Hash function security summary
Publicly known attacks against cryptographic hash functions From Wikipedia, the free encyclopedia
This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.
Table color key
No attack successfully demonstrated — attack only breaks a reduced version of the hash or requires more work than the claimed security level of the hash
Attack demonstrated in theory — attack breaks all rounds and has lower complexity than security claim
Attack demonstrated in practice — complexity is low enough to be actually used
Common hash functions
Collision resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 264 | 218 time | 2013-03-25 | This attack takes seconds on a regular PC. Two-block collisions in 218, single-block collisions in 241.[1] |
| SHA-1 | 280 | 261.2 | 2020-01-08 | Paper by Gaëtan Leurent and Thomas Peyrin[2] |
| SHA256 | 2128 | 31 of 64 rounds (265.5) | 2013-05-28 | Two-block collision.[3] |
| SHA512 | 2256 | 24 of 80 rounds (232.5) | 2008-11-25 | Paper.[4] |
| SHA-3 | Up to 2512 | 6 of 24 rounds (250) | 2017 | Paper.[5] |
| BLAKE2s | 2128 | 2.5 of 10 rounds (2112) | 2009-05-26 | Paper.[6] |
| BLAKE2b | 2256 | 2.5 of 12 rounds (2224) | 2009-05-26 | Paper.[6] |
Chosen prefix collision attack
Preimage resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| MD5 | 2128 | 2123.4 | 2009-04-27 | Paper.[8] |
| SHA-1 | 2160 | 45 of 80 rounds | 2008-08-17 | Paper.[9] |
| SHA256 | 2256 | 43 of 64 rounds (2254.9 time, 26 memory) | 2009-12-10 | Paper.[10] |
| SHA512 | 2512 | 46 of 80 rounds (2511.5 time, 26 memory) | 2008-11-25 | Paper,[11] updated version.[10] |
| SHA-3 | Up to 2512 | |||
| BLAKE2s | 2256 | 2.5 of 10 rounds (2241) | 2009-05-26 | Paper.[6] |
| BLAKE2b | 2512 | 2.5 of 12 rounds (2481) | 2009-05-26 | Paper.[6] |
Length extension
- Vulnerable: MD5, SHA1, SHA256, SHA512
- Not vulnerable: SHA384, SHA-3, BLAKE2
Less-common hash functions
Collision resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| GOST | 2128 | 2105 | 2008-08-18 | Paper.[12] |
| HAVAL-128 | 264 | 27 | 2004-08-17 | Collisions originally reported in 2004,[13] followed up by cryptanalysis paper in 2005.[14] |
| MD2 | 264 | 263.3 time, 252 memory | 2009 | Slightly less computationally expensive than a birthday attack,[15] but for practical purposes, memory requirements make it more expensive. |
| MD4 | 264 | 3 operations | 2007-03-22 | Finding collisions almost as fast as verifying them.[16] |
| PANAMA | 2128 | 26 | 2007-04-04 | Paper,[17] improvement of an earlier theoretical attack from 2001.[18] |
| RIPEMD (original) | 264 | 218 time | 2004-08-17 | Collisions originally reported in 2004,[13] followed up by cryptanalysis paper in 2005.[19] |
| RadioGatún | Up to 2608[20] | 2704 | 2008-12-04 | For a word size w between 1-64 bits, the hash provides a security claim of 29.5w. The attack can find a collision in 211w time.[21] |
| RIPEMD-160 | 280 | 48 of 80 rounds (251 time) | 2006 | Paper.[22] |
| SHA-0 | 280 | 233.6 time | 2008-02-11 | Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC.[23] |
| Streebog | 2256 | 9.5 rounds of 12 (2176 time, 2128 memory) | 2013-09-10 | Rebound attack.[24] |
| Whirlpool | 2256 | 4.5 of 10 rounds (2120 time) | 2009-02-24 | Rebound attack.[25] |
Preimage resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|---|---|---|---|
| GOST | 2256 | 2192 | 2008-08-18 | Paper.[12] |
| MD2 | 2128 | 273 time, 273 memory | 2008 | Paper.[26] |
| MD4 | 2128 | 2102 time, 233 memory | 2008-02-10 | Paper.[27] |
| RIPEMD (original) | 2128 | 35 of 48 rounds | 2011 | Paper.[28] |
| RIPEMD-128 | 2128 | 35 of 64 rounds | ||
| RIPEMD-160 | 2160 | 31 of 80 rounds | ||
| Streebog | 2512 | 2266 time, 2259 data | 2014-08-29 | The paper presents two second-preimage attacks with variable data requirements.[29] |
| Tiger | 2192 | 2188.8 time, 28 memory | 2010-12-06 | Paper.[30] |
Attacks on hashed passwords
Hashes described here are designed for fast computation and have roughly similar speeds.[31] Because most users typically choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors.[32][33] Special hashes called key derivation functions have been created to slow brute force searches. These include pbkdf2, bcrypt, scrypt, argon2, and balloon.
See also
References
External links
Wikiwand - on
Seamless Wikipedia browsing. On steroids.