Hash function security summary
This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.
Table color key
Common hash functions
Collision resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 2^64 | 2^18 time | 2013-03-25 | This attack takes seconds on a regular PC. Two-block collisions in 2^18, single-block collisions in 2^41.[1] |
| SHA-1 | 2^80 | 2^61.2 | 2020-01-08 | Paper by Gaëtan Leurent and Thomas Peyrin.[2] |
| SHA256 | 2^128 | 31 of 64 rounds (2^65.5) | 2013-05-28 | Two-block collision.[3] |
| SHA512 | 2^256 | 24 of 80 rounds (2^32.5) | 2008-11-25 | Paper.[4] |
| SHA-3 | Up to 2^256 (SHA3-512) | 6 of 24 rounds (2^50) | 2017 | Paper.[5] |
| BLAKE2s | 2^128 | 2.5 of 10 rounds (2^112) | 2009-05-26 | Attack on BLAKE, the BLAKE2 predecessor.[6] |
| BLAKE2b | 2^256 | 2.5 of 12 rounds (2^224) | 2009-05-26 | Attack on BLAKE, the BLAKE2 predecessor.[6] |
Chosen-prefix collision attack
In a chosen-prefix collision the attacker picks two arbitrary, different prefixes P and P' and then computes suffixes S and S' such that H(P‖S) = H(P'‖S'). This is strictly harder than an identical-prefix collision, but it is the variant that enables forged certificates and signed documents, because each prefix can carry meaningful, attacker-chosen content.
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 2^64 | 2^39 | 2009-06-16 | This attack takes hours on a regular PC.[7] |
| SHA-1 | 2^80 | 2^63.4 | 2020-01-08 | Paper by Gaëtan Leurent and Thomas Peyrin.[2] |
| SHA256 | 2^128 | | | |
| SHA512 | 2^256 | | | |
| SHA-3 | Up to 2^256 (SHA3-512) | | | |
| BLAKE2s | 2^128 | | | |
| BLAKE2b | 2^256 | | | |
Preimage resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 2^128 | 2^123.4 | 2009-04-27 | Paper.[8] |
| SHA-1 | 2^160 | 45 of 80 rounds | 2008-08-17 | Paper.[9] |
| SHA256 | 2^256 | 43 of 64 rounds (2^254.9 time, 2^6 memory) | 2009-12-10 | Paper.[10] |
| SHA512 | 2^512 | 46 of 80 rounds (2^511.5 time, 2^6 memory) | 2008-11-25 | Paper,[11] updated version.[10] |
| SHA-3 | Up to 2^512 (SHA3-512) | | | |
| BLAKE2s | 2^256 | 2.5 of 10 rounds (2^241) | 2009-05-26 | Attack on BLAKE, the BLAKE2 predecessor.[6] |
| BLAKE2b | 2^512 | 2.5 of 12 rounds (2^481) | 2009-05-26 | Attack on BLAKE, the BLAKE2 predecessor.[6] |
Length extension
- Vulnerable: MD5, SHA1, SHA256, SHA512
- Not vulnerable: SHA384, SHA-3, BLAKE2

A plain Merkle-Damgård hash outputs its entire internal state, so anyone who knows H(m) and the length of m can compute H(m ‖ pad ‖ m') for any chosen m' without knowing m. This is what breaks naive message authentication of the form H(secret ‖ message). Truncated variants such as SHA-384 and SHA-512/256 withhold part of the state, and SHA-3 (a sponge) and BLAKE2 (which finalizes its state) never expose it, so they are not affected; HMAC is the standard fix when a keyed hash is needed.
Less-common hash functions
Collision resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| GOST | 2^128 | 2^105 | 2008-08-18 | Paper.[12] |
| HAVAL-128 | 2^64 | 2^7 | 2004-08-17 | Collisions originally reported in 2004,[13] followed up by cryptanalysis paper in 2005.[14] |
| MD2 | 2^64 | 2^63.3 time, 2^52 memory | 2009 | Slightly less computationally expensive than a birthday attack,[15] but for practical purposes, memory requirements make it more expensive. |
| MD4 | 2^64 | 3 operations | 2007-03-22 | Finding collisions almost as fast as verifying them.[16] |
| PANAMA | 2^128 | 2^6 | 2007-04-04 | Paper,[17] improvement of an earlier theoretical attack from 2001.[18] |
| RIPEMD (original) | 2^64 | 2^18 time | 2004-08-17 | Collisions originally reported in 2004,[13] followed up by cryptanalysis paper in 2005.[19] |
| RadioGatún | Up to 2^608[20] | 2^704 | 2008-12-04 | For a word size w between 1 and 64 bits, the hash provides a security claim of 2^(9.5w). The attack can find a collision in 2^(11w) time.[21] |
| RIPEMD-160 | 2^80 | 48 of 80 rounds (2^51 time) | 2006 | Paper.[22] |
| SHA-0 | 2^80 | 2^33.6 time | 2008-02-11 | Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC.[23] |
| Streebog | 2^256 | 9.5 rounds of 12 (2^176 time, 2^128 memory) | 2013-09-10 | Rebound attack.[24] |
| Whirlpool | 2^256 | 4.5 of 10 rounds (2^120 time) | 2009-02-24 | Rebound attack.[25] |
Preimage resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| GOST | 2^256 | 2^192 | 2008-08-18 | Paper.[12] |
| MD2 | 2^128 | 2^73 time, 2^73 memory | 2008 | Paper.[26] |
| MD4 | 2^128 | 2^102 time, 2^33 memory | 2008-02-10 | Paper.[27] |
| RIPEMD (original) | 2^128 | 35 of 48 rounds | 2011 | Paper.[28] |
| RIPEMD-128 | 2^128 | 35 of 64 rounds | | |
| RIPEMD-160 | 2^160 | 31 of 80 rounds | | |
| Streebog | 2^512 | 2^266 time, 2^259 data | 2014-08-29 | The paper presents two second-preimage attacks with variable data requirements.[29] |
| Tiger | 2^192 | 2^188.8 time, 2^8 memory | 2010-12-06 | Paper.[30] |
Attacks on hashed passwords
Hashes described here are designed for fast computation and have roughly similar speeds.[31] Because most users choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors.[32][33] Special hashes called key derivation functions have been created to slow brute-force searches by making every guess deliberately expensive; these include PBKDF2, bcrypt, scrypt, Argon2, and Balloon. A unique salt per password is also required, so that one guess cannot be checked against every stored hash at once and precomputed tables are useless.
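The difference in attacker cost, as an added example that is not part of the original article: the same small wordlist is run against unsalted SHA-256 hashes and against salted PBKDF2-HMAC-SHA256 (Python's hashlib, standard library only). Users, passwords and the wordlist are constructed sample data; the 600,000-iteration figure is OWASP's current PBKDF2-HMAC-SHA256 recommendation and is lowered in the demo only to keep it fast.

```python
"""Added example: fast hash vs. key derivation function for stored passwords.

All users, passwords and the wordlist are constructed sample data."""
import hashlib
import hmac
import os
import time

WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon", "baseball", "iloveyou", "monkey"]
USERS = {"alice": "letmein", "bob": "dragon", "carol": "Tr0ub4dor&3", "dave": "letmein"}

# OWASP guidance for PBKDF2-HMAC-SHA256; the demo uses fewer iterations only to run quickly.
RECOMMENDED_ITERATIONS = 600_000


def fast_store(users):
    """The anti-pattern: a bare, unsalted, single-pass SHA-256 per user."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def crack_fast_store(store, wordlist):
    """Hash each candidate once and look every user up in the result: users sharing a
    password fall together, and the table could have been precomputed (rainbow table).
    Returns (cracked mapping, number of hash evaluations)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in store.items() if h in table}, len(wordlist)


def kdf_store(users, iterations):
    """Per-user random salt + PBKDF2-HMAC-SHA256 with a tunable work factor."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def crack_kdf_store(store, wordlist, iterations):
    """Salts kill the shared table: one KDF evaluation per (user, candidate) pair, and
    each evaluation costs `iterations` HMAC calls. Returns (cracked, KDF evaluations)."""
    cracked, evaluations = {}, 0
    for u, (salt, digest) in store.items():
        for w in wordlist:
            evaluations += 1
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations), digest):
                cracked[u] = w
                break
    return cracked, evaluations


def cost_ratio(iterations, samples=2000):
    """Wall-clock cost of one PBKDF2 guess relative to one raw SHA-256 guess."""
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(b"candidate").digest()
    per_fast_guess = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", b"0123456789abcdef", iterations)
    return (time.perf_counter() - t0) / per_fast_guess


if __name__ == "__main__":
    cracked, n = crack_fast_store(fast_store(USERS), WORDLIST)
    print(f"unsalted SHA-256: {cracked} after {n} hashes in total")
    cracked, n = crack_kdf_store(kdf_store(USERS, 20_000), WORDLIST, 20_000)
    print(f"salted PBKDF2:    {cracked} after {n} KDF evaluations, each 20,000 HMACs deep")
    print(f"one PBKDF2 guess at {RECOMMENDED_ITERATIONS} iterations costs "
          f"~{cost_ratio(RECOMMENDED_ITERATIONS):.0f}x one SHA-256 guess")
```

The weak passwords still fall to the KDF store; the point is the bill. With the fast store, eight hashes covered four users and would have covered a million. With salts the attacker pays once per user per candidate, and each payment is hundreds of thousands of compression calls instead of one, which turns the "100 billion tests per second" figure above into a few hundred thousand.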
References
- [1] Tao Xie; Fanbao Liu; Dengguo Feng (25 March 2013). "Fast Collision Attack on MD5". IACR Cryptol. ePrint Arch.
- [2] Gaëtan Leurent; Thomas Peyrin (2020-01-08). SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust (PDF). USENIX Security Symposium. SEC'20. Vol. 29. USENIX Association. pp. 1839–1856. ISBN 978-1-939133-17-5.
- [3] Florian Mendel; Tomislav Nad; Martin Schläffer (2013-05-28). Improving Local Collisions: New Attacks on Reduced SHA-256. Eurocrypt 2013.
- [4] Somitra Kumar Sanadhya; Palash Sarkar (2008-11-25). New Collision Attacks against Up to 24-Step SHA-2. Indocrypt 2008. doi:10.1007/978-3-540-89754-5_8.
- [5] L. Song; G. Liao; J. Guo (2017). Non-Full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak. CRYPTO 2017.
- [6] LI Ji; XU Liangyu (2009-05-26). "Attacks on Round-Reduced BLAKE". IACR Cryptol. ePrint Arch.
- [7] Marc Stevens; Arjen Lenstra; Benne de Weger (2012-07-12). "Chosen-prefix Collisions for MD5 and Applications" (PDF). International Journal of Applied Cryptography. 2 (4): 322–359. doi:10.1504/IJACT.2012.048084.
- [8] Yu Sasaki; Kazumaro Aoki (2009-04-27). Finding Preimages in Full MD5 Faster Than Exhaustive Search. Eurocrypt 2009. doi:10.1007/978-3-642-01001-9_8.
- [9] Christophe De Cannière; Christian Rechberger (2008-08-17). Preimages for Reduced SHA-0 and SHA-1. Crypto 2008.
- [10] Kazumaro Aoki; Jian Guo; Krystian Matusiewicz; Yu Sasaki; Lei Wang (2009-12-10). Preimages for Step-Reduced SHA-2. Asiacrypt 2009. doi:10.1007/978-3-642-10366-7_34.
- [11] Yu Sasaki; Lei Wang; Kazumaro Aoki (2008-11-25). "Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512". IACR Cryptol. ePrint Arch.
- [12] Florian Mendel; Norbert Pramstaller; Christian Rechberger; Marcin Kontak; Janusz Szmidt (2008-08-18). Cryptanalysis of the GOST Hash Function. Crypto 2008.
- [13] Xiaoyun Wang; Dengguo Feng; Xuejia Lai; Hongbo Yu (2004-08-17). "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD". Cryptology ePrint Archive.
- [14] Xiaoyun Wang; Dengguo Feng; Xiuyuan Yu (October 2005). "An attack on hash function HAVAL-128" (PDF). Science in China Series F: Information Sciences. 48 (5): 545–556. CiteSeerX 10.1.1.506.9546. doi:10.1360/122004-107. Archived from the original (PDF) on 2017-08-09. Retrieved 2014-10-23.
- [15] Lars R. Knudsen; John Erik Mathiassen; Frédéric Muller; Søren S. Thomsen (January 2010). "Cryptanalysis of MD2". Journal of Cryptology. 23 (1): 72–90. doi:10.1007/s00145-009-9054-1. S2CID 2443076.
- [16] Yu Sasaki; Yusuke Naito; Noboru Kunihiro; Kazuo Ohta (2007-03-22). "Improved Collision Attacks on MD4 and MD5". IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences. E90-A (1): 36–47. Bibcode:2007IEITF..90...36S. doi:10.1093/ietfec/e90-a.1.36.
- [17] Joan Daemen; Gilles Van Assche (2007-04-04). Producing Collisions for Panama, Instantaneously. FSE 2007.
- [18] Vincent Rijmen; Bart Van Rompay; Bart Preneel; Joos Vandewalle (2001). Producing Collisions for PANAMA. FSE 2001.
- [19] Xiaoyun Wang; Xuejia Lai; Dengguo Feng; Hui Chen; Xiuyuan Yu (2005-05-23). Cryptanalysis of the Hash Functions MD4 and RIPEMD. Eurocrypt 2005. doi:10.1007/11426639_1.
- [20] RadioGatún is a family of 64 different hash functions. The security level and best attack in the chart are for the 64-bit version. The 32-bit version of RadioGatún has a claimed security level of 2^304 and the best claimed attack takes 2^352 work.
- [21] Thomas Fuhr; Thomas Peyrin (2008-12-04). Cryptanalysis of RadioGatun. FSE 2009.
- [22] Florian Mendel; Norbert Pramstaller; Christian Rechberger; Vincent Rijmen (2006). On the Collision Resistance of RIPEMD-160. ISC 2006.
- [23] Stéphane Manuel; Thomas Peyrin (2008-02-11). Collisions on SHA-0 in One Hour. FSE 2008. doi:10.1007/978-3-540-71039-4_2.
- [24] Zongyue Wang; Hongbo Yu; Xiaoyun Wang (2013-09-10). "Cryptanalysis of GOST R hash function". Information Processing Letters. 114 (12): 655–662. doi:10.1016/j.ipl.2014.07.007.
- [25] Florian Mendel; Christian Rechberger; Martin Schläffer; Søren S. Thomsen (2009-02-24). The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl (PDF). FSE 2009.
- [26] Søren S. Thomsen (2008). "An improved preimage attack on MD2". Cryptology ePrint Archive.
- [27] Gaëtan Leurent (2008-02-10). MD4 is Not One-Way (PDF). FSE 2008.
- [28] Chiaki Ohtahara; Yu Sasaki; Takeshi Shimoyama (2011). Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160. ISC 2011. doi:10.1007/978-3-642-21518-6_13.
- [29] Jian Guo; Jérémy Jean; Gaëtan Leurent; Thomas Peyrin; Lei Wang (2014-08-29). The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function. SAC 2014.
- [30] Jian Guo; San Ling; Christian Rechberger; Huaxiong Wang (2010-12-06). Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2. Asiacrypt 2010. pp. 12–17.
- [31] "ECRYPT Benchmarking of Cryptographic Hashes". Retrieved November 23, 2020.
- [32] "Mind-blowing GPU performance". Improsec. January 3, 2020.
- [33] Dan Goodin (2012-12-10). "25-GPU cluster cracks every standard Windows password in <6 hours". Ars Technica. Retrieved 2020-11-23.
External links
- 2010 summary of attacks against Tiger, MD4 and SHA-2: Jian Guo; San Ling; Christian Rechberger; Huaxiong Wang (2010-12-06). Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2. Asiacrypt 2010. p. 3.
Fundamental Security Properties
Preimage Resistance
Preimage resistance, a core security property of cryptographic hash functions, ensures that given a hash output , it is computationally infeasible for an adversary to find any input message such that . This property, also referred to as one-wayness, underpins the irreversibility of the hashing process and is essential for preventing inversion attacks.[6][7] The theoretical security level of preimage resistance is quantified by the expected work factor required to succeed, which for a brute-force attack on an -bit hash output is operations. This complexity arises because an attacker must effectively search the entire input space to reverse the hash, assuming the function behaves like a random oracle. In practice, this makes preimage attacks impractical for sufficiently large , such as 256 bits in modern standards.[8] Preimage resistance differs from other hash properties like collision resistance, as it specifically targets the reversal of a single given output rather than finding pairs of inputs that map to the same output. In the Merkle-Damgård construction, collision resistance of the compression function implies collision resistance for the full hash function, which in turn implies second-preimage resistance, but not necessarily preimage resistance.[7][9] The notion was first formalized in the late 1970s by Ralph Merkle, who introduced one-way hash functions as a cryptographic primitive in his doctoral thesis, emphasizing their role in secure protocols. This idea was extended in the 1980s through the independent works of Merkle and Ivan Damgård, establishing design principles for iterative hash constructions that inherit one-wayness from underlying components.[10][11] In digital signatures, preimage resistance is vital, as it guarantees that an attacker cannot construct a fraudulent message from a legitimately signed hash value, thereby preserving the integrity and authenticity of signed documents. 
Without this property, signature schemes relying on hashed messages would be vulnerable to forgery.[4]

Second Preimage Resistance
Second preimage resistance, also known as weak collision resistance, is a core security property of cryptographic hash functions. It requires that, given a message and its hash value , it is computationally infeasible for an adversary to find a distinct message such that .[12] This property targets the difficulty of generating a specific alternative input that collides with the hash of a known input, distinguishing it from preimage resistance, which concerns finding any input mapping to a given output without reference to a particular input. The theoretical security level of second preimage resistance aligns with the output size of the hash function. For an -bit hash output, a brute-force search to find a second preimage requires approximately hash computations, as the attacker must evaluate hashes until matching the target value.[13] This complexity assumes no structural weaknesses, making it comparable to preimage resistance in generic attacks but more targeted in practice. Although weaker than collision resistance (collision resistance implies second preimage resistance, but not vice versa), this property remains essential for protocols relying on hash-based integrity verification, where swapping one verified input for another must be prevented.[9] For instance, in software distribution and integrity checks, it ensures that a legitimate file cannot be replaced by a malicious variant sharing the same hash, thwarting tampering attempts during validation.[14] Many second preimage attacks exploit vulnerabilities in the compression function underlying common hash constructions, such as those in the Merkle-Damgård paradigm, allowing attackers to manipulate intermediate states more efficiently than brute force.[15]

Collision Resistance
Collision resistance is a fundamental security property of cryptographic hash functions, defined as the computational infeasibility of finding two distinct inputs such that .[16] This property ensures that the hash function behaves like a random oracle in mapping inputs to outputs, making it extremely difficult for an adversary to deliberately produce colliding messages without exhaustive search. Unlike preimage resistance, which targets reversing a specific output, collision resistance focuses on discovering any pair of inputs that share the same hash value, regardless of the target.[17] The theoretical complexity of breaking collision resistance is significantly reduced by the birthday attack, which exploits the birthday paradox to find collisions with effort approximately for an -bit hash output, rather than the full expected for brute force.[17] This attack involves generating roughly random inputs and storing their hashes until a match occurs, leveraging the probabilistic nature of hash outputs. 
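The contrast drawn in the preceding sections, roughly 2^n work to find a preimage but only about 2^(n/2) to find a collision, can be watched directly on a deliberately short hash. The following is an added example, not code from the original article: it truncates SHA-256 to n bits as a stand-in for an n-bit hash, runs the generic preimage search and the birthday attack against it, and evaluates the standard birthday approximation 1 - exp(-k^2 / 2^(n+1)) for the collision probability after k samples. The messages are constructed counters.

```python
"""Added example: generic preimage search vs. birthday collision search on a truncated hash.

Truncating SHA-256 to n bits stands in for a hash with an n-bit output; the messages
are constructed counters. Not code from the original page."""
import hashlib
import itertools
import math


def truncated_hash(msg, n_bits):
    """Leading n_bits of SHA-256(msg) as an int: a stand-in for an n-bit hash function."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def find_preimage(target, n_bits, prefix=b"pre-"):
    """Generic preimage search: try messages until one hashes to `target`.
    Expected work is about 2^n_bits evaluations. Returns (message, attempts)."""
    for i in itertools.count():
        m = prefix + str(i).encode()
        if truncated_hash(m, n_bits) == target:
            return m, i + 1


def find_collision(n_bits, prefix=b"col-"):
    """Generic birthday attack: hash distinct messages, remember every output, stop at the
    first repeat. Expected work is about 1.25 * 2^(n_bits/2). Returns (m1, m2, attempts)."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        h = truncated_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def collision_probability(k, n_bits):
    """Standard birthday approximation: P[some collision among k samples of a 2^n-valued
    function] ~= 1 - exp(-k^2 / 2^(n+1)). At k = 2^(n/2) this is already about 39%."""
    return 1.0 - math.exp(-(k * k) / 2 ** (n_bits + 1))


def expected_collision_work(n_bits):
    """Expected number of samples until the first collision: sqrt(pi * 2^n / 2)."""
    return math.sqrt(math.pi * 2 ** n_bits / 2)


if __name__ == "__main__":
    n = 16
    target = truncated_hash(b"some document", n)
    _, pre_attempts = find_preimage(target, n)
    m1, m2, col_attempts = find_collision(n)
    print(f"{n}-bit hash: preimage after {pre_attempts} tries (expected ~{2 ** n}), "
          f"collision after {col_attempts} tries (expected ~{expected_collision_work(n):.0f})")
    print(f"P[collision | 2^{n // 2} samples] = {collision_probability(2 ** (n // 2), n):.3f}")
    print(f"colliding messages: {m1!r} and {m2!r}")
```

The memory the birthday attack needs grows with the number of samples stored; for real output sizes this is why practical collision searches (e.g. for SHA-1) use cycle-finding or differential techniques instead of a dictionary, but the 2^(n/2) work bound is the same. Halving the security level compared to preimage resistance is exactly why the tables above list a 128-bit collision claim next to a 256-bit preimage claim for SHA-256.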
The probability of at least one collision among samples from a hash function with possible outputs is approximated by: This formula highlights how collisions become likely when approaches , underscoring the need for sufficiently large output sizes in hash function design to withstand such generic attacks.[17] Collision resistance is crucial because, in the ideal case, it implies second preimage resistance: if finding any collision is hard, then finding a second input colliding with a specific one is at least as difficult.[17] This property is essential for applications like digital certificates, where colliding certificates could allow fraudulent substitutions without detection, and blockchain systems, where it ensures the integrity of chained blocks by preventing alterations that preserve hash linkages.[18][19] The first practical concerns about collision resistance emerged in the 1990s with MD4, when attacks demonstrated vulnerabilities in its design, prompting advancements in hash function construction.[20]

Summary Tables
Color Key
The color key provides a visual legend for interpreting the status tables that follow, using standardized color coding to indicate the severity of known cryptanalytic attacks against specific security properties of hash functions. Green signifies that no attacks better than the generic security bounds are known, meaning the hash function remains secure against the property in question with current computational resources. Yellow denotes theoretical weaknesses, such as attacks with complexity exceeding practical feasibility or partial breaks that do not fully compromise the property. Red indicates practical attacks that are feasible with contemporary hardware and resources, rendering the hash function unsuitable for security-critical applications relying on that property.[21] This coding system is applied to individual cells within the tables, where rows represent attack types (e.g., collision resistance) and columns correspond to specific hash functions, allowing for a matrix-style overview of vulnerabilities. For instance, a red cell in the collision resistance row for MD5 highlights the real-world exploitability demonstrated by the first practical collision attack constructed in 2004, which requires only about 2^{39} operations, far below the generic birthday bound of 2^{64}. The rationale for this color key lies in its ability to enable rapid visual assessment of a hash function's suitability for cryptographic use, prioritizing those with predominantly green entries for new protocols while flagging deprecated ones with red or yellow markings. As of November 2025, the color assignments in the tables reflect the state of known attacks, incorporating recent reduced-round analyses up to 2025, with no major new practical breaks reported on full rounds of widely used standards like SHA-2 or SHA-3.[21]

Status of Common Hash Functions
The security status of common hash functions, including MD5, SHA-1, and the SHA-2 family, is assessed based on their resistance to core attacks such as finding collisions, preimages, and second preimages. Claimed security levels derive from the output size and generic attack bounds (collision resistance at n/2 bits, preimage and second preimage at n bits for an n-bit output), while best-known attacks reflect cryptanalytic advances that reduce effective security. The table below presents these for widely used functions, with complexities expressed in equivalent hash computations; values below the claimed level indicate partial or full breaks.

| Property | MD5 (128-bit) | SHA-1 (160-bit) | SHA-224 (224-bit) | SHA-256 (256-bit) | SHA-384 (384-bit) | SHA-512 (512-bit) |
|---|---|---|---|---|---|---|
| Collision Resistance | Claimed: 64 bits Best attack: 2^{18} (2013; practical collisions since 2004, single-block collisions in 2^{41}) | Claimed: 80 bits Best attack: 2^{61.2} identical-prefix collision (2020); chosen-prefix collision in 2^{63.4} (2020); first practical collision (SHAttered) in about 2^{63.1} (2017)[22] | Claimed: 112 bits Best attack: Generic (2^{112})[23] | Claimed: 128 bits Best attack: Generic (2^{128}); reduced-round (31/64 steps) at 2^{49.8} (2024, not full)[23] | Claimed: 192 bits Best attack: Generic (2^{192})[23] | Claimed: 256 bits Best attack: Generic (2^{256})[23] |
| Preimage Resistance | Claimed: 128 bits Best attack: 2^{123.4} (2009)[24] | Claimed: 160 bits Best attack: Generic (2^{160}); reduced-round (48/80 steps) at 2^{146} (2009, not full)[23] | Claimed: 224 bits Best attack: Generic (2^{224})[23] | Claimed: 256 bits Best attack: Generic (2^{256}); reduced-round (52/64 steps) at 2^{254.4} (2011, not full)[23] | Claimed: 384 bits Best attack: Generic (2^{384})[23] | Claimed: 512 bits Best attack: Generic (2^{512}); reduced-round (57/80 steps) at 2^{509} (2011, not full)[23] |
| Second Preimage Resistance | Claimed: 128 bits Best attack: Generic (2^{128}) | Claimed: 160 bits Best attack: Generic (2^{160}); reduced-round (34 steps) at 2^{100} (2010, not full)[23][25] | Claimed: ≥224 bits (message-dependent) Best attack: Generic (≥224 bits)[23] | Claimed: ≥256 bits (message-dependent) Best attack: Generic (≥256 bits)[23] | Claimed: 384 bits Best attack: Generic (2^{384})[23] | Claimed: ≥512 bits (message-dependent) Best attack: Generic (≥512 bits)[23] |
Status of Less Common Hash Functions
Less common hash functions encompass specialized designs for particular applications or older constructions that have been largely supplanted but remain in legacy systems. This section summarizes their security status using the color key for visual indicators of resistance levels (secure, vulnerable, broken). The following table presents key security properties, focusing on claimed strengths versus best-known attacks as of 2025, with no new practical breaks on full versions reported beyond prior analyses.[27]

| Property | SHA-3 (Keccak) | BLAKE2 | GOST R 34.11-2012 (Streebog) | MD2 | MD4 | HAVAL (128-bit, 3-pass) |
|---|---|---|---|---|---|---|
| Preimage Resistance | Claimed: 2^{256} (SHA3-256); Best attack: ~2^{254} bit operations on 5 reduced rounds (2025)[28] | Claimed: 2^{256} (BLAKE2s), 2^{512} (BLAKE2b); no attack on the full-round function better than generic | Claimed: 2^{256} (Streebog-256), 2^{512} (Streebog-512); no preimage attack on the full function better than generic | Claimed: 2^{128}; Best attack: 2^{73} time, 2^{73} memory (2008)[29] | Claimed: 2^{128}; Best attack: 2^{102} time, 2^{33} memory (2008)[30] | Claimed: 2^{128}; Best attack: 2^{112} on full 4/5 passes[31] |
| Second Preimage Resistance | Claimed: 2^{256}; Best attack: Generic (2^{256}) | Claimed: 2^{256} (BLAKE2s), 2^{512} (BLAKE2b); indifferentiable from a random oracle, no structural flaws known | Claimed: 2^{512} (Streebog-512); Best attack: 2^{266} time, 2^{259} data (2014)[32] | Vulnerable: 2^{73} via the preimage attack[33] | Vulnerable: 2^{78}[30] | Vulnerable: 2^{104} on 3 passes[34] |
| Collision Resistance | Claimed: 2^{128}; Best attack: None on full; 2^{185} on 5 reduced rounds (2023)[35] | Claimed: 2^{128} (BLAKE2s), 2^{256} (BLAKE2b); no collision attack on full rounds better than the birthday bound[36] | Claimed: 2^{128} (Streebog-256), 2^{256} (Streebog-512); best attack reaches 9.5 of 12 rounds (2^{176} time, 2^{128} memory, 2013); no practical collision on the full function[32] | Not practically broken: 2^{63.3} time and 2^{52} memory, marginally below the 2^{64} birthday bound[33] | Broken: collisions in about 3 MD4 computations, essentially the cost of verifying one (2007) | Broken: 3-pass collisions in 2^{7} (2005)[31] |
