[kzrdude]

so the puzzle author could "cheat" and just present a 256-bit number and not know the preimage at all, which would be a fun shortcut.

[mulmen]

Huh, I realize I don’t know the answer to this seemingly simple question. Are all 256 bit vectors valid sha-256 hashes?

[talkin]

Yes.

In a secure hash function, all output bits are without bias. So all combinations exist.

[kzrdude]

Sounds like the ideal. Can we prove that sha256 has this property?

[thaumasiotes]

Probably not. The point of a cryptographic hash function is to be resistant to analysis.

Can we prove it has the much simpler property that toggling one bit of the input will, on average, toggle half of the bits in the output? (Probably not.)

[AdamJacobMuller]

Depends how you define "prove"

If you calculate a billion sha256 hashes and look at the results you'll have an even enough distribution to say it's proven, but, it's not "mathematically" proven.