Hash function security summary

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

Table color key

No known successful attacks — attack only breaks part of the hash

Theoretical break — attack breaks all rounds and has lower complexity than security claim

Attack demonstrated in practice

Common hash functions

Collision resistance

Main article: Collision attack

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2⁶⁴	2¹⁸ time	2013-03-25	This attack takes seconds on a regular PC. Two-block collisions in 2¹⁸, single-block collisions in 2⁴¹.^[1]
SHA-1	2⁸⁰	2^60.3 ... 2^65.3	2012-06-19	Paper.^[2] Attack is feasible with large amounts of computation power.^[3]
SHA256	2¹²⁸	31 of 64 rounds (2^65.5)	2013-05-28	Two-block collision.^[4]
SHA512	2²⁵⁶	24 of 80 rounds (2^32.5)	2008-11-25	Paper.^[5]

Chosen prefix collision attack

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2⁶⁴	2³⁹	2009-06-16	This attack takes hours on a regular PC.^[6]
SHA-1	2⁸⁰	2^77.1	2012-06-19	Paper.^[2]
SHA256	2¹²⁸
SHA512	2²⁵⁶

Preimage resistance

Main article: Preimage attack

Hash function	Security claim	Best attack	Publish date	Comment
MD5	2¹²⁸	2^123.4	2009-04-27	Paper.^[7]
SHA-1	2¹⁶⁰	45 of 80 rounds	2008-08-17	Paper.^[8]
SHA256	2²⁵⁶	43 of 64 rounds (2^254.9 time, 2⁶ memory)	2009-12-10	Paper.^[9]
SHA512	2⁵¹²	46 of 80 rounds (2^511.5 time, 2⁶ memory)	2008-11-25	Paper,^[10] updated version.^[9]

Less common hash functions

Collision resistance

Hash function	Security claim	Best attack	Publish date	Comment
GOST	2¹²⁸	2¹⁰⁵	2008-08-18	Paper.^[11]
HAVAL-128	2⁶⁴	2⁷	2004-08-17	Collisions originally reported in 2004,^[12] followed up by cryptanalysis paper in 2005.^[13]
MD2	2⁶⁴	2^63.3 time, 2⁵² memory	2009	Slightly less computationally expensive than a birthday attack,^[14] but for practical purposes, memory requirements make it more expensive.
MD4	2⁶⁴	3 operations	2007-03-22	Finding collisions almost as fast as verifying them.^[15]
PANAMA	2¹²⁸	2⁶	2007-04-04	Paper,^[16] improvement of an earlier theoretical attack from 2001.^[17]
RIPEMD (original)	2⁶⁴	2¹⁸ time	2004-08-17	Collisions originally reported in 2004,^[12] followed up by cryptanalysis paper in 2005.^[18]
RadioGatún	2⁶⁰⁸ *	2⁷⁰⁴	2008-12-04	For a word size w between 1-64 bits, the hash provides a collision security claim of 2^8.5w. For any value, the attack can find a collision in 2^11w time.^[19]
RIPEMD-160	2⁸⁰	48 of 80 rounds (2⁵¹ time)	2006	Paper.^[20]
SHA-0	2⁸⁰	2^33.6 time	2008-02-11	Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC.^[21]
Whirlpool	2²⁵⁶	4.5 of 10 rounds (2¹²⁰ time)	2009-02-24	Rebound attack.^[22]

Preimage resistance

Hash function	Security claim	Best attack	Publish date	Comment
GOST	2²⁵⁶	2¹⁹²	2008-08-18	Paper.^[11]
MD2	2¹²⁸	2⁷³ time, 2⁷³ memory	2008	Paper.^[23]
MD4	2¹²⁸	2¹⁰² time, 2³³ memory	2008-02-10	Paper.^[24]
RIPEMD (original)	2¹²⁸	35 of 48 rounds	2011	Paper.^[25]
RIPEMD-128	2¹²⁸	35 of 64 rounds
RIPEMD-160	2¹⁶⁰	31 or 80 rounds
Tiger	2¹⁹²	2^188.8 time, 2⁸ memory	2010-12-06	Paper.^[26]

References

↑ Tao Xie, Fanbao Liu, Dengguo Feng (25 March 2013). "Fast Collision Attack on MD5".
↑ 2.0 2.1 Marc Stevens (2012-06-19). "Attacks on Hash Functions and Applications". PhD thesis.
↑ Bruce Schneier (2012-10-05). "When Will We See Collisions for SHA-1?".
↑ Florian Mendel, Tomislav Nad, Martin Schläffer (2013-05-28). "Improving Local Collisions: New Attacks on Reduced SHA-256".
↑ Somitra Kumar Sanadhya, Palash Sarkar (2008-11-25). "New Collision Attacks against Up to 24-Step SHA-2".
↑ Marc Stevens, Arjen Lenstra, Benne de Weger (2009-06-16). "Chosen-prefix Collisions for MD5 and Applications".
↑ Yu Sasaki, Kazumaro Aoki (2009-04-27). "Finding Preimages in Full MD5 Faster Than Exhaustive Search".
↑ Christophe De Cannière, Christian Rechberger (2008-08-17). "Preimages for Reduced SHA-0 and SHA-1".
↑ 9.0 9.1 Kazumaro Aoki, Jian Guo, Krystian Matusiewicz, Yu Sasaki, Lei Wang (2009-12-10). "Preimages for Step-Reduced SHA-2".
↑ Yu Sasaki, Lei Wang, and Kazumaro Aoki (2008-11-25). "Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512".
↑ 11.0 11.1 Florian Mendel, Norbert Pramstaller, Christian Rechberger, Marcin Kontak, Janusz Szmidt (2008-08-18). "Cryptanalysis of the GOST Hash Function".
↑ 12.0 12.1 Xiaoyun Wang, Dengguo Feng, Xuejia Lai, Hongbo Yu (2004-08-17). "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD".
↑ Xiaoyun Wang, Dengguo Feng, Xiuyuan Yu (October 2005). "An attack on hash function HAVAL-128". Science in China Series F: Information Sciences 48 (5): 545–556.
↑ Lars R. Knudsen, John Erik Mathiassen, Frédéric Muller, Søren S. Thomsen (January 2010). "Cryptanalysis of MD2". Journal of Cryptology 23 (1): pages 72–90.
↑ Yu Sasaki, et al. (2007-03-22). "Improved Collision Attacks on MD4 and MD5".
↑ Joan Daemen, Gilles Van Assche (2007-04-04). "Producing Collisions for Panama, Instantaneously".
↑ Vincent Rijmen, Bart Van Rompay, Bart Preneel, Joos Vandewalle. "Producing Collisions for PANAMA".
↑ Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, Xiuyuan Yu (2005-05-23). "Cryptanalysis of the Hash Functions MD4 and RIPEMD".
↑ Thomas Fuhr, Thomas Peyrin (2008-12-04). "Cryptanalysis of RadioGatun".
↑ Florian Mendel, Norbert Pramstaller, Christian Rechberger, Vincent Rijmen (2006). "On the Collision Resistance of RIPEMD-160".
↑ Stéphane Manuel, Thomas Peyrin (2008-02-11). "Collisions on SHA-0 in One Hour".
↑ Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen (2009-02-24). "The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl".
↑ Søren S. Thomsen (2008). "An improved preimage attack on MD2".
↑ Gaëtan Leurent (2008-02-10). "MD4 is Not One-Way". FSE 2008.
↑ Chiaki Ohtahara, Yu Sasaki, Takeshi Shimoyama (2011). "Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160".
↑ Jian Guo, San Ling, Christian Rechberger, Huaxiong Wang (2010-12-06). "Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2". p. 12-17.

External links

2010 summary of attacks against Tiger, MD4 and SHA-2: Jian Guo, San Ling, Christian Rechberger, Huaxiong Wang (2010-12-06). "Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2". p. 3.

Hash functions & message authentication codes

Security summary

Common functions	MD5 SHA-1 SHA-2 SHA-3/Keccak

SHA-3 finalists	BLAKE Grøstl JH Skein Keccak (winner)

Other functions	FSB ECOH GOST HAS-160 HAVAL LM hash MDC-2 MD2 MD4 MD6 N-Hash RadioGatún RIPEMD SipHash Snefru SWIFFT Tiger VSH WHIRLPOOL crypt(3) (DES)

MAC algorithms	DAA CBC-MAC HMAC OMAC/CMAC PMAC VMAC UMAC Poly1305-AES

Authenticated encryption modes	CCM CWC EAX GCM IAPM OCB

Attacks	Collision attack Preimage attack Birthday attack Brute force attack Rainbow table Distinguishing attack Side-channel attack Length extension attack

Design	Avalanche effect Hash collision Merkle–Damgård construction

Standardization	CRYPTREC NESSIE NIST hash function competition

Utilization	Salt Key stretching

Cryptography

History of cryptography Cryptanalysis Cryptography portal Outline of cryptography

Symmetric-key algorithm Block cipher Stream cipher Public-key cryptography Cryptographic hash function Message authentication code Random numbers Steganography

Hash function security summary

Table color key

Common hash functions

Collision resistance

Chosen prefix collision attack

Preimage resistance

Less common hash functions

Collision resistance

Preimage resistance

See also

References

External links