Glossary

SHA-256

A cryptographic hash function that produces a fixed 256-bit (32-byte) output from any input. Used in e-signing to create tamper-proof document fingerprints that verify document integrity.

TL;DR

SHA-256 (Secure Hash Algorithm 256-bit) is part of the SHA-2 family designed by the NSA. It has two critical properties for document signing:

1. **Deterministic:** The same input always produces the same 256-bit hash.
2. **Avalanche effect:** Changing a single bit of the input produces a completely different hash.

In e-signatures, the entire document content (including the certificate page itself) is hashed using SHA-256. This hash is included in the certificate. Anyone can verify the document's integrity by re-hashing the content and comparing it to the stored hash.

SHA-256 is computationally infeasible to reverse — there is no known way to derive the original document from its hash, or to create a different document that produces the same hash.

**Example of SHA-256 in practice**

A 50-page contract produces a hash like: a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a. If someone changes a single comma in the contract, the hash changes completely — perhaps to: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824. This makes tampering immediately detectable.

**Why SHA-256 and not other algorithms?**

SHA-256 is the industry standard because it balances security with performance. SHA-1 (160-bit) was deprecated after collision attacks were demonstrated in 2017. SHA-512 exists but offers more security than necessary for document signing. SHA-256 has no known practical attacks and is used by Bitcoin, TLS certificates, and government systems worldwide.

**How Signbee uses SHA-256**

Every document signed through Signbee includes a certificate page with the SHA-256 hash. The hash covers the entire document content, both signatures, timestamps, and IP addresses. This creates a chain of evidence: if any element changes after signing, the hash verification fails. Anyone can verify document integrity by running the same SHA-256 algorithm on the PDF content and comparing the result to the stored hash.
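The re-hash-and-compare check described above, as an added example (not Signbee's code): it streams content through SHA-256, compares the result with a stored digest, and counts how many of the 256 output bits flip after a one-character change. The function names and sample text are constructed for illustration, and the stored digest is assumed to be kept separately from the bytes being hashed.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read in blocks so large PDFs are not loaded whole


def sha256_stream(stream) -> str:
    """Return the hex SHA-256 digest of a binary stream, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify(stream, stored_hex: str) -> bool:
    """Re-hash the content and compare it with the stored digest."""
    stored = stored_hex.strip().lower()
    if len(stored) != 64 or any(c not in "0123456789abcdef" for c in stored):
        return False  # not a well-formed 256-bit hex digest
    return hmac.compare_digest(sha256_stream(stream), stored)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed sample content standing in for a signed document.
ORIGINAL = b"The buyer shall pay 1,000 EUR within 30 days, net.\n" * 2000
# Same content with a single comma changed to a full stop.
TAMPERED = ORIGINAL.replace(b"days, net", b"days. net", 1)

if __name__ == "__main__":
    stored = sha256_stream(io.BytesIO(ORIGINAL))  # value recorded at signing
    print("stored  :", stored)
    print("original:", verify(io.BytesIO(ORIGINAL), stored))
    print("tampered:", verify(io.BytesIO(TAMPERED), stored))
    changed = sha256_stream(io.BytesIO(TAMPERED))
    print("bits changed:", differing_bits(stored, changed), "of 256")
```

To check a real file, open it in binary mode (`open(path, "rb")`) and pass the file object to `verify` together with the digest printed on the certificate.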
