SHA-256 IS quantum safe.
How SHA-256 Works
SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function from the SHA-2 family, designed by the NSA and standardized by NIST in FIPS 180-4 (2001). Hash functions take an arbitrary-length input and produce a fixed-size output (256 bits for SHA-256) called a digest or hash. SHA-256 is deterministic (same input always produces same output), one-way (computationally infeasible to reverse), and collision-resistant (extremely difficult to find two inputs producing the same hash).
The algorithm processes input data in 512-bit blocks through 64 rounds of bitwise operations (rotations, shifts, XOR, AND, OR) and modular additions. It uses eight 32-bit working variables initialized with specific constants derived from the square roots of prime numbers. The final hash is the concatenation of these variables after processing all input blocks.
SHA-256 is critical infrastructure: Bitcoin and other proof-of-work blockchains use SHA-256 for mining and transaction IDs, TLS/SSL certificate chains use SHA-256 for certificate fingerprints and signature hashing (RSA-SHA256, ECDSA-SHA256), password storage systems use SHA-256 as input to key derivation functions (PBKDF2, scrypt, Argon2), and integrity verification for software downloads, git commits, and file systems relies on SHA-256 checksums.
Quantum Vulnerability Explained
Hash functions face two primary quantum threats: preimage attacks (finding an input that produces a given hash) and collision attacks (finding two inputs with the same hash). Grover's algorithm accelerates both attacks but does not break SHA-256.
For preimage resistance, a classical brute-force attack requires 2^256 hash computations on average to find an input matching a target hash. Grover's algorithm reduces this to approximately 2^(256/2) = 2^128 quantum operations. While this is a quadratic speedup, 2^128 operations remains astronomically large — approximately 340 undecillion (3.4 × 10^38) attempts. No quantum computer, even with optimistic projections for 2040-2050, could perform 2^128 operations within a human lifetime.
For collision resistance (the birthday attack), classical collision-finding requires approximately 2^(n/2) operations, where n is the hash output size. For SHA-256, this is 2^128 operations classically. Brassard, Høyer, and Tapp showed that Grover's algorithm can find collisions in approximately 2^(n/3) operations — for SHA-256, this reduces to 2^(256/3) ≈ 2^85 quantum operations. While 2^85 is significantly smaller than 2^128, it still represents over 38 septillion (3.8 × 10^25) operations, far beyond foreseeable quantum computational capacity.
Critically, quantum collision attacks also require enormous quantum memory (storing 2^85 quantum states), which faces severe practical limitations. NIST and NSA have concluded that SHA-256 provides adequate post-quantum security margins for collision resistance.
Migration Path
No migration is required for SHA-256 itself — it remains approved for post-quantum cryptographic use. However, organizations must be careful about how SHA-256 is used:
- Signature schemes: Algorithms like RSA-SHA256 or ECDSA-SHA256 are vulnerable — not because SHA-256 is broken, but because RSA and ECDSA are Shor-vulnerable. Replace these with ML-DSA-SHA256 or SLH-DSA-SHA256 (quantum-safe signature + quantum-safe hash).
- Key derivation: Functions like PBKDF2-HMAC-SHA256 or HKDF-SHA256 remain secure for deriving encryption keys, but ensure the master key material is protected via quantum-safe key exchange (ML-KEM).
- Certificate fingerprints: X.509 certificates currently use SHA-256 fingerprints for integrity verification. The hash itself is quantum-safe, but the certificate signatures (RSA/ECDSA) must migrate to ML-DSA or SLH-DSA.
- Blockchain integrity: Bitcoin's use of SHA-256 for proof-of-work and transaction hashing is quantum-resistant. However, wallet signatures (ECDSA secp256k1) are Shor-vulnerable and require migration.
Organizations should audit cryptographic implementations to distinguish between SHA-256 usage (quantum-safe) and signature algorithm vulnerability (quantum-vulnerable).
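The audit the paragraph above calls for, as an added example that is not part of the original page (it also applies the Grover and BHT cost figures from the "Quantum Vulnerability Explained" section): a classifier that splits an algorithm identifier into its hash part and its public-key part, flags only the Shor-vulnerable part, and reports the post-quantum bit strength of the hash. The inventory strings are constructed samples in the mixed naming styles an audit encounters, and the function names are my own.

```python
import re

# Public-key primitives built on factoring or discrete logs: broken outright by Shor's algorithm.
SHOR_VULNERABLE = re.compile(r"RSA|ECDSA|ECDH|SECP256K1|\bDSA\b|\bDH\b")
# NIST-standardized post-quantum primitives (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
PQ_SAFE = re.compile(r"ML-KEM|ML-DSA|SLH-DSA")
# SHA-2 output size n: Grover leaves n/2 bits of preimage strength, BHT leaves n/3 bits of collision strength.
HASH = re.compile(r"SHA-?(256|384|512)")

def classify(identifier: str) -> dict:
    """Judge the hash part and the public-key part of one algorithm identifier separately."""
    s = identifier.upper()
    finding = {"identifier": identifier, "hash": None, "pk": None, "verdict": ""}
    m = HASH.search(s)
    if m:
        n = int(m.group(1))
        finding["hash"] = {"name": f"SHA-{n}", "quantum_preimage_bits": n // 2,
                           "quantum_collision_bits": n // 3}
    pq = PQ_SAFE.findall(s)
    # Strip PQ names first so the "DSA" inside "ML-DSA"/"SLH-DSA" is not misread as classical DSA.
    shor = SHOR_VULNERABLE.findall(PQ_SAFE.sub("", s))
    if shor:
        finding["pk"] = shor[0]
        finding["verdict"] = (f"MIGRATE: {shor[0]} is Shor-vulnerable; move to ML-DSA/SLH-DSA "
                              "(signatures) or ML-KEM (key agreement). The hash is not the problem.")
    elif pq:
        finding["pk"] = pq[0]
        finding["verdict"] = f"OK: {pq[0]} is post-quantum; only Grover-type speedups apply to the hash."
    elif finding["hash"]:
        h = finding["hash"]
        finding["verdict"] = (f"OK: hash/KDF only; best known quantum attacks cost about "
                              f"2^{h['quantum_preimage_bits']} (preimage) and 2^{h['quantum_collision_bits']} (collision).")
    else:
        finding["verdict"] = "UNKNOWN: no recognised hash or public-key primitive; review by hand."
    return finding

def audit(inventory):
    """Return only the entries that need migration, so safe hash uses do not clutter the report."""
    return [f for f in map(classify, inventory) if f["verdict"].startswith("MIGRATE")]

INVENTORY = [                    # constructed sample inventory
    "sha256WithRSAEncryption",   # OpenSSL name for an RSA-SHA256 certificate signature
    "ecdsa-with-SHA256",         # OpenSSL name for an ECDSA-SHA256 signature
    "ECDSA-secp256k1",           # Bitcoin wallet signatures
    "PBKDF2-HMAC-SHA256",        # password KDF
    "HKDF-SHA256",               # key derivation
    "ML-DSA-65",                 # FIPS 204 signature
    "SLH-DSA-SHA2-128s",         # FIPS 205 hash-based signature
    "SHA-256",                   # bare checksum
]

if __name__ == "__main__":
    for f in map(classify, INVENTORY):
        print(f"{f['identifier']:28} {f['verdict']}")
```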
Industries at Risk
While SHA-256 itself is quantum-safe, its association with vulnerable signature schemes creates indirect risk:
Cryptocurrency networks like Bitcoin use SHA-256 extensively for mining (proof-of-work), transaction IDs, and Merkle tree construction. These hash-based components are quantum-resistant. However, Bitcoin's ECDSA signatures are vulnerable, creating a common misconception that "Bitcoin isn't quantum-safe." The hash function is safe; the signature layer requires upgrading.
Software supply chains rely on SHA-256 for file integrity verification (checksums, hash trees) and git commit IDs. These hash uses are quantum-safe. However, code signing certificates (RSA-SHA256, ECDSA-SHA256) require PQC migration because the signature algorithm is vulnerable, not the hash.
Certificate authorities use SHA-256 for certificate fingerprints, TLS handshake transcript hashing, and OCSP response integrity. The hash operations remain secure, but the CA's signature on certificates must migrate from RSA/ECDSA to ML-DSA or SLH-DSA by 2030-2035 per NIST timelines.
Timeline
- 2025-2026: SHA-256 is quantum-safe and remains the standard hash for new systems. No migration needed.
- 2030: NSA CNSA 2.0 approves SHA-256 (minimum) for national security systems, with SHA-384 recommended for higher security margins.
- 2035+: SHA-256 expected to remain approved indefinitely. No deprecation timeline.
- Future considerations: If quantum computing advances beyond current projections (e.g., error correction breakthroughs enabling 2^100+ operations), NIST may recommend SHA-384 or SHA-512 for additional margin. CNSA 2.0 already specifies SHA-384 as the minimum for national security systems.
Organizations should maintain SHA-256 for hashing but immediately plan PQC migration for any signature algorithms (RSA-SHA256, ECDSA-SHA256) to ML-DSA or SLH-DSA.