up:: Classical Cryptography MOC
FIPS 180-4
FIPS 180-4 is the NIST Secure Hash Standard (SHS), the federal specification that defines the approved SHA-1 and SHA-2 hash functions, the fingerprinting algorithms that sit underneath digital signatures, TLS certificates, software integrity checks, and password storage. It specifies seven functions in one document: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. The quantum headline is reassuring: every hash in FIPS 180-4 survives the arrival of a quantum computer with room to spare, because the only relevant quantum attack, Grover’s algorithm, gives a mild square-root speedup that a longer digest fully restores. That is the opposite of the public-key algorithms RSA and ECDH, which Shor’s algorithm breaks outright. The newer SHA-3 family is a separate standard, FIPS 202, not part of FIPS 180-4.
Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.
The short version:
- FIPS 180-4 is NIST’s Secure Hash Standard, and it specifies exactly seven hash functions: SHA-1 plus the six members of the SHA-2 family.
- These are the hashes behind almost everything that proves data is genuine and unchanged: signatures, certificates, code signing, and integrity checks.
- SHA-3 is a different standard (FIPS 202), so “the SHA-3 note” and “the FIPS 180-4 functions” are separate documents that both stay approved.
- All of these hashes survive quantum computing. Grover’s algorithm halves the effective preimage strength, and moving to a longer digest restores the full margin, so the fix is a size choice, not a new algorithm.
- The quantum migration is a public-key story, not a hashing story. SHA-1 is being retired for an unrelated classical reason, and the practical hash move is raising policy to SHA-384 for the longest-lived, highest-assurance work.
Think of FIPS 180-4 as the official, government-published parts catalog for a single kind of tool: the tamper-evident seal. It doesn’t build anything on its own. It names the approved seals, spells out exactly how each one is made so any two labs produce the identical seal from the same input, and lists their sizes so an engineer can pick the right one. When a standard like the Digital Signature Standard or a TLS profile says “hash it first,” this is the catalog it’s pointing at.
What is FIPS 180-4?
FIPS 180-4 is the Federal Information Processing Standard titled “Secure Hash Standard (SHS),” published by the National Institute of Standards and Technology, that specifies the approved cryptographic hash functions in the SHA-1 and SHA-2 lines. A cryptographic hash function takes a message of any length and deterministically compresses it into a fixed-size output called a digest, built so the digest behaves like a fingerprint: the same input always gives the same digest, any change to the input scrambles the output, and you cannot run the function backward to recover the input.
The current edition was published in August 2015, superseding the 2012 revision, and the “-4” marks the fourth revision of the original 1993 Secure Hash Standard. As a FIPS, it is mandatory for U.S. federal systems and the cryptographic modules they buy, and because insurers, sector regulators, and procurement programs align to NIST, it functions as the practical reference for hashing far beyond government. NIST announced in 2023 that it intends to revise FIPS 180-4 again, so the specific document number will move over time even as the SHA-2 functions inside it carry forward.
FIPS 180-4 defines the functions themselves. The rules for how those hashes get used inside other constructions live in companion standards: the Digital Signature Standard (FIPS 186-5) for signatures, FIPS 198-1 for HMAC message authentication, and SP 800-107 for general guidance on choosing hash strength.
Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.
Which hash functions does FIPS 180-4 define?
FIPS 180-4 specifies seven hash functions: the legacy SHA-1, and the six members of the SHA-2 family. They differ by output (digest) size, which sets both their classical and their quantum security margin. The table lists each function, its digest size, and where it stands today.
| Function | Digest size | Family | Status |
|---|---|---|---|
| SHA-1 | 160-bit | SHA-1 | Legacy, being retired; broken by a classical collision attack, unrelated to quantum |
| SHA-224 | 224-bit | SHA-2 | Approved; thin margin, prefer SHA-256 for new work |
| SHA-256 | 256-bit | SHA-2 | Approved; the everyday workhorse, survives quantum |
| SHA-384 | 384-bit | SHA-2 | Approved; high-assurance and long-retention default |
| SHA-512 | 512-bit | SHA-2 | Approved; maximum margin, often faster on 64-bit hardware |
| SHA-512/224 | 224-bit | SHA-2 | Approved; 64-bit-hardware alternative to SHA-224 |
| SHA-512/256 | 256-bit | SHA-2 | Approved; 64-bit-hardware alternative to SHA-256 |
The six SHA-2 functions split into two internal branches by the word size their compression function operates on. The 32-bit branch holds SHA-224 and SHA-256; the 64-bit branch holds SHA-384, SHA-512, and the two truncated variants SHA-512/224 and SHA-512/256. SHA-1 is the odd one out: it shares the same broad Merkle-Damgard shape but produces only a 160-bit digest, which is why it fell to a real-world attack while the SHA-2 members held. The round-by-round mechanism of how these functions actually compute a digest lives in the SHA-256 note, the single-algorithm deep dive for the family.
Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.
What is the difference between FIPS 180-4 and FIPS 202 (SHA-3)?
FIPS 180-4 and FIPS 202 are two separate NIST hash standards, and both stay fully approved. FIPS 180-4 specifies the SHA-1 and SHA-2 functions, which use the Merkle-Damgard construction (chaining a compression function block by block). FIPS 202 specifies the SHA-3 family, SHA3-224 through SHA3-512 plus the SHAKE extendable-output functions, built on the structurally different Keccak sponge construction.
NIST standardized SHA-3 in 2015 as an alternative to SHA-2, not a replacement, so that the world would have a hash family with a completely independent internal design ready in case a weakness ever surfaced in the SHA-2 line. No such weakness has appeared, so SHA-2 remains the more widely deployed of the two. A common source of confusion is treating “SHA-3” as the newer, mandatory upgrade to “SHA-2.” It’s an approved sibling that lives in a different document, and picking between them is an engineering choice, not a compliance deadline.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
What are the FIPS 180-4 hash functions used for?
The functions in FIPS 180-4, and SHA-256 above all, are among the most widely deployed cryptographic primitives on earth, and they usually sit underneath systems people think of as certificates, signatures, or integrity checks rather than appearing as a visible feature. Their common jobs:
- Integrity verification. Comparing the SHA-256 digest of a downloaded file, package, or firmware image against a published value confirms the bytes were not altered in transit or storage.
- Digital signature preprocessing. A digital signature is almost never computed over a whole document. The document is hashed first with a FIPS 180-4 function, and the signature is computed over the small fixed-size digest.
- Certificate signatures. TLS and other X.509 certificates are signed over a SHA-2 digest of the certificate contents, which binds a certificate’s identity to the issuing authority.
- Message authentication. HMAC-SHA-256 authenticates API requests, session tokens, and webhooks, proving both that a message is intact and that it came from someone holding the shared key.
- Key derivation and password handling. SHA-2 is the underlying hash in constructions like HKDF and inside slow, salted password-storage schemes.
- Content addressing and ledgers. Version-control systems, content-addressed storage, and blockchains identify and link data by its SHA-2 digest, so the identifier itself certifies the content.
The pattern across all of these is that these hashes are an integrity-and-trust workhorse. They prove that data is what it claims to be, which is a different job from keeping data secret, and that difference is exactly why their quantum story is so much calmer than the public-key one.
Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.
Do the FIPS 180-4 hashes survive quantum computers?
Yes. Every hash function in FIPS 180-4 survives the quantum transition, because none of them rests on the hidden mathematical structure that a quantum computer exploits. Shor’s algorithm, the quantum attack that actually breaks cryptography, solves integer factorization and the discrete logarithm, and neither of those has anything to do with a hash function. The only quantum pressure a hash faces comes from Grover’s algorithm, and Grover weakens rather than breaks:
- Preimage resistance takes a square-root hit. Grover searches an unstructured space of
Npossibilities in about√Nsteps instead of up toN, which halves the effective preimage strength. A 256-bit digest drops from 256-bit toward about 128-bit strength, still astronomically out of reach, and a 384-bit digest keeps about 192 bits. - Collision resistance is barely touched. Finding a collision already costs about half the digest size in bits classically, because of the birthday effect, and realistic quantum collision attacks add little practical advantage once their enormous memory and hardware costs are counted.
NIST states the general case plainly: Grover’s quadratic speedup “does not render cryptographic technologies obsolete,” but “can have the effect of requiring larger key sizes, even in the symmetric key case,” and for hash functions the remedy is a larger output rather than a new algorithm. So the response for hashing is upsize where a workflow needs more margin, and there is no separate post-quantum hash family to migrate to. The full mechanism behind these numbers lives in the SHA-256 and SHA-2 notes.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
Why is the quantum migration a public-key story, not a hashing story?
Because quantum computers do opposite things to the two halves of cryptography, and the FIPS 180-4 hashes sit firmly on the surviving side. The public-key algorithms (RSA, Diffie-Hellman, ECDH, and the elliptic-curve signature schemes) all rest on factoring or discrete logarithms, and Shor’s algorithm solves both efficiently, so those algorithms stop working entirely and need brand-new replacements like ML-KEM and ML-DSA. The hashes in FIPS 180-4 face only Grover’s mild square-root dent.
So a more accurate headline than “quantum breaks all cryptography” is that quantum computers break the public-key half and dent the hash-and-symmetric half. The practical consequence for anyone planning a migration is that effort spent worrying about replacing SHA-256 is effort not spent on the urgent work, which is finding and replacing the vulnerable public-key algorithms that sign and exchange keys around it. The one genuine hash-side move is raising policy to SHA-384 for the highest-value, longest-lived integrity (firmware roots of trust, decades-long compliance records, national-security workflows), and even that is a parameter change inside FIPS 180-4, not a new standard.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
Which FIPS 180-4 functions should you still use?
Use SHA-256 as the default for most integrity, signature, and authentication work, and raise policy to SHA-384 or SHA-512 where the assurance or the data lifetime genuinely demands the wider margin. Two functions in the standard are on the way out or worth phasing down:
- SHA-1 is being retired for a classical reason. Its 160-bit digest gives only about 80 bits of collision resistance, and in 2017 a research team produced the first real-world SHA-1 collision, two distinct PDF files with the same digest. NIST deprecated SHA-1 in 2011, disallowed it for digital signatures at the end of 2013, and published a plan in December 2022 to remove it from cryptographic modules by the end of 2030. This break has nothing to do with quantum computing.
- SHA-224 and SHA-512/224 carry the thinnest margin. Their roughly 112-bit strength is the lowest in the family, so SHA-256 is the natural default for new designs.
Everything else in the standard is a keeper. SHA-256, SHA-384, and SHA-512 all carry comfortable margins that no foreseeable quantum machine threatens, and choosing among them is a policy decision by use case, not a broken-versus-safe judgment.
Sources: NIST, “NIST Retires SHA-1 Cryptographic Algorithm,” December 15, 2022, nist.gov.
Marc Stevens et al., “The first collision for full SHA-1,” CRYPTO 2017, shattered.io.
Common misconceptions
- “FIPS 180-4 includes SHA-3.” It does not. FIPS 180-4 covers SHA-1 and the SHA-2 family; SHA-3 is a separate standard, FIPS 202, with a different internal design.
- “Quantum computers will break the FIPS 180-4 hashes.” They will not. The only relevant quantum attack is Grover’s, which halves the preimage margin and barely touches collision resistance, both still far out of reach for SHA-256 and above.
- “SHA-1 is weak because of quantum.” No. SHA-1 fell to a classical collision attack in 2017 because its 160-bit output is too short. Its retirement is unrelated to quantum computing.
- “The whole standard is obsolete, so I need a post-quantum hash.” There is no post-quantum hash family to move to. SHA-256 and above already carry enough margin, and the fix where more is wanted is a longer digest inside FIPS 180-4.
- “SHA-256 and SHA-384 are a broken-versus-safe pair.” Both are safe. SHA-384 simply carries a wider margin for high-assurance and decades-long integrity, not for ordinary checks.
- “FIPS 180-4 is frozen because it’s old.” The document is from 2015, but NIST has announced plans to revise it, and the SHA-2 functions it defines carry forward into any successor.
Questions people ask
What does FIPS 180-4 actually specify? It specifies seven cryptographic hash functions: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Together these are the SHA-1 and SHA-2 families. It defines exactly how each one turns a message into a fixed-size digest, so any correct implementation produces identical output.
Is FIPS 180-4 the same as SHA-2? Not quite. SHA-2 is the family of six functions (SHA-224 through SHA-512/256), and FIPS 180-4 is the NIST standard document that specifies those six plus the older SHA-1. People often say “SHA-2” to mean the functions and “FIPS 180-4” to mean the standard that defines them.
Where is SHA-3? In a different standard, FIPS 202, not in FIPS 180-4. SHA-3 uses the Keccak sponge construction and was standardized as an approved alternative to SHA-2, so both remain valid choices.
Do I need to replace the FIPS 180-4 hashes for post-quantum security? No, with one caveat. SHA-256 and above survive the quantum transition, so there is no hash family to migrate to. The move worth planning is raising policy to SHA-384 where the data lifetime or assurance demands it, and retiring SHA-1 for its unrelated classical break.
Why is SHA-1 still in the standard if it’s broken? It remains specified for backward compatibility and for a few non-security uses, but NIST has deprecated it and set a plan to remove it from cryptographic modules by the end of 2030. New designs should not use it.
Does FIPS 180-4 tell me how to use a hash inside a signature or HMAC? No, that guidance lives in companion standards: FIPS 186-5 for digital signatures, FIPS 198-1 for HMAC, and SP 800-107 for choosing hash strength. FIPS 180-4 defines the hash functions themselves.
Which function should I default to? SHA-256 for the vast majority of work, moving up to SHA-384 or SHA-512 for firmware roots of trust, long-lived compliance records, and national-security workflows. Avoid SHA-1 and phase SHA-224 out of new designs.
Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.