SHA-256 Hash Function

An interactive walkthrough of SHA-256 — from the Merkle-Damgård construction to the message schedule and compression function — with live hashing, avalanche visualization, and comparison to MD5.

256-bit output 64 rounds NIST FIPS 180-4 Merkle-Damgård Used in TLS, Bitcoin, Git

0 The SHA Family

SHA stands for Secure Hash Algorithm. NIST has published several generations. SHA-256 belongs to the SHA-2 family — the current standard for most applications.

MD5
128-bit
⚠ Broken
SHA-1
160-bit
⚠ Deprecated
SHA-224
224-bit
OK
SHA-256
256-bit
✓ Standard
SHA-384
384-bit
OK
SHA-512
512-bit
OK
SHA-3
variable
✓ Modern
SHA-256 vs SHA-512: SHA-512 uses 64-bit words and 80 rounds (vs 32-bit words and 64 rounds for SHA-256). SHA-512 is faster on 64-bit processors for large data, but SHA-256 is the universal default for most protocols including TLS, Bitcoin, and Git.
SHA-3 uses a completely different structure (Keccak sponge construction) rather than Merkle-Damgård. It was designed as a backup in case SHA-2 were ever broken. SHA-2 (including SHA-256) remains unbroken as of 2025.

1 SHA-256 at a Glance

Output size
256 bits / 64 hex
Block size
512 bits / 64 bytes
Word size
32 bits
Rounds
64
Constants
64 round constants
Published
2001 (FIPS 180-2)
Status
✓ Secure

SHA-256 vs MD5 — why it's stronger

PropertyMD5SHA-256
Output length128 bits256 bits
Birthday attack cost2⁶⁴ ops2¹²⁸ ops
Collision resistance⚠ Broken (seconds)✓ No known collisions
Rounds64 (4×16)64 (single structure)
Security level⚠ None for crypto~128-bit security
TLS/certificatesForbiddenStandard
Password hashingNever useWeak alone (needs bcrypt/scrypt)

How SHA-256 Security Is Measured

A 256-bit hash provides roughly 128 bits of security against collision attacks (birthday paradox halves the effective security). For comparison:

MD5 (128-bit): 2⁶⁴ ≈ 18 quintillion ops for collision — broken in practice
SHA-1 (160-bit): 2⁸⁰ ops — deprecated, practical attacks demonstrated
SHA-256 (256-bit): 2¹²⁸ ≈ 10³⁸ ops for collision — infeasible for any attacker

2 Merkle-Damgård Construction

SHA-256 is built on the Merkle-Damgård construction: the message is split into fixed-size blocks, and a compression function is applied iteratively to produce a running hash state. The final state is the hash output.

Processing Pipeline

1
Pad the message to a multiple of 512 bits — same scheme as MD5 but big-endian: append 0x80, then zeros, then 64-bit message length.
2
Initialize 8 state words (H₀–H₇) from the fractional parts of √2, √3, √5, √7, √11, √13, √17, √19.
3
For each 512-bit block: expand 16 input words → 64 message schedule words (W[0..63]).
4
Run 64 rounds of the compression function on 8 working variables (a–h), mixing in W[i] and K[i] each round.
5
Add the round output back to the state (Davies-Meyer feed-forward). Repeat from step 3 for all blocks.
6
Output the concatenation of final H₀‖H₁‖…‖H₇ = 256 bits = 64 hex characters.

Initial Hash Values (H₀–H₇)

First 32 bits of the fractional parts of the square roots of the first 8 primes. They are "nothing up my sleeve" numbers — no special weakness can be hidden in them.

H₀ = 0x6a09e667 (√2)
H₁ = 0xbb67ae85 (√3)
H₂ = 0x3c6ef372 (√5)
H₃ = 0xa54ff53a (√7)
H₄ = 0x510e527f (√11)
H₅ = 0x9b05688c (√13)
H₆ = 0x1f83d9ab (√17)
H₇ = 0x5be0cd19 (√19)

3 Message Schedule: 16 → 64 Words

Each 512-bit block contains 16 input words (W[0..15]). SHA-256 extends these to 64 words using a recurrence relation. This expansion ensures every input bit eventually influences all 64 rounds.

\( W_i = \sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} \quad \text{for } i = 16 \ldots 63 \)

The σ (sigma) mixing functions

σ₀ (sigma-0)
ROTR⁷(x) ⊕ ROTR¹⁸(x) ⊕ SHR³(x)
Applied to W[i-15]
σ₁ (sigma-1)
ROTR¹⁷(x) ⊕ ROTR¹⁹(x) ⊕ SHR¹⁰(x)
Applied to W[i-2]

ROTR = rotate right, SHR = shift right. These operations "smear" bits across word boundaries, ensuring that changing a single input word perturbs many schedule words.

Schedule Visualizer

Enter a message to see the first block's message schedule. The first 16 words are the padded message; the next 48 are derived.

4 The Compression Function

Each of the 64 rounds updates 8 working variables (a, b, c, d, e, f, g, h). Two temporary values T1 and T2 are computed from complex bitwise functions, and the state is shifted down like a chain.

One Round Step

\[T_1 = h + \Sigma_1(e) + \text{Ch}(e,f,g) + K_i + W_i\]
\[T_2 = \Sigma_0(a) + \text{Maj}(a,b,c)\]
\[h \leftarrow g, \quad g \leftarrow f, \quad f \leftarrow e, \quad e \leftarrow d + T_1\]
\[d \leftarrow c, \quad c \leftarrow b, \quad b \leftarrow a, \quad a \leftarrow T_1 + T_2\]

Σ₀ and Σ₁ (capital sigma) — for state

Σ₀(a) = ROTR²(a) ⊕ ROTR¹³(a) ⊕ ROTR²²(a)
Σ₁(e) = ROTR⁶(e) ⊕ ROTR¹¹(e) ⊕ ROTR²⁵(e)

These "big sigma" functions mix the bits of a single word using three different rotation amounts for maximum diffusion.

Ch and Maj (bit-selection functions)

Ch(e,f,g) = (e ∧ f) ⊕ (¬e ∧ g)
Maj(a,b,c) = (a ∧ b) ⊕ (a ∧ c) ⊕ (b ∧ c)

Ch (choice): if e=1, choose f; else choose g. Maj (majority): output 1 if majority of a,b,c are 1.

64 Round Constants (K[0..63])

The first 32 bits of the fractional parts of the cube roots of the first 64 prime numbers. Like the initial hash values, these are "nothing up my sleeve" numbers.

Show all 64 constants

Davies-Meyer Feed-Forward

After all 64 rounds, the working variables are added back to the state from before the block was processed:

\( H_j \leftarrow H_j + \text{(working variable}_j\text{)} \quad \text{for } j = 0 \ldots 7 \)
This feed-forward ensures SHA-256 is not invertible even if the compression function were — it prevents length-extension attacks (unlike plain Merkle-Damgård). Actually, SHA-256 is vulnerable to length-extension attacks, but this is handled by using HMAC-SHA256 for keyed authentication.

5 Live SHA-256 Demo

Type anything and watch the hash update in real time. SHA-256 outputs exactly 64 hex characters = 256 bits, always.

Real-time Hash

Preset Examples

Known reference values (verify your implementation):
SHA-256("") = e3b0c44298fc1c14...308627943e
SHA-256("abc") = ba7816bf8f01cfea...2e3cbbf952
SHA-256("The quick brown fox...") = d7a8fbb307d78...4e62e0c

6 Avalanche Effect

SHA-256's avalanche effect is thorough: even a 1-bit difference in input should flip roughly 50% of the 256 output bits. More rounds and a more complex compression function give SHA-256 better diffusion than MD5.

Bit-level Comparison

One-character Increment Table

Change one character at a time and observe that every position produces ~50% bit change:

7 Real-world Applications

🌐
TLS / HTTPS
Certificates are signed with SHA-256. Every HTTPS connection you make uses SHA-256 in the handshake and for HMAC-SHA256 in record authentication.
Bitcoin
Mining runs SHA-256 twice (SHA-256d). Block headers are hashed, and transactions use Pay-to-Script-Hash. Bitcoin uses SHA-256 more than any other algorithm.
🐙
Git
Git's object model identifies every commit, tree, blob, and tag by its SHA-256 (or SHA-1 in older repos). The hash is the content's identity.
🔑
HMAC
HMAC-SHA256 is used to authenticate API requests, JWT tokens, and TLS message authentication. A shared secret key prevents forgery.
🗝️
Key Derivation
HKDF and PBKDF2 build on SHA-256 to derive encryption keys from passwords or shared secrets (e.g., after Diffie-Hellman).
File Integrity
Software distributions publish SHA-256 checksums. Compare after download to verify no tampering occurred in transit.
SHA-256 is NOT a password hash. It's extremely fast — an attacker can compute billions of SHA-256 hashes per second on a GPU. For passwords, use a slow function: bcrypt, scrypt, or Argon2. You can use PBKDF2 with many iterations as a compromise.

SHA-256 + RSA = Digital Signature

This is how documents, code, and TLS certificates are signed:

Sign: hash = SHA-256(document)  →  signature = RSA_sign(hash, private_key)
Verify: hash' = SHA-256(document)  →  RSA_verify(signature, hash', public_key)

Hashing the document first (rather than encrypting the whole thing) makes RSA signatures fast regardless of document size. Review RSA →