About

SHA-224 is a cryptographic hash function defined in FIPS 180-4, producing a 224-bit (56 hex character) digest. It operates identically to SHA-256 in its compression rounds but uses distinct initial hash values H₀…H₆ and truncates the final output to 7 words instead of 8. This generator feeds cryptographically secure random bytes from the browser's CSPRNG (crypto.getRandomValues) into a full SHA-224 implementation. The result is indistinguishable from hashing arbitrary data. It is not a random hex string - it is a real SHA-224 digest of random input.

Common use cases include generating unique test identifiers, populating database seed fixtures, validating hash-comparison logic, and creating content-addressable keys where SHA-256's 64-character output is unnecessarily long. Note: SHA-224 provides 112-bit collision resistance per the birthday bound. For security-critical applications requiring ≥128-bit collision resistance, use SHA-256 or SHA-3.

Formulas

SHA-224 follows the Merkle-Damgård construction. The input message M is padded, split into 512-bit blocks, and processed through 64 compression rounds per block. The compression function uses 8 working variables but the final digest is truncated to 7 words (224 bits).

H(M) = Truncate₂₂₄(SHA-256_IV₂₂₄(M))

The initial hash values for SHA-224 (distinct from SHA-256) are defined in FIPS 180-4 §5.3.2:

H₀ = c1059ed8 H₁ = 367cd507 H₂ = 3070dd17 H₃ = f70e5939
H₄ = ffc00b31 H₅ = 68581511 H₆ = 64f98fa7 H₇ = befa4fa4

Each compression round applies six logical functions. The core round function for round t:

T₁ = h + Σ₁(e) + Ch(e, f, g) + K_t + W_t

T₂ = Σ₀(a) + Maj(a, b, c)

Where Ch(x, y, z) = (x ∧ y) &xor; (¬x ∧ z) is the choice function, Maj(x, y, z) = (x ∧ y) &xor; (x ∧ z) &xor; (y ∧ z) is the majority function, K_t are the 64 round constants (first 32 bits of cube roots of first 64 primes), and W_t is the message schedule word. Collision resistance is 2¹¹² operations by the birthday paradox: n2 = 2242 = 112 bits.

Reference Data

Hash Function	Digest Size (bits)	Hex Length	Block Size (bits)	Rounds	Collision Resistance (bits)	Standard	Status
MD5	128	32	512	64	Broken	RFC 1321	Deprecated
SHA-1	160	40	512	80	Broken	FIPS 180-4	Deprecated
SHA-224	224	56	512	64	112	FIPS 180-4	Active
SHA-256	256	64	512	64	128	FIPS 180-4	Active
SHA-384	384	96	1024	80	192	FIPS 180-4	Active
SHA-512	512	128	1024	80	256	FIPS 180-4	Active
SHA-512/224	224	56	1024	80	112	FIPS 180-4	Active
SHA-512/256	256	64	1024	80	128	FIPS 180-4	Active
SHA3-224	224	56	1152	24	112	FIPS 202	Active
SHA3-256	256	64	1088	24	128	FIPS 202	Active
SHA3-384	384	96	832	24	192	FIPS 202	Active
SHA3-512	512	128	576	24	256	FIPS 202	Active
BLAKE2b	256	64	1024	12	128	RFC 7693	Active
BLAKE3	256	64	512	7	128	Spec v1	Active
RIPEMD-160	160	40	512	80	80	ISO/IEC 10118-3	Legacy
Whirlpool	512	128	512	10	256	ISO/IEC 10118-3	Active

Frequently Asked Questions

Each hash is computed by feeding cryptographically secure random bytes (generated via the browser's crypto.getRandomValues CSPRNG) into a full SHA-224 implementation. The random input is 32 bytes of entropy per hash. This is not random hex - it is a genuine SHA-224 digest of unpredictable input, making each output uniformly distributed across the 2^224 output space.

Both use the same compression function with 64 rounds and identical round constants. They differ in two ways: (1) SHA-224 uses different initial hash values H₀ - H₇ derived from the 9th through 16th primes, while SHA-256 uses values from the first 8 primes; (2) SHA-224 truncates the final state to 7 words (224 bits), dropping H₇ entirely. This means SHA-224 provides 112-bit collision resistance versus SHA-256's 128-bit.

Theoretically yes, but practically no. The birthday bound for SHA-224 is approximately 2^112 ≈ 5.19 × 10^33 hashes before a 50% collision probability. Generating 1000 hashes per second continuously for the age of the universe would produce roughly 4.3 × 10^20 hashes - still 10^13 times fewer than needed. For bulk test data, collisions are not a concern.

SHA-224 saves 4 bytes per digest compared to SHA-256. In systems storing billions of checksums (e.g., content-addressable storage, deduplication indices), this reduces storage by ~6.25%. It is also specified in certain TLS cipher suites and X.509 certificate profiles. SHA-3-224 offers equivalent security with a different construction (Keccak sponge), useful where resistance to length-extension attacks matters without HMAC.

No. SHA-224 is a fast hash function designed for integrity verification, not password storage. An attacker with a GPU can compute billions of SHA-224 hashes per second. For passwords, use a slow, memory-hard function: Argon2id (winner of the Password Hashing Competition), bcrypt (cost factor ≥ 12), or scrypt. These functions are deliberately expensive to compute, making brute-force attacks impractical.

No. Hexadecimal is case-insensitive. The strings a3f0 and A3F0 represent identical byte sequences. However, if you are comparing hashes as raw strings (e.g., in a database WHERE clause without COLLATE), case mismatch will cause false negatives. Standardize on one convention - lowercase is more common in Unix tooling (sha224sum), uppercase in Windows (CertUtil).