Hubbry Logo
SHA-2SHA-2Main
Open search
SHA-2
Community hub
SHA-2
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
SHA-2
SHA-2
SHA-2
View on Wikipedia
from Wikipedia
Secure Hash Algorithms
Concepts
hash functions, SHA, DSA
Main standards
SHA-0, SHA-1, SHA-2, SHA-3
SHA-2
General
DesignersNational Security Agency
First published2001; 24 years ago (2001)
Series(SHA-0), SHA-1, SHA-2, SHA-3
CertificationFIPS PUB 180-4, CRYPTREC, NESSIE
Detail
Digest sizes224, 256, 384, or 512 bits
StructureMerkle–Damgård construction with Davies–Meyer compression function
Rounds64 or 80
Best public cryptanalysis
A 2011 attack breaks preimage resistance for 57 out of 80 rounds of SHA-512, and 52 out of 64 rounds for SHA-256.[1] Pseudo-collision attack against up to 46 rounds of SHA-256.[2]

SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001.[3][4] They are built using the Merkle–Damgård construction, from a one-way compression function itself built using the Davies–Meyer structure from a specialized block cipher.

SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits:[5] SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. SHA-256 and SHA-512 are hash functions whose digests are eight 32-bit and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are truncated versions of SHA-256 and SHA-512 respectively, computed with different initial values. SHA-512/224 and SHA-512/256 are also truncated versions of SHA-512, but the initial values are generated using the method described in Federal Information Processing Standards (FIPS) PUB 180-4.

SHA-2 was first published by the National Institute of Standards and Technology (NIST) as a U.S. federal standard. The SHA-2 family of algorithms are patented in the U.S.[6] The United States has released the patent under a royalty-free license.[5]

As of 2011 the best public attacks break preimage resistance for 52 out of 64 rounds of SHA-256 or 57 out of 80 rounds of SHA-512, and collision resistance for 46 out of 64 rounds of SHA-256.[1][2][needs update]

Hash standard

[edit]
One iteration in a SHA-2 family compression function. The blue components perform the following operations:
    
    
    
    
The bitwise rotation uses different constants for SHA-512. The given numbers are for SHA-256.
The red is addition modulo 232 for SHA-256, or 264 for SHA-512.

With the publication of FIPS PUB 180-2, NIST added three additional hash functions in the SHA family. The algorithms are collectively known as SHA-2, named after their digest lengths (in bits): SHA-256, SHA-384, and SHA-512.

The algorithms were first published in 2001 in the draft FIPS PUB 180-2, at which time public review and comments were accepted. In August 2002, FIPS PUB 180-2 became the new Secure Hash Standard, replacing FIPS PUB 180-1, which was released in April 1995. The updated standard included the original SHA-1 algorithm, with updated technical notation consistent with that describing the inner workings of the SHA-2 family.[4]

In February 2004, a change notice was published for FIPS PUB 180-2, specifying an additional variant, SHA-224, defined to match the key length of two-key Triple DES.[7] In October 2008, the standard was updated in FIPS PUB 180-3, including SHA-224 from the change notice, but otherwise making no fundamental changes to the standard. The primary motivation for updating the standard was relocating security information about the hash algorithms and recommendations for their use to Special Publications 800-107 and 800-57.[8][9][10] Detailed test data and example message digests were also removed from the standard, and provided as separate documents.[11]

In January 2011, NIST published SP800-131A, which specified a move from the then-current minimum of 80-bit security (provided by SHA-1) allowable for federal government use until the end of 2013, to 112-bit security (provided by SHA-2) being both the minimum requirement (starting in 2014) and the recommended security level (starting from the publication date in 2011).[12]

In March 2012, the standard was updated in FIPS PUB 180-4, adding the hash functions SHA-512/224 and SHA-512/256, and describing a method for generating initial values for truncated versions of SHA-512. Additionally, a restriction on padding the input data prior to hash calculation was removed, allowing hash data to be calculated simultaneously with content generation, such as a real-time video or audio feed. Padding the final data block must still occur prior to hash output.[13]

In July 2012, NIST revised SP800-57, which provides guidance for cryptographic key management. The publication disallowed creation of digital signatures with a hash security lower than 112 bits after 2013. The previous revision from 2007 specified the cutoff to be the end of 2010.[10] In August 2012, NIST revised SP800-107 in the same manner.[9]

In March 2023, NIST announced its decision to revise FIPS 180-4.[14] FIPS 180-5 will remove the SHA-1 specification, add guidance from SP 800-107, and include editorial updates.

The NIST hash function competition selected a new hash function, SHA-3, in 2012.[15] The SHA-3 algorithm is not derived from SHA-2.

Applications

[edit]
Further information: Cryptographic hash function § Applications

The SHA-2 hash function is implemented in some widely used security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec. The inherent computational demand of SHA-2 algorithms has driven the proposal of more efficient solutions, such as those based on application-specific integrated circuits (ASICs) hardware accelerators.[16]

SHA-256 is used for authenticating Debian software packages[17] and in the DKIM message signing standard; SHA-512 is part of a system to authenticate archival video from the International Criminal Tribunal of the Rwandan genocide.[18] SHA-256 and SHA-512 are used in DNSSEC.[19] Linux distributions usually use 512-bit SHA-2 for secure password hashing.[20][21]

Several cryptocurrencies, including Bitcoin, use SHA-256 for verifying transactions and calculating proof of work[22] or proof of stake.[23] The rise of ASIC SHA-2 accelerator chips has led to the use of scrypt-based proof-of-work schemes.

In both 4G and 5G mobile networks, HMAC-SHA-256 is utilized as a key derivation function (KDF) to generate cryptographic keys essential for securing communications. This process is defined in the 3rd Generation Partnership Project (3GPP) Technical Specifications TS 33.401[24] and TS 33.501[25], which outline the security architecture and procedures for these networks.

SHA-1, SHA-2, and SHA-3 are the Secure Hash Algorithms required by law for use in certain U.S. Government applications, including use within other cryptographic algorithms and protocols, for the protection of sensitive unclassified information. FIPS PUB 180-1 also encouraged adoption and use of SHA-1 by private and commercial organizations. SHA-1 is being retired for most government uses; the U.S. National Institute of Standards and Technology says, "NIST recommends that federal agencies transition away from SHA-1 for all applications as soon as possible. Federal agencies should use SHA-2 or SHA-3 as an alternative to SHA-1.".[26] NIST's directive that U.S. government agencies ought to, but not explicitly must, stop uses of SHA-1 after 2010[27] was hoped to accelerate migration away from SHA-1.

The SHA-2 functions were not quickly adopted initially, despite better security than SHA-1. Reasons might include lack of support for SHA-2 on systems running Windows XP SP2 or older[28] and a lack of perceived urgency since SHA-1 collisions had not yet been found. The Google Chrome team announced a plan to make their web browser gradually stop honoring SHA-1-dependent TLS certificates over a period from late 2014 and early 2015.[29][30][31] Similarly, Microsoft announced[32] that Internet Explorer and Edge [Legacy] would stop honoring public SHA-1-signed TLS certificates from February 2017. Mozilla disabled SHA-1 in early January 2016, but had to re-enable it temporarily via a Firefox update, after problems with web-based user interfaces of some router models and security appliances.[33]

Cryptanalysis and validation

[edit]

For a hash function for which L is the number of bits in the message digest, finding a message that corresponds to a given message digest can always be done using a brute force search in 2L evaluations. This is called a preimage attack and may or may not be practical depending on L and the particular computing environment. The second criterion, finding two different messages that produce the same message digest, known as a collision, requires on average only 2L/2 evaluations using a birthday attack.

Some of the applications that use cryptographic hashes, such as password storage, are only minimally affected by a collision attack. Constructing a password that works for a given account requires a preimage attack, as well as access to the hash of the original password (typically in the shadow file) which may or may not be trivial. Reversing password encryption (e.g., to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash cannot prevent brute-force attacks on weak passwords.)

In the case of document signing, an attacker could not simply fake a signature from an existing document—the attacker would have to produce a pair of documents, one innocuous and one damaging, and get the private key holder to sign the innocuous document. There are practical circumstances in which this is possible; until the end of 2008, it was possible to create forged SSL certificates using an MD5 collision which would be accepted by widely used web browsers.[34]

Increased interest in cryptographic hash analysis during the SHA-3 competition produced several new attacks on the SHA-2 family, the best of which are given in the table below. Only the collision attacks are of practical complexity; none of the attacks extend to the full round hash function.

At FSE 2012, researchers at Sony gave a presentation suggesting pseudo-collision attacks could be extended to 52 rounds on SHA-256 and 57 rounds on SHA-512 by building upon the biclique pseudo-preimage attack.[35]

Published in Year Attack method Attack Variant Rounds Complexity
New Collision Attacks Against Up To 24-step SHA-2[36][37] 2008 Differential Collision SHA-256 24/64 215.5
SHA-512 24/80 222.5
Preimages for step-reduced SHA-2[38] 2009 Meet-in-the-middle Preimage SHA-256 42/64 2251.7
43/64 2254.9
SHA-512 42/80 2502.3
46/80 2511.5
Advanced meet-in-the-middle preimage attacks[39] 2010 Meet-in-the-middle Preimage SHA-256 42/64 2248.4
SHA-512 42/80 2494.6
Higher-Order Differential Attack on Reduced SHA-256[2] 2011 Differential Pseudo-collision SHA-256 46/64 2178
33/64 246
Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family[1] 2011 Biclique Preimage SHA-256 45/64 2255.5
SHA-512 50/80 2511.5
Pseudo-preimage SHA-256 52/64 2255
SHA-512 57/80 2511
Improving Local Collisions: New Attacks on Reduced SHA-256[40] 2013 Differential Collision SHA-256 31/64 265.5
Pseudo-collision SHA-256 38/64 237
Branching Heuristics in Differential Collision Search with Applications to SHA-512[41] 2014 Heuristic differential Pseudo-collision SHA-512 38/80 240.5
Analysis of SHA-512/224 and SHA-512/256[42] 2016 Differential Collision SHA-256 28/64 practical
SHA-512 27/80 practical
Pseudo-collision SHA-512 39/80 practical
New Records in Collision Attacks on SHA-2[43] 2024 Differential Collision SHA-256 31/64 249.8
SHA-512 31/80 2115.6
Pseudo-collision SHA-256 39/64 practical

Official validation

[edit]
Main article: Cryptographic Module Validation Program

Implementations of all FIPS-approved security functions can be officially validated through the CMVP program, jointly run by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE). For informal verification, a package to generate a high number of test vectors is made available for download on the NIST site; the resulting verification, however, does not replace the formal CMVP validation, which is required by law[citation needed] for certain applications.

As of December 2013, there are over 1300 validated implementations of SHA-256 and over 900 of SHA-512, with only 5 of them being capable of handling messages with a length in bits not a multiple of eight while supporting both variants.[44]

Test vectors

[edit]

Hash values of an empty string (i.e., a zero-length input text). 

SHA224("")
0x d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
SHA256("")
0x e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA384("")
0x 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
SHA512("")
0x cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
SHA512/224("")
0x 6ed0dd02806fa89e25de060c19d3ac86cabb87d6a0ddd05c333b84f4
SHA512/256("")
0x c672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967a

Even a small change in the message will (with overwhelming probability) result in a different hash, due to the avalanche effect. For example, adding a period to the end of the following sentence changes approximately half (111 out of 224) of the bits in the hash, equivalent to picking a new hash at random: 

SHA224("The quick brown fox jumps over the lazy dog")
0x 730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525
SHA224("The quick brown fox jumps over the lazy dog.")
0x 619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4c

Pseudocode

[edit]

Pseudocode for the SHA-256 algorithm follows. Note the great increase in mixing between bits of the w[16..63] words compared to SHA-1. 

Note 1: All variables are 32 bit unsigned integers and addition is calculated modulo 232
Note 2: For each round, there is one round constant k[i] and one entry in the message schedule array w[i], 0 ≤ i ≤ 63
Note 3: The compression function uses 8 working variables, a through h
Note 4: Big-endian convention is used when expressing the constants in this pseudocode,
    and when parsing message block data from bytes to words, for example,
    the first word of the input message "abc" after padding is 0x61626380

Initialize hash values:
(first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):
h0 := 0x6a09e667
h1 := 0xbb67ae85
h2 := 0x3c6ef372
h3 := 0xa54ff53a
h4 := 0x510e527f
h5 := 0x9b05688c
h6 := 0x1f83d9ab
h7 := 0x5be0cd19

Initialize array of round constants:
(first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311):
k[0..63] :=
   0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
   0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
   0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
   0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
   0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
   0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
   0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
   0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2

Pre-processing (Padding):
begin with the original message of length L bits
append a single '1' bit
append K '0' bits, where K is the minimum number >= 0 such that (L + 1 + K + 64) is a multiple of 512
append L as a 64-bit big-endian integer, making the total post-processed length a multiple of 512 bits
such that the bits in the message are: <original message of length L> 1 <K zeros> <L as 64 bit integer> , (the number of bits will be a multiple of 512)

Process the message in successive 512-bit chunks:
break message into 512-bit chunks
for each chunk
    create a 64-entry message schedule array w[0..63] of 32-bit words
    (The initial values in w[0..63] don't matter, so many implementations zero them here)
    copy chunk into first 16 words w[0..15] of the message schedule array

    Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array:
    for i from 16 to 63
        s0 := (w[i-15] rightrotate 7) xor (w[i-15] rightrotate 18) xor (w[i-15] rightshift 3)
        s1 := (w[i-2] rightrotate 17) xor (w[i-2] rightrotate 19) xor (w[i-2] rightshift 10)
        w[i] := w[i-16] + s0 + w[i-7] + s1

    Initialize working variables to current hash value:
    a := h0
    b := h1
    c := h2
    d := h3
    e := h4
    f := h5
    g := h6
    h := h7

    Compression function main loop:
    for i from 0 to 63
        S1 := (e rightrotate 6) xor (e rightrotate 11) xor (e rightrotate 25)
        ch := (e and f) xor ((not e) and g)
        temp1 := h + S1 + ch + k[i] + w[i]
        S0 := (a rightrotate 2) xor (a rightrotate 13) xor (a rightrotate 22)
        maj := (a and b) xor (a and c) xor (b and c)
        temp2 := S0 + maj
 
        h := g
        g := f
        f := e
        e := d + temp1
        d := c
        c := b
        b := a
        a := temp1 + temp2

    Add the compressed chunk to the current hash value:
    h0 := h0 + a
    h1 := h1 + b
    h2 := h2 + c
    h3 := h3 + d
    h4 := h4 + e
    h5 := h5 + f
    h6 := h6 + g
    h7 := h7 + h

Produce the final hash value (big-endian):
digest := hash := h0 append h1 append h2 append h3 append h4 append h5 append h6 append h7

The computation of the ch and maj values can be optimized the same way as described for SHA-1.

SHA-224 is identical to SHA-256, except that:

  • the initial hash values h0 through h7 are different, and
  • the output is constructed by omitting h7.
SHA-224 initial hash values (in big endian):
(The second 32 bits of the fractional parts of the square roots of the 9th through 16th primes 23..53)
h[0..7] :=
    0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4

SHA-512 is identical in structure to SHA-256, but:

  • the message is broken into 1024-bit chunks,
  • the initial hash values and round constants are extended to 64 bits,
  • there are 80 rounds instead of 64,
  • the message schedule array w has 80 64-bit words instead of 64 32-bit words,
  • to extend the message schedule array w, the loop is from 16 to 79 instead of from 16 to 63,
  • the round constants are based on the first 80 primes 2..409,
  • the word size used for calculations is 64 bits long,
  • the appended length of the message (before pre-processing), in bits, is a 128-bit big-endian integer, and
  • the shift and rotate amounts used are different.
SHA-512 initial hash values (in big-endian):

h[0..7] := 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, 
           0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179

SHA-512 round constants:

k[0..79] := 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 
            0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, 0x12835b0145706fbe, 
            0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 
            0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 
            0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, 0x983e5152ee66dfab, 
            0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725, 
            0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 
            0x53380d139d95b3df, 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b, 
            0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218, 
            0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 
            0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 
            0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec, 
            0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b, 0xca273eceea26619c, 
            0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, 0x0a637dc5a2c898a6, 
            0x113f9804bef90dae, 0x1b710b35131c471b, 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 
            0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817

SHA-512 Sum & Sigma:

S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)
S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)

s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)
s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)

SHA-384 is identical to SHA-512, except that:

  • the initial hash values h0 through h7 are different (taken from the 9th through 16th primes), and
  • the output is constructed by omitting h6 and h7.
SHA-384 initial hash values (in big-endian):

h[0..7] := 0xcbbb9d5dc1059ed8, 0x629a292a367cd507, 0x9159015a3070dd17, 0x152fecd8f70e5939, 
           0x67332667ffc00b31, 0x8eb44a8768581511, 0xdb0c2e0d64f98fa7, 0x47b5481dbefa4fa4

SHA-512/t is identical to SHA-512 except that:

  • the initial hash values h0 through h7 are given by the SHA-512/t IV generation function,
  • the output is constructed by truncating the concatenation of h0 through h7 at t bits,
  • t equal to 384 is not allowed, instead SHA-384 should be used as specified, and
  • t values 224 and 256 are especially mentioned as approved.
SHA-512/224 initial hash values (in big-endian):

h[0..7] := 0x8c3d37c819544da2, 0x73e1996689dcd4d6, 0x1dfab7ae32ff9c82, 0x679dd514582f9fcf, 
           0x0f6d2b697bd44da8, 0x77e36f7304C48942, 0x3f9d85a86a1d36C8, 0x1112e6ad91d692a1

SHA-512/256 initial hash values (in big-endian):

h[0..7] := 0x22312194fc2bf72c, 0x9f555fa3c84c64c2, 0x2393b86b6f53b151, 0x963877195940eabd, 
           0x96283ee2a88effe3, 0xbe5e1e2553863992, 0x2b0199fc2c85b8aa, 0x0eb72ddC81c52ca2


The SHA-512/t IV generation function evaluates a modified SHA-512 on the ASCII string "SHA-512/t", substituted with the decimal representation of t. The modified SHA-512 is the same as SHA-512 except its initial values h0 through h7 have each been XORed with the hexadecimal constant 0xa5a5a5a5a5a5a5a5.

Sample C implementation for SHA-2 family of hash functions can be found in RFC 6234.

Comparison of SHA functions

[edit]

In the table below, internal state means the "internal hash sum" after each compression of a data block.

Further information: Merkle–Damgård construction
Comparison of SHA functions
Algorithm and variant Output size
(bits) 		Internal
state size
(bits) 		Block size
(bits) 		Rounds Operations Security
(bits) 		Performance on Skylake (median cpb)[45] First published
Long messages 8 bytes
MD5 (as reference) 128 128
(4 × 32)		 512 4
(16 operations in each round)		 And, Xor, Or, Rot, Add (mod 232) ≤ 18
(collisions found)[46]		 4.99 55.00 1992
SHA-0 160 160
(5 × 32)		 512 80 And, Xor, Or, Rot, Add (mod 232) < 34
(collisions found)		 ≈ SHA-1 ≈ SHA-1 1993
SHA-1 < 63
(collisions found)[47]		 3.47 52.00 1995
SHA-2 SHA-224
SHA-256		 224
256		 256
(8 × 32)		 512 64 And, Xor, Or,
Rot, Shr, Add (mod 232)		 112
128		 7.62
7.63		 84.50
85.25		 2004
2001
SHA-384 384 512
(8 × 64)		 1024 80 And, Xor, Or,
Rot, Shr, Add (mod 264)		 192 5.12 135.75 2001
SHA-512 512 256 5.06 135.50 2001
SHA-512/224
SHA-512/256		 224
256		 112
128		 ≈ SHA-384 ≈ SHA-384 2012
SHA-3 SHA3-224
SHA3-256
SHA3-384
SHA3-512		 224
256
384
512		 1600
(5 × 5 × 64)		 1152
1088
832
576		 24[48] And, Xor, Rot, Not 112
128
192
256		 8.12
8.59
11.06
15.88		 154.25
155.50
164.00
164.00		 2015
SHAKE128
SHAKE256		 d (arbitrary)
d (arbitrary)		 1344
1088		 min(d/2, 128)
min(d/2, 256)		 7.08
8.59		 155.25
155.50

In the bitwise operations column, "Rot" stands for rotate no carry, and "Shr" stands for right logical shift. All of these algorithms employ modular addition in some fashion except for SHA-3.

More detailed performance measurements on modern processor architectures are given in the table below.

CPU architecture Frequency Algorithm Word size (bits) Cycles/byte x86 MiB/s x86 Cycles/byte x86-64 MiB/s x86-64
Intel Ivy Bridge 3.5 GHz SHA-256 32 16.80 199 13.05 256
SHA-512 64 43.66 76 8.48 394
AMD Piledriver APU 3.8 GHz SHA-256 32 22.87 158 18.47 196
SHA-512 64 88.36 41 12.43 292

The performance numbers labeled 'x86' were running using 32-bit code on 64-bit processors, whereas the 'x86-64' numbers are native 64-bit code. While SHA-256 is designed for 32-bit calculations, it does benefit from code optimized for 64-bit processors on the x86 architecture. 32-bit implementations of SHA-512 are significantly slower than their 64-bit counterparts. Variants of both algorithms with different output sizes will perform similarly, since the message expansion and compression functions are identical, and only the initial hash values and output sizes are different. The best implementations of MD5 and SHA-1 perform between 4.5 and 6 cycles per byte on modern processors.

Testing was performed by the University of Illinois at Chicago on their hydra8 system running an Intel Xeon E3-1275 V2 at a clock speed of 3.5 GHz, and on their hydra9 system running an AMD A10-5800K APU at a clock speed of 3.8 GHz.[49] The referenced cycles per byte speeds above are the median performance of an algorithm digesting a 4,096 byte message using the SUPERCOP cryptographic benchmarking software.[50] The MiB/s performance is extrapolated from the CPU clockspeed on a single core; real-world performance will vary due to a variety of factors.

Implementations

[edit]

Cryptography libraries that support SHA-2:

Hardware acceleration is provided by the following processor extensions:

See also

[edit]
Wikifunctions has an SHA-256 function.
Wikifunctions has an SHA-384 function.
Wikifunctions has an SHA-512 function.

References

[edit]

Further reading

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

SHA-2

View on Grokipedia
from Grokipedia
SHA-2 is a family of cryptographic hash functions developed by the (NSA) and first published by the National Institute of Standards and Technology (NIST) as part of the Secure Hash Standard (SHS) in Federal Information Processing Standard (FIPS) 180-2 in August 2002. These functions serve as one-way algorithms that produce fixed-size message digests to verify , support digital signatures, enable message codes, and contribute to pseudorandom number generation in cryptographic systems. The SHA-2 family includes six variants: SHA-224 and SHA-256, which operate on 32-bit words and produce 224-bit and 256-bit digests, respectively, with the SHA-256 digest consisting of 256 bits typically represented as 64 hexadecimal characters; SHA-384 and SHA-512, which use 64-bit words for 384-bit and 512-bit digests; and the truncated forms SHA-512/224 and SHA-512/256, which derive shorter digests from the SHA-512 computation for compatibility with legacy systems requiring specific output lengths. All variants follow an iterative Merkle–Damgård construction, preprocessing input messages through padding and parsing into blocks, then iteratively compressing them using bitwise operations, modular additions, and predefined constants derived from square roots of primes to ensure collision resistance and preimage resistance. Initial variants (SHA-256, SHA-384, SHA-512) were designed to provide security levels of 128, 192, and 256 bits, respectively, as successors to SHA-1 amid emerging concerns over its vulnerabilities, with SHA-224 added in 2004 via a change notice to FIPS 180-2 and the SHA-512 truncations incorporated in FIPS 180-4 in 2012. SHA-2 algorithms underpin numerous security protocols, including Transport Layer Security (TLS), Internet Protocol Security (IPsec), and blockchain technologies like Bitcoin, where SHA-256 is prominently used for transaction hashing. SHA-256 is also commonly used to verify the integrity and authenticity of files, including game ROMs in emulation contexts such as databases from No-Intro and Redump, where the hash is frequently described as consisting of 64 hexadecimal characters or "64 caracteres hexadecimales" or "64 dígitos hexadecimales" in Spanish-speaking communities. Despite theoretical attacks reducing the effective security of some variants in idealized models, no practical breaks have been demonstrated, maintaining their status as recommended standards for general-purpose hashing with output sizes of at least 256 bits. The family was later supplemented by SHA-3 in 2015 through a separate NIST competition, but SHA-2 remains widely deployed due to its efficiency on hardware and established ecosystem.

Introduction

Definition and Purpose

SHA-2 is a family of cryptographic hash functions designed by the National Security Agency (NSA) and first published by the National Institute of Standards and Technology (NIST) in 2002 as part of Federal Information Processing Standard (FIPS) 180-2. These one-way functions take an input message of arbitrary length and produce a fixed-size output known as a message digest, ensuring that the digest uniquely represents the input data. The SHA-2 family includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256, which generate digests of 224, 256, 384, 512, 224, and 256 bits, respectively. The primary purpose of SHA-2 is to provide a secure mechanism for generating message digests used in applications requiring and , such as digital signatures, message authentication codes, password storage, and pseudorandom number generation. These functions emphasize strong security properties, including (infeasible to find two distinct inputs producing the same digest), preimage resistance (infeasible to find an input matching a given digest), and second preimage resistance (infeasible to find a different input producing the same digest as a given input). SHA-2 was developed as a successor to , offering enhanced security against emerging vulnerabilities in the earlier algorithm through longer output sizes and improved design. Key properties of SHA-2 include the , where even a minor change in the input—such as flipping a single bit—results in approximately half the bits in the output changing, enhancing resistance to attacks. The algorithms employ the Merkle-Damgård construction, which iteratively applies a compression function based on the Davies-Meyer to padded blocks, ensuring efficiency and for inputs up to 2^64 bits (SHA-256) or 2^128 bits (SHA-384 and SHA-512).

Development History

The Secure Hash Algorithm 2 (SHA-2) family was designed by the (NSA) as an extension of the algorithm to provide enhanced security through longer message digest lengths. Development began in the late 1990s, with the algorithms first published by the NSA in 2001, motivated by the need to evolve the Secure Hash Standard amid growing concerns over potential weaknesses in earlier hash functions like and , including theoretical collision vulnerabilities identified in the early 2000s. The National Institute of Standards and Technology (NIST) incorporated SHA-256, SHA-384, and SHA-512 into the updated Secure Hash Standard as FIPS 180-2 in August 2002, following a draft review period that emphasized improved resistance to cryptanalytic attacks. Although SHA-2 predated the practical on SHA-1 demonstrated by Xiaoyun Wang and colleagues in 2005—which reduced the complexity to approximately 2^69 operations and prompted accelerated deprecation of —the design of SHA-2 incorporated structural differences from to offer larger security margins and digest sizes ranging from 224 to 512 bits. NIST's evolution of the Secure Hash Standard through SHA-2 addressed the demand for robust hashing in federal systems, digital signatures, and verification, while maintaining compatibility with existing infrastructure. Subsequent updates refined the SHA-2 family without altering core algorithms. In October 2008, FIPS 180-3 formally included SHA-224 and introduced SHA-512/224, variants providing truncated outputs for specific security levels, building on a 2004 change notice to FIPS 180-2. FIPS 180-4, published in August 2015, added SHA-512/256 with a new generation method to enhance efficiency on 64-bit platforms and ensure consistent security properties across the family. Since 2020, SHA-2 has seen no major revisions, remaining a core component of NIST's approved hash functions under FIPS 180-4. SHA-2 continues to be recommended for general-purpose use in federal and commercial systems, with serving as a supplement for additional security diversity, as NIST monitors emerging threats but confirms no immediate deprecations as of November 2025.

Algorithm Design

Core Components

The SHA-2 family of hash functions processes input messages through a series of foundational components that ensure consistent and secure digest computation. Central to this is message preprocessing, which involves the input to align with the algorithm's block size requirements. For SHA-256, the message λ in bits is extended by appending a single '1' bit, followed by k zero bits where k is the smallest non-negative integer such that λ + 1 + k is a multiple of 512, and finally a 64-bit representation of λ; this results in the padded message being a multiple of 512 bits. For SHA-512 and its variants, the process is analogous but uses 1024-bit blocks: a '1' bit is appended, followed by k zeros to make λ + 1 + k a multiple of 1024, and a 128-bit field. The padded message is then divided into blocks for processing: 512-bit blocks for the SHA-256 family, each parsed into sixteen 32-bit words, and 1024-bit blocks for the SHA-512 family, parsed into sixteen 64-bit words. This block structure facilitates the Merkle-Damgård construction underlying SHA-2, where each block is iteratively compressed starting from an initial hash value. The word size distinction—32 bits for SHA-256 variants and 64 bits for SHA-512 variants—directly influences the internal state representation and operations, with the SHA-512 family handling larger data elements to support longer digests. Initialization vectors (IVs) provide the starting hash value H^(0) as an eight-word array. For SHA-256, these are eight 32-bit words derived from the fractional parts of the square roots of the first eight prime numbers (2, 3, 5, 7, 11, 13, 17, 19), with the first word being 0x6a09e667. In the SHA-512 family, the IVs consist of eight 64-bit words from the same square root fractions taken to 64 bits, starting with 0x6a09e667f3bcc908; truncated variants like SHA-512/256 use predefined modified IVs specified in the standard. Round constants, denoted as K_i, are predefined arrays used in the compression process to introduce variability across rounds. SHA-256 employs 64 thirty-two-bit constants derived from the fractional parts of the cube roots of the first 64 primes, beginning with K_0 = 0x428a2f98. For SHA-512, there are 80 sixty-four-bit constants from the cube roots of the first 80 primes, with K_0 = 0x428a2f98d728ae22; these extend beyond 64 rounds to cover the full 80-round processing in SHA-512 variants. These constants, along with the IVs, are fixed and derived from mathematical primitives to enhance resistance to certain attacks.

Compression Function Steps

The compression function of SHA-2 processes each 512-bit (for SHA-256 variants) or 1024-bit (for SHA-512 variants) padded message block to update the hash state, iterating through a series of rounds that mix the input with round constants and apply bitwise operations. This function operates on eight 32-bit (SHA-256) or 64-bit (SHA-512) working variables, labeled A through H, which are initialized for the first block from predefined initial values (IVs) and for subsequent blocks from the previous compression output. The process begins with the message schedule, which expands the initial 16 words of the 512-bit (or 1024-bit) block into a full of 64 (or 80) words, denoted W0W_0 to W63W_{63} (or W79W_{79}). For t=0t = 0 to 15, WtW_t is directly taken from the block; for t=16t = 16 to 63 (or 79), each subsequent word is computed as Wt=σ0(Wt15)+Wt16+σ1(Wt2)+Wt7W_t = \sigma_0(W_{t-15}) + W_{t-16} + \sigma_1(W_{t-2}) + W_{t-7}, where addition is 2322^{32} (or 2642^{64}) and the sigma functions introduce through and shifts. Using SHA-256 as a representative example, σ0(x)=ROTR7(x)ROTR18(x)SHR3(x)\sigma_0(x) = \text{ROTR}^7(x) \oplus \text{ROTR}^{18}(x) \oplus \text{SHR}^3(x) and σ1(x)=ROTR17(x)ROTR19(x)SHR10(x)\sigma_1(x) = \text{ROTR}^{17}(x) \oplus \text{ROTR}^{19}(x) \oplus \text{SHR}^{10}(x), with ROTR denoting right and SHR right shift. For SHA-512, σ0(x)=ROTR1(x)ROTR8(x)SHR7(x)\sigma_0(x) = \text{ROTR}^1(x) \oplus \text{ROTR}^{8}(x) \oplus \text{SHR}^7(x) and σ1(x)=ROTR19(x)ROTR61(x)SHR6(x)\sigma_1(x) = \text{ROTR}^{19}(x) \oplus \text{ROTR}^{61}(x) \oplus \text{SHR}^{6}(x). Central to the compression are three bitwise logical functions and two additional sigma functions applied to the working variables. The choice function is defined as Ch(x,y,z)=(xy)(¬xz)\text{Ch}(x,y,z) = (x \land y) \oplus (\neg x \land z), selecting bits from yy or zz based on xx; the majority function is Maj(x,y,z)=(xy)(xz)(yz)\text{Maj}(x,y,z) = (x \land y) \oplus (x \land z) \oplus (y \land z), favoring the bit value held by at least two of the inputs. For the working variables, using SHA-256, Σ0(x)=ROTR2(x)ROTR13(x)ROTR22(x)\Sigma_0(x) = \text{ROTR}^2(x) \oplus \text{ROTR}^{13}(x) \oplus \text{ROTR}^{22}(x) and Σ1(x)=ROTR6(x)ROTR11(x)ROTR25(x)\Sigma_1(x) = \text{ROTR}^6(x) \oplus \text{ROTR}^{11}(x) \oplus \text{ROTR}^{25}(x), providing further mixing through rotations. For SHA-512, Σ0(x)=ROTR28(x)ROTR34(x)ROTR39(x)\Sigma_0(x) = \text{ROTR}^{28}(x) \oplus \text{ROTR}^{34}(x) \oplus \text{ROTR}^{39}(x) and Σ1(x)=ROTR14(x)ROTR18(x)ROTR41(x)\Sigma_1(x) = \text{ROTR}^{14}(x) \oplus \text{ROTR}^{18}(x) \oplus \text{ROTR}^{41}(x). The core iteration consists of 64 (or 80) rounds per block, each incorporating a round constant KtK_t (derived from the first 32 or 64 bits of the fractional parts of the cube roots of the first 64 or 80 primes). In each round tt, two temporary values are computed: T1=H+Σ1(E)+Ch(E,F,G)+Kt+Wt,T2=Σ0(A)+Maj(A,B,C),\begin{align*} T_1 &= H + \Sigma_1(E) + \text{Ch}(E, F, G) + K_t + W_t, \\ T_2 &= \Sigma_0(A) + \text{Maj}(A, B, C), \end{align*} where A through H represent the current working variables (with uppercase denoting the updated values from prior rounds). The variables are then shifted: HGH \leftarrow G, GFG \leftarrow F, FEF \leftarrow E, ED+T1E \leftarrow D + T_1, DCD \leftarrow C, CBC \leftarrow B, BAB \leftarrow A, and AT1+T2A \leftarrow T_1 + T_2, all 2322^{32} (or 2642^{64}). These major updates to A-H, combined with the minor computations of T1T_1 and T2T_2, ensure effects across the state. Upon completing all rounds, the final working variables are added to the input chaining values (the prior hash state) to produce the updated state: each Hj(i)=Hj(i1)+H_j^{(i)} = H_j^{(i-1)} + (corresponding working variable), for j=0j = 0 to 7. The output of the compression function is thus the concatenation of these eight updated values, serving as the chaining input for the next block or the final hash if it is the last.

Variants

Primary Members

The primary members of the SHA-2 family are SHA-256 and SHA-512, which serve as the foundational full-length variants designed for robust cryptographic hashing. These algorithms process input messages to produce fixed-size digests, emphasizing and preimage resistance to support secure applications. SHA-256 generates a 256-bit output using 32-bit words, operates on 512-bit message blocks, and employs 64 compression rounds. It is widely adopted for general-purpose hashing, such as in TLS protocol certificates and digital signatures, due to its balance of security and computational efficiency on 32-bit and 64-bit systems. The initial hash values (IVs) for SHA-256 are derived from the first 32 bits of the fractional parts of the square roots of the first eight prime numbers (2, 3, 5, 7, 11, 13, 17, 19) and are specified as follows:
IndexHexadecimal Value
H⁰6a09e667
bb67ae85
3c6ef372
a54ff53a
H⁴510e527f
H⁵9b05688c
H⁶1f83d9ab
H⁷5be0cd19
The 64 round constants for SHA-256 are the first 32 bits of the fractional parts of the cube roots of the first 64 prime numbers, starting with 428a2f98 for the first round. SHA-512 produces a 512-bit output using 64-bit words, handles 1024-bit message blocks, and performs 80 compression rounds, making it suitable for high-security scenarios like file integrity verification in large-scale data systems. Its IVs are the first 64 bits of the fractional parts of the square roots of the first eight primes, given in hexadecimal as:
IndexHexadecimal Value
H⁰6a09e667f3bcc908
bb67ae8584caa73b
3c6ef372fe94f82b
a54ff53a5f1d36f1
H⁴510e527fade682d1
H⁵9b05688c2b3e6c1f
H⁶1f83d9abfb41bd6b
H⁷5be0cd19137e2179
The 80 round constants for SHA-512 begin with 428a2f98d728ae22 and are similarly derived from the first 64 bits of the cube roots of the first 80 primes. On 64-bit architectures, SHA-512 often achieves higher throughput than SHA-256 due to its native word size alignment, processing twice the data per operation despite additional rounds. The design of these variants provides future-proofing against brute-force attacks, with SHA-256 offering 256-bit preimage resistance (requiring approximately 2^{256} operations to invert) and SHA-512 delivering 512-bit resistance (2^{512} operations), far exceeding current computational capabilities. This extended security in SHA-512 addresses long-term threats in environments demanding maximal digest strength.

Extended Variants

The extended variants of the SHA-2 family include truncated versions designed to produce shorter hash outputs while maintaining compatibility with the core compression function of their parent algorithms. These variants employ the same message padding and processing steps as SHA-256 or SHA-512 but use modified initial hash values (IVs) and truncate the final digest to achieve the desired length, ensuring that the resulting hashes are distinct from those of the full-length variants even for identical inputs. This approach allows for tailored security levels without redesigning the underlying Merkle-Damgård structure. SHA-224 is derived from SHA-256 by processing messages in 512-bit blocks using 32-bit words and truncating the 256-bit intermediate hash to the first 224 bits for the final output. It uses a unique IV generated specifically for 224-bit security, providing approximately 112 bits of to align with the strength of legacy systems like Triple-DES. Introduced in , SHA-224 was primarily intended for in applications requiring a shorter digest than SHA-256 while transitioning from weaker hashes like SHA-1. SHA-384 follows a similar derivation from SHA-512, operating on 1024-bit blocks with 64-bit words and truncating the 512-bit result to 384 bits. Its distinct IV ensures independent hash values, supporting medium-strength applications such as where a balance between security and performance is needed, offering 192 bits of . Unlike the 224-bit variants, SHA-384 remains fully approved for ongoing use in federal standards. SHA-512/224 and SHA-512/256 were added to the SHA-2 family in to provide efficient alternatives on 64-bit platforms, deriving from SHA-512 with to 224 or 256 bits, respectively, and unique IVs computed via a dedicated generation function that modifies the SHA-512 IV based on the target output length. These variants leverage the larger block size and word operations of SHA-512 for better on modern hardware compared to their 32-bit counterparts, while delivering 112-bit and 128-bit security levels. They were standardized to support scenarios where 64-bit optimizations reduce computational overhead without compromising the core algorithm's integrity. Due to their reduced output lengths providing security strengths below the current 128-bit minimum, NIST has deprecated the 224-bit variants—SHA-224 and SHA-512/224—for new cryptographic protections through December 31, 2030, recommending migration to longer variants or to mitigate emerging threats, including those from that could further erode hash security via . Legacy use may continue post-2030 under restricted conditions, but avoidance is advised for long-term deployments.

Security Analysis

Cryptanalytic Results

SHA-2 has demonstrated strong in its full-round variants, with no practical collisions discovered for SHA-256 or SHA-512 as of 2025. The most significant theoretical advance is a higher-order differential attack achieving a second-order differential collision on the compression function of SHA-256 reduced to 46 out of 64 rounds, with a of approximately 2462^{46} compression function evaluations. This attack relies on constructing two independent differential paths and applying message modification techniques to satisfy the required conditions, but it remains far from threatening the full 64-round design. Preimage resistance for full SHA-2 remains intact at the expected levels of 22562^{256} for SHA-256 and 25122^{512} for SHA-512. Notable progress on reduced rounds includes biclique-based pseudo-preimage attacks on the SHA-256 compression function covering 52 out of 64 rounds, with a of 22552^{255}. Earlier meet-in-the-middle techniques extended preimage attacks to 41 rounds of the full SHA-256 at approximately 22552^{255} complexity. These results highlight vulnerabilities in truncated versions but affirm the security margin of the complete algorithm. Side-channel vulnerabilities primarily affect implementations rather than the core SHA-2 design. For instance, non-constant-time implementations of HMAC-SHA-2 can leak information through or electromagnetic side channels, enabling key recovery in hardware settings after collecting traces from thousands of executions. Cache-timing attacks have been demonstrated on software implementations, such as those in , where variations in memory access patterns during message expansion reveal intermediate state information. Constant-time implementations mitigate these risks effectively. As of November 2025, no cryptanalytic breakthroughs have compromised the full rounds of SHA-256 or SHA-512, with the best recent advances limited to practical semi-free-start collisions on 39 rounds of SHA-256 with practical complexity. poses a theoretical threat via , which could reduce preimage search complexity to 21282^{128} for SHA-256 and 22562^{256} for SHA-512, though practical quantum hardware remains insufficient for such scales; NIST recommends doubling hash output sizes for long-term post-quantum security. Unlike , where practical collisions were found in 2017 using specialized SMASH techniques with 2632^{63} complexity, SHA-2 variants remain unaffected by similar methods due to their enhanced round functions and message schedule.

Official Validation and Standards

The Secure Hash Standard (SHS), as specified in Federal Information Processing Standard (FIPS) 180-4 published by the National Institute of Standards and Technology (NIST) in 2015, formally defines the SHA-2 family of hash algorithms, including SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. These algorithms are approved for use in federal systems and undergo validation through the Cryptographic Module Validation Program (CMVP), which certifies cryptographic modules compliant with and its successor for security requirements. The Cryptographic Algorithm Validation Program (CAVP), administered by NIST in collaboration with accredited laboratories, tests SHA-2 implementations for conformance to FIPS 180-4 specifications, ensuring correct operation in both hardware and software modules. Successful CAVP validation is a prerequisite for CMVP , with thousands of SHA-2 certificates issued as of 2025, reflecting widespread adoption in validated cryptographic products. SHA-2 has achieved broad international , with the family incorporated into ISO/IEC 10118-3:2018, which specifies dedicated hash functions including those from the SHA-2 series for cryptographic applications. It is utilized in Standards (PKCS) #1, as defined in RFC 3447, for formatting RSA signatures with SHA-2 hashes such as SHA-256 and SHA-512. In the (TLS) Protocol Version 1.3, outlined in RFC 8446, SHA-256 is mandatory for certificate signatures and the default hash in key derivation, prohibiting weaker options like SHA-1 to enhance security. Additionally, SHA-256 serves as a core primitive in Bitcoin's for transaction verification and proof-of-work computations. NIST's Special Publication 800-131A, originally issued in 2011 and updated through Revision 3 in draft form as of October 2024, provides transition recommendations for cryptographic algorithms, mandating the phase-out of by December 31, 2030, while endorsing SHA-2 variants—particularly SHA-256—as approved alternatives until the broader maturity of SHA-3. No deprecation is planned for SHA-256 or other SHA-2 members by 2030, maintaining their status as recommended secure hash functions for digital signatures, message , and integrity protection. Despite extensive validation, SHA-2 lacks formal mathematical proofs of core security properties such as , relying instead on empirical testing through CAVP, ongoing , and real-world deployment without observed practical breaks.

Practical Implementation

Pseudocode Overview

The SHA-256 algorithm, as defined in the Secure Hash Standard, processes input through a series of steps including , block parsing, schedule expansion, and a compression function applied across multiple rounds. The following high-level outlines these components for the compression function, using 32-bit words and modulo 2322^{32}. All operations are performed on 32-bit words unless otherwise specified.

SHA-256 Pseudocode

The following provides a complete imperative-style pseudocode for the SHA-256 algorithm as specified in FIPS 180-4. It combines the preprocessing, message scheduling, and compression steps into a single procedural outline. All arithmetic is performed modulo 2322^{32}, and the functions ROTR (right rotation), SHR (right shift), Ch, Maj, Σ₀ (Sigma0), Σ₁ (Sigma1), σ₀ (sigma0), and σ₁ (sigma1) are as defined in subsequent subsections. The round constants K_t are derived from the first 32 bits of the fractional parts of the cube roots of the first 64 prime numbers.

pseudocode

function SHA-256(message): # 1. Preprocessing (Padding and Parsing) # Append a '1' bit append bit '1' to message # Append k '0' bits such that (length + 1 + k + 64) mod 512 == 0 append k zero bits accordingly # Append the original length in bits as a 64-bit big-endian integer append 64-bit big-endian representation of original message length # Divide the padded message into N 512-bit blocks M^(i), each consisting of 16 32-bit words # 2. Initialize hash values (big-endian 32-bit words) H0 = 0x6a09e667 H1 = 0xbb67ae85 H2 = 0x3c6ef372 H3 = 0xa54ff53a H4 = 0x510e527f H5 = 0x9b05688c H6 = 0x1f83d9ab H7 = 0x5be0cd19 # 3. Process each 512-bit block for i = 0 to N-1: # Prepare the message schedule array W[0..63] for t = 0 to 15: W[t] = M^(i)[t] # 32-bit words from the block (big-endian) for t = 16 to 63: s0 = ROTR(W[t-15], 7) XOR ROTR(W[t-15], 18) XOR SHR(W[t-15], 3) s1 = ROTR(W[t-2], 17) XOR ROTR(W[t-2], 19) XOR SHR(W[t-2], 10) W[t] = (W[t-16] + s0 + W[t-7] + s1) mod 2^32 # Initialize working variables a = H0 b = H1 c = H2 d = H3 e = H4 f = H5 g = H6 h = H7 # Compression function - 64 rounds for t = 0 to 63: Σ1 = ROTR(e, 6) XOR ROTR(e, 11) XOR ROTR(e, 25) Ch = (e AND f) XOR ((NOT e) AND g) T1 = (h + Σ1 + Ch + K[t] + W[t]) mod 2^32 Σ0 = ROTR(a, 2) XOR ROTR(a, 13) XOR ROTR(a, 22) Maj = (a AND b) XOR (a AND c) XOR (b AND c) T2 = (Σ0 + Maj) mod 2^32 h = g g = f f = e e = (d + T1) mod 2^32 d = c c = b b = a a = (T1 + T2) mod 2^32 # Update hash values H0 = (H0 + a) mod 2^32 H1 = (H1 + b) mod 2^32 H2 = (H2 + c) mod 2^32 H3 = (H3 + d) mod 2^32 H4 = (H4 + e) mod 2^32 H5 = (H5 + f) mod 2^32 H6 = (H6 + g) mod 2^32 H7 = (H7 + h) mod 2^32 # Produce the final 256-bit hash by concatenating H0 to H7 (big-endian) return concatenation of H0 || H1 || H2 || H3 || H4 || H5 || H6 || H7

function SHA-256(message): # 1. Preprocessing (Padding and Parsing) # Append a '1' bit append bit '1' to message # Append k '0' bits such that (length + 1 + k + 64) mod 512 == 0 append k zero bits accordingly # Append the original length in bits as a 64-bit big-endian integer append 64-bit big-endian representation of original message length # Divide the padded message into N 512-bit blocks M^(i), each consisting of 16 32-bit words # 2. Initialize hash values (big-endian 32-bit words) H0 = 0x6a09e667 H1 = 0xbb67ae85 H2 = 0x3c6ef372 H3 = 0xa54ff53a H4 = 0x510e527f H5 = 0x9b05688c H6 = 0x1f83d9ab H7 = 0x5be0cd19 # 3. Process each 512-bit block for i = 0 to N-1: # Prepare the message schedule array W[0..63] for t = 0 to 15: W[t] = M^(i)[t] # 32-bit words from the block (big-endian) for t = 16 to 63: s0 = ROTR(W[t-15], 7) XOR ROTR(W[t-15], 18) XOR SHR(W[t-15], 3) s1 = ROTR(W[t-2], 17) XOR ROTR(W[t-2], 19) XOR SHR(W[t-2], 10) W[t] = (W[t-16] + s0 + W[t-7] + s1) mod 2^32 # Initialize working variables a = H0 b = H1 c = H2 d = H3 e = H4 f = H5 g = H6 h = H7 # Compression function - 64 rounds for t = 0 to 63: Σ1 = ROTR(e, 6) XOR ROTR(e, 11) XOR ROTR(e, 25) Ch = (e AND f) XOR ((NOT e) AND g) T1 = (h + Σ1 + Ch + K[t] + W[t]) mod 2^32 Σ0 = ROTR(a, 2) XOR ROTR(a, 13) XOR ROTR(a, 22) Maj = (a AND b) XOR (a AND c) XOR (b AND c) T2 = (Σ0 + Maj) mod 2^32 h = g g = f f = e e = (d + T1) mod 2^32 d = c c = b b = a a = (T1 + T2) mod 2^32 # Update hash values H0 = (H0 + a) mod 2^32 H1 = (H1 + b) mod 2^32 H2 = (H2 + c) mod 2^32 H3 = (H3 + d) mod 2^32 H4 = (H4 + e) mod 2^32 H5 = (H5 + f) mod 2^32 H6 = (H6 + g) mod 2^32 H7 = (H7 + h) mod 2^32 # Produce the final 256-bit hash by concatenating H0 to H7 (big-endian) return concatenation of H0 || H1 || H2 || H3 || H4 || H5 || H6 || H7

Preprocessing (Padding and Parsing)

To prepare the for hashing:
  1. Append a single '1' bit to the .
  2. Append kk zero bits, where kk is the smallest non-negative such that the total length is congruent to 448 512.
  3. Append the 64-bit representation of the original length λ\lambda (in bits) as a big-endian .
The padded is then divided into NN 512-bit blocks M(i)M^{(i)} for i=0i = 0 to N1N-1, where each block consists of 16 32-bit words Mj(i)M^{(i)}_j for j=0j = 0 to 15. Implementations must ensure the length λ<264\lambda < 2^{64} bits to avoid overflow in the length encoding, and handle empty s by applying directly (resulting in a single block).

Message Schedule

For each 512-bit block M(i)M^{(i)}, compute a 64-word message schedule array WtW_t for t=0t = 0 to 63:
  • For t=0t = 0 to 15: Wt=Mt(i)W_t = M^{(i)}_t
  • For t=16t = 16 to 63:
    Wt=σ0(Wt15)+Wt7+σ1(Wt2)+Wt16W_t = \sigma_0(W_{t-15}) + W_{t-7} + \sigma_1(W_{t-2}) + W_{t-16} (mod 2322^{32})
where the expansion functions are defined as:
σ0(x)=ROTR7(x)ROTR18(x)SHR3(x)\sigma_0(x) = \text{ROTR}^7(x) \oplus \text{ROTR}^{18}(x) \oplus \text{SHR}^3(x)
σ1(x)=ROTR17(x)ROTR19(x)SHR10(x)\sigma_1(x) = \text{ROTR}^{17}(x) \oplus \text{ROTR}^{19}(x) \oplus \text{SHR}^{10}(x) Here, ROTRn(x)\text{ROTR}^n(x) denotes a right circular of xx by nn bits: (xn)(x(32n))(x \gg n) \lor (x \ll (32 - n)), and SHRn(x)\text{SHR}^n(x) is a right shift by nn bits with zero-padding. Bitwise operations include \oplus for XOR, \land for AND, \lor for OR, and ¬\lnot for NOT. Error handling in this step involves verifying that intermediate additions do not cause unintended overflows beyond 32 bits, typically managed by explicit modular reduction in code.

Compression Function

Initialize eight 32-bit working variables a,b,c,d,e,f,g,ha, b, c, d, e, f, g, h to the current hash values H0(i1)H^{(i-1)}_0 to H7(i1)H^{(i-1)}_7 (starting with predefined initial values for i=0i=0). For t=0t = 0 to 63, perform 64 rounds:

T1 = h + Σ1(e) + Ch(e, f, g) + K_t + W_t (mod 2^32) T2 = Σ0(a) + Maj(a, b, c) (mod 2^32) h = g g = f f = e e = d + T1 d = c c = b b = a a = T1 + T2

T1 = h + Σ1(e) + Ch(e, f, g) + K_t + W_t (mod 2^32) T2 = Σ0(a) + Maj(a, b, c) (mod 2^32) h = g g = f f = e e = d + T1 d = c c = b b = a a = T1 + T2

where:
Ch(x,y,z)=(xy)(¬xz)\text{Ch}(x, y, z) = (x \land y) \oplus (\lnot x \land z)
Maj(x,y,z)=(xy)(xz)(yz)\text{Maj}(x, y, z) = (x \land y) \oplus (x \land z) \oplus (y \land z)
Σ0(x)=ROTR2(x)ROTR13(x)ROTR22(x)\Sigma_0(x) = \text{ROTR}^2(x) \oplus \text{ROTR}^{13}(x) \oplus \text{ROTR}^{22}(x)
Σ1(x)=ROTR6(x)ROTR11(x)ROTR25(x)\Sigma_1(x) = \text{ROTR}^6(x) \oplus \text{ROTR}^{11}(x) \oplus \text{ROTR}^{25}(x) KtK_t are fixed 64 round constants derived from the first 32 bits of the fractional parts of the cube roots of the first 64 primes. After all rounds, update the hash values: Hj(i)=Hj(i1)+H^{(i)}_j = H^{(i-1)}_j + (corresponding working variable) for j=0j = 0 to 7. The final hash is the of H0(N)H7(N)H^{(N)}_0 \Vert \cdots \Vert H^{(N)}_7. Implementations should include bounds checks on array indices during the loop to prevent out-of-bounds access, especially for variable-length messages. For SHA-512, the structure remains analogous but operates on 1024-bit blocks with 64-bit words, adjusted rotation and shift amounts (e.g., ROTR^28, ROTR^34, ROTR^39 for Σ0), and modulo 2642^{64} arithmetic, without requiring separate as the core logic is parallel.

Performance and Test Vectors

Test vectors play a crucial role in verifying the correctness of SHA-2 implementations, ensuring compliance with the specified algorithms in FIPS 180-4. The National Institute of Standards and Technology (NIST) provides vectors through the Secure Hash Standard Validation System (SHAVS), part of the Cryptographic Algorithm Validation Program (CAVP), to detect implementation errors and confirm adherence to federal standards. These vectors are used in both informal testing (e.g., via downloadable .rsp files for byte- and bit-oriented messages) and formal validation submissions, where matching outputs against expected results verifies the hash function's behavior across various input lengths and schemes. Tools like SHAVS facilitate this process by generating comprehensive test cases, helping developers debug and certify modules for cryptographic applications. Performance of SHA-2 variants depends on factors such as processor (x86_64 versus ARM64), input size, and hardware optimizations like Intel's SHA-NI extensions or ARM's cryptographic instructions, which accelerate round computations. On modern CPUs with , SHA-256 typically achieves throughputs of 1.5–1.8 GB/s for large messages, while SHA-512 ranges from 0.6–1.1 GB/s, reflecting its larger state and operations on 64-bit words. AVX2 vector instructions further boost efficiency on x86 by parallelizing message scheduling, though SHA-512 benefits less due to its wider data paths. ARM64 implementations show comparable speeds to x86 for SHA-256 but outperform in SHA-512 scenarios with optimized crypto extensions, narrowing the gap for 64-bit-heavy workloads. The following table summarizes per-core throughput benchmarks for large (10 MB) messages on recent hardware, using hardware-accelerated libraries:
ArchitectureProcessorSHA-256 (MB/s)SHA-512 (MB/s)
x86_64AMD EPYC 9R141772657
ARM64AWS Graviton 417441067
These figures, derived from optimized Go implementations, illustrate scale on 2024-era servers; actual multi-core systems can exceed 10 GB/s aggregate. For context, an experimental analysis reported SHA-256 at 1,809 MB/s average on high-end CPUs, underscoring the impact of SHA-NI on platforms like Core i9 series. NIST-approved test vectors for SHA-256, as specified in FIPS 180-4, include the following examples for verification:
  • Empty message (zero-length input):
    e3b0c442 98fc1c14 9afbf4c8 996fb924 27ae41e4 649b934c a495991b 7852b855
  • Message "abc":
    ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad
  • Longer message "abcdbcdecdefdefgefghghfghighijhijkijkljklmklmnlmnomnopnopq":
    248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1
These vectors, along with bit-oriented variants, are essential for cross-platform testing and are available in NIST's SHAVS archives to support implementation certification.

Command-Line Usage in Linux

In Linux environments, SHA-256 hashes of strings can be computed using built-in command-line tools. The sha256sum utility, part of GNU coreutils, computes the SHA-256 checksum of input data. For example, to hash the string "your text" without appending a newline: echo -n "your text" | sha256sum. The -n flag prevents the inclusion of a trailing newline character. Alternatively, the OpenSSL toolkit provides the dgst command for message digests: echo -n "your text" | openssl dgst -sha256. This outputs the hash in hexadecimal format. The shasum command, often available as a Perl-based script, supports multiple SHA algorithms: echo -n "your text" | shasum -a 256. The -a 256 specifies the SHA-256 variant, and -n again avoids newline addition.

Applications and Comparisons

Key Applications

SHA-2, particularly SHA-256, serves as a foundational component in digital signature schemes, where it is paired with algorithms like RSA and ECDSA to ensure the integrity and authenticity of X.509 certificates used in public key infrastructure. For instance, in PDF document signing, SHA-256 is employed to hash the document content before applying the signature, as specified in standards for secure electronic signatures. In protocols, TLS versions 1.2 and 1.3 use SHA-256 by default for signatures and key derivation, with support for stronger hashes where appropriate, to provide robust protection against attacks. Similarly, the (SSH) protocol utilizes SHA-256 in conjunction with RSA keys for server and client authentication, enhancing security as defined in relevant RFCs. SHA-2 finds extensive application in technologies, notably in , where double SHA-256 hashing is applied to block headers to generate unique block identifiers and ensure tamper resistance. This double-hashing approach mitigates certain length-extension vulnerabilities inherent in single applications of Merkle-Damgård constructions. Beyond core , HMAC-SHA-256 is widely adopted for message authentication in communications, verifying request integrity and origin in systems like cloud services. For file integrity verification, is transitioning to SHA-256 for commit object hashing, with support added to replace the vulnerable and safeguard repository contents. Similarly, SHA-256 is employed in backup systems to ensure data integrity; for example, backup content such as JSON-serialized data is prepared in a canonical form with sorted keys and minimal separators, hashed using SHA-256 to produce a fixed-length hexadecimal digest, and verified by recomputing the hash after loading or transfer and comparing it to the original to detect any alterations. Similarly, SHA-256 is commonly used in the video game emulation community to verify the integrity and authenticity of ROM files. Emulation databases such as No-Intro and Redump provide hashes for verified game dumps, with SHA-256 often employed to confirm file authenticity and detect modifications. The 256-bit hash is represented as 64 hexadecimal digits, commonly referred to in Spanish-speaking contexts as "64 caracteres hexadecimales" or "64 dígitos hexadecimales". In password storage, HMAC-SHA-256 underpins key derivation functions such as , providing resistance to brute-force attacks in secure hashing schemes. Modern authentication frameworks like , part of the FIDO2 standard, incorporate SHA-256 to hash identifiers and challenges during public key credential operations, enabling phishing-resistant login experiences. By 2025, SHA-2 variants are integrated into post-quantum hybrid schemes, combining classical signatures with quantum-resistant algorithms as recommended by NIST for transitional security in protocols like TLS. SHA-2 shares a similar high-level structure with its predecessor , as both utilize the with a compression function derived from the –Meyer structure applied to a specialized . However, SHA-2 incorporates key design improvements, including larger word sizes in variants like SHA-512 (64 bits versus SHA-1's 32 bits), distinct right-rotation amounts (e.g., ROTR 2, 13, 22 for SHA-256's Σ₀ function, differing from SHA-1's left rotations of 5 and 30 bits), and initial constants derived from the fractional parts of the cube roots of the first 64 primes (unlike SHA-1's constants based on square roots of primes). These modifications enhance and resistance to cryptanalytic attacks. Security-wise, SHA-1 has been compromised by a practical demonstrated in 2017 using the SHAttered technique, which generated two distinct PDFs with identical hashes after approximately 2^{63} operations on specialized hardware. In contrast, SHA-2 remains secure, with no feasible identified despite extensive analysis, maintaining full up to half its output size. Compared to , SHA-2 relies on the , which processes fixed-size blocks sequentially, while SHA-3 employs a sponge construction based on the KECCAK permutation, absorbing input into a state and squeezing output as needed for variable-length operations. This fundamental difference provides SHA-3 with inherent resistance to length-extension attacks that affect Merkle–Damgård designs like SHA-2, promoting cryptographic diversity in case of future vulnerabilities in the SHA-2 family. Nonetheless, SHA-2 offers superior software performance on commodity hardware, often 1.5–2 times faster than equivalent SHA-3 variants due to optimized implementations and simpler arithmetic operations. SHA-3 adoption lags, remaining optional in protocols like TLS 1.3, while SHA-2 dominates deployments. SHA-2's minimum 256-bit output provides at least 128 bits of collision security, far exceeding SHA-1's 160-bit output with effectively under 80 bits of practical collision resistance post-2017. SHA-3 matches SHA-2's security margins but adds versatility through extendable-output functions. In TLS, SHA-256 is the predominant hash for certificate signatures as of 2024, reflecting broad migration from SHA-1.
AlgorithmOutput Size (bits)Block Size (bits)Collision Security (bits)Software Performance (relative)
SHA-1160512<80Baseline
SHA-2562565121281.5–2× faster than SHA3-256
SHA3-2562561088 (rate)128Slower on general CPUs
NIST recommends phasing out SHA-1 entirely by 2030 in favor of for ongoing applications and for new systems seeking structural diversity.

References

  1. https://csrc.nist.gov/csrc/media/projects/crypto-standards-development-process/documents/briefing_book_to_cov.pdf
  2. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.180-4.pdf
  3. https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/secure-hashing
  4. https://csrc.nist.gov/pubs/fips/180-2/final
  5. https://www.federalregister.gov/documents/2002/08/26/02-21599/announcing-approval-of-federal-information-processing-standard-fips-180-2-secure-hash-standard-a
  6. https://csrc.nist.gov/projects/hash-functions
  7. https://csrc.nist.gov/projects/hash-functions/nist-policy-on-hash-functions
  8. https://www.mdpi.com/2410-387X/8/3/40
  9. https://eprint.iacr.org/2018/841.pdf
  10. https://csrc.nist.gov/news/2006/nist-comments-on-cryptanalytic-attacks-on-sha-1
  11. https://www.federalregister.gov/documents/2008/10/17/E8-24743/announcing-approval-of-federal-information-processing-standard-fips-publication-180-3-secure-hash
  12. https://csrc.nist.gov/news/2022/nist-transitioning-away-from-sha-1-for-all-apps
  13. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-107r1.pdf
  14. https://datatracker.ietf.org/doc/html/rfc5246
  15. https://eprint.iacr.org/2010/548.pdf
  16. https://datatracker.ietf.org/doc/html/rfc3874
  17. https://www.federalregister.gov/documents/2011/02/11/2011-3129/announcing-draft-federal-information-processing-standard-180-4-secure-hash-standard-and-request-for
  18. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf
  19. https://eprint.iacr.org/2011/037.pdf
  20. https://eprint.iacr.org/2011/286.pdf
  21. https://eprint.iacr.org/2009/479.pdf
  22. https://dl.acm.org/doi/10.1007/978-3-030-89915-8_2
  23. https://cr.yp.to/antiforgery/cachetiming-20050414.pdf
  24. https://eprint.iacr.org/2024/349.pdf
  25. https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search
  26. https://www.iso.org/standard/67116.html
  27. https://datatracker.ietf.org/doc/html/rfc3447
  28. https://datatracker.ietf.org/doc/html/rfc8446
  29. https://developer.bitcoin.org/reference/transactions.html
  30. https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd
  31. https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
  32. https://kerkour.com/fast-secure-hash-function-sha256-sha512-sha3-blake3
  33. https://github.com/minio/sha256-simd
  34. https://openreview.net/forum?id=Y3Mn3UkPcz
  35. https://man7.org/linux/man-pages/man1/sha256sum.1.html
  36. https://docs.openssl.org/3.2/man1/openssl-dgst/
  37. https://linux.die.net/man/1/shasum
  38. https://www.rfc-editor.org/rfc/rfc8332.html
  39. https://en.bitcoin.it/wiki/Protocol_documentation
  40. https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-hmac
  41. https://git-scm.com/docs/hash-function-transition
  42. https://www.rfc-editor.org/rfc/rfc8785
  43. https://support.owndata.com/s/article/How-to-Prove-Backups-are-Unchanged-70019
  44. https://www.w3.org/TR/webauthn-2/
  45. https://csrc.nist.gov/projects/post-quantum-cryptography/faqs
  46. https://csrc.nist.gov/pubs/fips/180-4/upd1/final
  47. https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
  48. https://eprint.iacr.org/2017/190.pdf
  49. https://csrc.nist.gov/pubs/fips/202/final
  50. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
Add your contribution
Related Hubs
User Avatar
No comments yet.