Comparison of cryptographic hash functions

The following tables compare general and technical information for a number of cryptographic hash functions. See the individual functions' articles for further information. This article is not all-inclusive or necessarily up-to-date. An overview of hash function security/cryptanalysis can be found at hash function security summary.

General information

Basic general information about the cryptographic hash functions: year, designer, references, etc.

| Function | Year | Designer | Derived from | Reference |
|---|---|---|---|---|
| BLAKE | 2008 | Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan | ChaCha20 | Website, Specification |
| BLAKE2 | 2012 | Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, Christian Winnerlein | BLAKE | Website, Specification, RFC 7693 |
| BLAKE3 | 2020 | Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn | BLAKE2 | Website, Specification |
| GOST R 34.11-94 | 1994 | FAPSI and VNIIstandart | GOST 28147-89 | RFC 5831 |
| HAVAL | 1992 | Yuliang Zheng, Josef Pieprzyk, Jennifer Seberry | | Website, Specification |
| KangarooTwelve | 2016 | Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche | Keccak | Website, Specification |
| MD2 | 1989 | Ronald Rivest | | RFC 1319 |
| MD4 | 1990 | Ronald Rivest | | RFC 1320 |
| MD5 | 1992 | Ronald Rivest | MD4 | RFC 1321 |
| MD6 | 2008 | Ronald Rivest | | Website, Specification |
| RIPEMD | 1992 | The RIPE Consortium [1] | MD4 | |
| RIPEMD-128, RIPEMD-256, RIPEMD-160, RIPEMD-320 | 1996 | Hans Dobbertin, Antoon Bosselaers, Bart Preneel | RIPEMD | Website, Specification |
| SHA-0 | 1993 | NSA | | SHA-0 |
| SHA-1 | 1995 | NSA | SHA-0 | Specification |
| SHA-256, SHA-384, SHA-512 | 2002 | NSA | | |
| SHA-224 | 2004 | NSA | | |
| SHA-3 (Keccak) | 2008 | Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche | RadioGatún | Website, Specification |
| Streebog | 2012 | FSB, InfoTeCS JSC | | RFC 6986 |
| Tiger | 1995 | Ross Anderson, Eli Biham | | Website, Specification |
| Whirlpool | 2004 | Vincent Rijmen, Paulo Barreto | | Website |

Parameters

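| Algorithm | Output size (bits) | Internal state size [note 1] | Block size | Length size | Word size | Rounds |
|---|---|---|---|---|---|---|
| BLAKE2b | 512 | 512 | 1024 | 128 [note 2] | 64 | 12 |
| BLAKE2s | 256 | 256 | 512 | 64 [note 3] | 32 | 10 |
| BLAKE3 | Unlimited | 256 [note 4] | 512 | 64 | 32 | 7 |
| GOST | 256 | 256 | 256 | 256 | 32 | 32 |
| HAVAL | 256/224/192/160/128 | 256 | 1024 | 64 | 32 | 3/4/5 |
| MD2 | 128 | 384 | 128 | | 32 | 18 |
| MD4 | 128 | 128 | 512 | 64 | 32 | 3 |
| MD5 | 128 | 128 | 512 | 64 | 32 | 64 |
| PANAMA | 256 | 8736 | 256 | | 32 | |
| RadioGatún | Unlimited [note 5] | 58 words | 19 words [note 6] | | 1–64 [note 7] | 18 [note 8] |
| RIPEMD | 128 | 128 | 512 | 64 | 32 | 48 |
| RIPEMD-128, -256 | 128/256 | 128/256 | 512 | 64 | 32 | 64 |
| RIPEMD-160 | 160 | 160 | 512 | 64 | 32 | 80 |
| RIPEMD-320 | 320 | 320 | 512 | 64 | 32 | 80 |
| SHA-0 | 160 | 160 | 512 | 64 | 32 | 80 |
| SHA-1 | 160 | 160 | 512 | 64 | 32 | 80 |
| SHA-224, -256 | 224/256 | 256 | 512 | 64 | 32 | 64 |
| SHA-384, -512, -512/224, -512/256 | 384/512/224/256 | 512 | 1024 | 128 | 64 | 80 |
| SHA-3 | 224/256/384/512 [note 9] | 1600 | 1600 - 2*bits | [note 10] | 64 | 24 |
| SHA3-224 | 224 | 1600 | 1152 | | 64 | 24 |
| SHA3-256 | 256 | 1600 | 1088 | | 64 | 24 |
| SHA3-384 | 384 | 1600 | 832 | | 64 | 24 |
| SHA3-512 | 512 | 1600 | 576 | | 64 | 24 |
| Tiger(2)-192/160/128 | 192/160/128 | 192 | 512 | 64 | 64 | 24 |
| Whirlpool | 512 | 512 | 512 | 256 | 8 | 10 |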

Notes

  1. The internal state here means the "internal hash sum" after each compression of a data block. Most hash algorithms also internally use some additional variables such as length of the data compressed so far since that is needed for the length padding in the end. See the Merkle–Damgård construction for details.
  2. The size of BLAKE2b's message length counter is 128-bit, but it counts message length in bytes, not in bits like the other hash functions in the comparison. It can hence handle eight times longer messages than a 128-bit length size would suggest (one byte equaling eight bits). A length size of 131-bit is the comparable length size ().
  3. The size of BLAKE2s's message length counter is 64-bit, but it counts message length in bytes, not in bits like the other hash functions in the comparison. It can hence handle eight times longer messages than a 64-bit length size would suggest (one byte equaling eight bits). A length size of 67-bit is the comparable length size ().
  4. The full BLAKE3 incremental state includes a chaining value stack up to 1728 bytes in size. However, the compression function itself does not access this stack. A smaller stack can also be used if the maximum input length is restricted.
  5. RadioGatún is an extendable-output function which means it has an output of unlimited size. The official test vectors are 256-bit hashes. RadioGatún claims to have the security level of a cryptographic sponge function 19 words in size, which means the 32-bit version has the security of a 304-bit hash when looking at preimage attacks, but the security of a 608-bit hash when looking at collision attacks. The 64-bit version, likewise, has the security of a 608-bit or 1216-bit hash. For the purposes of determining how vulnerable RadioGatún is to length extension attacks, only two words of its 58-word state are output between hash compression operations.
  6. RadioGatún is not a Merkle–Damgård construction and, as such, does not have a block size. Its belt is 39 words in size; its mill, which is the closest thing RadioGatún has to a "block", is 19 words in size.
  7. Only the 32-bit and 64-bit versions of RadioGatún have official test vectors.
  8. The 18 blank rounds are only applied once in RadioGatún, between the end of the input mapping stage and before the generation of output bits.
  9. Although the underlying algorithm Keccak has arbitrary hash lengths, the NIST specified 224, 256, 384 and 512 bits output as valid modes for SHA-3.
  10. Implementation dependent; as per section 7, second paragraph from the bottom of page 22, of FIPS PUB 202.

Compression function

The following tables compare technical information for compression functions of cryptographic hash functions. The information comes from the specifications; refer to them for more details.

FunctionSize (bits) [note 1] Words ×
Passes =
Rounds [note 2]
Operations [note 3] Endian [note 4]
Word Digest Chaining
values
[note 5]
Computation
values [note 6]
Block Length
[note 7]
GOST R 34.11-94 32×8 = 256×8 = 256324A B L SLittle
HAVAL-3-128 32×4 = 128×8 = 256×32 = 1,0246432 × 3 = 96A B SLittle
HAVAL-3-160 ×5 = 160
HAVAL-3-192 ×6 = 192
HAVAL-3-224 ×7 = 224
HAVAL-3-256 ×8 = 256
HAVAL-4-128 ×4 = 12832 × 4 = 128
HAVAL-4-160 ×5 = 160
HAVAL-4-192 ×6 = 192
HAVAL-4-224 ×7 = 224
HAVAL-4-256 ×8 = 256
HAVAL-5-128 ×4 = 12832 × 5 = 160
HAVAL-5-160 ×5 = 160
HAVAL-5-192 ×6 = 192
HAVAL-5-224 ×7 = 224
HAVAL-5-256 ×8 = 256
MD2 8×16 = 128×32 = 256×48 = 384×16 = 128None48 × 18 = 864BN/A
MD4 32×4 = 128×16 = 5126416 × 3 = 48A B SLittle
MD5 16 × 4 = 64
RIPEMD 32×4 = 128×8 = 256×16 = 5126416 × 3 = 48A B SLittle
RIPEMD-128 16 × 4 = 64
RIPEMD-256 ×8 = 256
RIPEMD-160 ×5 = 160×10 = 32016 × 5 = 80
RIPEMD-320 ×10 = 320
SHA-0 32×5 = 160×16 = 5126416 × 5 = 80A B SBig
SHA-1
SHA-256 ×8 = 256×8 = 25616 × 4 = 64
SHA-224 ×7 = 224
SHA-512 64×8 = 512×8 = 512×16 = 102412816 × 5 = 80
SHA-384 ×6 = 384
Tiger-192 64×3 = 192×3 = 192×8 = 512648 × 3 = 24A B L SNot Specified
Tiger-160 ×2.5=160
Tiger-128 ×2 = 128
Function Word Digest Chaining
values
Computation
values
Block Length Words ×
Passes =
Rounds
Operations Endian
Size (bits)

Notes

  1. The omitted multiplicands are word sizes.
  2. Some authors interchange passes and rounds.
  3. A: addition, subtraction; B: bitwise operation; L: lookup table; S: shift, rotation.
  4. It refers to byte endianness only. If the operations consist of bitwise operations and lookup tables only, the endianness is irrelevant.
  5. The size of the message digest usually equals the size of the chaining values. In truncated versions of certain cryptographic hash functions such as SHA-384, the former is less than the latter.
  6. The size of the chaining values usually equals the size of the computation values. In certain cryptographic hash functions such as RIPEMD-160, the former is less than the latter because RIPEMD-160 uses two sets of parallel computation values and then combines them into a single set of chaining values.
  7. The maximum input size = $2^{\text{length size}} - 1$ bits. For example, the maximum input size of SHA-1 = $2^{64} - 1$ bits.

Related Research Articles

HMAC: Computer communications hash algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4, and was specified in 1992 as RFC 1321.

RIPEMD: Cryptographic hash function

RIPEMD is a family of cryptographic hash functions developed in 1992 and 1996. There are five functions in the family: RIPEMD, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320, of which RIPEMD-160 is the most common.

In cryptography, SHA-1 is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard. The algorithm has been cryptographically broken but is still widely used.

Cryptographic hash function: Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

In cryptography, Tiger is a cryptographic hash function designed by Ross Anderson and Eli Biham in 1995 for efficiency on 64-bit platforms. The size of a Tiger hash value is 192 bits. Truncated versions can be used for compatibility with protocols assuming a particular hash size. Unlike the SHA-2 family, no distinguishing initialization values are defined; they are simply prefixes of the full Tiger/192 hash value.

In computer science and cryptography, Whirlpool is a cryptographic hash function. It was designed by Vincent Rijmen and Paulo S. L. M. Barreto, who first described it in 2000.

MD4: Cryptographic hash function

The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" stands for "Message Digest".

SHA-2 is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression function itself built using the Davies–Meyer structure from a specialized block cipher.

In cryptography, a Lamport signature or Lamport one-time signature scheme is a method for constructing a digital signature. Lamport signatures can be built from any cryptographically secure one-way function; usually a cryptographic hash function is used.

One-way compression function: Cryptographic primitive

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

Merkle–Damgård construction: Method of building collision-resistant cryptographic hash functions

In cryptography, the Merkle–Damgård construction or Merkle–Damgård hash function is a method of building collision-resistant cryptographic hash functions from collision-resistant one-way compression functions. This construction was used in the design of many popular hash algorithms such as MD5, SHA-1 and SHA-2.

RadioGatún: Cryptographic hash primitive

RadioGatún is a cryptographic hash primitive created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. It was first publicly presented at the NIST Second Cryptographic Hash Workshop, held in Santa Barbara, California, on August 24–25, 2006, as part of the NIST hash function competition. The same team that developed RadioGatún went on to make considerable revisions to this cryptographic primitive, leading to the Keccak SHA-3 algorithm.

SHA-3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

The following outline is provided as an overview of and topical guide to cryptography:

In cryptography, the fast syndrome-based hash functions (FSB) are a family of cryptographic hash functions introduced in 2003 by Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier. Unlike most other cryptographic hash functions in use today, FSB can to a certain extent be proven to be secure. More exactly, it can be proven that breaking FSB is at least as difficult as solving a certain NP-complete problem known as regular syndrome decoding so FSB is provably secure. Though it is not known whether NP-complete problems are solvable in polynomial time, it is often assumed that they are not.

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in the word size. ChaCha operates on a 4×4 array of words. BLAKE repeatedly combines an 8-word hash value with 16 message words, truncating the ChaCha result to obtain the next hash value. BLAKE-256 and BLAKE-224 use 32-bit words and produce digest sizes of 256 bits and 224 bits, respectively, while BLAKE-512 and BLAKE-384 use 64-bit words and produce digest sizes of 512 bits and 384 bits, respectively.

In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an attacker-controlled message2, without needing to know the content of message1. This is problematic when the hash is used as a message authentication code with the construction Hash(secret ‖ message), and the message and the length of the secret are known, because an attacker can include extra information at the end of the message and produce a valid hash without knowing the secret. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack. Truncated versions of SHA-2, including SHA-384 and SHA-512/256, are not susceptible, nor is the SHA-3 algorithm. HMAC also uses a different construction and so is not vulnerable to length extension attacks.

Streebog is a cryptographic hash function defined in the Russian national standard GOST R 34.11-2012 Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology. The function is also described in RFC 6986 and one out of hash functions in ISO/IEC 10118-3:2018.
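The length extension paragraph above can be tied back to the Parameters and Compression function tables with a short added example (not part of the original article): it computes the Merkle–Damgård length padding from a row's block size, length size and byte order, flags rows whose digest is the entire chaining value, and authenticates with HMAC instead of Hash(secret ‖ message). The names `PARAMS`, `md_padding`, `digest_is_full_state`, `make_tag` and `verify_tag` are hypothetical, and the key and message are constructed sample values.

```python
import hashlib
import hmac

# (output bits, state bits, block bits, length-field bits, byte order), copied
# from the Parameters and Compression function tables on this page.
PARAMS = {
    "md5":    (128, 128, 512, 64, "little"),
    "sha1":   (160, 160, 512, 64, "big"),
    "sha256": (256, 256, 512, 64, "big"),
    "sha384": (384, 512, 1024, 128, "big"),
    "sha512": (512, 512, 1024, 128, "big"),
}


def md_padding(algo: str, msg_len: int) -> bytes:
    """Length padding appended to a msg_len-byte input: 0x80, zeros, bit length.
    It is a function of the input length only, not of the input bytes."""
    _, _, block_bits, length_bits, order = PARAMS[algo]
    block, field = block_bits // 8, length_bits // 8
    zeros = -(msg_len + 1 + field) % block
    return b"\x80" + b"\x00" * zeros + (msg_len * 8).to_bytes(field, order)


def digest_is_full_state(algo: str) -> bool:
    """True when the digest is the whole chaining value, the precondition for
    extending Hash(secret || message); truncated outputs hide part of it."""
    out_bits, state_bits = PARAMS[algo][:2]
    if hashlib.new(algo).digest_size * 8 != out_bits:  # table vs. hashlib
        raise ValueError(f"table row for {algo} disagrees with hashlib")
    return out_bits == state_bits


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256, the construction the page names as not vulnerable."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(make_tag(key, message), tag)


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"amount=10&to=alice"  # constructed
    tag = make_tag(key, msg)
    print({a: digest_is_full_state(a) for a in PARAMS})
    print(md_padding("sha256", len(key) + len(msg)).hex())
    print(verify_tag(key, msg, tag), verify_tag(key, msg + b"&to=bob", tag))
```

Because the padding is fixed by the input length alone, a digest that equals the full chaining value is enough to resume hashing, which is why the tag has to come from a keyed construction such as HMAC.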

References

  1. Dobbertin, Hans; Bosselaers, Antoon; Preneel, Bart (21–23 February 1996). RIPEMD-160: A strengthened version of RIPEMD (PDF). Fast Software Encryption. Third International Workshop. Cambridge, UK. pp. 71–82. doi:10.1007/3-540-60865-6_44.