Hash function security summary explained

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

See also: Security level.

Common hash functions

Collision resistance

See main article: Collision attack.

| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 2^64 | 2^18 time | 2013-03-25 | This attack takes seconds on a regular PC. Two-block collisions in 2^18, single-block collisions in 2^41.[1] |
| SHA-1 | 2^80 | 2^61.2 | 2020-01-08 | Paper by Gaëtan Leurent and Thomas Peyrin.[2] |
| SHA256 | 2^128 | 31 of 64 rounds (2^65.5) | 2013-05-28 | Two-block collision.[3] |
| SHA512 | 2^256 | 24 of 80 rounds (2^32.5) | 2008-11-25 | Paper.[4] |
| SHA-3 | Up to 2^512 | 6 of 24 rounds (2^50) | 2017 | Paper.[5] |
| BLAKE2s | 2^128 | 2.5 of 10 rounds (2^112) | 2009-05-26 | Paper.[6] |
| BLAKE2b | 2^256 | 2.5 of 12 rounds (2^224) | 2009-05-26 | Paper. |

Chosen prefix collision attack

| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 2^64 | 2^39 | 2009-06-16 | This attack takes hours on a regular PC.[7] |
| SHA-1 | 2^80 | 2^63.4 | 2020-01-08 | Paper by Gaëtan Leurent and Thomas Peyrin.[8] |
| SHA256 | 2^128 | | | |
| SHA512 | 2^256 | | | |
| SHA-3 | Up to 2^512 | | | |
| BLAKE2s | 2^128 | | | |
| BLAKE2b | 2^256 | | | |

Preimage resistance

See main article: Preimage attack.

| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 2^128 | 2^123.4 | 2009-04-27 | Paper.[9] |
| SHA-1 | 2^160 | 45 of 80 rounds | 2008-08-17 | Paper.[10] |
| SHA256 | 2^256 | 43 of 64 rounds (2^254.9 time, 2^6 memory) | 2009-12-10 | Paper.[11] |
| SHA512 | 2^512 | 46 of 80 rounds (2^511.5 time, 2^6 memory) | 2008-11-25 | Paper,[12] updated version. |
| SHA-3 | Up to 2^512 | | | |
| BLAKE2s | 2^256 | 2.5 of 10 rounds (2^241) | 2009-05-26 | Paper. |
| BLAKE2b | 2^512 | 2.5 of 12 rounds (2^481) | 2009-05-26 | Paper. |
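The "security claim" column in the collision tables above and in this preimage table is the cost of the generic attack on an ideal n-bit hash: about 2^(n/2) evaluations to find a collision (the birthday bound) and about 2^n to find a preimage. The following example is added here and is not part of the original article; it makes both bounds observable by truncating SHA-256 to n bits, and the names trunc_hash, birthday_collision and brute_preimage are chosen for this illustration.

```python
import hashlib
import itertools
import math
from typing import Optional

def trunc_hash(msg: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its leading n_bits bits, a stand-in for an
    ideal n-bit hash so the generic costs in the tables can be observed."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)

def birthday_collision(n_bits: int):
    """Generic collision search: hash distinct messages until two agree.
    Expected work is about 2^(n/2) evaluations, the collision security claim.
    Returns (message_a, message_b, evaluations_used)."""
    seen = {}
    for i in itertools.count():
        m = b"msg-%d" % i
        h = trunc_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m

def brute_preimage(target: int, n_bits: int, limit: Optional[int] = None):
    """Generic preimage search: try messages until one hashes to target.
    Expected work is about 2^n evaluations, the preimage security claim.
    Returns (message or None if limit was reached, evaluations_used)."""
    for i in itertools.count():
        if limit is not None and i >= limit:
            return None, i
        m = b"pre-%d" % i
        if trunc_hash(m, n_bits) == target:
            return m, i + 1

if __name__ == "__main__":
    for n in (16, 24, 32):
        a, b, evals = birthday_collision(n)
        print(f"{n}-bit collision: {a!r} and {b!r} after {evals} evaluations "
              f"(~2^{math.log2(evals):.1f}; birthday bound 2^{n // 2})")
    n = 20
    target = trunc_hash(b"constructed target document", n)  # constructed input
    m, evals = brute_preimage(target, n)
    print(f"{n}-bit preimage: {m!r} after {evals} evaluations "
          f"(~2^{math.log2(evals):.1f}; brute-force bound 2^{n})")
```

The gap between the two counts at the same n is the reason the collision tables list half the exponent of the preimage tables; the attacks in the tables are only notable where they beat these generic bounds.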

Length extension

See main article: Length extension attack.

Less-common hash functions

Collision resistance

| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| GOST | 2^128 | 2^105 | 2008-08-18 | Paper.[13] |
| HAVAL-128 | 2^64 | 2^7 | 2004-08-17 | Collisions originally reported in 2004,[14] followed up by a cryptanalysis paper in 2005.[15] |
| MD2 | 2^64 | | 2009 | Slightly less computationally expensive than a birthday attack,[16] but for practical purposes, memory requirements make it more expensive. |
| MD4 | 2^64 | 3 operations | 2007-03-22 | Finding collisions almost as fast as verifying them.[17] |
| PANAMA | 2^128 | 2^6 | 2007-04-04 | Paper,[18] improvement of an earlier theoretical attack from 2001.[19] |
| RIPEMD (original) | 2^64 | 2^18 time | 2004-08-17 | Collisions originally reported in 2004, followed up by a cryptanalysis paper in 2005.[20] |
| RadioGatún | Up to 2^608[21] | 2^704 | 2008-12-04 | For a word size w between 1 and 64 bits, the hash provides a security claim of 2^(9.5w). The attack can find a collision in 2^(11w) time.[22] |
| RIPEMD-160 | 2^80 | 48 of 80 rounds (2^51 time) | 2006 | Paper.[23] |
| SHA-0 | 2^80 | 2^33.6 time | 2008-02-11 | Two-block collisions using a boomerang attack. The attack takes an estimated 1 hour on an average PC.[24] |
| Streebog | 2^256 | 9.5 rounds of 12 (2^176 time, 2^128 memory) | 2013-09-10 | Rebound attack.[25] |
| Whirlpool | 2^256 | 4.5 of 10 rounds (2^120 time) | 2009-02-24 | Rebound attack.[26] |

Preimage resistance

| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| GOST | 2^256 | 2^192 | 2008-08-18 | Paper. |
| MD2 | 2^128 | 2^73 time, 2^73 memory | 2008 | Paper.[27] |
| MD4 | 2^128 | 2^102 time, 2^33 memory | 2008-02-10 | Paper.[28] |
| RIPEMD (original) | 2^128 | 35 of 48 rounds | 2011 | Paper.[29] |
| RIPEMD-128 | 2^128 | 35 of 64 rounds | | |
| RIPEMD-160 | 2^160 | 31 of 80 rounds | | |
| Streebog | 2^512 | 2^266 time, 2^259 data | 2014-08-29 | The paper presents two second-preimage attacks with variable data requirements.[30] |
| Tiger | 2^192 | 2^188.8 time, 2^8 memory | 2010-12-06 | Paper.[31] |

Attacks on hashed passwords

See main article: Password cracking. The hashes described here are designed for fast computation and have roughly similar speeds.[32] Because most users choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors.[33][34] Special hashes called key derivation functions have been created to slow brute-force searches. These include PBKDF2, bcrypt, scrypt, Argon2, and Balloon.
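To put numbers on the difference between a fast hash and a key derivation function, here is an added example (not from the original article) that measures the per-guess cost of MD5 against PBKDF2-HMAC-SHA256 on the local machine, projects how long the 100 billion guesses per second quoted above would take to exhaust a keyspace under each, and shows the defender-side store and verify routine with a per-user salt. The password, salt and keyspace are constructed sample values.

```python
import hashlib
import hmac
import os
import time

SAMPLE_PASSWORD = b"winter2020!"  # constructed sample credential
SAMPLE_SALT = os.urandom(16)      # per-user random salt, stored with the hash

def seconds_per_call(fn, reps: int) -> float:
    """Average wall-clock cost of one call of fn over reps calls."""
    start = time.perf_counter()
    for _ in range(reps):
        fn()
    return (time.perf_counter() - start) / reps

def fast_hash_cost(password: bytes = SAMPLE_PASSWORD, reps: int = 20000) -> float:
    """Per-guess cost of an unsalted fast hash (MD5) on this machine."""
    return seconds_per_call(lambda: hashlib.md5(password).digest(), reps)

def kdf_cost(password: bytes = SAMPLE_PASSWORD, salt: bytes = SAMPLE_SALT,
             iterations: int = 600_000, reps: int = 3) -> float:
    """Per-guess cost of PBKDF2-HMAC-SHA256 at the given iteration count."""
    return seconds_per_call(
        lambda: hashlib.pbkdf2_hmac("sha256", password, salt, iterations), reps)

def slowdown_factor(iterations: int = 600_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one MD5 guess."""
    return kdf_cost(iterations=iterations) / fast_hash_cost()

def projected_search_seconds(keyspace: float, fast_rate: float, factor: float) -> float:
    """Seconds to exhaust keyspace when a fast-hash guess rate is divided by factor."""
    return keyspace / (fast_rate / factor)

def store_password(password: bytes, iterations: int = 600_000) -> tuple:
    """Defender side: fresh random salt; salt and iteration count kept with the hash."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def verify_password(password: bytes, record: tuple) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    factor = slowdown_factor()
    keyspace = 26 ** 8  # constructed keyspace: 8 lowercase letters
    print(f"one PBKDF2 guess costs ~{factor:,.0f}x one MD5 guess")
    print(f"26^8 at 1e11 MD5/s: {projected_search_seconds(keyspace, 1e11, 1):.1f} s; "
          f"same rate against PBKDF2: {projected_search_seconds(keyspace, 1e11, factor) / 86400:.0f} days")
    rec = store_password(SAMPLE_PASSWORD)
    print(verify_password(SAMPLE_PASSWORD, rec), verify_password(b"wrong", rec))
```

The factor measured here understates the real gain, because Python call overhead inflates the MD5 cost far more than it does a single long PBKDF2 call; what transfers to GPU hardware is the iteration count itself.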

Notes and References

  1. Tao Xie, Fanbao Liu and Dengguo Feng (25 March 2013). Fast Collision Attack on MD5.
  2. Gaëtan Leurent and Thomas Peyrin (2020-01-08). SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust.
  3. Florian Mendel, Tomislav Nad and Martin Schläffer (2013-05-28). Improving Local Collisions: New Attacks on Reduced SHA-256. Eurocrypt 2013.
  4. Somitra Kumar Sanadhya and Palash Sarkar (2008-11-25). New Collision Attacks against Up to 24-Step SHA-2. Indocrypt 2008. doi:10.1007/978-3-540-89754-5_8.
  5. L. Song, G. Liao and J. Guo (2017). Non-Full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak. CRYPTO 2017.
  6. LI Ji and XU Liangyu (2009-05-26). Attacks on Round-Reduced BLAKE.
  7. Marc Stevens, Arjen Lenstra and Benne de Weger (2009-06-16). Chosen-prefix Collisions for MD5 and Applications.
  8. Gaëtan Leurent and Thomas Peyrin (2020-01-08). SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust.
  9. Yu Sasaki and Kazumaro Aoki (2009-04-27). Finding Preimages in Full MD5 Faster Than Exhaustive Search. Eurocrypt 2009. doi:10.1007/978-3-642-01001-9_8.
  10. Christophe De Cannière and Christian Rechberger (2008-08-17). Preimages for Reduced SHA-0 and SHA-1. Crypto 2008.
  11. Kazumaro Aoki, Jian Guo, Krystian Matusiewicz, Yu Sasaki and Lei Wang (2009-12-10). Preimages for Step-Reduced SHA-2. Asiacrypt 2009. doi:10.1007/978-3-642-10366-7_34.
  12. Yu Sasaki, Lei Wang and Kazumaro Aoki (2008-11-25). Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512.
  13. Florian Mendel, Norbert Pramstaller, Christian Rechberger, Marcin Kontak and Janusz Szmidt (2008-08-18). Cryptanalysis of the GOST Hash Function. Crypto 2008.
  14. Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu (2004-08-17). Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive.
  15. Xiaoyun Wang, Dengguo Feng and Xiuyuan Yu (October 2005). An attack on hash function HAVAL-128. Science in China Series F: Information Sciences 48(5): 545–556. doi:10.1360/122004-107. Archived 2017-08-09 at https://web.archive.org/web/20170809100011/http://infosec.sdu.edu.cn/uploadfile/papers/An%20attack%20on%20hash%20function%20HAVAL-128.pdf. Retrieved 2014-10-23.
  16. Lars R. Knudsen, John Erik Mathiassen, Frédéric Muller and Søren S. Thomsen (January 2010). Cryptanalysis of MD2. Journal of Cryptology 23(1): 72–90. doi:10.1007/s00145-009-9054-1.
  17. Yu Sasaki, Yusuke Naito, Noboru Kunihiro and Kazuo Ohta (2007-03-22). Improved Collision Attacks on MD4 and MD5. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E90-A(1): 36–47. doi:10.1093/ietfec/e90-a.1.36.
  18. Joan Daemen and Gilles Van Assche (2007-04-04). Producing Collisions for Panama, Instantaneously. FSE 2007.
  19. Vincent Rijmen, Bart Van Rompay, Bart Preneel and Joos Vandewalle (2001). Producing Collisions for PANAMA. FSE 2001.
  20. Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen and Xiuyuan Yu (2005-05-23). Cryptanalysis of the Hash Functions MD4 and RIPEMD. Eurocrypt 2005. doi:10.1007/11426639_1.
  21. RadioGatún is a family of 64 different hash functions. The security level and best attack in the chart are for the 64-bit version. The 32-bit version of RadioGatún has a claimed security level of 2^304, and the best claimed attack takes 2^352 work.
  22. Thomas Fuhr and Thomas Peyrin (2008-12-04). Cryptanalysis of RadioGatun. FSE 2009.
  23. Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen (2006). On the Collision Resistance of RIPEMD-160. ISC 2006.
  24. Stéphane Manuel and Thomas Peyrin (2008-02-11). Collisions on SHA-0 in One Hour. FSE 2008. doi:10.1007/978-3-540-71039-4_2.
  25. Zongyue Wang, Hongbo Yu and Xiaoyun Wang (2013-09-10). Cryptanalysis of GOST R hash function. Information Processing Letters 114(12): 655–662. doi:10.1016/j.ipl.2014.07.007.
  26. Florian Mendel, Christian Rechberger, Martin Schläffer and Søren S. Thomsen (2009-02-24). The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. FSE 2009.
  27. Søren S. Thomsen (2008). An improved preimage attack on MD2. Cryptology ePrint Archive.
  28. Gaëtan Leurent (2008-02-10). MD4 is Not One-Way. FSE 2008.
  29. Chiaki Ohtahara, Yu Sasaki and Takeshi Shimoyama (2011). Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160. ISC 2011. doi:10.1007/978-3-642-21518-6_13.
  30. Jian Guo, Jérémy Jean, Gaëtan Leurent, Thomas Peyrin and Lei Wang (2014-08-29). The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function. SAC 2014.
  31. Jian Guo, San Ling, Christian Rechberger and Huaxiong Wang (2010-12-06). Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2. Asiacrypt 2010. 12–17.
  32. ECRYPT Benchmarking of Cryptographic Hashes. Retrieved November 23, 2020.
  33. Mind-blowing GPU performance. Improsec, January 3, 2020.
  34. Dan Goodin (2012-12-10). 25-GPU cluster cracks every standard Windows password in <6 hours. Ars Technica. Retrieved 2020-11-23.