SHA-256 vs SHA-512: Performance, Security, and When to Use Each

The short answer

How SHA-256 and SHA-512 differ internally

Block size and word size

Both algorithms are members of the SHA-2 family, designed by NSA and standardised by NIST. They share the same compression function design but differ in scale:

• SHA-256: 512-bit input blocks, 32-bit words, 64 compression rounds → 256-bit output
• SHA-512: 1024-bit input blocks, 64-bit words, 80 compression rounds → 512-bit output

Output size in practice

SHA-256("hello") =
  2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
  (64 hex characters = 32 bytes)

SHA-512("hello") =
  9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca7
  2323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043
  (128 hex characters = 64 bytes)

The performance counterintuitive: SHA-512 is often faster on 64-bit CPUs

Why this happens

SHA-512 uses 64-bit arithmetic operations internally. On any x86-64 or ARM64 CPU — which is every modern server, desktop, and recent mobile chip — these operations execute natively in a single clock cycle. SHA-256 uses 32-bit operations, which execute in the same registers but process half the data per operation.

The result: SHA-512 can process a 1024-bit block in roughly the same number of clock cycles that SHA-256 uses to process a 512-bit block. Per byte of input, SHA-512 is faster.

Approximate throughput on a typical x86-64 server

Figures are illustrative averages. Actual throughput varies by CPU model, message size, and OpenSSL version.

The SHA-NI exception: when SHA-256 wins

Intel (Goldmont+ architecture, 2016+) and AMD (Zen 2+, 2019+) include SHA-NI — hardware extensions that implement SHA-256 compression in dedicated silicon. On SHA-NI-enabled CPUs, SHA-256 throughput jumps to near-memory-bandwidth speeds, completely reversing the software advantage SHA-512 has.

To check if your Linux server has SHA-NI:

grep -o 'sha_ni' /proc/cpuinfo | head -1
# outputs "sha_ni" if supported, empty if not

AWS Graviton2/3 (ARM), most recent Intel Xeon, and AMD EPYC all support SHA-NI. If you are on modern cloud infrastructure, SHA-256 is likely the faster choice at high throughput.

Where SHA-512 is definitively slower

• 32-bit CPUs (ARM Cortex-M, older embedded chips) — SHA-512's 64-bit words require multiple 32-bit operations
• Any hardware with SHA-NI acceleration (SHA-256 wins by a large margin)
• WebAssembly environments — most Wasm runtimes use 32-bit word operations

Security comparison

Are both secure today?

Yes. No practical attacks exist against SHA-256 or SHA-512. Both are collision-resistant and pre-image resistant under all known cryptanalytic techniques. The SHA-2 family has been in use for over 20 years without a break.

Collision resistance

• SHA-256: 128-bit collision resistance. Finding a collision requires approximately 2¹²⁸ operations — far beyond any feasible computation.
• SHA-512: 256-bit collision resistance. Finding a collision requires 2²⁵⁶ operations — a larger margin, though both are practically unbreakable.

Post-quantum considerations

Grover's algorithm (a quantum computing speedup) halves the effective security of hash functions against pre-image attacks:

• SHA-256: 128-bit post-quantum pre-image security
• SHA-512: 256-bit post-quantum pre-image security

NIST's current guidance considers 128-bit post-quantum security adequate for near-term use. SHA-256 meets this threshold. SHA-512 provides a comfortable extra margin if long-term archival security matters.

Which to use for each use case

JWT (JSON Web Tokens)

HS256 (HMAC-SHA-256) is the most widely supported JWT algorithm and is secure for all practical purposes. Use HS512 when your threat model requires the larger security margin or when a compliance requirement specifies it. The performance difference at JWT scale (short messages, low volume) is negligible.

HMAC for API request signing

SHA-256 is the standard. AWS Signature Version 4, Stripe webhook verification, Slack event signatures, and GitHub webhook payloads all use HMAC-SHA-256. Use SHA-256 unless a partner API explicitly requires SHA-512.

File integrity checksums

SHA-256 is the ecosystem standard — it is what GitHub, npm, Docker Hub, and most Linux package managers publish. SHA-512 checksums appear in some Linux distributions (Fedora, Arch). Either works; prefer SHA-256 for the broadest tooling support.

# Verify a file checksum (Linux / macOS)
sha256sum downloaded-file.tar.gz
sha512sum downloaded-file.tar.gz

# Compare against published hash
echo "expected_hash  downloaded-file.tar.gz" | sha256sum --check

TLS certificate fingerprints

SHA-256 only. Browsers display certificate fingerprints in the SHA-256 format. All modern Certificate Authorities use SHA-256 for certificate signing. SHA-512 is not used in TLS certificate chains.

Password storage — use neither

This is the most important point: do not use SHA-256 or SHA-512 to store passwords. Both algorithms are designed to be fast. Fast is dangerous for passwords because it means an attacker with a GPU can test billions of guesses per second against a stolen hash database.

Use a dedicated password hashing function instead:

// Node.js — bcrypt (npm install bcrypt)
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12); // cost factor 12
const valid = await bcrypt.compare(input, hash);

// Node.js — Argon2 (npm install argon2)
import argon2 from 'argon2';
const hash = await argon2.hash(password); // Argon2id by default
const valid = await argon2.verify(hash, input);

# Python — bcrypt
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
valid = bcrypt.checkpw(input.encode(), hashed)

How to generate SHA-256 and SHA-512 hashes in code

Node.js

import { createHash } from 'crypto';

const h256 = createHash('sha256').update('hello').digest('hex');
const h512 = createHash('sha512').update('hello').digest('hex');

console.log(h256); // 2cf24dba...
console.log(h512); // 9b71d224...

Browser (WebCrypto API)

async function sha(algorithm, text) {
  const data = new TextEncoder().encode(text);
  const buffer = await crypto.subtle.digest(algorithm, data);
  return [...new Uint8Array(buffer)]
    .map(b => b.toString(16).padStart(2, '0')).join('');
}

const h256 = await sha('SHA-256', 'hello');
const h512 = await sha('SHA-512', 'hello');

Python

import hashlib

h256 = hashlib.sha256(b'hello').hexdigest()
h512 = hashlib.sha512(b'hello').hexdigest()

Go

import (
  "crypto/sha256"
  "crypto/sha512"
  "fmt"
)

h256 := sha256.Sum256([]byte("hello"))
h512 := sha512.Sum512([]byte("hello"))
fmt.Printf("%x\n", h256)
fmt.Printf("%x\n", h512)

Bash (file hash)

sha256sum file.txt
sha512sum file.txt

What about SHA-3?

SHA-3 (based on the Keccak sponge construction) was standardised by NIST in 2015 as an alternative to SHA-2, not a replacement. SHA-2 has no known weaknesses, and SHA-3 is only required if a specific standard or regulatory document mandates it. In practice, SHA-3 sees very limited adoption — stick with SHA-256 or SHA-512 for all new systems.

Frequently Asked Questions

Is SHA-512 more secure than SHA-256?

Marginally — SHA-512 has a larger collision resistance (256-bit vs 128-bit) and more post-quantum margin. In practice, SHA-256's 128-bit security is far beyond any foreseeable attack. The security difference only matters in specific threat models involving nation-state adversaries or very long-term archival.

Can I switch from SHA-256 to SHA-512 in an existing system?

Yes, but any previously computed hashes cannot be compared directly — SHA-256 and SHA-512 of the same input produce completely different outputs. You will need to re-hash all stored values and update verification logic. For HMAC-based systems (API signatures, JWTs), both sides must agree on the algorithm.

Why does AWS use SHA-256 and not SHA-512?

Standardisation and hardware acceleration. SHA-256 benefits from SHA-NI hardware extensions on modern Intel and AMD server CPUs, making it extremely fast on AWS infrastructure. SHA-256 also has the widest client-library support, simplifying integration across SDK languages.

Does SHA-512 produce a longer hash string?

Yes. SHA-256 outputs 64 hex characters (32 bytes). SHA-512 outputs 128 hex characters (64 bytes). If you store hashes in a database, size the column accordingly: CHAR(64) for SHA-256, CHAR(128) for SHA-512.