Hash function security summary

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2⁶⁴	2¹⁸ time	2013-03-25	This attack takes seconds on a regular PC. Two-block collisions in 2¹⁸, single-block collisions in 2⁴¹.^[1]
SHA-1	2⁸⁰	2^61.2	2020-01-08	Paper by Gaëtan Leurent and Thomas Peyrin^[2]
SHA256	2¹²⁸	31 of 64 rounds (2^65.5)	2013-05-28	Two-block collision.^[3]
SHA512	2²⁵⁶	24 of 80 rounds (2^32.5)	2008-11-25	Paper.^[4]
SHA-3	Up to 2⁵¹²	6 of 24 rounds (2⁵⁰)	2017	Paper.^[5]
BLAKE2s	2¹²⁸	2.5 of 10 rounds (2¹¹²)	2009-05-26	Paper.^[6]
BLAKE2b	2²⁵⁶	2.5 of 12 rounds (2²²⁴)	2009-05-26	Paper.^[6]

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2⁶⁴	2³⁹	2009-06-16	This attack takes hours on a regular PC.^[7]
SHA-1	2⁸⁰	2^63.4	2020-01-08	Paper by Gaëtan Leurent and Thomas Peyrin^[2]
SHA256	2¹²⁸
SHA512	2²⁵⁶
SHA-3	Up to 2⁵¹²
BLAKE2s	2¹²⁸
BLAKE2b	2²⁵⁶

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2¹²⁸	2^123.4	2009-04-27	Paper.^[8]
SHA-1	2¹⁶⁰	45 of 80 rounds	2008-08-17	Paper.^[9]
SHA256	2²⁵⁶	43 of 64 rounds (2^254.9 time, 2⁶ memory)	2009-12-10	Paper.^[10]
SHA512	2⁵¹²	46 of 80 rounds (2^511.5 time, 2⁶ memory)	2008-11-25	Paper,^[11] updated version.^[10]
SHA-3	Up to 2⁵¹²
BLAKE2s	2²⁵⁶	2.5 of 10 rounds (2²⁴¹)	2009-05-26	Paper.^[6]
BLAKE2b	2⁵¹²	2.5 of 12 rounds (2⁴⁸¹)	2009-05-26	Paper.^[6]

Hash function	Security claim	Best attack	Publish date	Comment
GOST	2¹²⁸	2¹⁰⁵	2008-08-18	Paper.^[12]
HAVAL-128	2⁶⁴	2⁷	2004-08-17	Collisions originally reported in 2004,^[13] followed up by cryptanalysis paper in 2005.^[14]
MD2	2⁶⁴	2^63.3 time, 2⁵² memory	2009	Slightly less computationally expensive than a birthday attack,^[15] but for practical purposes, memory requirements make it more expensive.
MD4	2⁶⁴	3 operations	2007-03-22	Finding collisions almost as fast as verifying them.^[16]
PANAMA	2¹²⁸	2⁶	2007-04-04	Paper,^[17] improvement of an earlier theoretical attack from 2001.^[18]
RIPEMD (original)	2⁶⁴	2¹⁸ time	2004-08-17	Collisions originally reported in 2004,^[13] followed up by cryptanalysis paper in 2005.^[19]
RadioGatún	Up to 2⁶⁰⁸^[20]	2⁷⁰⁴	2008-12-04	For a word size w between 1-64 bits, the hash provides a security claim of 2^9.5w. The attack can find a collision in 2^11w time.^[21]
RIPEMD-160	2⁸⁰	48 of 80 rounds (2⁵¹ time)	2006	Paper.^[22]
SHA-0	2⁸⁰	2^33.6 time	2008-02-11	Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC.^[23]
Streebog	2²⁵⁶	9.5 rounds of 12 (2¹⁷⁶ time, 2¹²⁸ memory)	2013-09-10	Rebound attack.^[24]
Whirlpool	2²⁵⁶	4.5 of 10 rounds (2¹²⁰ time)	2009-02-24	Rebound attack.^[25]

Hash function	Security claim	Best attack	Publish date	Comment
GOST	2²⁵⁶	2¹⁹²	2008-08-18	Paper.^[12]
MD2	2¹²⁸	2⁷³ time, 2⁷³ memory	2008	Paper.^[26]
MD4	2¹²⁸	2¹⁰² time, 2³³ memory	2008-02-10	Paper.^[27]
RIPEMD (original)	2¹²⁸	35 of 48 rounds	2011	Paper.^[28]
RIPEMD-128	2¹²⁸	35 of 64 rounds
RIPEMD-160	2¹⁶⁰	31 of 80 rounds
Streebog	2⁵¹²	2²⁶⁶ time, 2²⁵⁹ data	2014-08-29	The paper presents two second-preimage attacks with variable data requirements.^[29]
Tiger	2¹⁹²	2^188.8 time, 2⁸ memory	2010-12-06	Paper.^[30]

Table color key