SHA-512/256 is a 256-bit cryptographic hash from the SHA-2 family. It runs the SHA-512 engine with its own initialization vector and truncates the result to 256 bits. The outcome is a hash as compact as SHA-256, faster on modern 64-bit hardware, and immune to the length-extension attacks that affect plain SHA-256 and SHA-512.
How SHA-512/256 differs from SHA-256
Both produce 256-bit digests, but they are not the same hash and must not be used interchangeably:
| Property | SHA-256 | SHA-512/256 |
|---|---|---|
| Internal word size | 32 bits | 64 bits |
| Block size | 512 bits | 1024 bits |
| Rounds per block | 64 | 80 |
| State size | 256 bits (8 × 32) | 512 bits (8 × 64, truncated) |
| Length-extension safe | No | Yes |
| Speed on 64-bit CPUs | Baseline | Often faster |
| Native browser support | Yes (Web Crypto) | No |
The 64-bit word size means two SHA-512/256 data words can be processed in one 128-bit SIMD lane on modern CPUs, whereas SHA-256’s 32-bit words use lanes less efficiently for throughput-oriented workloads.
The initialization vector matters
FIPS 180-4 derives SHA-512/256’s eight initial hash values through a separate “IV generation” procedure — hashing the ASCII string SHA-512/256 through a reduced SHA-512 variant — rather than reusing SHA-512’s IV. This domain separation guarantees that truncating SHA-512/256 to 256 bits is not the same as taking the first half of a SHA-512 digest, which would be weaker.
The SHA-512/256 initial values are:
h0 = 0x22312194fc2bf72c
h1 = 0x9f555fa3c84c64c2
h2 = 0x2393b86b6f53b151
h3 = 0x963877195940eabd
h4 = 0x96283ee2a88effe3
h5 = 0xbe5e1e2553863992
h6 = 0x2b0199fc2c85b8aa
h7 = 0x0eb72ddc81c52ca2
Compare those to SHA-512’s starting values (derived from square roots of 2, 3, 5, 7 …) — they are completely different.
How it works step by step
- Pad the message: append a
1bit, then zeros, then a 128-bit big-endian bit count, to reach a multiple of 1024 bits. - Schedule each 1024-bit block into eighty 64-bit message words using
sigma0/sigma1expansion. - Compress through 80 rounds updating eight 64-bit working variables with
Ch,Maj, and the Sigma rotation functions. - Truncate: after all blocks, take only the first four 64-bit words (
h0–h3) — the left 256 bits of the eight-word state.
Because the full 512-bit state is compressed to a 256-bit output, the hidden bits make it impossible for an attacker to reconstruct the internal state from the digest and craft a length extension.
Reference values
These are the FIPS 180-4 official test vectors:
| Input | SHA-512/256 digest |
|---|---|
| (empty) | c672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967a |
abc | 53048e2681941ef99b2e29b76b4c7dabe4c2d0c634fc6d46e0e2f13107e7af23 |
abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu | 3928e184fb8690f840da3988121d31be65cb9d3ef83ee6146feac861e19b563a |
Verify the tool against the first two vectors by typing abc and checking the output matches exactly.
When to use SHA-512/256
- Amazon S3 uses SHA-256 for AWS Signature Version 4, but some AWS services internally use SHA-512/256 for performance — the truncation scheme matches Amazon’s
x-amz-content-sha256header on some endpoints. - High-throughput pipelines on 64-bit servers where you need a 256-bit digest and can avoid the overhead of SHA-256’s 32-bit operations.
- Length-extension safety without switching to SHA-3 or paying the overhead of HMAC.
- Not when the receiving system expects SHA-256 — the digests are completely different for the same input.
Input is encoded as UTF-8, so multibyte characters are hashed as their byte sequence. The digest is always 64 lowercase hex characters. Everything runs locally in your browser; nothing is uploaded.