92

I'm confused on the difference between SHA-2 and SHA-256 and often hear them used interchangeably (which seems really wrong). I think SHA-2 a "family" of hash algorithms and SHA-256 a specific algorithm in that family.

Is that correct? Can someone please clarify?

Mike B
  • 3,366
  • 4
  • 29
  • 39

2 Answers2

115

Just to cite wikipedia: http://en.wikipedia.org/wiki/SHA-2:

The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

So yes, SHA-2 is a range of hash functions and includes SHA-256.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 40
    In light of SHA-3, it would be better if the SHA-2 variants had been called `SHA2-224`, `SHA2-256` etc. as was done with the SHA-3 variants, but they aren't commonly, so oh well. SHA-1 doesn't come in multiple sizes, so SHA-*n* where *n* is large always means SHA-2 with a size of *n*. – hobbs Apr 30 '15 at 02:02
32

The SHA-2 family consists of multiple closely related hash functions. It is essentially a single algorithm in which a few minor parameters are different among the variants.

The initial spec covered four variants with output sizes of 224, 256, 384 and 512 bits.

The most significant difference between the variants is that some are designed for 32 bit registers and some are designed for 64 bit registers. In terms of performance this is the only difference that matters.

On a 32 bit CPU SHA-224 and SHA-256 will be a lot faster than the other variants because they are the only 32 bit variants in the SHA-2 family. Executing the 64 bit variants on a 32 bit CPU will be slow due to the added complexity of performing 64 bit operations on a 32 bit CPU.

On a 64 bit CPU SHA-224 and SHA-256 will be a little slower than the other variants. This is because due to only processing 32 bits at a time, they will have to perform more operations in order to make it through the same number of bytes. You do not get quite a doubling in speed from switching to a 64 bit variant because the 64 bit variants do have a larger number of rounds than the 32 bit variants.

The internal state is 256 bits in size for the two 32 bit variants and 512 bits in size for all four 64 bit variants. So the number of possible sizes for the internal state is less than the number of possible sizes for the final output. Going from a large internal state to a smaller output can be good or bad depending on your point of view.

If you keep the output size fixed it can in general be expected that increasing the size of the internal state will improve security. If you keep the size of the internal state fixed and decrease the size of the output, collisions become more likely, but length extension attacks may become easier. Making the output size larger than the internal state would be pointless.

Due to the 64 bit variants being both faster (on 64 bit CPUs) and likely to be more secure (due to larger internal state), two new variants were introduced using 64 bit words but shorter outputs. Those are the ones known as 512/224 and 512/256.

The reasons for wanting variants with output that much shorter than the internal state is usually either that for some usages it is impractical to use such a long output or that the output need to be used as key for some algorithm that takes an input of a certain size.

Simply truncating the final output to your desired length is also possible. For example a HMAC construction specify truncating the final hash output to the desired MAC length. Due to HMAC feeding the output of one invocation of the hash as input to another invocation it means that using a hash with shorter output results in a HMAC with less internal state. For this reason it is likely to be slightly more secure to use HMAC-SHA-512 and truncate the output to 384 bits than to use HMAC-SHA-384.

The final output of SHA-2 is simply the internal state (after processing length extended input) truncated to the desired number of output bits. The reason SHA-384 and SHA-512 on the same input look so different is that a different IV is specified for each of the variants.

kasperd
  • 5,442
  • 1
  • 19
  • 38