SHA-2: Deep Dive
While MD5 and SHA-1 have fallen, SHA-2 stands strong. Published in 2001, the SHA-2 family has weathered over two decades of cryptanalysis and remains the workhorse of modern cryptography. This post explores every member of the SHA-2 family, how they work, and when to use each one.
The SHA-2 Family
SHA-2 isn't a single algorithm—it's a family of six related hash functions:
| Algorithm | Output Size | Block Size | Word Size | Rounds | Security Level |
|---|---|---|---|---|---|
| SHA-224 | 224 bits | 512 bits | 32 bits | 64 | 112 bits |
| SHA-256 | 256 bits | 512 bits | 32 bits | 64 | 128 bits |
| SHA-384 | 384 bits | 1024 bits | 64 bits | 80 | 192 bits |
| SHA-512 | 512 bits | 1024 bits | 64 bits | 80 | 256 bits |
| SHA-512/224 | 224 bits | 1024 bits | 64 bits | 80 | 112 bits |
| SHA-512/256 | 256 bits | 1024 bits | 64 bits | 80 | 128 bits |
Security Level refers to collision resistance. A 128-bit security level means an attacker needs approximately 2^128 operations to find a collision.
History and Development
SHA-2 was designed by the National Security Agency (NSA) and published by NIST in 2001 as FIPS PUB 180-2. It was created as a successor to SHA-1, which was already showing theoretical weaknesses.
The name "SHA-2" is informal—NIST calls them "SHA-224," "SHA-256," etc. The "2" distinguishes them from SHA-1 and the later SHA-3.
Timeline
2001 — SHA-256, SHA-384, SHA-512 published (FIPS 180-2)
2004 — SHA-224 added (FIPS 180-2 change notice)
2008 — Wang's team attacks SHA-1, validates SHA-2 migration
2012 — SHA-512/224, SHA-512/256 added (FIPS 180-4)
2015 — SHA-3 published as alternative, SHA-2 remains primary
2025 — Still secure, no practical attacks
How SHA-2 Works
All SHA-2 variants use the Merkle-Damgård construction with a Davies-Meyer compression function. The core algorithm follows these steps:
1. Padding
The message is padded so its length is congruent to 448 (mod 512) for SHA-224/256, or 896 (mod 1024) for SHA-384/512:
Original Message | 1 | 000...000 | 64-bit length
└─ padding ─┘
The padding always starts with a 1 bit, followed by zeros, then a 64-bit (or 128-bit for SHA-512 variants) representation of the original message length.
2. Initialize Hash Values
Each algorithm starts with different Initial Hash Values (IHV). These aren't arbitrary—they're derived from the fractional parts of square roots of prime numbers:
SHA-256 initial values (first 8 primes):
h0 = 0x6a09e667 (√2)
h1 = 0xbb67ae85 (√3)
h2 = 0x3c6ef372 (√5)
h3 = 0xa54ff53a (√7)
h4 = 0x510e527f (√11)
h5 = 0x9b05688c (√13)
h6 = 0x1f83d9ab (√17)
h7 = 0x5be0cd19 (√19)
SHA-224 uses different initial values (from the 9th through 16th primes), which is why it produces different output despite using the same compression function as SHA-256.
3. Process Each Block
For each 512-bit (or 1024-bit) block:
a. Message Schedule (W)
The 16 words of the message block are expanded into 64 words (or 80 for SHA-512):
For i = 0 to 15:
W[i] = message block word i
For i = 16 to 63:
W[i] = σ1(W[i-2]) + W[i-7] + σ0(W[i-15]) + W[i-16]
Where σ0 and σ1 are bitwise functions involving rotation and shift.
b. Compression Function
Eight working variables (a, b, c, d, e, f, g, h) are initialized from the current hash state. Then, for each round:
T1 = h + Σ1(e) + Ch(e,f,g) + K[i] + W[i]
T2 = Σ0(a) + Maj(a,b,c)
h = g
g = f
f = e
e = d + T1
d = c
c = b
b = a
a = T1 + T2
Where:
- Ch(e,f,g) = (e AND f) XOR (NOT e AND g) — "Choice" function
- Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c) — "Majority" function
- Σ0, Σ1 = Rotation-based mixing functions
- K[i] = Round constants (derived from cube roots of primes)
c. Update Hash State
After all rounds, add the working variables to the hash state:
h0 = h0 + a
h1 = h1 + b
... (and so on)
4. Produce Final Hash
Concatenate the final hash values. For truncated variants (SHA-224, SHA-384, SHA-512/224, SHA-512/256), only use the required number of bits.
The Six Algorithms in Detail
SHA-256
Output: 256 bits (32 bytes, 64 hex characters)
Block size: 512 bits
Rounds: 64
SHA256("Hello, World!") = ae97eca8f8ae1672bcc5c79e3fbafd8ee86f65f775e2250a291d3788b7a8af95
SHA-256 is the most widely used SHA-2 variant:
- TLS/SSL: Default for certificate signatures
- Bitcoin: Block hashing and transaction verification
- Code signing: Microsoft Authenticode, Apple codesign
- File integrity: Package managers, download verification
When to use: General-purpose hashing where 128-bit security is sufficient.
SHA-224
Output: 224 bits (28 bytes, 56 hex characters)
Block size: 512 bits
Rounds: 64
SHA224("Hello, World!") = a48bbf61e5c9f0449a02545a4f0fdc29f02b3cdc96fe4972f9bb2d06
SHA-224 is a truncated version of SHA-256 with different initial values. It was designed to match the 112-bit security level of 3DES (Triple DES).
When to use: When you need compatibility with 3DES security requirements, or when 224 bits is specifically required (rare).
SHA-512
Output: 512 bits (64 bytes, 128 hex characters)
Block size: 1024 bits
Rounds: 80
SHA512("Hello, World!") = da73ffa8c95e8f252951e3e2a21062f53ad8fc3a977da67f627c20fc2c13949f1be4fa07beed0383e79767b205c42b9f947938ba4d9eea0c8e88bf912f526011
SHA-512 uses 64-bit words and 80 rounds, providing 256-bit security. Surprisingly, it's often faster than SHA-256 on 64-bit processors because it processes larger blocks with native 64-bit operations.
When to use:
- Maximum security requirements
- 64-bit systems (better performance than SHA-256)
- Long-term security (resistant to quantum speedup for longer)
SHA-384
Output: 384 bits (48 bytes, 96 hex characters)
Block size: 1024 bits
Rounds: 80
SHA384("Hello, World!") = 7aa4463f2b26e9e01947984f60d2b38835368f377c682900cd31b0cfe184d297c6f503a4f9963c9f12283cb0e738b7c4
SHA-384 is a truncated SHA-512 with different initial values. It provides 192-bit security.
When to use: When you need more than 128-bit security but don't need the full 512-bit output. Common in government and financial applications requiring 192-bit security.
SHA-512/256
Output: 256 bits (32 bytes, 64 hex characters)
Block size: 1024 bits
Rounds: 80
SHA512/256("Hello, World!") = 0686f0a605973dc1bf035d1e2b9bad1985a0bff712ddd88abd8d2593e5f99030
SHA-512/256 uses the SHA-512 algorithm but truncates the output to 256 bits. It has different initial values than SHA-512.
Why use it instead of SHA-256?
- Faster on 64-bit systems (uses SHA-512 internals)
- Resistant to length extension attacks (different structure)
- Same output size as SHA-256, often better performance
When to use: When you want SHA-256-sized output but are running on 64-bit systems and want better performance.
SHA-512/224
Output: 224 bits (28 bytes, 56 hex characters)
Block size: 1024 bits
Rounds: 80
SHA512/224("Hello, World!") = 766745f058e8a0438f19de48ae56ea5f123fe738af39bca050a7547a
SHA-512/224 uses SHA-512 internals but produces 224-bit output.
When to use: Rare. When you need 224-bit output but want SHA-512 performance on 64-bit systems.
Comparison: Which One Should You Use?
Decision Flowchart
Need a hash function?
│
├─► 64-bit system?
│ │
│ ├─► Yes ─► Need 256-bit output? ─► SHA-512/256
│ │ (faster than SHA-256)
│ │
│ └─► No ──► SHA-256
│
├─► Maximum security needed?
│ │
│ └─► Yes ─► SHA-512
│
├─► Government/compliance requirement?
│ │
│ ├─► 192-bit security ─► SHA-384
│ └─► 112-bit security ─► SHA-224
│
└─► Default choice ─► SHA-256
Performance Comparison
On a typical 64-bit processor:
| Algorithm | Relative Speed | Best Use Case |
|---|---|---|
| SHA-256 | 1.0x (baseline) | 32-bit systems, general use |
| SHA-512 | 1.5x faster | 64-bit systems, max security |
| SHA-512/256 | 1.5x faster | 64-bit systems, 256-bit output |
| SHA-384 | 1.5x faster | 64-bit systems, 192-bit security |
The SHA-512 family is faster on 64-bit systems because they use native 64-bit operations. On 32-bit systems, SHA-256 is faster because it uses native 32-bit operations.
Security Analysis
Known Attacks
As of 2025, no practical attacks exist against any SHA-2 variant. The best known attacks are:
| Attack Type | SHA-256 | SHA-512 |
|---|---|---|
| Collision (theoretical) | 2^128 | 2^256 |
| Collision (best attack) | 2^127.5 (trivial improvement) | 2^255.5 |
| Preimage | 2^256 | 2^512 |
| Preimage (best attack) | 2^254.9 (for reduced rounds) | None significant |
These "attacks" are against reduced-round versions or provide negligible improvements. Full SHA-2 remains secure.
Length Extension Attacks
SHA-256 and SHA-512 are vulnerable to length extension attacks due to their Merkle-Damgård construction:
Given: hash(message) and length of message
Attacker can compute: hash(message || padding || attacker_data)
Without knowing: the original message
Mitigations:
- Use HMAC-SHA256 instead of hash(key || message)
- Use SHA-512/256 or SHA-512/224 (resistant due to truncation)
- Use SHA-3 (inherently resistant)
Quantum Resistance
Grover's algorithm provides a quadratic speedup for hash preimages:
- SHA-256: 2^256 → 2^128 (still secure)
- SHA-512: 2^512 → 2^256 (very secure)
For collision finding, quantum computers provide less advantage. SHA-256 remains secure against foreseeable quantum attacks.
Real-World Usage
Bitcoin and Cryptocurrencies
Bitcoin uses SHA-256 extensively:
- Mining: SHA256(SHA256(block_header)) — double SHA-256
- Addresses: RIPEMD160(SHA256(public_key))
- Merkle trees: Transaction verification
TLS/SSL Certificates
Since the SHA-1 deprecation, SHA-256 is the standard:
Certificate:
Signature Algorithm: sha256WithRSAEncryption
Git (Transitioning)
Git is migrating from SHA-1 to SHA-256:
# New repositories can use SHA-256
git init --object-format=sha256
File Integrity
Package managers and downloads:
# Verify a download
sha256sum -c SHA256SUMS
# Generate checksum
sha256sum file.tar.gz > SHA256SUMS
Code Examples
Python
import hashlib
# SHA-256
hash_256 = hashlib.sha256(b"Hello, World!").hexdigest()
print(f"SHA-256: {hash_256}")
# SHA-512
hash_512 = hashlib.sha512(b"Hello, World!").hexdigest()
print(f"SHA-512: {hash_512}")
# SHA-384
hash_384 = hashlib.sha384(b"Hello, World!").hexdigest()
print(f"SHA-384: {hash_384}")
# SHA-512/256 (Python 3.9+)
hash_512_256 = hashlib.new('sha512_256', b"Hello, World!").hexdigest()
print(f"SHA-512/256: {hash_512_256}")
Node.js
const crypto = require('crypto');
// SHA-256
const hash256 = crypto.createHash('sha256')
.update('Hello, World!')
.digest('hex');
console.log(`SHA-256: ${hash256}`);
// SHA-512
const hash512 = crypto.createHash('sha512')
.update('Hello, World!')
.digest('hex');
console.log(`SHA-512: ${hash512}`);
Command Line
# SHA-256
echo -n "Hello, World!" | sha256sum
# SHA-512
echo -n "Hello, World!" | sha512sum
# SHA-384
echo -n "Hello, World!" | sha384sum
# File hashing
sha256sum myfile.txt
SHA-2 vs Other Hash Functions
| Property | SHA-2 | SHA-3 | BLAKE3 |
|---|---|---|---|
| Design | Merkle-Damgård | Sponge (Keccak) | Merkle tree |
| Speed | Fast | Moderate | Very fast |
| Parallelizable | No | No | Yes |
| Length extension | Vulnerable | Resistant | Resistant |
| Hardware support | AES-NI helps | Dedicated instructions | AVX2/AVX-512 |
| Maturity | 24+ years | 10+ years | 5+ years |
| Standard | NIST FIPS | NIST FIPS | Not NIST |
Conclusion
SHA-2 has earned its place as the cryptographic workhorse of the internet. After more than two decades, it remains unbroken and continues to secure everything from Bitcoin transactions to TLS certificates.
Quick recommendations:
- Default choice: SHA-256
- 64-bit systems: SHA-512/256 (same security, better performance)
- Maximum security: SHA-512
- Compliance: Check your requirements (SHA-384 for 192-bit security)
While SHA-3 offers a backup with a completely different design, and BLAKE3 offers better performance, SHA-2 remains the safe, well-analyzed choice for production systems.
References
- NIST FIPS 180-4. Secure Hash Standard
- NIST SP 800-107 Rev 1. Recommendation for Applications Using Approved Hash Algorithms
- Guido Bertoni et al. The Design of SHA-3 and Its Role
- Bitcoin Wiki. Block hashing algorithm
- OpenSSL Documentation. SHA256, SHA384, SHA512