Cryptographic Hash Algorithms
There is a long list of cryptographic hash functions, although many have been found to be vulnerable and should not be used. Even if a hash function has never been broken, a successful attack against a weakened variant thereof may undermine the experts' confidence and lead to its abandonment. For instance, in August 2004 weaknesses were found in a number of hash functions that were popular at the time, including SHA-0, RIPEMD, and MD5. This has called into question the long-term security of later algorithms which are derived from these hash functions — in particular, SHA-1 (a strengthened version of SHA-0), RIPEMD-128, and RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD are widely used since they were replaced by their strengthened versions.
As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1. However, MD5 has been broken; an attack against it was used to break SSL in 2008.
The SHA-0 and SHA-1 hash functions were developed by the NSA. In February 2005, a successful attack on SHA-1 was reported, finding collisions in about 269 hashing operations, rather than the 280 expected for a 160-bit hash function. In August 2005, another successful attack on SHA-1 was reported, finding collisions in 263 operations. Theoretical weaknesses of SHA-1 exist as well, suggesting that it may be practical to break within years. New applications can avoid these problems by using more advanced members of the SHA family, such as SHA-2, or using techniques such as randomized hashing that do not require collision resistance.
However, to ensure the long-term robustness of applications that use hash functions, there was a competition to design a replacement for SHA-2, which was given the name SHA-3 and became a FIPS standard in 2012. On October 2, 2012, Keccak was selected as the winner of the NIST hash function competition.
Some of the following algorithms are used often in cryptography; consult the article for each specific algorithm for more information on the status of each algorithm. Note that this list does not include candidates in the current NIST hash function competition. For additional hash functions see the box at the bottom of the page.
| Algorithm | Output size (bits) | Internal state size | Block size | Length size | Word size | Rounds | Best known attacks (complexity:rounds) |
||
|---|---|---|---|---|---|---|---|---|---|
| Collision | Second preimage |
Preimage | |||||||
| GOST | 256 | 256 | 256 | 256 | 32 | 256 | Yes (2105) | Yes (2192) | Yes (2192) |
| HAVAL | 256/224/192/160/128 | 256 | 1,024 | 64 | 32 | 160/128/96 | Yes | No | No |
| MD2 | 128 | 384 | 128 | - | 32 | 864 | Yes (263.3) | No | Yes (273) |
| MD4 | 128 | 128 | 512 | 64 | 32 | 48 | Yes (3) | Yes (264) | Yes (278.4) |
| MD5 | 128 | 128 | 512 | 64 | 32 | 64 | Yes (220.96) | No | Yes (2123.4) |
| PANAMA | 256 | 8,736 | 256 | - | 32 | - | Yes | No | No |
| RadioGatún | Up to 608/1,216 (19 words) | 58 words | 3 words | - | 1–64 | - | With flaws (2352 or 2704) | No | No |
| RIPEMD | 128 | 128 | 512 | 64 | 32 | 48 | Yes (218) | No | No |
| RIPEMD-128/256 | 128/256 | 128/256 | 512 | 64 | 32 | 64 | No | No | No |
| RIPEMD-160 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (251:48) | No | No |
| RIPEMD-320 | 320 | 320 | 512 | 64 | 32 | 80 | No | No | No |
| SHA-0 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (233.6) | No | No |
| SHA-1 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (251) | No | No |
| SHA-256/224 | 256/224 | 256 | 512 | 64 | 32 | 64 | Yes (228.5:24) | No | Yes (2248.4:42) |
| SHA-512/384 | 512/384 | 512 | 1,024 | 128 | 64 | 80 | Yes (232.5:24) | No | Yes (2494.6:42) |
| SHA-3 | ? | ? | ? | ? | 64 | ? | ? | ? | ? |
| Tiger(2)-192/160/128 | 192/160/128 | 192 | 512 | 64 | 64 | 24 | Yes (262:19) | No | Yes (2184.3) |
| WHIRLPOOL | 512 | 512 | 512 | 256 | 8 | 10 | Yes (2120:4.5) | No | No |
Read more about this topic: Cryptographic Hash Function