Understanding SHA-2
The Internet's Trusted Standard
SHA-2 is a family of cryptographic hash functions published by NIST in 2001, designed by the NSA. The family includes SHA-224, SHA-256, SHA-384, and SHA-512, named after their output digest sizes in bits. SHA-256 is by far the most widely deployed variant, securing TLS certificates, Bitcoin's proof-of-work consensus, code signing, and virtually every digital signature system in production today.
Despite sharing a similar Merkle-Damgård construction with its broken predecessors MD5 and SHA-1, SHA-2 uses significantly more complex internal operations and longer message schedules. SHA-256 processes data in 512-bit blocks through 64 rounds of compression using bitwise operations, modular addition, and non-linear functions (Ch, Maj, Σ, σ). No practical or theoretical collision attacks against SHA-256 have ever been published, and the full 256-bit security margin remains intact.
SHA-512 operates on 1024-bit blocks through 80 rounds and uses 64-bit word arithmetic, making it faster than SHA-256 on 64-bit processors. SHA-512/256 is a truncated variant that takes SHA-512's speed advantage while producing a 256-bit output, offering both performance and protection against length-extension attacks. For password hashing, raw SHA-2 should never be used alone because it is too fast. Instead, it serves as the internal primitive inside KDFs like PBKDF2 and HKDF.
Everyday Example
SHA-2 is like a professional-grade paper shredder that cuts documents into exactly 256 tiny, perfectly uniform confetti pieces every time. No matter whether you feed in a single page or an entire encyclopedia, you always get exactly 256 pieces. Change a single comma on any page, and every single confetti piece comes out completely different. Nobody has ever figured out how to reassemble the confetti back into the original document.
The Deep Mathematics
SHA-256 initializes eight 32-bit working variables (a through h) from fractional parts of the square roots of the first eight primes. Each of the 64 rounds computes: T1 = h + Σ1(e) + Ch(e,f,g) + K_i + W_i and T2 = Σ0(a) + Maj(a,b,c), where Ch(x,y,z) = (x AND y) XOR (NOT x AND z) and Maj(x,y,z) = (x AND y) XOR (x AND z) XOR (y AND z). The collision resistance bound is 2^128 and the pre-image resistance bound is 2^256, both of which remain unbroken.