Comparison of cryptographic hash functions

The following tables compare general and technical information for a number of cryptographic hash functions. See the individual functions' articles for further information. This article is not all-inclusive or necessarily up-to-date. An overview of hash function security/cryptanalysis can be found at hash function security summary.

General information

Basic general information about the cryptographic hash functions: year, designer, references, etc.

Function Year Designer Derived from Reference
BLAKE 2008 Jean-Philippe Aumasson
Luca Henzen
Willi Meier
Raphael C.-W. Phan
ChaCha20 Website
Specification
BLAKE2 2012 Jean-Philippe Aumasson
Samuel Neves
Zooko Wilcox-O'Hearn
Christian Winnerlein
BLAKE Website
Specification
RFC 7693
BLAKE3 2020 Jack O'Connor
Jean-Philippe Aumasson
Samuel Neves
Zooko Wilcox-O'Hearn
BLAKE2 Website
Specification
GOST R 34.11-94 1994 FAPSI and VNIIstandart GOST 28147-89 RFC 5831
HAVAL 1992 Yuliang Zheng
Josef Pieprzyk
Jennifer Seberry
Website
Specification
KangarooTwelve 2016 Guido Bertoni
Joan Daemen
Michaël Peeters
Gilles Van Assche
Keccak Website
Specification
MD2 1989 Ronald Rivest RFC 1319
MD4 1990 RFC 1320
MD5 1992 MD4 RFC 1321
MD6 2008 Website
Specification
RIPEMD 1992 The RIPE Consortium[1] MD4
RIPEMD-128
RIPEMD-256
RIPEMD-160
RIPEMD-320
1996 Hans Dobbertin
Antoon Bosselaers
Bart Preneel
RIPEMD Website
Specification
SHA-0 1993 NSA SHA-0
SHA-1 1995 SHA-0 Specification
SHA-256
SHA-384
SHA-512
2002
SHA-224 2004
SHA-3 (Keccak) 2008 Guido Bertoni
Joan Daemen
Michaël Peeters
Gilles Van Assche
RadioGatún Website
Specification
Streebog 2012 FSB, InfoTeCS JSC RFC 6986
Tiger 1995 Ross Anderson
Eli Biham
Website
Specification
Whirlpool 2004 Vincent Rijmen
Paulo Barreto
Website

Parameters

Algorithm Output size (bits) Internal state size[note 1] Block size Length size Word size Rounds
BLAKE2b 512 512 1024 128[note 2] 64 12
BLAKE2s 256 256 512 64[note 3] 32 10
BLAKE3 Unlimited 256[note 4] 512 64 32 7
GOST 256 256 256 256 32 32
HAVAL 256/224/192/160/128 256 1024 64 32 3/4/5
MD2 128 384 128 32 18
MD4 128 128 512 64 32 3
MD5 128 128 512 64 32 64
PANAMA 256 8736 256 32
RadioGatún Unlimited[note 5] 58 words 19 words[note 6] 1–64[note 7] 18[note 8]
RIPEMD 128 128 512 64 32 48
RIPEMD-128, -256 128/256 128/256 512 64 32 64
RIPEMD-160 160 160 512 64 32 80
RIPEMD-320 320 320 512 64 32 80
SHA-0 160 160 512 64 32 80
SHA-1 160 160 512 64 32 80
SHA-224, -256 224/256 256 512 64 32 64
SHA-384, -512, -512/224, -512/256 384/512/224/256 512 1024 128 64 80
SHA-3 224/256/384/512[note 9] 1600 1600 - 2*bits [note 10] 64 24
SHA3-224 224 1600 1152 64 24
SHA3-256 256 1600 1088 64 24
SHA3-384 384 1600 832 64 24
SHA3-512 512 1600 576 64 24
Tiger(2)-192/160/128 192/160/128 192 512 64 64 24
Whirlpool 512 512 512 256 8 10

Notes

  1. The internal state here means the "internal hash sum" after each compression of a data block. Most hash algorithms also internally use some additional variables such as length of the data compressed so far since that is needed for the length padding in the end. See the Merkle–Damgård construction for details.
  2. The size of BLAKE2b's message length counter is 128-bit, but it counts message length in bytes, not in bits like the other hash functions in the comparison. It can hence handle eight times longer messages than a 128-bit length size would suggest (one byte equaling eight bits). A length size of 131-bit is the comparable length size ().
  3. The size of BLAKE2s's message length counter is 64-bit, but it counts message length in bytes, not in bits like the other hash functions in the comparison. It can hence handle eight times longer messages than a 64-bit length size would suggest (one byte equaling eight bits). A length size of 67-bit is the comparable length size ().
  4. The full BLAKE3 incremental state includes a chaining value stack up to 1728 bytes in size. However, the compression function itself does not access this stack. A smaller stack can also be used if the maximum input length is restricted.
  5. RadioGatún is an Extendable-Output Function which means it has an output of unlimited size. The official test vectors are 256-bit hashes. RadioGatún claims to have the security level of a cryptographic sponge function 19 words in size, which means the 32-bit version has the security of a 304-bit hash when looking at preimage attacks, but the security of a 608-bit hash when looking at collision attacks. The 64-bit version, likewise, has the security of a 608-bit or 1216-bit hash. For the purposes of determining how vulnerable RadioGatún is to length extension attacks, only two words of its 58-word state are output between hash compression operations.
  6. RadioGatún is not a Merkle–Damgård construction and, as such, does not have a block size. Its belt is 39 words in size; its mill, which is the closest thing RadioGatún has to a "block", is 19 words in size.
  7. Only the 32-bit and 64-bit versions of RadioGatún have official test vectors
  8. The 18 blank rounds are only applied once in RadioGatún, between the end of the input mapping stage and before the generation of output bits
  9. Although the underlying algorithm Keccak has arbitrary hash lengths, the NIST specified 224, 256, 384 and 512 bits output as valid modes for SHA-3.
  10. Implementation dependent; as per section 7, second paragraph from the bottom of page 22, of FIPS PUB 202.

Compression function

The following tables compare technical information for compression functions of cryptographic hash functions. The information comes from the specifications, please refer to them for more details.

Function Size (bits)[note 1] Words ×
Passes =
Rounds[note 2]
Operations[note 3] Endian[note 4]
Word Digest Chaining
values
[note 5]
Computation
values[note 6]
Block Length
[note 7]
GOST R 34.11-94 32 ×8 = 256 ×8 = 256 32 4 A B L S Little
HAVAL-3-128 32 ×4 = 128 ×8 = 256 ×32 = 1,024 64 32 × 3 = 96 A B S Little
HAVAL-3-160 ×5 = 160
HAVAL-3-192 ×6 = 192
HAVAL-3-224 ×7 = 224
HAVAL-3-256 ×8 = 256
HAVAL-4-128 ×4 = 128 32 × 4 = 128
HAVAL-4-160 ×5 = 160
HAVAL-4-192 ×6 = 192
HAVAL-4-224 ×7 = 224
HAVAL-4-256 ×8 = 256
HAVAL-5-128 ×4 = 128 32 × 5 = 160
HAVAL-5-160 ×5 = 160
HAVAL-5-192 ×6 = 192
HAVAL-5-224 ×7 = 224
HAVAL-5-256 ×8 = 256
MD2 8 ×16 = 128 ×32 = 256 ×48 = 384 ×16 = 128 None 48 × 18 = 864 B N/A
MD4 32 ×4 = 128 ×16 = 512 64 16 × 3 = 48 A B S Little
MD5 16 × 4 = 64
RIPEMD 32 ×4 = 128 ×8 = 256 ×16 = 512 64 16 × 3 = 48 A B S Little
RIPEMD-128 16 × 4 = 64
RIPEMD-256 ×8 = 256
RIPEMD-160 ×5 = 160 ×10 = 320 16 × 5 = 80
RIPEMD-320 ×10 = 320
SHA-0 32 ×5 = 160 ×16 = 512 64 16 × 5 = 80 A B S Big
SHA-1
SHA-256 ×8 = 256 ×8 = 256 16 × 4 = 64
SHA-224 ×7 = 224
SHA-512 64 ×8 = 512 ×8 = 512 ×16 = 1024 128 16 × 5 = 80
SHA-384 ×6 = 384
Tiger-192 64 ×3 = 192 ×3 = 192 ×8 = 512 64 8 × 3 = 24 A B L S Not Specified
Tiger-160 ×2.5=160
Tiger-128 ×2 = 128
Function Word Digest Chaining
values
Computation
values
Block Length Words ×
Passes =
Rounds
Operations Endian
Size (bits)

Notes

  1. The omitted multiplicands are word sizes.
  2. Some authors interchange passes and rounds.
  3. A: addition, subtraction; B: bitwise operation; L: lookup table; S: shift, rotation.
  4. It refers to byte endianness only. If the operations consist of bitwise operations and lookup tables only, the endianness is irrelevant.
  5. The size of message digest equals to the size of chaining values usually. In truncated versions of certain cryptographic hash functions such as SHA-384, the former is less than the latter.
  6. The size of chaining values equals to the size of computation values usually. In certain cryptographic hash functions such as RIPEMD-160, the former is less than the latter because RIPEMD-160 use two sets of parallel computation values and then combine into a single set of chaining values.
  7. The maximum input size = 2length size − 1 bits. For example, the maximum input size of SHA-1 = 264 − 1 bits.
gollark: How'd they fork it to get a WebAssembly compiler, though?
gollark: So THAT'S why nobody uses other haskell compilers?
gollark: WHY?!
gollark: Dark wizardry!
gollark: You should, you see, use Rust.

See also

References

  1. Dobbertin, Hans; Bosselaers, Antoon; Preneel, Bart (21–23 February 1996). RIPEMD-160: A strengthened version of RIPEMD (PDF). Fast Software Encryption. Third International Workshop. Cambridge, UK. pp. 71–82. doi:10.1007/3-540-60865-6_44.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.