What SHA-256 Really Is

Cuadernos Lacre · Concept · May 19, 2026
https://solo2.net/en/notebooks/articulos/what-sha-256-actually-is.html

A mathematical fingerprint that fits into sixty-four characters and changes entirely if a single comma of the original text is moved. Why we call it a digital sealing wax.

---

The simple idea behind the technical name

Imagine there is a machine with a single slot and a single screen. Through the slot, you insert a text: a word, a sentence, an entire novel. On the screen, moments later, a sequence of exactly sixty-four characters appears. That sequence is what the professional reader calls a hash or cryptographic summary; for the general reader, we can call it for now a mathematical fingerprint of the text, just as a fingerprint is for a person.

If you insert the same text twice, the machine shows the same fingerprint both times. If you insert a slightly different text—a single moved comma, an uppercase letter that becomes lowercase—the machine shows a fingerprint completely different from the first one. Not similar: different. These two properties together—determinism and sensitivity—are the simple idea. Everything else about SHA-256 is the machinery that makes them hold up well.

It's worth saying from the beginning what the machine does not do. It does not encrypt the text. It does not hide it. It does not save it. The machine looks at the text, calculates the fingerprint, and forgets the text. The fingerprint does not allow the reconstruction of the text that produced it; it only allows, given a candidate text, checking whether it matches the original or not. That's why we say it's a one-way summary: it goes out, it doesn't come back.

A hash is not the same as encrypting

Confusion is frequent and worth clearing up: encrypting and hashing are different operations. Encrypting consists of transforming a text so that only the holder of the key can return it to its original form.
Hashing consists of producing a fingerprint of the text from which the original text can never be recovered, with or without a key. The first is reversible by design; the second, irreversible by design.

The practical consequence matters. When an application says "we save your password encrypted", someone holds the key to decrypt it—the application itself, in any case. When an application says "we save your password hashed", the application itself cannot read the original password even if it wanted to; it can only check whether what you type produces the same fingerprint again. The second model, done well, is much preferable to the first for storing passwords. Later we will see why "done well" requires something more than just SHA-256.

The four properties that make a cryptographic hash useful

A hash function that deserves the adjective cryptographic meets four properties:

1. Determinism. The same input always produces the same fingerprint.
2. Avalanche effect. A small change in the input produces a completely different fingerprint, with no visible resemblance to the previous one.
3. Pre-image resistance. Given a fingerprint, it is not computationally feasible to find the text that produced it.
4. Collision resistance. It is not computationally feasible to find two different texts that produce the same fingerprint.

"Not computationally feasible" does not mean "it is mathematically impossible." It means that the cost in time, energy, and money of achieving it exceeds by orders of magnitude the sum of all reasonably available computing capacity. For SHA-256, that threshold is measured in quadrillions of years even for the most optimistic approaches with specialized hardware. Which, for the reader's practical purposes, is the same as "it cannot be done."

SHA-256, specifically

The name says it all. SHA stands for Secure Hash Algorithm.
The number 256 indicates the size of the fingerprint in bits: two hundred and fifty-six bits, that is, thirty-two bytes, which shown in hexadecimal are the sixty-four characters that the reader already recognizes. The standard was published by the US NIST, the body that standardizes this type of function, in 2001 as part of the SHA-2 family; the current version of the standard, FIPS 180-4, is from 2015.

The dimensions deserve a moment. Two hundred and fifty-six bits allow two to the power of two hundred and fifty-six different values: a number with seventy-eight decimal digits, several orders of magnitude greater than the estimated number of atoms in the observable universe. Every text in the world—every book, every email, every message—falls on one of those values. The probability of two different texts coinciding by chance is, for practical purposes, indistinguishable from zero.

How it looks in code

Why we call it a sealing wax

In European correspondence from the fifteenth to the nineteenth centuries, sealing wax closed the letter. A drop of melted wax, a seal pressed on top, and the letter was marked in an unrepeatable way. It did not protect the content from the determined snooper—the paper could be read against the light, the wax could be broken—but it did make any tampering evident. Any alteration of the closure was visible to the recipient even before opening the paper. The wax did not prevent the damage; it declared it.

The SHA-256 of the body of each Cuaderno serves the same function in its digital version. If a single word of the article changed between the time it was published and the time you read it, the hexadecimal seal at the foot of the text would no longer match the SHA-256 of the text in front of you. Any reader with five lines of code could check it. The publication cannot rewrite its history without the seal betraying it. It does not protect against damage; it makes it verifiable.
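The four properties listed above and the seal check just described, as an added example that is not the Cuaderno's own code nor Solo2's Zig implementation. It uses Python's standard `hashlib`. The texts are constructed for the example, and the seal verification assumes one convention that the article does not state: that the published seal is computed over the UTF-8 bytes of the body with line endings normalised to `\n`, so that a copy pasted from a system that uses `\r\n` still verifies.

```python
"""Added example: determinism, avalanche effect and Cuaderno-style seal
verification with SHA-256 from Python's standard library."""
import hashlib
import hmac


def sha256_hex(text: str) -> str:
    """Fingerprint of a text as 64 hexadecimal characters (32 bytes).
    The hash works on bytes, so the text is encoded as UTF-8 first."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions at which two fingerprints differ.
    For unrelated inputs a 256-bit hash differs in about 128 of them."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def canonical_body(body: str) -> str:
    """Assumed publication convention: '\\r\\n' and '\\r' become '\\n'
    before hashing, so a Windows copy of the text yields the same seal."""
    return body.replace("\r\n", "\n").replace("\r", "\n")


def seal_of(body: str) -> str:
    """The seal printed at the foot of an article: SHA-256 of the
    canonical body."""
    return sha256_hex(canonical_body(body))


def verify_seal(body: str, published_seal: str) -> bool:
    """Recompute the seal of the body in front of you and compare it with
    the published one (case-insensitive, surrounding whitespace ignored).
    compare_digest is not strictly needed for a public value but is the
    habit worth keeping for any comparison of digests."""
    return hmac.compare_digest(seal_of(body), published_seal.strip().lower())


# Constructed sample texts: TEXT_B differs from TEXT_A only by a moved comma.
TEXT_A = ("The wax did not prevent the damage, it declared it.\n"
          "Any alteration was visible before the letter was opened.\n")
TEXT_B = ("The wax did not prevent the damage it declared, it.\n"
          "Any alteration was visible before the letter was opened.\n")

if __name__ == "__main__":
    seal_a, seal_b = sha256_hex(TEXT_A), sha256_hex(TEXT_B)
    print("deterministic:", seal_a == sha256_hex(TEXT_A))
    print(f"{len(seal_a)} hex chars; {differing_bits(seal_a, seal_b)} of 256 bits differ")
    published = seal_of(TEXT_A)  # what the editor prints at the foot
    print("untouched body verifies:", verify_seal(TEXT_A, published))
    print("CRLF copy verifies:     ", verify_seal(TEXT_A.replace("\n", "\r\n"), published))
    print("moved comma verifies:   ", verify_seal(TEXT_B, published))
```

Run it and the moved comma flips roughly half of the 256 bits, which is the avalanche effect the article describes; the CRLF copy still verifies only because both sides agree on the canonical form, which is why a publication should state exactly which bytes its seal covers.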
What a hash is not

Four uses are sometimes expected of SHA-256 that do not belong to it:

1. Encrypting. A hash summarizes; it does not hide. If you want the text not to be readable, you need to encrypt it, not hash it.
2. Authenticating the author. A hash does not say who wrote the text, only what text was hashed. To associate authorship, a cryptographic signature is needed on top of the hash, not the hash alone.
3. Storing passwords. There is a trap here that's worth understanding. SHA-256 is designed to be very fast—which is good for many things, but bad for this. An attacker with specialized hardware can test billions of passwords per second against a SHA-256 hash until finding yours. To store passwords, one must use deliberately slow key derivation functions like Argon2, scrypt, or bcrypt, combined with a salt (a unique random piece of data per user, which prevents two people with the same password from having the same hash).
4. Reading the hash as an author identifier. It is not. A hash identifies the content. If two people hash the word hello with SHA-256, both get the same summary—and that is the central property, not a defect: if they were different summaries, we could not check coincidence between what is published and what is received.

Where SHA-256 appears in your day-to-day life

Although you don't see it, SHA-256 sustains a good part of what you use daily on the internet. The Bitcoin blockchain is built by chaining the SHA-256 of each block to the next; altering a past block forces the recalculation of the entire subsequent chain. Git, the system with which half the world's code is versioned, identifies each commit by the SHA-256 (in recent versions) or by its predecessor SHA-1 (in older versions) of its full content. The HTTPS certificates that verify the identity of a website when you visit it have an associated SHA-256 fingerprint.
Software downloads are often accompanied by a SHA-256 published by the developer so you can verify that the file was not altered along the way. And, as we have said, at the foot of each Cuaderno Lacre.

For the professional reader

Four operational reminders for those who decide on or audit systems:

1. Hash is not encryption. If a provider confuses the two terms in their technical documentation, it's worth asking exactly what they mean.
2. For storing passwords, SHA-256 alone should never be used. SHA-256 is too fast for this task (see point 3 of What a hash is not). The current standard is Argon2id: slow by design, configurable according to the server's capacity, combined with a different random salt per user.
3. For document integrity—contracts, records, files—SHA-256 remains the reference standard. It is the one used by qualified time-stamping providers in the EU.
4. For long-term preservation (decades), it is worth calculating and archiving a SHA-3 or a SHA-512 alongside the SHA-256 as well; cryptographic prudence recommends not relying on a single function for archives meant to last a century.

Imagine you have assembled the most elaborate domino circuit in the world: thousands of tiles, dozens of forks, mechanical bridges, and ramps crossing the entire room, carefully placed piece by piece. If you give a tap to the first tile, the chain falls in a precise and repeatable sequence. Same assembly, same initial tap → identical final pattern of fallen tiles, over and over again.

Here's the interesting part: move **a single tile** half a centimeter to one side before starting and tap again. A ramp that should have activated remains inert, a bridge doesn't fall, a different fork is triggered. The final pattern of tiles on the floor is completely unrecognizable compared to the first one.

SHA-256 is mathematically this circuit. The text you write is the initial position of the tiles. The algorithm is the tap that releases the cascade.
And the final result—what we call a *hash*—is the still photo of the floor when everything has stopped. Change a single comma in the original text and the photo will be radically different. As simple as that, and as drastic as that.

---

If you go back to the foot of this article, you will see a sixty-four character hexadecimal seal. It is the SHA-256 of the text you have just read, in this language. If we translated the article, the seal would be different; if a word of the Spanish version changed, the Spanish seal would change. The seal does not protect the content—for that there are other tools—but it identifies it uniquely. And that, as modest as it sounds, is enough so that no step in the editorial chain can alter what has been said without it being noticed. Everything else—encrypting, signing, identifying—is built on top of this simple idea.

Sources and further reading

- NIST — FIPS PUB 180-4: Secure Hash Standard (SHS), August 2015. Official specification of the SHA-2 family, including SHA-256.
- RFC 6234 — US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF), IETF, May 2011. Normative version for implementers.
- Ferguson, N.; Schneier, B.; Kohno, T. — Cryptography Engineering: Design Principles and Practical Applications (Wiley, 2010). Chapters 5 and 6 cover hash functions and their legitimate and illegitimate uses.
- Nakamoto, S. — Bitcoin: A Peer-to-Peer Electronic Cash System (2008). Practical example of using SHA-256 to chain blocks in a structure immutable by construction.
- Regulation (EU) 910/2014 (eIDAS) — framework for qualified time-stamping providers. SHA-256 is the reference function for qualified electronic signatures and seals issued in the EU.
- Reference implementation in Zig: std.crypto.hash.sha2.Sha256 in the language's official repository (github.com/ziglang/zig → lib/std/crypto/sha2.zig). It is the optimized and audited version that Solo2 actually uses. Useful for contrasting with the didactic implementation in the appendix.
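The password trap from point 3 of What a hash is not and point 2 of the professional reminders, as an added example that is not the article's code. It contrasts a bare SHA-256 of a password with a salted, deliberately slow derivation. The article's recommendation is Argon2id; scrypt (also named in the article) stands in for it here only because `hashlib.scrypt` ships with Python's standard library and needs no extra package. The work factors and the `scrypt$<salt>$<key>` record layout are constructed for the example, not a standard format, and the sample passwords are invented.

```python
"""Added example: why a fast, unsalted SHA-256 is the wrong tool for
passwords, and what a salted slow derivation changes."""
import hashlib
import hmac
import os
from typing import Optional

# Illustrative scrypt work factors: memory per guess is 128 * r * N bytes,
# 16 MiB here, which is what makes each guess expensive for an attacker.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024   # allow OpenSSL to use that memory
SALT_BYTES = 16
KEY_BYTES = 32


def naive_sha256_record(password: str) -> str:
    """The trap: one fast, unsalted SHA-256. Two users with the same
    password get the same record, and every stored record can be attacked
    with the same precomputed guesses at hardware speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def derive(password: str, salt: bytes, length: int = KEY_BYTES) -> bytes:
    """Slow, salted derivation. Same password + same salt -> same key."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=SCRYPT_MAXMEM, dklen=length)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Record to store instead of the password: 'scrypt$<salt hex>$<key hex>'.
    A fresh random salt per user means two identical passwords produce two
    different records, so guesses cannot be shared across users."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return f"scrypt${salt.hex()}${derive(password, salt).hex()}"


def check_record(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant
    time. The original password is never stored and cannot be read back."""
    try:
        scheme, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    actual = derive(password, bytes.fromhex(salt_hex), len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery"          # constructed sample password
    print("naive, user 1:", naive_sha256_record(pw))
    print("naive, user 2:", naive_sha256_record(pw))   # identical: leaks reuse
    r1, r2 = make_record(pw), make_record(pw)
    print("salted, user 1:", r1)
    print("salted, user 2:", r2)                        # different salts
    print("login ok:", check_record(pw, r1), "wrong pw:", check_record("x", r1))
```

The two naive records are identical, which is exactly what a salt prevents; the two scrypt records differ, yet both verify, because the salt is stored beside the key and re-used at login. Argon2id (for example via the `argon2-cffi` package) is a drop-in replacement for `derive` and is what the article recommends for new systems.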
--- Cuadernos Lacre · A publication of Menzuri Gestión S.L. · written by R.Eugenio · edited by the team of Solo2. https://solo2.net/en/notebooks/