SHA-256
A 256-bit cryptographic hash function from the SHA-2 family, designed by the NSA and published by NIST in 2001. The default choice for almost every integrity use case in modern software.
At a glance
| Output | 256 bits (32 bytes, 64 hex chars) |
|---|---|
| Block size | 512 bits |
| Construction | Merkle-Damgård with Davies-Meyer compression |
| Rounds | 64 |
| Standard | NIST FIPS 180-4 |
| Security (collision) | 2^128 generic |
| Security (preimage) | 2^256 generic |
| Status | Recommended for new designs (but see length-extension) |
Where it is used
- TLS 1.2 / 1.3 - transcript hashing, certificate signatures.
- Bitcoin - double-SHA-256 (SHA-256d) for block headers and transaction IDs.
- Git - object IDs (transition from SHA-1 to SHA-256 in progress).
- Code signing - Authenticode, Apple codesign, GPG signed releases.
- HMAC-SHA-256 - keyed MAC for JWT (HS256), AWS request signing, OAuth.
- PBKDF2-HMAC-SHA-256 - password hashing in many legacy systems.
- NIST DRBG - hash-based deterministic random bit generator.
Internal structure
SHA-256 follows the Merkle-Damgård construction. The input is padded so its length is a multiple of 512 bits, split into 512-bit blocks, and each block is fed through a one-way compression function that updates an internal 256-bit state. After all blocks are processed, the final state is the digest.
The compression function uses 64 rounds of mixing operations (rotations, XORs, modular additions) on eight 32-bit words, with round constants derived from the cube roots of the first 64 primes and an initial hash value derived from the square roots of the first 8 primes, a “nothing-up-my-sleeve” choice.
Security status
- Collisions: no practical attack better than the generic 2^128 birthday bound is known.
- Preimages: best known attack is on heavily reduced-round variants (e.g., 52 of 64 rounds); the full algorithm remains beyond reach.
- Length extension: SHA-256 is vulnerable to length-extension attacks because of the Merkle-Damgård construction. If you use SHA-256 directly as a MAC (H(key || message)), an attacker who sees one digest can forge digests for extensions of the message. Use HMAC-SHA-256 instead, or pick a construction without this property (SHA-512/256, SHA-3, BLAKE2/3). The length-extension demo walks through this attack live.
Try it
The multi-algorithm hasher includes SHA-256 alongside MD5, SHA-1, SHA-2 variants, SHA-3, BLAKE2b, BLAKE3, and RIPEMD-160. Paste any text to see the digest update in real time, in your browser.
Quick quiz
Test yourself on SHA-256
10 multiple-choice questions. Pick an answer for each, then submit to see explanations.
Q1. What is the output size of SHA-256?
Q2. Which NIST publication standardizes SHA-256?
Q3. How many rounds does SHA-256 use per 512-bit block?
Q4. Which property does SHA-256 NOT have?
Q5. Where do SHA-256's round constants come from?
Q6. Bitcoin uses what variant of SHA-256?
Q7. What is the block size of SHA-256?
Q8. Generic collision security of SHA-256 (birthday bound)?
Q9. Which TLS version uses SHA-256 by default in its transcript hash?
Q10. Which is NOT a recommended way to use SHA-256 as a MAC?