Is SHA-384 Quantum Safe?
Yes. SHA-384 is quantum safe. It provides 192-bit post-quantum preimage security and 128-bit collision resistance — well above security thresholds.
Key Takeaway: SHA-384 is considered quantum safe. It is approved, and CNSA 2.0 specifies SHA-384 as the minimum for national security systems.
Technical Analysis
SHA-384 IS quantum safe.

**How SHA-384 Works:**

SHA-384 is a truncated variant of SHA-512, both part of the SHA-2 family designed by the NSA and standardized by NIST in FIPS 180-4. SHA-384 uses the same internal 512-bit state and 64-round compression function as SHA-512 but outputs only the first 384 bits of the final hash value. This design provides stronger collision resistance than SHA-256 (192 bits vs. 128 bits classically) while maintaining excellent performance on 64-bit processors.

SHA-384 processes input in 1024-bit blocks (twice the size of SHA-256's 512-bit blocks) using eight 64-bit working variables. The algorithm is optimized for 64-bit architectures, often performing faster than SHA-256 on modern CPUs despite producing a larger output.

SHA-384 is mandated for high-security applications:

- NSA Suite B (now CNSA 2.0) specifies SHA-384 as the minimum for TOP SECRET classification.
- FIPS 140-3 certified cryptographic modules commonly implement SHA-384 for hash-based operations.
- TLS cipher suites for government and defense (TLS_AES_256_GCM_SHA384) use SHA-384.
- Code signing for high-assurance systems uses SHA-384 for certificate fingerprints.

**Quantum Vulnerability Explained:**

Grover's algorithm provides a quadratic speedup against hash functions, reducing security levels by a square root factor. For SHA-384:

**Preimage resistance:** Classically requires 2^384 operations to find an input producing a target hash. Grover reduces this to 2^192 operations — still astronomically large (approximately 6.3 × 10^57 operations), far beyond any foreseeable quantum computer.

**Collision resistance:** Classically requires approximately 2^192 operations (birthday attack). Quantum collision-finding algorithms (Brassard-Høyer-Tapp) reduce this to approximately 2^(384/3) ≈ 2^128 quantum operations. This matches the 128-bit post-quantum security threshold NIST recommends, providing exactly the security margin desired for long-term protection.

NSA CNSA 2.0 mandates SHA-384 (minimum) for national security systems specifically because it maintains 128-bit post-quantum collision resistance — the gold standard for cryptographic security margins. SHA-384 provides conservative security for data requiring confidentiality through 2050 and beyond.

**Migration Path:**

No migration required for SHA-384 — it is the recommended hash function for post-quantum high-security applications. Organizations should consider:

- **Adopt SHA-384 as default**: For government, defense, healthcare, and financial systems handling sensitive long-term data, SHA-384 should be the minimum hash function.
- **TLS cipher suite preference**: Configure TLS 1.3 to prioritize TLS_AES_256_GCM_SHA384 over TLS_AES_256_GCM_SHA256 for connections requiring post-quantum security margins.
- **Certificate hierarchies**: Use SHA-384 for root CA and intermediate CA certificate signatures, especially for certificates with 10+ year lifetimes.
- **HMAC and key derivation**: Implement HMAC-SHA384 and HKDF-SHA384 for generating cryptographic keys from master secrets.

**Industries at Risk:**

No industries are at risk from SHA-384 — it provides robust quantum-safe hashing. However, industries must ensure SHA-384 is not combined with quantum-vulnerable signature algorithms:

**Government and defense:** NSA CNSA 2.0 requires SHA-384 for TOP SECRET systems. These deployments are secure as long as signature algorithms (currently RSA-SHA384 or ECDSA-SHA384) migrate to ML-DSA-SHA384 or SLH-DSA-SHA384.

**Financial services:** High-security payment systems, trading platforms, and regulatory compliance systems (SEC, FINRA) should use SHA-384 for transaction hashing, audit logs, and cryptographic commitments. The hash is quantum-safe; ensure signature schemes are also PQC-compliant.

**Healthcare:** Medical research involving genomic data, clinical trials, and long-term patient records benefits from SHA-384's conservative security margins, ensuring hash integrity through multi-decade data retention periods.

**Timeline:**

- **2024-2025**: SHA-384 is quantum-safe and approved for the highest-security applications. Use as the standard hash for new high-security deployments.
- **2030**: NSA CNSA 2.0 requires SHA-384 (minimum) for TOP SECRET national security systems.
- **2040+**: SHA-384 expected to remain approved indefinitely. No deprecation timeline.

SHA-384 represents the gold standard for post-quantum hash function security and should be the default for systems requiring long-term data protection.
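The "HMAC and key derivation" item under Migration Path, worked through as an added example (not code from the original page): HKDF-SHA384 written out per RFC 5869 with the Python standard library, used to derive separate encryption and MAC keys from one master secret, then HMAC-SHA384 tagging with constant-time verification. The `info` labels, function names and sample inputs are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha384
HASH_LEN = HASH().digest_size  # 48 bytes (384 bits)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be between 1 and 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(master_secret: bytes, salt: bytes) -> dict:
    """Derive independent keys from one master secret by varying `info`."""
    prk = hkdf_extract(salt, master_secret)
    return {
        "enc": hkdf_expand(prk, b"example/enc-key", 32),        # hypothetical label
        "mac": hkdf_expand(prk, b"example/mac-key", HASH_LEN),  # hypothetical label
    }


def tag(mac_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA384 tag over the message."""
    return hmac.new(mac_key, message, HASH).digest()


def verify(mac_key: bytes, message: bytes, candidate: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(tag(mac_key, message), candidate)


# Constructed sample inputs (not real secrets).
SAMPLE_SECRET = bytes(range(48))
SAMPLE_SALT = b"constructed-salt"

if __name__ == "__main__":
    keys = derive_keys(SAMPLE_SECRET, SAMPLE_SALT)
    t = tag(keys["mac"], b"audit-log-entry-1")
    print(len(t), verify(keys["mac"], b"audit-log-entry-1", t))
```

Binding each derived key to its own `info` label keeps the encryption and MAC keys independent even though both come from the same master secret.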
| Property | Value |
|---|---|
| Full Name | Secure Hash Algorithm 384-bit |
| Category | hash |
| Quantum Vulnerability | Grover reduces preimage to 192 bits. Still highly secure. |
| NIST Status | Approved. CNSA 2.0 specifies SHA-384 as minimum for national security systems. |
| Deprecation Timeline | No deprecation planned. CNSA 2.0 approved. |
| Replaced By | No replacement needed — SHA-384 is quantum resistant |
Deployment Guidance
No migration needed. SHA-384 is the preferred hash for high-security post-quantum applications.
How Qryptonic Can Help
Verify Your Full Cryptographic Posture
SHA-384 is quantum safe, but your cryptographic posture is only as strong as its weakest link. Qscout26 maps your entire cryptographic inventory in 7 days.