SHA-2

SHA-2
General
Designers: National Security Agency
First published: 2001
Series: (SHA-0), SHA-1, SHA-2, SHA-3
Certification: FIPS PUB 180-4, CRYPTREC, NESSIE
Detail
Digest sizes: 224, 256, 384, or 512 bits
Structure: Merkle–Damgård construction with Davies–Meyer compression function
Rounds: 64 or 80
Best public cryptanalysis:
A 2011 attack breaks preimage resistance for 57 out of 80 rounds of SHA-512, and 52 out of 64 rounds for SHA-256.[1]
Pseudo-collision attack against up to 46 rounds of SHA-256.[2]
SHA-256 and SHA-512 are prone to length extension attacks. By guessing the hidden part of the state, length extension attacks on SHA-224 and SHA-384 succeed with probability 2^−(256−224) = 2^−32 > 2^−224 and 2^−(512−384) = 2^−128 > 2^−384 respectively.

SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001.[3][4] They are built using the Merkle–Damgård construction, from a one-way compression function itself built using the Davies–Meyer structure from a specialized block cipher.

SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits:[5] SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. SHA-256 and SHA-512 are novel hash functions whose digests are eight 32-bit and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are truncated versions of SHA-256 and SHA-512 respectively, computed with different initial values. SHA-512/224 and SHA-512/256 are also truncated versions of SHA-512, but the initial values are generated using the method described in Federal Information Processing Standards (FIPS) PUB 180-4.

SHA-2 was first published by the National Institute of Standards and Technology (NIST) as a U.S. federal standard. The SHA-2 family of algorithms is patented in the U.S.[6] The United States has released the patent under a royalty-free license.[5]

As of 2011, the best public attacks break preimage resistance for 52 out of 64 rounds of SHA-256 or 57 out of 80 rounds of SHA-512, and collision resistance for 46 out of 64 rounds of SHA-256.[1][2]

  1. Cite error: the named reference preimage-khov was invoked but never defined.
  2. Cite error: the named reference collision-lamberger was invoked but never defined.
  3. Penard, Wouter; van Werkhoven, Tim. "On the Secure Hash Algorithm family" (PDF). staff.science.uu.nl. Archived from the original (PDF) on 2016-03-30.
  4. Cite error: the named reference :0 was invoked but never defined.
  5. "IPR Details: The United States of America as represented by the National Security Agency's general license statement". IETF Datatracker. 858. Archived from the original on 2016-06-16. Retrieved 2008-02-17.
  6. US 6829355, Lilly, Glenn M., "Device for and method of one-way cryptographic hashing", published 2004-12-07, assigned to National Security Agency.