
In light of the assumed arrival of CRQCs, NIST appears to no longer recommend SHA256 as a collision-resistant hash.

I have been unable to find something definitive on the subject of how a 256-bit hash is collision resistant to a CRQC.

Is it 64-bit security with Grover (128 / 2)? Or something else?

1 Answer


According to NIST, SHA256 is Level II (out of 5).

According to Bernstein, you don't even need a quantum computer.

> Many authors have claimed that quantum computers will have an impact on the complexity of hash collisions, reducing time $2^{b/2}$ to time $2^{b/3}$. In fact, time $2^{b/3}$ had already been achieved by non-quantum machines of size just $2^{b/6}$, and smaller time $2^{b/4}$ had already been achieved by non-quantum machines of size $2^{b/4}$. Anyone afraid of quantum hash-collision algorithms already has much more to fear from non-quantum hash-collision algorithms.

https://cr.yp.to/hash/collisioncost-20090823.pdf

It will likely always remain an unreasonably expensive operation for just a single collision.

Lamira Ya
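An added example, not from the question, the answer or the cited paper: a birthday search on SHA-256 truncated to b bits, measuring how many hash calls one collision takes against the $2^{b/2}$ estimate, then listing the exponents named in the quoted abstract for b = 256. The truncation, the function names and the seed-plus-counter messages are assumptions made for the demonstration.

```python
import hashlib
import math

def trunc_sha256(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(msg): a constructed small-output stand-in."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)

def birthday_collision(bits: int, seed: int):
    """Hash distinct messages until two share a truncated digest.

    Returns (msg_a, msg_b, evaluations). Messages are seed||counter, so
    any repeated digest is a genuine collision between different inputs.
    """
    seen = {}
    counter = 0
    while True:
        msg = seed.to_bytes(4, "big") + counter.to_bytes(8, "big")
        tag = trunc_sha256(msg, bits)
        counter += 1
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg

def mean_log2_evals(bits: int, trials: int = 32) -> float:
    """log2 of the average number of hash calls per collision."""
    total = sum(birthday_collision(bits, seed)[2] for seed in range(trials))
    return math.log2(total / trials)

def quoted_exponents(b: int) -> dict:
    """Time/size exponents (log2) named in the quoted abstract, for b bits."""
    return {
        "birthday time b/2": b / 2,
        "time b/3 (machine size b/6)": b / 3,
        "time b/4 (machine size b/4)": b / 4,
    }

if __name__ == "__main__":
    # Measured cost tracks 2^(b/2) as the output length grows.
    for bits in (16, 20, 24):
        print(f"b={bits}: measured 2^{mean_log2_evals(bits):.2f}, "
              f"birthday bound 2^{bits / 2:.0f}")
    # The same exponents evaluated at SHA-256's full 256-bit output.
    for name, exp in quoted_exponents(256).items():
        print(f"SHA-256, {name}: 2^{exp:.1f}")
```

The measured exponent sits slightly above b/2 because the expected number of draws before a repeat is about 1.25 times the square root of the output space.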