SHA-384 IS quantum safe.
How SHA-384 Works
SHA-384 is a truncated variant of SHA-512; both belong to the SHA-2 family, designed by the NSA and standardized by NIST in FIPS 180-4. SHA-384 uses the same 512-bit internal state (eight 64-bit words) and the same 80-round compression function as SHA-512, but it starts from its own set of initial hash values defined in FIPS 180-4 and outputs only the first 384 bits (six of the eight state words) of the final hash value. Because the initial values differ, SHA-384 is not simply SHA-512 with the last 128 bits dropped: the two functions produce unrelated digests for the same input. This design provides stronger collision resistance than SHA-256 (192 bits vs. 128 bits classically) while maintaining excellent performance on 64-bit processors.
SHA-384 processes input in 1024-bit blocks (twice the size of SHA-256's 512-bit blocks) using eight 64-bit working variables. On 64-bit CPUs without dedicated SHA-256 instructions it commonly outperforms SHA-256 per byte, since each 80-round compression consumes 128 bytes of input rather than 64; on CPUs with SHA-256 hardware extensions (Intel SHA-NI, ARMv8 SHA2) SHA-256 is usually the faster of the two. Truncating the 512-bit state to 384 bits also has a security side effect: a SHA-384 digest exposes only 384 of the 512 state bits, so the length-extension attacks that work against raw SHA-256 and SHA-512 do not apply to SHA-384 (HMAC, not a bare hash, is still the right tool for message authentication).
SHA-384 is required or preferred in several high-security profiles: NSA Suite B specified it for TOP SECRET, and its successors CNSA 1.0 and CNSA 2.0 keep SHA-384 (CNSA 2.0 also allows SHA-512) as the approved hash for national security systems; FIPS 140-3 validated cryptographic modules commonly implement it; the TLS 1.3 cipher suite TLS_AES_256_GCM_SHA384, favoured in government and defense profiles, uses it as the HKDF and handshake-transcript hash; and high-assurance code signing uses it for certificate signatures and fingerprints.
Quantum Vulnerability Explained
Grover's algorithm gives a quadratic speedup for unstructured search, which halves the exponent of a hash function's preimage security. For SHA-384:
Preimage resistance: Classically, finding an input that hashes to a given target costs about 2^384 evaluations. Grover reduces this to about 2^192 quantum evaluations, roughly 6.3 × 10^57, still far beyond any foreseeable quantum computer. Each Grover iteration also has to evaluate a full reversible SHA-384 circuit, so the real cost is higher than the query count alone suggests.
Collision resistance: Classically, a birthday attack finds a collision in about 2^192 operations. The Brassard-Høyer-Tapp quantum algorithm lowers the query count to about 2^(384/3) ≈ 2^128, but it also needs on the order of 2^128 quantum-accessible memory; under realistic cost models, parallel classical collision search at about 2^192 remains the cheaper attack, so 2^128 is a conservative lower bound. Even taking that bound, SHA-384 sits at the 128-bit post-quantum level generally treated as the floor for long-term protection, and NIST's PQC security categories rank SHA-384 collision search (category 4) above AES-192 key search (category 3).
NSA's CNSA 2.0 lists SHA-384 and SHA-512 as its approved hash functions for national security systems. SHA-384's 192-bit classical and at least 128-bit post-quantum collision resistance provides conservative margins for data requiring protection through 2050 and beyond.
Migration Path
No migration required for SHA-384 — it is the recommended hash function for post-quantum high-security applications. Organizations should consider:
- Adopt SHA-384 as default: For government, defense, healthcare, and financial systems handling sensitive long-term data, SHA-384 should be the minimum hash function.
- TLS cipher suite preference: Configure TLS 1.3 to prefer TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256 for connections that require a 384-bit key-schedule and transcript hash. In TLS 1.3 the hash in the suite name governs HKDF and the handshake transcript only; the hash inside the certificate signature is negotiated separately through the signature_algorithms extension, so check both.
- Certificate hierarchies: Use SHA-384 for root CA and intermediate CA certificate signatures, especially for certificates with 10+ year lifetimes.
- HMAC and key derivation: Implement HMAC-SHA384 and HKDF-SHA384 for generating cryptographic keys from master secrets.
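The HKDF and HMAC items above, as an added example that is not part of the original page: HKDF-SHA384 per RFC 5869, the TLS 1.3 HKDF-Expand-Label construction from RFC 8446 that TLS_AES_256_GCM_SHA384 runs on top of it, and a constant-time HMAC-SHA384 check, all with the Python standard library. The secret used in the demo at the bottom is constructed here and does not come from any real handshake.

```python
"""HMAC-SHA384 and HKDF-SHA384 (RFC 5869), plus TLS 1.3 HKDF-Expand-Label, standard library only."""
import hashlib
import hmac

HASH = "sha384"
HASH_LEN = hashlib.new(HASH).digest_size  # 48 bytes for SHA-384


def hkdf_extract(salt, ikm):
    """HKDF-Extract: PRK = HMAC-SHA384(salt, IKM). An empty salt means HASH_LEN zero bytes (RFC 5869)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand: T(i) = HMAC-SHA384(PRK, T(i-1) || info || i), concatenated and cut to `length`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret, label, context, length):
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 section 7.1). The info is the HkdfLabel structure:
    uint16 length || opaque label<7..255> ("tls13 " + label) || opaque context<0..255>."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_traffic_keys(traffic_secret):
    """Per-direction AEAD key and IV for TLS_AES_256_GCM_SHA384: 32-byte AES-256 key, 12-byte GCM IV."""
    key = hkdf_expand_label(traffic_secret, "key", b"", 32)
    iv = hkdf_expand_label(traffic_secret, "iv", b"", 12)
    return key, iv


def tls13_early_secret(psk=None):
    """First step of the TLS 1.3 key schedule: Early Secret = HKDF-Extract(0, PSK), zeros if no PSK."""
    return hkdf_extract(b"\x00" * HASH_LEN, psk or b"\x00" * HASH_LEN)


def mac(key, message):
    """HMAC-SHA384 tag."""
    return hmac.new(key, message, HASH).digest()


def mac_verify(key, message, tag):
    """Constant-time tag comparison; never compare MAC tags with ==."""
    return hmac.compare_digest(mac(key, message), tag)


if __name__ == "__main__":
    # Constructed demo secret, not a value from any real handshake.
    secret = hkdf_expand(tls13_early_secret(), b"demo-context", HASH_LEN)
    key, iv = tls13_traffic_keys(secret)
    print(len(key), len(iv), key.hex()[:16])
```

Note that the hash fixes the output sizes throughout: a SHA-384 suite has 48-byte secrets and a 48-byte Finished MAC, while the AEAD key and IV lengths come from the cipher, not the hash.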
Industries at Risk
No industries are at risk from SHA-384 — it provides robust quantum-safe hashing. However, industries must ensure SHA-384 is not combined with quantum-vulnerable signature algorithms:
Government and defense: NSA CNSA 2.0 requires SHA-384 (or SHA-512) for national security systems, including TOP SECRET. These deployments stay secure only if the signature algorithms paired with the hash, today RSA or ECDSA with SHA-384, migrate to the CNSA 2.0 quantum-resistant signatures ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). In an RSA-SHA384 or ECDSA-SHA384 signature the hash is not the weak link; the public-key algorithm is.
Financial services: High-security payment systems, trading platforms, and regulatory compliance systems (SEC, FINRA) should use SHA-384 for transaction hashing, audit logs, and cryptographic commitments. The hash is quantum-safe; ensure signature schemes are also PQC-compliant.
Healthcare: Medical research involving genomic data, clinical trials, and long-term patient records benefits from SHA-384's conservative security margins, ensuring hash integrity through multi-decade data retention periods.
Timeline
- 2025-2026: SHA-384 is quantum-safe and approved for the highest-security applications. Use as the standard hash for new high-security deployments.
- 2030: CNSA 2.0 transition milestones call for national security systems to use CNSA 2.0 algorithms exclusively in several product categories. SHA-384 and SHA-512 remain the approved hash functions, so the hash itself does not change; only the signature and key-establishment algorithms around it do.
- 2040+: SHA-384 expected to remain approved indefinitely. No deprecation timeline.
SHA-384 represents the gold standard for post-quantum hash function security and should be the default for systems requiring long-term data protection.