Performance of SHA-256 and SHA-512
The popular hash function to use these days for security is SHA-256, and for good reason: it's fast, secure, well-supported, and has a reasonable length. But what if I told you there were a better alternative for the first three.
Turns out, there is: SHA-512.
“But wait,” you're probably asking me, “how is SHA-512 better than SHA-256?” Well, it's not only secure and well-supported, on most messages exceeding 55 bytes (which is almost all the data you care about), SHA-512 is faster than SHA-256.
The reason is that on 64-bit systems, SHA-512 hashes twice as much data as SHA-256 (128 bytes per block instead of 64), but performs only 25% more work (80n 64-bit operations instead of 64n 32-bit operations). Now, granted, the processor will have to do a bit more work loading all the data from memory, but for most messages, it's a bunch faster.
Furthermore, everything I said here about SHA-512 applies to SHA-384, and the same goes for SHA-256 and SHA-224. In fact, this is the reason that NIST created SHA-512/t, so you could get the performance of SHA-512 on 64-bit systems when you need a 256-bit output size.
So why would you still want to use SHA-256? Well, if you want better performance on 32-bit systems, or if you need output that is shorter for human reasons (because, say, you want it to fit on an 80-column terminal or humans are going to have to manually read it), then you might want SHA-256. Also, if you're using a 256-bit elliptic curve or some other place with a fixed 256-bit size (or where size is a concern), it only makes sense to use SHA-256.
Overall, though, if you're doing things like setting up SSH parameters or signing data with GnuPG and an RSA key, you might as well use SHA-512.
