SHA-256
cryptographyFull Name: Secure Hash Algorithm 256-bit
Definition
SHA-256 (Secure Hash Algorithm 256-bit) is a member of the SHA-2 cryptographic hash function family, standardized by the National Institute of Standards and Technology (NIST) in FIPS 180-4. It takes arbitrary-length input data and produces a deterministic, fixed-length 256-bit (32-byte) hash digest with the following critical properties: preimage resistance (given a hash output, it is computationally infeasible to find the input), second preimage resistance (given an input, it is infeasible to find a different input producing the same hash), and collision resistance (it is infeasible to find any two different inputs that produce the same hash). In the EUDI Wallet ecosystem, SHA-256 is the foundational hash algorithm used across digital signature schemes, credential integrity verification, PKCE authorization code security, selective disclosure mechanisms in SD-JWT, certificate fingerprinting in the EU Trusted Lists, and revocation status list indexing. Its universal support across hardware platforms, including dedicated acceleration in modern mobile processors, makes it the default choice for all hashing operations in the European digital identity infrastructure.
SHA-256 in EUDI Wallet Credential Operations
Every digital signature in the EUDI Wallet ecosystem involves SHA-256 as the first step. When a credential issuer signs an attestation, the signing algorithm first computes the SHA-256 hash of the credential data, then applies the private key operation (ECDSA or RSA) to this hash rather than to the raw data. This hash-then-sign approach ensures that the signature is compact (always based on a 256-bit input regardless of credential size) and provides integrity protection for the entire credential content. The verifier independently computes the SHA-256 hash of the received credential and verifies the signature against this hash, confirming both authenticity and integrity.
In SD-JWT (Selective Disclosure JSON Web Token) credentials used by the EUDI Wallet, SHA-256 plays a central role in the selective disclosure mechanism. Each disclosable attribute in the credential is replaced with its SHA-256 hash in the signed JWT body. The actual attribute values are provided as separate disclosure objects. When the wallet presents a credential with selective disclosure, it includes only the disclosure objects for the attributes the verifier has requested. The verifier can verify that each disclosed attribute corresponds to its hash in the signed JWT, confirming integrity without the issuer needing to sign separate credentials for every possible attribute combination.
SHA-256 is also used in the PKCE (Proof Key for Code Exchange) mechanism during credential issuance via OpenID4VCI. The wallet generates a random code verifier and computes its SHA-256 hash as the code challenge, which is sent with the authorization request. This prevents authorization code interception attacks by ensuring that only the party that generated the original code verifier can complete the token exchange. The S256 code challenge method (using SHA-256) is mandatory for EUDI Wallet credential issuance flows.
Technical Properties and Security Guarantees
SHA-256 operates on 512-bit message blocks using 64 rounds of compression, with each round involving bitwise operations, modular addition, and predefined constants derived from the cube roots of the first 64 prime numbers. The algorithm maintains a 256-bit internal state that is updated with each block and produces the final hash digest after all blocks have been processed. The Merkle-Damgard construction ensures that the hash of any message is dependent on every bit of the input.
The security level of SHA-256 is 128 bits against collision attacks (finding any two inputs with the same hash) and 256 bits against preimage attacks (finding an input for a given hash output). These security levels are well above the minimum requirements for the EUDI Wallet ecosystem. The European Union Agency for Cybersecurity (ENISA) and the SOG-IS Crypto Evaluation Scheme both recommend SHA-256 as suitable for all current applications and consider it secure through at least 2030, with no migration urgency anticipated.
Modern mobile processors include dedicated SHA-256 hardware acceleration. Apple's A-series and M-series processors include SHA instructions in their ARM architecture implementation, and most Android device processors (Qualcomm Snapdragon, Samsung Exynos, Google Tensor) similarly support hardware-accelerated SHA-256. This hardware support is important for the EUDI Wallet because credential presentation may require multiple SHA-256 computations (for signature verification, selective disclosure validation, and certificate chain verification) in rapid succession, and hardware acceleration ensures these operations complete within milliseconds.
SHA-256 in the EUDI Wallet Trust Infrastructure
The EU Trusted Lists, which contain the certificates of authorized Trust Service Providers and credential issuers, use SHA-256 fingerprints as the primary method for identifying and verifying certificates. When the EUDI Wallet downloads a trusted list, it verifies the list's integrity using its SHA-256 hash and the list publisher's digital signature. Individual certificate entries are identified by their SHA-256 fingerprints, enabling efficient lookup and matching during credential verification.
Revocation status checking also relies on SHA-256. The Token Status List mechanism used for credential revocation computes SHA-256 hashes of credential identifiers to determine the index position in the status list, enabling efficient revocation lookup without revealing the credential identifier to the status list provider. This hash-based indexing preserves privacy while enabling reliable revocation checking across the EUDI Wallet ecosystem.
TLS 1.3, which secures all network communications in the EUDI Wallet ecosystem, uses SHA-256 as its default hash function for the handshake transcript hash, key derivation (via HKDF-SHA256), and certificate verification. Every time the EUDI Wallet communicates with a credential issuer, verifier, or trust registry over the network, SHA-256 is operating at the transport layer to ensure the confidentiality and integrity of the communication.