Is there a limit on the message size for SHA-256?

Question

When hashing a string, like a password, with SHA-256, is there a limit to the length of the string I am hashing? For example, is it only "safe" to hash strings that are smaller than 64 characters?

Jerry Coffin · Accepted Answer · 2016-04-05T19:39:16.320

86

There is technically a limit, but it's quite large. The padding scheme used for SHA-256 requires that the size of the input (in bits) be expressed as a 64-bit number. Therefore, the maximum size is (2⁶⁴-1)/8 bytes ~= 2'091'752 terabytes.

That renders the limit almost entirely theoretical, not practical.

Most people don't have the storage for nearly that much data anyway, but even if they did, processing it all serially to produce a single hash would take an amount of time most would consider prohibitive.

A quick back-of-the-envelope kind of calculation indicates that even with the fastest enterprise SSDs currently¹ listed on Tom's hardware, and striping them 16 wide to improve bandwidth, just reading that quantity of data would still take about 220 years.

^{1. As of April 2016.}

edited Apr 05 '16 at 19:39

answered Jun 30 '13 at 07:36

Jerry Coffin

476,176
80
629
1,111

Block cipher techniques can be applied to inputs larger than and equal to 2^64 bytes. – Erkin Alp Güney Mar 21 '17 at 15:17
3

@ErkinAlpGüney: SHA-256 isn't a block cipher (or any other kind of cipher). It's a hash. Hashing can be applied to large inputs as well, of course--but larger than 2^64 bits (not to mention 2^64 bytes) isn't something most people need to worry about. Those who do will need to use something other than SHA-256 to do so (though depending on their needs, the only part they need to change may well be the padding). – Jerry Coffin Oct 14 '17 at 18:20

score 7 · Answer 2 · answered Jun 30 '13 at 07:35

7

There is no such limit, other than the maximum message size of 2⁶⁴-1 bits. SHA2 is frequently used to generate hashes for executables, which tend to be much larger than a few dozen bytes.

answered Jun 30 '13 at 07:35

Michael Petrotta

59,888
27
145
179

1

I try to understand your answer: Do you mean 2^{64}-1 bits or do you mean 65 bits length? 2^64 is quite a lot bits. – Stefan Jan 14 '14 at 10:53
The former, @Stefan. Yep, that's a lot of bits. :-) – Michael Petrotta Jan 14 '14 at 14:52
haha - ok yeah I don't need that much bits but that's good to know. Thank you! – Stefan Jan 14 '14 at 16:14

kelalaka · Answer 3 · 2021-07-18T20:19:18.020

The upper limit is given in the NIST Standard FIPS 180-4. The reason for the upper limit is the padding scheme to countermeasure against the MOV attack that Merkle-Damgard construction's artifact. The message length l is lastly appended to the message during padding.

Then append the 64-bit block that is equal to the number l expressed using a binary representation

Therefore by the NIST standard, the maximum file size can be hashed with SHA-256 is 2^64-1 in bits ( approx 2.305 exabytes - that is close to the lower range of the estimated NSA's data center in UTAH, so you don't need to worry).

NIST enables the hash of the size zero message. Therefore the message length starts from 0 to 2^64-1.

If you need to hash files larger than 2^64-1 then either use SHA-512 which has 2^128-1 limit or use SHA3 which has no limit.

Not that it matters much, an exabyte more or less ;), removed comments. — Maarten Bodewes, Jul 18 '21 at 21:05

Is there a limit on the message size for SHA-256?

3 Answers3

Linked