What is SHA-512?
SHA-512 is the largest member of the SHA-2 family — a cryptographic hash function standardized by NIST in 2001 that produces a 512-bit (128 hex character) digest from any input.
SHA-512 is built for 64-bit architectures and uses 80 rounds of compression (vs SHA-256’s 64) with 64-bit word arithmetic and 1024-bit blocks. This makes it the most computationally thorough of the SHA-2 algorithms.
Security status: SHA-512 is fully secure, and no practical attacks are known. It provides a 256-bit security level against collisions, twice the bit-security of SHA-256.
The Counterintuitive Speed Story
SHA-512 has a larger digest and processes bigger blocks — you’d expect it to be slower than SHA-256. But on modern 64-bit CPUs, it’s often faster:
| Scenario | SHA-256 | SHA-512 |
|---|---|---|
| 64-bit CPU, large input | ~400 MB/s | ✅ ~600 MB/s |
| 32-bit CPU | ~250 MB/s | ⚠️ ~80 MB/s |
| Hardware acceleration | Multi-GB/s | Multi-GB/s |
Why? SHA-256 uses 32-bit words, processing 32 bits per operation. SHA-512 uses 64-bit words — each operation handles twice the data. On a CPU natively running 64-bit instructions, SHA-512 does more work per clock cycle. On 32-bit hardware, this advantage reverses, as 64-bit operations must be emulated.
For this reason, systems processing large amounts of data on modern 64-bit servers often prefer SHA-512.
How SHA-512 Works
Architecture
SHA-512 uses the Merkle–Damgård construction with Davies–Meyer compression, the same structural pattern as SHA-256 but scaled to 64-bit:
| Component | SHA-256 | SHA-512 |
|---|---|---|
| Word size | 32-bit | 64-bit |
| Block size | 512-bit | 1024-bit |
| Digest | 256-bit | 512-bit |
| Rounds | 64 | 80 |
| State variables | 8 × 32-bit | 8 × 64-bit |
Initialization
Eight 64-bit state variables (H₀–H₇) are set using the fractional parts of the square roots of the first 8 primes.
80 Rounds of Compression
Each 1024-bit block is expanded into 80 64-bit words. Each round then combines one of these words with the following:
- Σ₀, Σ₁ — rotation-based mixing of state variables A and E
- Ch (Choose) — bitwise selection based on state variable E
- Maj (Majority) — bitwise majority of A, B, C
- Round constants — 80 constants derived from cube roots of first 80 primes
Final Output
After all blocks, H₀–H₇ (eight 64-bit words = 512 bits) are concatenated to produce the digest.
SHA-512 Output Format
| Property | Value |
|---|---|
| Digest size | 512 bits |
| Hex length | 128 chars |
| Word size | 64-bit |
| Block size | 1024 bits |
| Rounds | 80 |
| Deterministic | Yes |
Example outputs:
| Input | SHA-512 Digest (first 40 chars) |
|---|---|
| (empty) | cf83e1357eefb8bdf1542850d66d8007d620e405... |
| a | 1f40fc92da241694750979ee6cf582f2d5d7d28e... |
| abc | ddaf35a193617abacc417349ae20413112e6fa4e... |
SHA-512 Variants
NIST also standardized two truncated variants that use SHA-512’s 64-bit engine but produce shorter digests:
| Variant | Output | Use case |
|---|---|---|
| SHA-512/224 | 224 bits (56 hex) | When a SHA-224-sized digest is needed with 64-bit performance |
| SHA-512/256 | 256 bits (64 hex) | SHA-256-level output with SHA-512 speed on 64-bit hardware |
SHA-512/256 is particularly useful: same security level as SHA-256, but potentially faster on 64-bit servers processing bulk data.
Real-World Uses of SHA-512
DNSSEC Record Signing
Many DNSSEC deployments use RSASHA512 for signing DNS zone records. The larger 512-bit digest provides extra collision resistance for long-lived records that may need to remain valid for years.
SSH Key Fingerprints
OpenSSH uses SHA-512 internally in MAC contexts to verify session integrity. Modern clients display fingerprints as SHA-256 for brevity, but SHA-512 operates under the hood in MAC algorithms like hmac-sha2-512.
sha512crypt — Linux /etc/shadow
The $6$ prefix in Linux shadow passwords means sha512crypt — SHA-512 iterated 5,000 times with a random salt. The iterations are what slow down brute-force attacks, not the raw algorithm.
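A defender-side check for the format just described, as an added example that is not from the original page: it parses the `$6$[rounds=N$]salt$hash` field of shadow entries and reports the effective iteration count. The `min_rounds` policy value and the sample entries are constructed for illustration.

```python
import re

# Modular crypt format for sha512crypt: $6$[rounds=N$]salt$hash
# The salt is at most 16 characters; the hash is 86 characters of [./0-9A-Za-z].
SHA512CRYPT = re.compile(
    r"\$6\$(?:rounds=(?P<rounds>[1-9][0-9]*)\$)?"
    r"(?P<salt>[^$:]{1,16})\$(?P<digest>[./0-9A-Za-z]{86})")
DEFAULT_ROUNDS = 5000  # applies when the rounds= field is absent

def audit_shadow(lines, min_rounds=100_000):
    """Return [(user, finding)] for shadow(5) lines. min_rounds is a site policy
    value chosen for this example, not a figure from the page."""
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 2 or line.lstrip().startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if not pw:
            findings.append((user, "empty password field"))
        elif pw[0] in "!*":
            findings.append((user, "locked or no password login"))
        elif (m := SHA512CRYPT.fullmatch(pw)) is None:
            scheme = pw.split("$")[1] if pw.startswith("$") and pw.count("$") >= 2 else "?"
            findings.append((user, f"not sha512crypt (scheme id {scheme!r})"))
        else:
            rounds = int(m["rounds"] or DEFAULT_ROUNDS)
            verdict = "ok" if rounds >= min_rounds else "below policy"
            findings.append((user, f"sha512crypt rounds={rounds} {verdict}"))
    return findings

# Constructed sample entries; the digests are placeholders, not real hashes.
SAMPLE = [
    "alice:$6$Zq3xT1mP$" + "A" * 86 + ":19700:0:99999:7:::",
    "bob:$6$rounds=656000$Zq3xT1mPabcdefgh$" + "B" * 86 + ":19700:0:99999:7:::",
    "carol:$1$oldsalt$" + "C" * 22 + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]
```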
JWT with HS512 / RS512 / ES512
HS512 (HMAC-SHA512) is used for API tokens where you control both sides. RS512 (RSA + SHA-512) is preferred for long-term signature validity with RSA-4096 keys — useful when JWTs must be trusted for extended periods.
Digital Signatures on Long-Lived Documents
Pairing SHA-512 with RSA-4096 is the standard recommendation for contracts, certificates, and code-signing artifacts that must remain cryptographically trustworthy for a decade or more.
SHA-512 vs SHA-256 — When to Choose
| Factor | SHA-256 | SHA-512 |
|---|---|---|
| Security (current) | ✅ Secure | ✅ Secure |
| Security margin | 128-bit | ✅ 256-bit |
| 64-bit CPU speed | Good | ✅ Often better |
| 32-bit CPU speed | Good | ⚠️ Significantly slower |
| Output size | 64 hex chars | 128 hex chars |
| Standard adoption | Ubiquitous | Common |
| Recommended for | General use | High-security, 64-bit servers |
Computing SHA-512 Hashes
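```bash
# printf avoids the trailing newline that would otherwise be hashed with the input
printf '%s' "hello" | sha512sum
# Hash a file
sha512sum filename.txt
```
Or use the Hash Generator, which computes all five algorithms instantly in your browser with no server involved.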
Key Takeaways
- SHA-512 produces a 128-character hexadecimal digest (512 bits)
- Part of the SHA-2 family; uses 64-bit words and 80 rounds
- Fully secure — 256-bit security margin, strongest SHA-2 variant
- On 64-bit CPUs, can be faster than SHA-256 due to wider arithmetic
- Used in DNSSEC, SSH MACs, JWT (HS512/RS512), and long-lived digital signatures
- Variants SHA-512/224 and SHA-512/256 combine 64-bit speed with smaller output
- Do not use raw SHA-512 for passwords — use Argon2id or bcrypt instead