up:: Classical Cryptography MOC

SHA-2

SHA-2 is the NIST-standardized family of cryptographic hash functions defined in FIPS 180-4, made up of SHA-224, SHA-256, SHA-384, SHA-512, and the truncated variants SHA-512/224 and SHA-512/256, each of which turns an input of any size into a fixed-length digest that acts as a tamper-evident fingerprint. The whole family survives the quantum transition.

The strongest known quantum attack on a hash, Grover’s algorithm, only gives a square-root speedup on preimage search, which drops each member’s effective preimage strength to roughly half its output size while leaving collision resistance about where it already was. That is the opposite of what Shor’s algorithm does to public-key algorithms like RSA and ECDH, which it breaks outright. NIST and CNSA 2.0 both keep SHA-2 for the quantum era and point to SHA-384 and SHA-512 for the highest-assurance work, which is what separates SHA-2 from the retired SHA-1.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

The short version:

  • SHA-2 is a family of six hash functions in one standard (FIPS 180-4), not a single algorithm, and it rests on output size rather than the factoring or discrete-log math that quantum computers demolish.
  • Grover’s algorithm gives only a quadratic speedup on preimage search, so every member keeps about half its output size in effective strength: SHA-256 stays near 128 bits, SHA-384 near 192, and SHA-512 near 256.
  • Collision resistance was already about half the output size classically because of the birthday effect, and realistic quantum collision attacks buy little practical advantage, so the collision side is barely touched.
  • SHA-2 is generally retained through the transition. The move worth making is raising hash policy to SHA-384 or SHA-512 for high-assurance and long-retention workflows, not replacing the family.
  • CNSA 2.0 keeps hashing in the SHA-2 family and requires SHA-384 or SHA-512 for U.S. national-security systems, which is the clearest signpost that SHA-2 survives the quantum era.
  • SHA-2 is a completely different case from SHA-1, which NIST is retiring by the end of 2030 because it fell to a real classical collision attack. SHA-2 has no such break.

What is the SHA-2 family?

SHA-2 is a family of cryptographic hash functions published by NIST in the Secure Hash Standard, FIPS 180-4. A hash function takes a message of arbitrary length and deterministically compresses it into a fixed-length output called a digest, and a cryptographic one is built so the digest behaves like a fingerprint: the same input always gives the same digest, a different input almost always gives a different digest, and you cannot run the process backward to recover the input. The “2” distinguishes this family from the older SHA-0 and SHA-1 designs and from the structurally different SHA-3 family, which NIST standardized separately in FIPS 202.

Every member of SHA-2 aims to provide the same three security properties:

  1. Preimage resistance. Given a digest, you cannot feasibly find any input that hashes to it. This is what protects a stored hash of a secret.
  2. Second-preimage resistance. Given one input, you cannot feasibly find a different input with the same digest. This protects a signed or published file from being swapped for another that hashes identically.
  3. Collision resistance. You cannot feasibly find any two different inputs that share a digest at all. This is the property that certificate signatures and content-addressing lean on.

The family splits into two internal branches by the word size the compression function operates on. The 32-bit branch holds SHA-224 and SHA-256. The 64-bit branch holds SHA-384, SHA-512, and the truncated variants SHA-512/224 and SHA-512/256. Members within a branch share a compression function and differ mainly in their initial constants and how much of the final state they output, which is why SHA-224 is essentially SHA-256 truncated and SHA-384 is essentially SHA-512 truncated. SHA-2 is a hash family and nothing more. It is not an encryption scheme, not a public-key primitive, and not a signature scheme on its own, though signatures and message authentication codes are built on top of it.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

What are the members of the SHA-2 family?

FIPS 180-4 defines six SHA-2 hash functions across the two word-size branches. They differ by output size, which sets both their classical and their quantum security margin. The table gives each member, its branch, its digest size, and its effective strength once you account for the quantum picture below.

MemberBranchOutput sizeEffective quantum preimage strengthEffective collision strengthTypical disposition
SHA-22432-bit224-bit~112-bit~112-bitRetire in favor of SHA-256 for new work
SHA-25632-bit256-bit~128-bit~128-bitKeep for most integrity and signature work
SHA-38464-bit384-bit~192-bit~192-bitHigh-assurance and long-retention default
SHA-51264-bit512-bit~256-bit~256-bitMaximum margin, often faster on 64-bit hardware
SHA-512/22464-bit224-bit~112-bit~112-bit64-bit-hardware alternative to SHA-224
SHA-512/25664-bit256-bit~128-bit~128-bit64-bit-hardware alternative to SHA-256

The effective preimage numbers come from halving the output size under an idealized Grover attack, and the collision numbers from the birthday bound of about half the output. The truncated 64-bit variants exist because SHA-512’s compression is faster than SHA-256’s on 64-bit processors, so SHA-512/256 gives you a 256-bit digest at 64-bit speed, with a fresh set of initial constants that make its output a distinct digest rather than a truncated prefix of a SHA-512 digest.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

How does SHA-2 work?

Every SHA-2 member uses the Merkle-Damgard construction, which turns a fixed-size compression function into a hash that accepts any length of input by chaining the compression over the message block by block. The process runs in a fixed sequence:

  1. Padding. The message is padded so its total length is a multiple of the block size (512 bits for the 32-bit branch, 1024 bits for the 64-bit branch), and the original message length is encoded into the final bits of the padding.
  2. Blocking. The padded message is split into fixed-size blocks.
  3. Chaining. SHA-2 maintains an internal chaining state initialized to a fixed set of constants. Each block is fed into the compression function together with the current state, and the output becomes the new state for the next block.
  4. Compression. For each block, the compression function runs a fixed number of rounds (64 for the 32-bit branch, 80 for the 64-bit branch), expanding the block into a longer message schedule and mixing it into the state using modular addition, bitwise XOR, logical selection functions, rotations, and a different round constant at each round.
  5. Output. After the last block, the final chaining state, truncated to the member’s output length, is the digest.

The combination of nonlinear logical functions, rotations, and the expanding message schedule gives SHA-2 the avalanche property: flipping a single bit of the input changes roughly half the output bits unpredictably. The full mechanism, round by round, lives in the SHA-256 note, which is the single-algorithm deep dive for this family.

One structural caveat matters for real systems. Merkle-Damgard hashes are open to a length-extension attack, where someone who knows hash(secret || message) and the length of the secret can compute hash(secret || message || extra) without knowing the secret. This is why you never authenticate a message by hashing a secret and the message together with a bare SHA-2 call. The correct construction is HMAC, which nests the hash so the length-extension hole is closed. That is a property of the construction, and it has nothing to do with quantum computing.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

What is SHA-2 used for?

SHA-2 is one of the most widely deployed cryptographic primitives on earth, and it usually sits underneath systems people think of as certificates, signatures, or integrity checks rather than appearing as a visible feature. Its common jobs:

  1. Integrity verification. Comparing the SHA-2 digest of a downloaded file, package, or firmware image against a published value confirms the bytes were not altered in transit or storage.
  2. Digital signature preprocessing. A digital signature is almost never computed over a whole document. The document is hashed first, and the signature is computed over the small fixed-size digest. SHA-2 produces that digest for a large share of signatures in use.
  3. Certificate signatures. TLS and other X.509 certificates are signed over a SHA-2 digest of the certificate contents, which is what binds a certificate’s identity to the issuing authority.
  4. Message authentication. HMAC-SHA-256 and its siblings authenticate API requests, session tokens, and webhooks, proving both that a message is intact and that it came from someone holding the shared key.
  5. Key derivation. SHA-2 is the underlying hash in constructions like HKDF and in password-storage schemes, usually as a building block inside a slow, salted design rather than as a bare hash of a secret.
  6. Content addressing and ledgers. Version-control systems, content-addressed storage, and blockchains identify and link data by its SHA-2 digest, so the identifier itself certifies the content.

The pattern across all of these is that SHA-2 is an integrity-and-trust workhorse. It rarely protects confidentiality directly. It proves that data is what it claims to be, which is a different job from keeping data secret, and that difference shapes its quantum exposure.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

Is SHA-2 quantum-vulnerable?

No, not in the way public-key cryptography is. SHA-2 is not structurally broken by a quantum computer, because it does not rest on a hidden mathematical structure the way factoring or the discrete logarithm do. Shor’s algorithm, the quantum attack that actually breaks cryptography, solves those number-theoretic problems and does not apply to a hash function. The only relevant quantum pressure on SHA-2 comes from Grover’s algorithm, and Grover weakens rather than breaks. Walking the two properties that matter:

  1. Preimage resistance takes a square-root hit. Grover searches an unstructured space of N possibilities in about √N steps instead of up to N. Finding a preimage for an n-bit digest is a search over roughly 2^n inputs, which Grover reduces to about 2^(n/2) work. So each member keeps about half its output size in effective preimage strength: SHA-256 drops toward about 128 bits, SHA-384 toward about 192, and SHA-512 toward about 256, all astronomically out of reach.
  2. Collision resistance is barely touched. Collision-finding was never a 2^n problem to begin with. The birthday effect already lets a classical attacker find a collision in an n-bit hash in about 2^(n/2) work, so SHA-256 offers roughly 128 bits of collision resistance even today. Quantum collision algorithms exist, but in realistic cost models that account for the enormous memory and hardware they require, they offer little or no practical advantage over the classical birthday attack.

NIST states the general case plainly: Grover’s quadratic speedup on unstructured search “does not render cryptographic technologies obsolete,” but “can have the effect of requiring larger key sizes, even in the symmetric key case,” and for hash functions the remedy is a larger output rather than a new algorithm. The practical read is that every SHA-2 member keeps about half its output size in security on both counts, which stays strong for the overwhelming majority of uses.

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

Which SHA-2 member should you use, and when is SHA-384 worth it?

Use SHA-256 for the vast majority of work, and move to SHA-384 or SHA-512 where the assurance or the data lifetime genuinely demands the wider margin. SHA-256 and SHA-384 are not a broken-versus-safe pair. They are a “safe” and a “safe with more headroom” pair, and the choice is a policy decision by use case. SHA-256’s roughly 128 bits of quantum-adjusted strength is a margin no foreseeable machine threatens, so it stays the sensible default for TLS certificates, code signing, package integrity, and everyday authentication.

The reason to raise policy to SHA-384 or SHA-512 is margin for the highest-value, longest-lived integrity: firmware root-of-trust, long-horizon audit and compliance records, national-security workflows, and anything whose integrity guarantee has to hold for decades. Moving up the family is a policy and parameter change, not a migration to a new algorithm family, which is exactly why hash policy belongs in the “review and strengthen” pile rather than the “rip and replace” pile. SHA-224 and SHA-512/224 are the two members worth phasing out of new designs, since their roughly 112-bit margin is the thinnest in the family, and SHA-256 is the natural replacement.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

How is SHA-2 different from the broken SHA-1?

SHA-2 survives because no practical attack breaks it, while SHA-1 is being retired because a practical attack does break it, and the two facts are independent of quantum computing. SHA-1 produces a 160-bit digest, which gives only about 80 bits of classical collision resistance under the birthday bound. In 2017 a research team produced the first real collision for full SHA-1, two distinct PDF files with the same SHA-1 digest, using a large but achievable amount of computation. That was a classical break of collision resistance, with no quantum computer involved.

NIST responded by formally retiring SHA-1. Its guidance is that federal agencies should stop using SHA-1 in the affected applications and that cryptographic modules may not use SHA-1 after December 31, 2030, with the recommendation to “migrate to SHA-2 or SHA-3 as soon as possible.” SHA-2 is where that migration lands precisely because its members carry enough output size that no analogous collision or preimage attack exists against them, classical or quantum. Conflating the two is a common mistake: SHA-1 falls to a real classical collision, and SHA-2 keeps its margin, so treating SHA-2 as “the next SHA-1 waiting to break” gets the situation backward.

Sources: NIST, “NIST Retires SHA-1 Cryptographic Algorithm,” December 15, 2022, nist.gov; Marc Stevens et al., “The first collision for full SHA-1,” CRYPTO 2017, shattered.io.

Why is “quantum breaks all cryptography” wrong for SHA-2?

The claim is wrong because it collapses two very different halves of cryptography into one, and quantum computers do opposite things to each half. SHA-2 sits firmly on the surviving side. The distinction the headline erases:

  1. Public-key cryptography is the catastrophe. RSA, Diffie-Hellman, ECDH, and the elliptic-curve signature schemes all rest on factoring or discrete logarithms, and Shor’s algorithm solves both efficiently. Those algorithms stop working entirely, which is why they need brand-new post-quantum replacements like ML-KEM and ML-DSA.
  2. Hash functions and symmetric ciphers mostly survive. SHA-2 faces only Grover’s algorithm, which halves the preimage margin and barely touches collision resistance. The fix, where one is even needed, is a longer digest inside the same family, not a new family.

So a more accurate headline is that quantum computers break the public-key half of cryptography and dent the hash-and-symmetric half. Repeating “quantum breaks everything” aims remediation at the wrong layer. Time and money spent worrying about replacing SHA-2 is time and money not spent on the urgent work, which is replacing the vulnerable public-key algorithms that sign and protect the data around it, ideally with the crypto-agility to swap algorithms and hash sizes cleanly.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

Does CNSA 2.0 keep SHA-2, and what does it require?

CNSA 2.0, the NSA suite that sets post-quantum algorithm requirements for U.S. National Security Systems, keeps hashing inside the SHA-2 family and requires SHA-384 or SHA-512 for national-security work at all classification levels. It does not deprecate SHA-2 the way it retires classical public-key algorithms. The same advisory that removes RSA and ECDH in favor of ML-KEM and ML-DSA holds SHA-2 in place and simply sets the required output at 384 bits or larger for its highest-assurance domain.

That choice is strong public evidence for SHA-2’s standing. When the most conservative cryptographic authority in the U.S. government treats hashing as survivable and moves the dial from 256 to 384 bits for its most sensitive systems rather than to a new hash family, it confirms two things at once: the SHA-2 design carries forward through the quantum era, and SHA-384 is the specific high-assurance step for the workflows that need the most margin. For everything below that bar, SHA-256’s roughly 128-bit margin remains the reasonable default.

Source: NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022, nsa.gov.

Common misconceptions

  1. “Quantum computers will break SHA-2.” They will not. The only relevant quantum attack is Grover’s, which halves the preimage margin of each member and barely touches collision resistance, both still far out of reach.
  2. “SHA-2 needs to be replaced with a post-quantum hash.” It does not. There is no separate post-quantum hash family to migrate to, because SHA-2 already carries enough margin. The replacements are for public-key algorithms.
  3. “SHA-2 is the next SHA-1, waiting to fall.” No. SHA-1 fell to a real classical collision because its 160-bit output gives only about 80 bits of collision resistance. SHA-2’s members carry 224 to 512 bits, and no analogous attack exists against them.
  4. “Grover halves collision resistance the same way it halves preimage resistance.” It does not. Collision resistance was already about half the output size classically because of the birthday effect, and realistic quantum collision attacks add little practical advantage, so the collision side is roughly unchanged.
  5. “SHA-256 and SHA-384 are a broken-versus-safe pair.” Both are safe. SHA-384 simply carries a wider margin, which matters for high-assurance and decades-long integrity, not for ordinary integrity checks.
  6. “You can authenticate a message by hashing a secret and the message with a bare SHA-2 call.” You should not, because the Merkle-Damgard construction allows a length-extension attack. Use HMAC with a SHA-2 member, which is built to close that hole.

Questions people ask

Is SHA-2 still safe to use today? Yes, and it is a reasonable long-term default for most integrity and signature work. Every member is strong against classical attackers and keeps roughly half its output size in security against a quantum attacker, so SHA-256 holds about 128 bits and SHA-384 about 192, both wide margins.

Do I have to replace SHA-2 for post-quantum security? No. SHA-2 is one of the primitives that carries forward through the transition. The post-quantum replacements target public-key algorithms like RSA and ECDH, not hash functions. The only hash-side move worth planning is raising policy to SHA-384 or SHA-512 where the assurance or data lifetime demands it.

Which SHA-2 member should I use? SHA-256 is the right default for TLS certificates, code signing, and everyday integrity and authentication. Move to SHA-384 or SHA-512 for firmware root-of-trust, long-lived compliance records, and national-security workflows. Phase SHA-224 and SHA-512/224 out of new designs, since their roughly 112-bit margin is the thinnest in the family.

What is the difference between SHA-256 and SHA-384 for quantum? Both survive. Grover halves the preimage margin of each, so SHA-256 keeps about 128 bits and SHA-384 keeps about 192. SHA-384 is the high-assurance and long-retention choice, and CNSA 2.0 requires it for U.S. national-security systems, while SHA-256 stays fine for everyday use.

Is SHA-2 the same as SHA-256? Not quite. SHA-256 is one member of the SHA-2 family, the 256-bit function on the 32-bit branch. People often say “SHA-2” when they mean SHA-256 because it is the most common member, but the family also includes SHA-224, SHA-384, SHA-512, and the truncated 512-based variants.

How is SHA-2 different from SHA-3? SHA-2 uses the Merkle-Damgard construction, while SHA-3 uses a completely different sponge construction based on the Keccak permutation. NIST standardized SHA-3 as an alternative, not a replacement, so both are approved. SHA-3 is naturally immune to the length-extension weakness, but SHA-2 remains fully supported and is more widely deployed.

Does a quantum computer break SHA-2 the way it breaks RSA? No. RSA and ECDH fall to Shor’s algorithm, which solves the exact math they rest on, so they stop working entirely. SHA-2 faces only Grover’s algorithm, which merely halves the preimage margin and leaves collision resistance about where it was.

If SHA-2 is safe, what should the migration actually focus on? The public-key layer: the RSA and ECDH key exchanges and the ECDSA and RSA signatures that quantum computers break. Replacing those with post-quantum standards, with the agility to swap algorithms and hash sizes cleanly, is where the effort belongs.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.