up:: Classical Cryptography MOC

SHA-512/256

SHA-512/256 is the 256-bit truncated variant of the 64-bit branch of the SHA-2 family of cryptographic hash functions, standardized by NIST in FIPS 180-4, and it turns an input of any size into a fixed 256-bit digest that acts as a tamper-evident fingerprint. It runs the full SHA-512 engine with distinct initial values and then keeps only the leading 256 bits, which gives it two things at once: the speed of the 64-bit branch on 64-bit hardware, and resistance to the length-extension attack that bare SHA-256 and full-width SHA-512 carry. It survives the quantum transition. The strongest known quantum attack on it, Grover’s algorithm, only gives a square-root speedup on preimage search, which drops its effective preimage strength toward about 128 bits while leaving collision resistance near 128 bits. That is the opposite of what happens to public-key algorithms like RSA and ECDH, which Shor’s algorithm breaks outright.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

The short version:

  • SHA-512/256 is a hash function, so it rests on output size, not on the factoring or discrete-log math that quantum computers demolish.
  • It runs the SHA-512 compression (1024-bit blocks, 64-bit words, 80 rounds) from a different set of initial hash values, then truncates the 512-bit state to 256 bits of output.
  • The truncation gives it length-extension resistance, because an attacker never sees the full internal state in the digest, so it can be used more directly than bare SHA-256 in some constructions.
  • It has the same 256-bit output as SHA-256 but the speed profile of the 64-bit branch, which on 64-bit hardware is frequently faster than SHA-256.
  • Grover’s algorithm halves the preimage margin, so SHA-512/256 keeps about 128-bit preimage strength, and the birthday-bounded collision resistance stays near 128 bits.
  • It is not structurally broken by quantum, so it carries forward on the same terms as the rest of SHA-2.

What is SHA-512/256?

SHA-512/256 is a 256-bit cryptographic hash function in the SHA-2 family, defined in NIST’s Secure Hash Standard, FIPS 180-4, as one of two truncated members of the 64-bit branch (the other being SHA-384). A hash function takes a message of arbitrary length and deterministically compresses it into a fixed-length output called a digest, and a cryptographic one is built so the digest behaves like a fingerprint: the same input always gives the same digest, a different input almost always gives a different digest, and you cannot run the process backward to recover the input. SHA-512/256’s digest is 256 bits, written as 64 hexadecimal characters, the same length as a SHA-256 digest.

The name encodes exactly what it is: the SHA-512 algorithm, producing a 256-bit output. It is designed to provide the same three properties as the rest of the family:

  1. Preimage resistance. Given a digest, you cannot feasibly find any input that hashes to it.
  2. Second-preimage resistance. Given one input, you cannot feasibly find a different input with the same digest.
  3. Collision resistance. You cannot feasibly find any two different inputs that share a digest at all.

The reason SHA-512/256 exists as a distinct standardized function, rather than just running SHA-512 and chopping the output, is that FIPS 180-4 specifies a dedicated set of initial hash values for it, generated by a defined procedure so that its output is not a simple prefix of a SHA-512 digest. That independent initialization is what makes it a proper function in its own right rather than a truncation an implementer could get subtly wrong. It is a hash function and nothing else, not an encryption algorithm, not a public-key primitive, and not a stand-alone signature scheme, though signatures and message authentication codes are built on top of it.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015 (SHA-512/256: 1024-bit block, 64-bit word, 256-bit digest, distinct initial hash values), csrc.nist.gov/pubs/fips/180-4/final.

How does SHA-512/256 work?

SHA-512/256 uses the same Merkle-Damgard construction and the same compression function as SHA-512, differing only in its starting constants and its final truncation. The process runs in a fixed sequence:

  1. Padding. The message is padded so its total length is a multiple of 1024 bits, and the original length is encoded into the final bits of the padding.
  2. Blocking. The padded message is split into 1024-bit blocks.
  3. Chaining. SHA-512/256 maintains a 512-bit internal chaining state, initialized to a set of eight fixed 64-bit constants that are unique to SHA-512/256 and distinct from SHA-512’s and SHA-384’s. Each 1024-bit block is fed into the compression function together with the current state.
  4. Compression. For each block, the compression function runs the same 80 rounds as SHA-512, mixing the message schedule into the state with modular addition on 64-bit words, bitwise XOR, logical selection functions, and right-rotations and shifts, with a different fixed 64-bit round constant at each round.
  5. Output. After the last block, the final 512-bit chaining state is truncated to its leading 256 bits, and that is the digest.

The truncation is the security-relevant difference. Because SHA-512/256 emits only 256 of the 512 internal state bits, an attacker who holds a digest cannot reconstruct the full internal state, which closes the length-extension attack. An attacker who knows hash(secret || message) cannot extend it to hash(secret || message || extra) without knowing the secret, because half the state stayed hidden. Bare SHA-256 and full-width SHA-512 do not have this property and need HMAC to authenticate messages safely. That is a property of the construction, and it has nothing to do with quantum computing.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

What is SHA-512/256 used for?

SHA-512/256 is the pick when a system wants a 256-bit digest but prefers the 64-bit branch’s speed or its length-extension resistance. Its common jobs:

  1. Integrity verification at 256-bit output on 64-bit hardware. Where a 256-bit digest is the target and the platform is 64-bit, SHA-512/256 can match SHA-256’s output length while running the faster 64-bit compression.
  2. Length-extension-safe fingerprinting. Constructions that would be exposed to length extension with bare SHA-256 can use SHA-512/256 more directly, because its truncation closes that hole without wrapping the hash in HMAC.
  3. Digital signature preprocessing. A digital signature is computed over a small fixed-size digest, not the whole document, and SHA-512/256 produces a 256-bit digest for that step.
  4. Message authentication. HMAC-SHA-512/256 authenticates API traffic and trust metadata, and even the bare function’s length-extension resistance is a convenience in some protocol designs.
  5. Content addressing where a 256-bit identifier is expected. Systems standardized on a 256-bit hash identifier can adopt SHA-512/256 to keep the identifier length while changing the underlying speed and length-extension profile.

The pattern is the same as the rest of SHA-2: SHA-512/256 is an integrity-and-trust primitive that proves data is what it claims to be, rather than keeping it secret. It is less pervasive than SHA-256 in deployed systems, and it shows up where its specific 64-bit-branch speed or its length-extension resistance is the reason to choose it.

Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

Is SHA-512/256 quantum-vulnerable?

No, not in the way public-key cryptography is. SHA-512/256 is not structurally broken by a quantum computer, because it does not rest on a hidden mathematical structure the way factoring or the discrete logarithm do. Shor’s algorithm, the quantum attack that actually breaks cryptography, solves those number-theoretic problems and does not apply to a hash function. The only relevant quantum pressure on SHA-512/256 comes from Grover’s algorithm, and Grover only weakens, it does not break. Walking the two security properties that matter:

  1. Preimage resistance takes a square-root hit. Grover searches an unstructured space of N possibilities in about √N steps instead of up to N. Finding a preimage for a 256-bit digest is a search over roughly 2^256 inputs, which Grover reduces to about 2^128 work. So SHA-512/256’s effective preimage strength drops from 256 bits toward about 128 bits, which is still astronomically out of reach.
  2. Collision resistance is barely touched. Collision-finding was never a 2^256 problem to begin with. The birthday effect already lets a classical attacker find a collision in a 256-bit hash in about 2^128 work, so SHA-512/256 offers roughly 128 bits of collision resistance even today. Quantum collision-finding algorithms exist, but in realistic cost models that account for the enormous memory and hardware they require, they offer little or no practical advantage over the classical birthday attack.

NIST states the general case plainly: Grover’s quadratic speedup on unstructured search “does not render cryptographic technologies obsolete,” but “can have the effect of requiring larger key sizes, even in the symmetric key case,” and for hash functions the remedy is a larger output rather than a new algorithm. SHA-512/256 keeps roughly 128 bits of security on both counts, the same quantum-adjusted margin as SHA-256, which is a wide margin for the overwhelming majority of uses. Where a workflow wants more, the move is to a wider output like SHA-384 or SHA-512, not to a different family.

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

How does SHA-512/256 compare to SHA-256?

SHA-512/256 and SHA-256 produce the same 256-bit digest and offer the same quantum-adjusted strength, and they differ in the branch they run on and in length-extension behavior. The comparison:

PropertySHA-256SHA-512/256
SHA-2 branch32-bit64-bit
Block size512-bit1024-bit
Word size32-bit64-bit
Output size256-bit256-bit
Rounds6480
Length-extension weaknessPresent in bare use, closed by HMACClosed by truncation
Effective quantum preimage strength~128-bit~128-bit
Collision strength~128-bit~128-bit
Typical speed advantage32-bit and constrained hardware64-bit hardware

The two are interchangeable on strength, both classically and against a quantum attacker, so the choice is an engineering one. SHA-512/256 is the pick when the target hardware is 64-bit and the extra speed of the wider branch matters, or when a design wants length-extension resistance without wrapping the hash in HMAC. SHA-256 stays the more widely deployed and more broadly hardware-accelerated default, especially on 32-bit and constrained devices. Neither needs a post-quantum replacement, because both already carry roughly 128 bits of quantum-adjusted margin.

Sources: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final; NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

Common misconceptions

  1. “Quantum computers will break SHA-512/256.” They will not. The only relevant quantum attack is Grover’s, which halves the preimage margin to about 128 bits and barely touches collision resistance, both still far out of reach.
  2. “SHA-512/256 is just SHA-512 with the output chopped off.” It runs SHA-512’s engine, but from a dedicated set of initial hash values defined in FIPS 180-4, so its output is not a prefix of a SHA-512 digest. The distinct initialization is what makes it a proper standardized function.
  3. “SHA-512/256 is stronger than SHA-256 because it uses SHA-512.” At the same 256-bit output, both offer the same security level, classically and against quantum. SHA-512/256’s advantages are 64-bit-branch speed and built-in length-extension resistance, not a higher security level.
  4. “It has the same length-extension weakness as SHA-256.” It does not. The truncation to 256 of 512 state bits hides the internal state, which closes the length-extension attack that bare SHA-256 and full-width SHA-512 are open to.
  5. “SHA-512/256 needs a post-quantum replacement.” It does not. There is no separate post-quantum hash family to migrate to. It carries the same roughly 128-bit quantum-adjusted margin as SHA-256.

Questions people ask

Is SHA-512/256 quantum-safe? Yes. It faces only Grover’s algorithm, which halves its preimage margin to about 128 bits and leaves collision resistance near 128 bits, the same margins as SHA-256. It is not the kind of primitive a quantum computer breaks.

What is the point of SHA-512/256 if it has the same output as SHA-256? Two things: on 64-bit hardware it runs the faster 64-bit SHA-2 branch, and its truncation gives it length-extension resistance that bare SHA-256 lacks, so it can be used more directly in some constructions.

Does SHA-512/256 resist length-extension attacks? Yes. Because it emits only 256 of its 512 internal state bits, an attacker cannot reconstruct the full state from a digest, which closes the length-extension attack. Bare SHA-256 and full SHA-512 need HMAC for that.

Do I have to replace SHA-512/256 for post-quantum security? No. It carries forward through the transition on the same terms as the rest of SHA-2. The post-quantum replacements target public-key algorithms like RSA and ECDH, not hash functions.

Is SHA-512/256 approved by NIST? Yes. It is specified in NIST’s Secure Hash Standard, FIPS 180-4, as one of the truncated members of the 64-bit SHA-2 branch.

When should I choose SHA-512/256 over SHA-256? When the target hardware is 64-bit and the extra speed of the wider branch is worth having, or when a design wants length-extension resistance without wrapping the hash in HMAC. For 32-bit or constrained hardware, SHA-256 is usually the better fit.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.