Is there a limit on the message size for SHA-256?


Solution 1

There is technically a limit, but it's quite large. The padding scheme used for SHA-256 requires that the size of the input (in bits) be expressed as a 64-bit number. Therefore, the maximum size is (2^64-1)/8 bytes ~= 2'091'752 terabytes.

That renders the limit almost entirely theoretical, not practical.

Most people don't have the storage for nearly that much data anyway, but even if they did, processing it all serially to produce a single hash would take an amount of time most would consider prohibitive.

A quick back-of-the-envelope kind of calculation indicates that even with the fastest enterprise SSDs currently[1] listed on Tom's Hardware, and striping them 16 wide to improve bandwidth, just reading that quantity of data would still take about 220 years.


1. As of April 2016.

Solution 2

There is no such limit, other than the maximum message size of 2^64-1 bits. SHA2 is frequently used to generate hashes for executables, which tend to be much larger than a few dozen bytes.

Solution 3

The upper limit is given in the NIST Standard FIPS 180-4. The reason for the upper limit is the padding scheme, a countermeasure against the MOV attack, which is an artifact of the Merkle-Damgård construction. The message length l is appended last to the message during padding.

Then append the 64-bit block that is equal to the number l expressed using a binary representation

Therefore, by the NIST standard, the maximum file size that can be hashed with SHA-256 is 2^64-1 bits (approx. 2.305 exabytes; that is close to the lower range of the estimates for the NSA's data center in Utah, so you don't need to worry).

NIST allows hashing the zero-length message. Therefore the message length ranges from 0 to 2^64-1.

If you need to hash files larger than 2^64-1, then either use SHA-512, which has a 2^128-1 limit, or use SHA3, which has no limit.
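The padding rule the answers describe, as an added example (not code from any of the answers or from NIST): a pure-Python SHA-256 whose `pad` helper appends the 64-bit length field and rejects lengths that do not fit it. The names `pad`, `sha256` and `MAX_BITS` are hypothetical, and the sample password is constructed.

```python
MASK = 0xFFFFFFFF
MAX_BITS = 2**64 - 1          # largest value the 64-bit length field can hold

def _iroot(n, k):
    """Exact integer k-th root by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

# FIPS 180-4 constants: fractional bits of square/cube roots of the first primes.
PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, p))]
H0 = [_iroot(p << 64, 2) & MASK for p in PRIMES[:8]]
K = [_iroot(p << 96, 3) & MASK for p in PRIMES]

def pad(bit_len):
    """Padding for a message of bit_len bits (byte-aligned messages only)."""
    if bit_len > MAX_BITS:
        raise ValueError("message length does not fit the 64-bit length field")
    zeros = (55 - bit_len // 8) % 64      # bring the total to 56 mod 64 bytes
    return b"\x80" + b"\x00" * zeros + bit_len.to_bytes(8, "big")

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256(msg):
    data = msg + pad(len(msg) * 8)        # any input length up to MAX_BITS
    h = list(H0)
    for off in range(0, len(data), 64):   # one 512-bit block at a time
        w = [int.from_bytes(data[off + i:off + i + 4], "big") for i in range(0, 64, 4)]
        for t in range(16, 64):
            s0 = _rotr(w[t-15], 7) ^ _rotr(w[t-15], 18) ^ (w[t-15] >> 3)
            s1 = _rotr(w[t-2], 17) ^ _rotr(w[t-2], 19) ^ (w[t-2] >> 10)
            w.append((w[t-16] + s0 + w[t-7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(4, "big") for x in h).hex()

if __name__ == "__main__":
    import hashlib
    pw = b"correct horse battery staple " * 4   # constructed input, 116 bytes (> 64)
    print(sha256(pw) == hashlib.sha256(pw).hexdigest(), len(pad(len(pw) * 8)))
```

Inputs longer than one 64-byte block simply produce more blocks; the only hard stop is the length field, which `pad` enforces.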


Author: Jackson

Professional software developer and life-long computer enthusiast. Has JavaScript flowing out of his ears. Bash and LISP are also fun. Live free or die GNU/Linux. Graphical and typographical obsessor.

Updated on July 19, 2021

Comments

  • Jackson
    Jackson almost 3 years

    When hashing a string, like a password, with SHA-256, is there a limit to the length of the string I am hashing? For example, is it only "safe" to hash strings that are smaller than 64 characters?

  • Stefan
    Stefan over 10 years
    I'm trying to understand your answer: Do you mean 2^{64}-1 bits or do you mean 65 bits length? 2^64 is quite a lot of bits.
  • Michael Petrotta
    Michael Petrotta over 10 years
    The former, @Stefan. Yep, that's a lot of bits. :-)
  • Stefan
    Stefan over 10 years
    haha - ok yeah I don't need that many bits but that's good to know. Thank you!
  • Erkin Alp Güney
    Erkin Alp Güney over 7 years
    Block cipher techniques can be applied to inputs larger than and equal to 2^64 bytes.
  • Jerry Coffin
    Jerry Coffin over 6 years
    @ErkinAlpGüney: SHA-256 isn't a block cipher (or any other kind of cipher). It's a hash. Hashing can be applied to large inputs as well, of course--but larger than 2^64 bits (not to mention 2^64 bytes) isn't something most people need to worry about. Those who do will need to use something other than SHA-256 to do so (though depending on their needs, the only part they need to change may well be the padding).
  • Maarten Bodewes
    Maarten Bodewes almost 3 years
    Not that it matters much, an exabyte more or less ;), removed comments.