Hash function security summary

Quality 0.50 · 0 views · Updated 2 months ago

Publicly known attacks against cryptographic hash functions

title: "Hash function security summary" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["cryptographic-hash-functions", "broken-hash-functions", "cryptography-lists-and-comparisons"] description: "Publicly known attacks against cryptographic hash functions" topic_path: "technology/cryptography" source: "https://en.wikipedia.org/wiki/Hash_function_security_summary" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0

::summary Publicly known attacks against cryptographic hash functions ::

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

Table color key

Common hash functions

Collision resistance

Main article: Collision attack

::data[format=table]

Hash functionSecurity claimBest attackPublish dateComment
MD5264218 time2013-03-25This attack takes seconds on a regular PC. Two-block collisions in 218, single-block collisions in 241.
SHA-1280261.22020-01-08Paper by Gaëtan Leurent and Thomas Peyrin
SHA256212831 of 64 rounds (265.5)2013-05-28Two-block collision.
SHA512225624 of 80 rounds (232.5)2008-11-25author1=Somitra Kumar Sanadhya
SHA-3Up to 25126 of 24 rounds (250)2017Paper.
BLAKE2s21282.5 of 10 rounds (2112)2009-05-26author1=LI Ji
BLAKE2b22562.5 of 12 rounds (2224)2009-05-26Paper.
::

Chosen prefix collision attack

::data[format=table]

Hash functionSecurity claimBest attackPublish dateComment
MD52642392009-06-16This attack takes hours on a regular PC.
SHA-1280263.42020-01-08author1=Gaëtan Leurent
SHA2562128
SHA5122256
SHA-3Up to 2512
BLAKE2s2128
BLAKE2b2256
::

Preimage resistance

Main article: Preimage attack

::data[format=table]

Hash functionSecurity claimBest attackPublish dateComment
MD521282123.42009-04-27Paper.
SHA-1216045 of 80 rounds2008-08-17Paper.
SHA256225643 of 64 rounds (2254.9 time, 26 memory)2009-12-10author1=Kazumaro Aoki
SHA512251246 of 80 rounds (2511.5 time, 26 memory)2008-11-25Paper, updated version.
SHA-3Up to 2512
BLAKE2s22562.5 of 10 rounds (2241)2009-05-26Paper.
BLAKE2b25122.5 of 12 rounds (2481)2009-05-26Paper.
::

Length extension

Main article: Length extension attack

  • Vulnerable: MD5, SHA1, SHA256, SHA512
  • Not vulnerable: SHA384, SHA-3, BLAKE2

Less-common hash functions

Collision resistance

::data[format=table]

Hash functionSecurity claimBest attackPublish dateComment
GOST212821052008-08-18author=Florian Mendel
HAVAL-128264272004-08-17author=Xiaoyun Wang
MD2264263.3 time, 252 memory2009Slightly less computationally expensive than a birthday attack, but for practical purposes, memory requirements make it more expensive.
MD42643 operations2007-03-22Finding collisions almost as fast as verifying them.
PANAMA2128262007-04-04Paper, improvement of an earlier theoretical attack from 2001.
RIPEMD (original)264218 time2004-08-17author=Xiaoyun Wang
RadioGatúnUp to 260827042008-12-04For a word size w between 1-64 bits, the hash provides a security claim of 29.5w. The attack can find a collision in 211w time.
RIPEMD-16028048 of 80 rounds (251 time)2006Paper.
SHA-0280233.6 time2008-02-11Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC.
Streebog22569.5 rounds of 12 (2176 time, 2128 memory)2013-09-10Rebound attack.
Whirlpool22564.5 of 10 rounds (2120 time)2009-02-24Rebound attack.
::

Preimage resistance

::data[format=table]

Hash functionSecurity claimBest attackPublish dateComment
GOST225621922008-08-18Paper.
MD22128273 time, 273 memory2008Paper.
MD421282102 time, 233 memory2008-02-10Paper.
RIPEMD (original)212835 of 48 rounds2011Paper.
RIPEMD-128212835 of 64 rounds
RIPEMD-160216031 of 80 rounds
Streebog25122266 time, 2259 data2014-08-29The paper presents two second-preimage attacks with variable data requirements.
Tiger21922188.8 time, 28 memory2010-12-06Paper.
::

Attacks on hashed passwords

Main article: Password cracking

Hashes described here are designed for fast computation and have roughly similar speeds. Because most users typically choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors.{{cite web | url=https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ | title=25-GPU cluster cracks every standard Windows password in | date=2012-12-10 | first=Dan | last=Goodin | publisher=Ars Technica | access-date=2020-11-23}} Special hashes called key derivation functions have been created to slow brute force searches. These include pbkdf2, bcrypt, scrypt, argon2, and balloon.

References

References

  1. (25 March 2013). "Fast Collision Attack on MD5". IACR Cryptol. ePrint Arch..
  2. Florian Mendel. (2013-05-28). "Improving Local Collisions: New Attacks on Reduced SHA-256".
  3. (2008-11-25). "New Collision Attacks against Up to 24-Step SHA-2".
  4. L. Song, G. Liao and J. Guo, Non-Full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak, CRYPTO, 2017
  5. (2009-05-26). "Attacks on Round-Reduced BLAKE". IACR Cryptol. ePrint Arch..
  6. (2012-07-12). "Chosen-prefix Collisions for MD5 and Applications". International Journal of Applied Cryptography.
  7. (2020-01-08). "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust". USENIX Association.
  8. (2009-04-27). "Finding Preimages in Full MD5 Faster Than Exhaustive Search".
  9. (2008-08-17). "Preimages for Reduced SHA-0 and SHA-1".
  10. (2009-12-10). "Preimages for Step-Reduced SHA-2".
  11. (2008-11-25). "Preimage Attacks on 41-Step SHA-256 and 46-Step SHA-512". IACR Cryptol. ePrint Arch..
  12. Florian Mendel. (2008-08-18). "Cryptanalysis of the GOST Hash Function".
  13. Xiaoyun Wang. (2004-08-17). "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD". Cryptology ePrint Archive.
  14. Xiaoyun Wang. (October 2005). "An attack on hash function HAVAL-128". Science in China Series F: Information Sciences.
  15. (January 2010). "Cryptanalysis of MD2". Journal of Cryptology.
  16. Yu Sasaki. (2007-03-22). "Improved Collision Attacks on MD4 and MD5". IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences.
  17. Joan Daemen. (2007-04-04). "Producing Collisions for Panama, Instantaneously".
  18. Vincent Rijmen. (2001). "Producing Collisions for PANAMA".
  19. Xiaoyun Wang. (2005-05-23). "Cryptanalysis of the Hash Functions MD4 and RIPEMD".
  20. RadioGatún is a family of 64 different hash functions. The security level and best attack in the chart are for the 64-bit version. The 32-bit version of RadioGatún has a claimed security level of 2304 and the best claimed attack takes 2352 work.
  21. (2008-12-04). "Cryptanalysis of RadioGatun".
  22. Florian Mendel. (2006). "On the Collision Resistance of RIPEMD-160".
  23. (2008-02-11). "Collisions on SHA-0 in One Hour".
  24. Zongyue Wang. (2013-09-10). "Cryptanalysis of GOST R hash function". Information Processing Letters.
  25. Florian Mendel. (2009-02-24). "The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl".
  26. Søren S. Thomsen. (2008). "An improved preimage attack on MD2". Cryptology ePrint Archive.
  27. Gaëtan Leurent. (2008-02-10). "MD4 is Not One-Way".
  28. Chiaki Ohtahara. (2011). "Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160".
  29. Jian Guo. (2014-08-29). "The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function".
  30. Jian Guo. (2010-12-06). "Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2".
  31. "ECRYPT Benchmarking of Cryptographic Hashes".
  32. (January 3, 2020). "Mind-blowing GPU performance". Improsec.

::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::

cryptographic-hash-functionsbroken-hash-functionscryptography-lists-and-comparisons