SHA-512/256 Hash Generator

Compute the SHA-512/256 truncated digest of any text

Generate the SHA-512/256 hash of any text, a 256-bit digest computed with the SHA-512 engine, its own initialization vector, and truncation. Faster than SHA-256 on 64-bit machines and resistant to length-extension. Runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is SHA-512/256?

SHA-512/256 is a member of the SHA-2 family defined in FIPS 180-4. It runs the full SHA-512 compression function but with a distinct set of initial hash values and truncates the result to the leftmost 256 bits, producing a 256-bit digest.

SHA-512/256 is a 256-bit cryptographic hash from the SHA-2 family. It runs the SHA-512 engine with its own initialization vector and truncates the result to 256 bits. The outcome is a hash as compact as SHA-256, faster on modern 64-bit hardware, and immune to the length-extension attacks that affect plain SHA-256 and SHA-512.

How SHA-512/256 differs from SHA-256

Both produce 256-bit digests, but they are not the same hash and must not be used interchangeably:

PropertySHA-256SHA-512/256
Internal word size32 bits64 bits
Block size512 bits1024 bits
Rounds per block6480
State size256 bits (8 × 32)512 bits (8 × 64, truncated)
Length-extension safeNoYes
Speed on 64-bit CPUsBaselineOften faster
Native browser supportYes (Web Crypto)No

The 64-bit word size means two SHA-512/256 data words can be processed in one 128-bit SIMD lane on modern CPUs, whereas SHA-256’s 32-bit words use lanes less efficiently for throughput-oriented workloads.

The initialization vector matters

FIPS 180-4 derives SHA-512/256’s eight initial hash values through a separate “IV generation” procedure — hashing the ASCII string SHA-512/256 through a reduced SHA-512 variant — rather than reusing SHA-512’s IV. This domain separation guarantees that truncating SHA-512/256 to 256 bits is not the same as taking the first half of a SHA-512 digest, which would be weaker.

The SHA-512/256 initial values are:

h0 = 0x22312194fc2bf72c
h1 = 0x9f555fa3c84c64c2
h2 = 0x2393b86b6f53b151
h3 = 0x963877195940eabd
h4 = 0x96283ee2a88effe3
h5 = 0xbe5e1e2553863992
h6 = 0x2b0199fc2c85b8aa
h7 = 0x0eb72ddc81c52ca2

Compare those to SHA-512’s starting values (derived from square roots of 2, 3, 5, 7 …) — they are completely different.

How it works step by step

  1. Pad the message: append a 1 bit, then zeros, then a 128-bit big-endian bit count, to reach a multiple of 1024 bits.
  2. Schedule each 1024-bit block into eighty 64-bit message words using sigma0/sigma1 expansion.
  3. Compress through 80 rounds updating eight 64-bit working variables with Ch, Maj, and the Sigma rotation functions.
  4. Truncate: after all blocks, take only the first four 64-bit words (h0–h3) — the left 256 bits of the eight-word state.

Because the full 512-bit state is compressed to a 256-bit output, the hidden bits make it impossible for an attacker to reconstruct the internal state from the digest and craft a length extension.

Reference values

These are the FIPS 180-4 official test vectors:

InputSHA-512/256 digest
(empty)c672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967a
abc53048e2681941ef99b2e29b76b4c7dabe4c2d0c634fc6d46e0e2f13107e7af23
abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu3928e184fb8690f840da3988121d31be65cb9d3ef83ee6146feac861e19b563a

Verify the tool against the first two vectors by typing abc and checking the output matches exactly.

When to use SHA-512/256

  • Amazon S3 uses SHA-256 for AWS Signature Version 4, but some AWS services internally use SHA-512/256 for performance — the truncation scheme matches Amazon’s x-amz-content-sha256 header on some endpoints.
  • High-throughput pipelines on 64-bit servers where you need a 256-bit digest and can avoid the overhead of SHA-256’s 32-bit operations.
  • Length-extension safety without switching to SHA-3 or paying the overhead of HMAC.
  • Not when the receiving system expects SHA-256 — the digests are completely different for the same input.

Input is encoded as UTF-8, so multibyte characters are hashed as their byte sequence. The digest is always 64 lowercase hex characters. Everything runs locally in your browser; nothing is uploaded.