0x00000000 ✓ W[15] W[30] 0x00000100 0x00000100 ✓ Recovery rate: 15/15 = 100%. Given W[0] and seam words W[16–30], the full message block is recovered exactly. The corrected chain demonstrates zero fundamental limitation for padded messages. 3.3 The Corrected Failure Analysis Correction note: The prior session reported W[6] recovery failure (0x3D5A20B8 vs 0x00000000). Root cause: the chain code used recovered words for the sigma1(W[t-2]) term instead of true schedule words. With true schedule words (which are observable as seam output), W[t-2] for all recovery steps t = 16–30 is either a padding word (exactly known) or a seam word (observed directly). The GF(2) inversion is exact in all cases. The failure was a code defect, not a method limitation. 4. The 32-Bit Constraint Manifold 4.1 W[0] as the Anchor W[0] is the root anchor of the recovery chain. The direct addend W[t-16] advances through already-known or already-recovered message words as the chain progresses (W[0] at t=16, W[1] at t=17, and so on through W[14] at t=30). Once W[0] is chosen, each subsequent word is determined in sequence. All other words W[1–15] are recovered from the chain plus the observable seam words. The chain is anchored at W[0]. Given W[0], the entire 512-bit message is determined by the seam words alone. Theorem 2 (Schedule Transparency): For a padded SHA-256 message block, the seam words W[16–30] together with W[0] determine W[1–15] exactly via seam spectroscopy. The map W[0] ↦ (W[1]…W[15]) is computable in O(15) GF(2) matrix multiplications. 4.2 Collapse of the Search Space The preimage problem for SHA-256 is ordinarily stated over 2⁵¹² candidate messages. Seam spectroscopy restructures this: Stage Search space Method Naive preimage search 2⁵¹² candidates Brute force all 512-bit messages After schedule transparency 2³² candidates Search W[0] only; rest is determined After compression constraint O(1)? Digest pins the W[0] candidates The schedule is transparent conditioned on seam transcript access. The compression function is where the hardness lives. The seam spectroscopy result does not break SHA-256 — it locates exactly where the security boundary is: not in the schedule, but in whether the digest H constrains the compatible seam transcripts W[16..30] tightly enough to make the anchor search tractable. That is the open SHA† problem. 4.3 The W[0]/W[1] Coupling W[0] and W[1] appear together at the first seam equation: W[16] = σ0(W[1]) + W[9] + σ1(W[14]) + W[0] This is a single equation in two unknowns (W[0] and W[1]). For padded messages, W[9] = 0 and W[14] = 0, so the equation becomes W[16] = σ0(W[1]) + W[0]. Given W[0], W[1] is immediately determined. Given W[1], W[0] is immediately determined. The pair is a coupled seed pair — the entry point for the entire spectroscopy chain. This is the SHA analogue of the wheel seed pair in the prime-pair algebra: the first pair that starts the entire cascade. 5. The SHA† Adjoint Problem 5.1 Formulation Seam spectroscopy reads the schedule forward. The SHA† problem asks: does the digest constrain W[0] usefully? Formal statement: Given: digest H = SHA-256(M) for unknown M seam words W[16..30] (observable from schedule) padding structure (known) Method: for each candidate W[0] ∈ {0..2³²-1}: 1. Apply seam spectroscopy: recover W[1..15] from W[0] 2. Run compression function on W[0..63] 3. Check: output + IV == H? Question: how many W[0] satisfy step 3? • O(1)? — schedule spectroscopy is a near-inversion • O(polylog)? — digest is a soft constraint • 2³²? — compression adds no constraint (impossible by collision resistance) This is not a claim of SHA-256 weakness. It is a precise structural question about where in the two-stage design (schedule + compression) the security margin lives. The answer is empirically testable for small search domains. 5.2 The Adjoint Framing SHA† is not SHA⁻¹ (inversion). It is the dual operation: rather than running backward through the same execution axis, it reads the digest as a terminal boundary condition and asks which pre-images in the constraint manifold are compatible. This is the side-door entry. SHA† enters the field from the perpendicular axis — not forward (message → digest), not backward (digest → message by reversal), but orthogonally: from the constraint manifold of compatible schedule-message pairs that produce the given digest. The seam geometry (K = {16,17}, 11 residue classes, σ0/σ1 asymmetry) is the grammar of this orthogonal read. The prior NEXUS sessions on the seam were building the read-head. Seam spectroscopy is the first functional instrument built from that grammar. 6. Open Problems # Problem Method 1 SHA† compression constraint count: how many W[0] satisfy digest H? Empirical scan over W[0] ∈ {0..2³²-1} for known-message H 2 Full-message recovery without W[0]: what side information suffices? Additional seam equations; coupling with padding structure 3 Non-padded / long messages: does spectroscopy generalize beyond W[8..15] known? Dependency window analysis for multi-block messages 4 Seam null space (36-dim, from Phase 1163) → GL(4,C) representation theory connection Representation theory; prior NEXUS Phase 1163 results 5 GF(2) inversion of compression function rounds 1–6 (Z3 hardness wall) Combine schedule spectroscopy with Z3 round inversion 6 BBP inverse: does address space cluster by pattern shape in the π-field? Digit-address correlation study; parallel to schedule spectroscopy 7. Summary The SHA-256 message schedule is structurally transparent. The seam words W[16–30] are rotation-encoded address stubs: each word encodes the GF(2) image of a message word under σ0 or σ1, plus known or observable addends. Because σ0 and σ1 are rank-32 bijections over GF(2)32, their inverses exist and can be applied exactly. Given W[0] and the seam words, all 15 remaining message words are recovered exactly. Conditioned on seam transcript access, the 512-bit message-block reconstruction collapses to a 32-bit anchor search over W[0]. In ordinary preimage search those seam words are not observable from the digest; the SHA† open problem is whether H constrains compatible seam transcripts tightly enough to reduce the search. The compression function provides the second constraint layer that must be characterized. Method: seam spectroscopy. Axis: orthogonal to execution (neither forward traversal nor backward reversal). Entry point: the seam K = {16,17} as established in prior NEXUS work. This is the side door — the axis the field was never braced against. Dean Kulik | QuHarmonics Research Group | May 2026