SHA-256
A 256-bit fingerprint for any input — one-way, collision-resistant, and the verification engine of the digital world.
Why This Matters
A hash function takes any input, from an empty string to a terabyte-scale file, and produces a fixed-length output that acts as a practically unique fingerprint. SHA-256 is the workhorse hash of the post-2010 internet: TLS certificate signatures, Bitcoin block hashes, software-package checksums and PBKDF2-based password storage are all built on it, and Git is moving its object IDs from SHA-1 to SHA-256. It is not a cipher: there is no key, no decryption, and no way to recover the input from the output. That irreversibility is the entire point.
SHA-0 (1993) was the NSA's first published hash; an undisclosed weakness led to its replacement by SHA-1 in 1995. NIST published the SHA-2 family in 2001 (FIPS 180-2, finalised in 2002): SHA-256, SHA-384 and SHA-512, with SHA-224 added in 2004. SHA-2 therefore predates the public breaks of MD5 (practical collisions in 2004) and SHA-1 (theoretical break in 2005, first real collision in 2017); those breaks are what drove the migration that made SHA-256 the default. After the SHA-1 wake-up call NIST also ran an open competition (2007 to 2012) for a structurally different backup; Keccak won and was standardised as SHA-3 in 2015 (FIPS 202), not because SHA-256 broke, but to avoid a single-point-of-failure design.
The input is padded with a single 1 bit followed by zeros until its length is congruent to 448 mod 512, then the original bit length is appended as a 64-bit big-endian integer. The padded message is split into 512-bit blocks. Each block is processed by the compression function (the Merkle-Damgård construction), which mixes the block into a 256-bit internal state through 64 rounds of bitwise operations: rotations, shifts, XORs, AND/NOT, modular addition, and round constants taken from the fractional parts of the cube roots of the first 64 primes (the initial state comes from the square roots of the first 8 primes). After the last block the 256-bit internal state is the hash output.
Three security properties matter: preimage resistance (given a hash, you cannot find an input that produces it: about 2^256 tries), second-preimage resistance (given an input, you cannot find a different input with the same hash) and collision resistance (you cannot find any two inputs with the same hash: about 2^128 tries by the birthday bound).
No collision has ever been found in full SHA-256; the best published collision attacks reach 31 of the 64 rounds. SHA-256 is, however, vulnerable in practice to length-extension attacks, a consequence of the Merkle-Damgård construction: if you know H(secret ‖ data) and len(secret ‖ data), you can compute H(secret ‖ data ‖ padding ‖ extension) without knowing the secret, because the digest is exactly the internal state you need to resume from. Never use a bare H(secret ‖ data) as a MAC; use HMAC-SHA-256, or a hash that does not expose its full state (SHA-3, or the truncated SHA-512/256). Quantum computers running Grover's algorithm reduce preimage resistance from about 2^256 to about 2^128 work, which is still far out of reach; this is why SHA-256 remains acceptable in post-quantum designs (NIST's post-quantum security category 2 is defined in terms of SHA-256 collision search).
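Added example, not code from the original page or from any library: a from-scratch SHA-256 in Python covering the padding and compression steps described above, with the initial state and the already-hashed length made settable so that the same code performs the length-extension forgery described above. The secret, the data and the appended string are constructed sample values; the naive `H(secret || data)` tag is the pattern being attacked, not something the page recommends. Results are checked against `hashlib` and `hmac` from the standard library.

```python
"""From-scratch SHA-256 plus a length-extension forgery (added example)."""
import hashlib
import hmac
import struct

# Round constants: first 32 bits of the fractional parts of the cube roots of the first 64 primes.
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
# Initial state: first 32 bits of the fractional parts of the square roots of the first 8 primes.
H0 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
MASK = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def pad(msg_len_bytes):
    """Padding for a message of msg_len_bytes: a 1 bit, zeros to 448 mod 512 bits, then the 64-bit bit length."""
    zeros = (56 - (msg_len_bytes + 1) % 64) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len_bytes * 8)


def compress(state, block):
    """One SHA-256 compression: mix a 64-byte block into the 8-word state (64 rounds)."""
    w = list(struct.unpack(">16L", block))
    for t in range(16, 64):  # message schedule expansion
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for t in range(64):
        S1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + S1 + ch + K[t] + w[t]) & MASK
        S0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (S0 + maj) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, [a, b, c, d, e, f, g, h])]


def sha256(msg, state=None, prior_len=0):
    """SHA-256 of msg. `state`/`prior_len` let a caller resume from a known digest
    as if `prior_len` bytes had already been absorbed (this is what the attack exploits)."""
    state = list(H0 if state is None else state)
    data = msg + pad(prior_len + len(msg))
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return b"".join(struct.pack(">L", x) for x in state)


def length_extend(known_digest, known_len, extension):
    """Given H(m) and len(m) only, return (suffix, H(m || suffix)) where suffix = pad(len(m)) || extension.
    The digest is reinterpreted as the internal state and hashing simply continues."""
    state = list(struct.unpack(">8L", known_digest))
    glue = pad(known_len)                      # the padding the victim's hash already absorbed
    forged = sha256(extension, state=state, prior_len=known_len + len(glue))
    return glue + extension, forged


def demo():
    secret = b"s3cr3t-key"                     # constructed sample; the attacker never learns this
    data = b"user=alice&role=user"
    tag = sha256(secret + data)                # naive H(secret || data) "MAC": the vulnerable pattern
    # Attacker knows tag, data and len(secret) (in practice: brute-force over plausible lengths).
    suffix, forged = length_extend(tag, len(secret) + len(data), b"&role=admin")
    # The victim recomputes H(secret || data || suffix) and gets exactly the forged tag:
    verified = hashlib.sha256(secret + data + suffix).digest() == forged
    # HMAC applies an outer keyed hash, so the digest is not a resumable state and the same trick fails:
    hm_tag = hmac.new(secret, data, "sha256").digest()
    suffix2, forged2 = length_extend(hm_tag, len(secret) + len(data), b"&role=admin")
    hmac_forgery_works = hmac.new(secret, data + suffix2, "sha256").digest() == forged2
    return {"forged_message": data + suffix, "forged_tag": forged,
            "verified": verified, "hmac_forgery_works": hmac_forgery_works}


if __name__ == "__main__":
    r = demo()
    print(r["forged_message"], r["forged_tag"].hex(), r["verified"], r["hmac_forgery_works"])
```

The forged message still contains the original `role=user` followed by the padding bytes, but any parser that takes the last value of a repeated key will read `role=admin`, which is why this attack has bitten real URL-signing schemes. A server that parses `data` strictly (or rejects embedded padding bytes) is not a fix; the fix is the keyed construction.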
| Where | How SHA-256 is Used |
|---|---|
| TLS / HTTPS | Certificate signatures are computed over a SHA-256 (or SHA-384) digest of the certificate body; browsers stopped trusting SHA-1 signatures in 2017 |
| Git | Every commit, tree, and blob is identified by its SHA-1 hash today; Git is migrating to SHA-256 |
| Bitcoin | Proof-of-work mines for inputs whose double SHA-256 hash starts with N zero bits |
| Password storage | Inside slow KDFs: PBKDF2-HMAC-SHA256 directly, and scrypt (which calls PBKDF2-HMAC-SHA256 internally); Argon2 uses BLAKE2b and bcrypt uses Blowfish, so neither depends on SHA-256 |
| Software integrity | sha256sum, package manager checksums, signed releases on every modern OS |
| Digital signatures | RSA-PSS and ECDSA (e.g. with P-256) sign a SHA-256 digest of the message, not the raw bytes; Ed25519 hashes internally with SHA-512 instead |

| Era | Modern · 2001 |
| Status | Secure; SHA-3 (Keccak) standardised 2015 as a structural alternative, not a replacement |
| Origin | NSA (designed); published by NIST as FIPS 180-2 in 2001 |
| Year | 2001 |
| Type | Cryptographic hash function (Merkle-Damgård construction over the SHA-2 compression function) — not a cipher |
| Modern Role | TLS certificate signatures, software integrity (package checksums, Git's SHA-256 object format), password storage (inside KDFs), Bitcoin proof-of-work, the digest step of most digital signature schemes |