# SHA-2

0x 619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4c

## Contents

## Pseudocode

Pseudocode for the SHA-256 algorithm follows. Note the great increase in mixing between bits of the w[16..63] words compared to SHA-1.

h0 := 0x6a09e667 h1 := 0xbb67ae85 h2 := 0x3c6ef372 h3 := 0xa54ff53a h4 := 0x510e527f h5 := 0x9b05688c h6 := 0x1f83d9ab h7 := 0x5be0cd19 k[0..63] := 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 begin with the original message of length L bits append a single '1' bit append K '0' bits, where K is the minimum number >= 0 such that L + 1 + K + 64 is a multiple of 512 append L as a 64-bit big-endian integer, making the total post-processed length a multiple of 512 bits break message into 512-bit chunksforeach chunk create a 64-entry message schedule array w[0..63] of 32-bit words copy chunk into first 16 words w[0..15] of the message schedule arrayforifrom16 to 63 s0 := (w[i-15]rightrotate7)xor(w[i-15]rightrotate18)xor(w[i-15]rightshift3) s1 := (w[i-2]rightrotate17)xor(w[i-2]rightrotate19)xor(w[i-2]rightshift10) w[i] := w[i-16]+s0+w[i-7]+s1 a := h0 b := h1 c := h2 d := h3 e := h4 f := h5 g := h6 h := h7forifrom0 to 63 S1 := (erightrotate6)xor(erightrotate11)xor(erightrotate25) ch := (eandf)xor((note)andg) temp1 := h+S1+ch+k[i]+w[i] S0 := (arightrotate2)xor(arightrotate13)xor(arightrotate22) maj := (aandb)xor(aandc)xor(bandc) temp2 := S0+maj h := g g := f f := e e := d+temp1 d := c c := b b := a := temp1+temp2 h0 := h0+a h1 := h1+b h2 := h2+c h3 := h3+d h4 := h4+e h5 := h5+f h6 := h6+g h7 := h7+h digest := hash := h0appendh1appendh2appendh3appendh4appendh5appendh6appendh7

The computation of the ch and maj values can be optimized the same way as described for SHA-1.

SHA-224 is identical to SHA-256, except that:

- the initial hash values h0 through h7 are different, and
- the output is constructed by omitting h7.

h[0..7] := 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4

SHA-512 is identical in structure to SHA-256, but:

- the message is broken into 1024-bit chunks,
- the initial hash values and round constants are extended to 64 bits,
- there are 80 rounds instead of 64,
- the message schedule array w has 80 64-bit words instead of 64 32-bit words,
- to extend the message schedule array w, the loop is from 16 to 79 instead of from 16 to 63,
- the round constants are based on the first 80 primes 2..409,
- the word size used for calculations is 64 bits long,
- the appended length of the message (before pre-processing), in
*bits*, is a 128-bit big-endian integer, and - the shift and rotate amounts used are different.

h[0..7] := 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, 0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179 k[0..79] := [ 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, 0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725, 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df, 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218, 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec, 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b, 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817] S0 := (arightrotate28)xor(arightrotate34)xor(arightrotate39) S1 := (erightrotate14)xor(erightrotate18)xor(erightrotate41) s0 := (w[i-15]rightrotate1)xor(w[i-15]rightrotate8)xor(w[i-15]rightshift7) s1 := (w[i-2]rightrotate19)xor(w[i-2]rightrotate61)xor(w[i-2]rightshift6)

SHA-384 is identical to SHA-512, except that:

- the initial hash values <code>h0</code> through <code>h7</code> are different (taken from the 9th through 16th primes), and
- the output is constructed by omitting <code>h6</code> and <code>h7</code>.

h[0..7] := 0xcbbb9d5dc1059ed8, 0x629a292a367cd507, 0x9159015a3070dd17, 0x152fecd8f70e5939, 0x67332667ffc00b31, 0x8eb44a8768581511, 0xdb0c2e0d64f98fa7, 0x47b5481dbefa4fa4

SHA-512/t is identical to SHA-512 except that:

- the initial hash values h0 through h7 are given by the SHA-512/t IV generation function,
- the output is constructed by truncating the concatenation of h0 through h7 at t bits,
- t equal to 384 is not allowed, instead SHA-384 should be used as specified, and
- t values 224 and 256 are especially mentioned as approved.

The SHA-512/t IV generation function evaluates a modified SHA-512 on the ASCII string “SHA-512/t”, substituted with the decimal representation of t. The modified SHA-512 is the same as SHA-512 except its initial values h0 through h7 have each been XORed with the hexadecimal constant 0xa5a5a5a5a5a5a5a5.

Sample C implementation for SHA-2 family of hash functions can be found in RFC 6234

## Comparison of SHA functions

In the table below, *internal state* means the “internal hash sum” after each compression of a data block.

In the bitwise operations column, “Rot” stands for rotate no carry, and “Shr” stands for right logical shift. All of these algorithms employ modular addition in some fashion except for SHA-3.

More detailed performance measurements on modern processor architectures are given in the table below.

CPU architecture | Frequency | Algorithm | Word size (bits) | Cycles/byte x86 | MiB/s x86 | Cycles/byte x86-64 | MiB/s x86-64 |
---|---|---|---|---|---|---|---|

Intel Ivy Bridge | 3.5 GHz | SHA-256 | 32-bit | 16.80 | 199 | 13.05 | 256 |

SHA-512 | 64-bit | 43.66 | 76 | 8.48 | 394 | ||

AMD Piledriver APU | 3.8 GHz | SHA-256 | 32-bit | 22.87 | 158 | 18.47 | 196 |

SHA-512 | 64-bit | 88.36 | 41 | 12.43 | 292 |

The performance numbers labeled ‘x86’ were running using 32-bit code on 64-bit processors, whereas the ‘x86-64’ numbers are native 64-bit code. While SHA-256 is designed for 32-bit calculations, it does benefit from code optimized for 64-bit processors on the x86 architecture. 32-bit implementations of SHA-512 are significantly slower than their 64-bit counterparts. Variants of both algorithms with different output sizes will perform similarly, since the message expansion and compression functions are identical, and only the initial hash values and output sizes are different. The best implementations of MD5 and SHA-1 perform between 4.5 and 6 cycles per byte on modern processors.

Testing was performed by the University of Illinois at Chicago on their hydra8 system running an Intel Xeon E3-1275 V2 at a clock speed of 3.5 GHz, and on their hydra9 system running an AMD A10-5800K APU at a clock speed of 3.8 GHz. The referenced cycles per byte speeds above are the median performance of an algorithm digesting a 4,096 byte message using the SUPERCOP cryptographic benchmarking software. The MiB/s performance is extrapolated from the CPU clockspeed on a single core; real-world performance will vary due to a variety of factors.

## SHA-1 and SHA-2

Now that you have the appropriate background, we can get on to the star of the show.

As I said earlier, SHA stands for Secure Hashing Algorithm. SHA-1 and SHA-2 are two different versions of that algorithm. They differ in both construction (how the resulting hash is created from the original data) and in the bit-length of the signature. You should think of SHA-2 as the successor to SHA-1, as it is an overall improvement.

Primarily, people focus on the bit-length as the important distinction. SHA-1 is a 160-bit hash. SHA-2 is actually a “family” of hashes and comes in a variety of lengths, the most popular being 256-bit.

The variety of SHA-2 hashes can lead to a bit of confusion, as websites and authors express them differently. If you see “SHA-2,” “SHA-256” or “SHA-256 bit,” those names are referring to the same thing. If you see “SHA-224,” “SHA-384,” or “SHA-512,” those are referring to the alternate bit-lengths of SHA-2. You may also see some sites being more explicit and writing out both the algorithm and bit-length, such as “SHA-2 384.”

The SSL industry has picked SHA as their hashing algorithm for digital signatures. From 2011 to 2015, SHA-1 was the primary algorithm. A growing body of research showing the weaknesses of SHA-1 prompted a revaluation. From 2016 onward, SHA-2 is the new standard. If you are receiving a certificate today it must be using that signature at a minimum.

Occasionally you will see certificates using SHA-2 384-bit. You will rarely see the 224-bit variety, which is not approved for use with publicly trusted certificates, or the 512-bit variety which is less widely supported by software.

SHA-2 will likely remain in use for at least five years. However, some unexpected attack against the algorithm could be discovered which would prompt an earlier transition.

## See Also on BitcoinWiki

## Source

The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms