Cryptographic
SHA-512
A 512-bit hash function in the SHA-2 family, published by NIST in 2001 alongside SHA-256. Operates on 64-bit words and 1024-bit blocks; on modern 64-bit CPUs it is often faster than SHA-256 per byte while delivering twice the output size.
At a glance
| Output | 512 bits (64 bytes, 128 hex chars) |
|---|---|
| Block size | 1024 bits |
| Word size | 64 bits |
| Construction | Merkle-Damgård + Davies-Meyer |
| Rounds | 80 |
| Standard | NIST FIPS 180-4 |
| Collision security | 2256 generic |
| Preimage security | 2512 generic |
| Length extension | Yes (use SHA-512/256 or HMAC to avoid) |
| Status | Recommended |
SHA-512 variants
- SHA-384 , SHA-512 truncated to 384 bits with a different IV. Immune to length-extension thanks to the truncation.
- SHA-512/224, SHA-512/256 , SHA-512 truncated to 224 or 256 bits respectively with a derived IV. Same speed advantage as SHA-512 on 64-bit CPUs and no length-extension. Recommended drop-in replacement for SHA-256 in new designs that want length-extension immunity without changing to SHA-3.
Where it is used
- TLS 1.3 , in the transcript hash and certificate signatures.
- Linux
crypt,$6$usessha512_crypt(note: this is a password hash on top of SHA-512, not a recommended choice today , prefer Argon2id). - HMAC-SHA-512 , in cipher suites and JWT (HS512).
- PBKDF2-HMAC-SHA-512 , for password stretching.
- Ed25519 / Ed448 , internal hash is SHA-512.
Internal structure
Same shape as SHA-256, but everything moves to 64-bit words: eight 64-bit state words, a 1024-bit message block expanded into 80 words, and 80 rounds of mixing. The round constants come from the fractional parts of the cube roots of the first 80 primes; the initial hash value from the fractional parts of the square roots of the first 8 primes.
Security status
No collision or preimage attack better than generic is known on full SHA-512. The best published cryptanalysis covers reduced-round variants (typically up to about 52 of 80 rounds). The construction inherits the same length-extension property as the rest of SHA-2 with non-truncated output: use HMAC-SHA-512 for keyed authentication, or SHA-512/256 for length-extension-immune integrity.
Try it
The multi-algorithm hasher shows SHA-512 alongside SHA-256 and SHA-384, so you can see how the digest length and family relationships look.
References
- NIST FIPS 180-4 , Secure Hash Standard (SHS)
- RFC 6234 , US Secure Hash Algorithms (reference implementation)
- Mendel, Nad, Schläffer , reduced-round preimage attacks on SHA-2
Visualize
SHA-512 on your input
11 bytes · 0-bit digest
Hex digest
Bit grid (0 bits, teal = 1, slate = 0)
Byte pixel art (0 bytes, hue = byte value mod 360°)
Avalanche , flipping the lowest bit of the first input byte changed 0 of 0 output bits
Quick quiz
Test yourself on sha-512
10 multiple-choice questions. Pick an answer for each, then submit to see explanations.
Q1.What is the output size of SHA-512?
Q2.What is the block size of SHA-512?
Q3.How many rounds does SHA-512 use per block?
Q4.Why is SHA-512 often faster than SHA-256 on modern CPUs?
Q5.Which SHA-512 variant is immune to length-extension?
Q6.Which signature algorithm uses SHA-512 internally?
Q7.Linux `crypt` identifier $6$ corresponds to which hash family?
Q8.Generic collision security of SHA-512?
Q9.Where do SHA-512's round constants come from?
Q10.Which SHA-512 variant is recommended as a length-extension-immune drop-in for SHA-256 in new designs?