What is SHA-384?
SHA-384 is a cryptographic hash function in the SHA-2 family, standardized by NIST in 2001. It produces a 384-bit digest displayed as 96 hexadecimal characters.
SHA-384 is essentially SHA-512 run with different initial values and the output truncated to 384 bits. This makes it faster than independently designed 384-bit hashes — it reuses the optimized SHA-512 pipeline.
Security status: SHA-384 is fully secure. No practical attacks are known. It provides a larger security margin than SHA-256.
SHA-384 vs the SHA-2 Family
SHA-384 sits between SHA-256 and SHA-512 in the SHA-2 family:
| Algorithm | Output bits | Hex chars | Word size | Block size | Rounds |
|---|---|---|---|---|---|
| SHA-256 | 256 | 64 | 32-bit | 512-bit | 64 |
| SHA-384 | 384 | 96 | 64-bit | 1024-bit | 80 |
| SHA-512 | 512 | 128 | 64-bit | 1024-bit | 80 |
SHA-384 and SHA-512 share the same underlying algorithm — 80 rounds with 64-bit arithmetic and 1024-bit blocks. They differ only in their initialization constants and output length (SHA-384 truncates SHA-512’s state before output).
How SHA-384 Works
SHA-384 follows the same four-step process as SHA-512:
1. Padding
Message padded to multiple of 1024 bits, with original length encoded in 128 bits.
2. Initialize State
Eight 64-bit words (H₀–H₇) set from fractional parts of square roots of the 9th–16th primes (different from SHA-512).
3. 80 Rounds of Compression
64-bit rotations, XOR, Ch/Maj mixing functions — same as SHA-256 but with 64-bit words.
4. Output Truncation
Only the first 384 bits (H₀–H₅) are output. H₆ and H₇ are discarded, giving SHA-512 speed with smaller output.
SHA-384 Output Format
384 bits
Digest size
96 chars
Hex length
64-bit
Word size
1024 bits
Block size
Yes
Deterministic
Example outputs:
| Input | SHA-384 Digest (first 32 chars shown) |
|---|---|
| (empty string) | 38b060a751ac96384cd9... |
| a | 54a59b9f22b0b80880d8... |
| abc | cb00753f45a35e8bb5a0... |
Where SHA-384 is Used
TLS 1.2 Cipher Suites
Suites like TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 use SHA-384 for PRF and MAC when 256-bit symmetric keys are negotiated.
HMAC-SHA384 in APIs
Financial and government APIs mandate HMAC-SHA384 for request signing — higher security margin than HMAC-SHA256.
ECDSA with P-384
When using NIST P-384 elliptic curve, SHA-384 is the natural hash pairing. Matching security levels: ~192-bit security.
NSA Suite B / CNSA
SHA-384 is in the US government's Commercial National Security Algorithm Suite alongside P-384 ECDH and AES-256.
SHA-384 Performance
Since SHA-384 uses the same 64-bit arithmetic engine as SHA-512, performance characteristics are nearly identical:
- On 64-bit CPUs: slightly faster than SHA-256 per byte for large inputs (wider words, more bits per operation)
- On 32-bit CPUs: significantly slower (64-bit operations emulated)
- Hardware acceleration: Intel and ARM both provide SHA-512 instructions that also accelerate SHA-384
When to Choose SHA-384
| Scenario | Recommended |
|---|---|
| General file integrity | ✅ SHA-256 (sufficient, faster) |
| TLS cipher suite requiring SHA-384 | ✅ SHA-384 |
| P-384 ECDSA signatures | ✅ SHA-384 |
| Government/compliance requiring 192-bit security | ✅ SHA-384 |
| API signing with SHA-384 mandate | ✅ SHA-384 |
| Everything else | ✅ SHA-256 or SHA-512 |
Computing SHA-384 Hashes
echo -n "hello" | sha384sum
sha384sum filename.txtOr use the Hash Generator for instant in-browser computation across all SHA-2 variants.
Key Takeaways
- SHA-384 produces a 96-character hexadecimal digest (384 bits)
- It’s SHA-512 internally, with different init values and truncated output
- Fully secure — larger security margin than SHA-256
- Used in TLS cipher suites, P-384 signatures, and government security requirements
- On 64-bit CPUs, performance is comparable to or faster than SHA-256
- For most applications, SHA-256 is sufficient; SHA-384 when compliance demands it