This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.
Table color key
Common hash functions
Collision resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|
| MD5 | 264 | 218 time | 2013-03-25 | This attack takes seconds on a regular PC. Two-block collisions in 218, single-block collisions in 241. |
| SHA-1 | 280 | 261.2 | 2020-01-08 | Paper by Gaëtan Leurent and Thomas Peyrin |
| SHA256 | 2128 | 31 of 64 rounds (265.5) | 2013-05-28 | Two-block collision. |
| SHA512 | 2256 | 24 of 80 rounds (232.5) | 2008-11-25 | Paper. |
| SHA-3 | Up to 2512 | 6 of 24 rounds (250) | 2017 | Paper. |
| BLAKE2s | 2128 | 2.5 of 10 rounds (2112) | 2009-05-26 | Paper. |
| BLAKE2b | 2256 | 2.5 of 12 rounds (2224) | 2009-05-26 | Paper. |
Chosen prefix collision attack
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|
| MD5 | 264 | 239 | 2009-06-16 | This attack takes hours on a regular PC. |
| SHA-1 | 280 | 263.4 | 2020-01-08 | Paper by Gaëtan Leurent and Thomas Peyrin |
| SHA256 | 2128 | | | |
| SHA512 | 2256 | | | |
| SHA-3 | Up to 2512 | | | |
| BLAKE2s | 2128 | | | |
| BLAKE2b | 2256 | | | |
Preimage resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|
| MD5 | 2128 | 2123.4 | 2009-04-27 | Paper. |
| SHA-1 | 2160 | 45 of 80 rounds | 2008-08-17 | Paper. |
| SHA256 | 2256 | 43 of 64 rounds (2254.9 time, 26 memory) | 2009-12-10 | Paper. |
| SHA512 | 2512 | 46 of 80 rounds (2511.5 time, 26 memory) | 2008-11-25 | Paper, updated version. |
| SHA-3 | Up to 2512 | | | |
| BLAKE2s | 2256 | 2.5 of 10 rounds (2241) | 2009-05-26 | Paper. |
| BLAKE2b | 2512 | 2.5 of 12 rounds (2481) | 2009-05-26 | Paper. |
Length extension
- Vulnerable: MD5, SHA1, SHA256, SHA512
- Not vulnerable: SHA384, SHA-3, BLAKE2
Less-common hash functions
Collision resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|
| GOST | 2128 | 2105 | 2008-08-18 | Paper. |
| HAVAL-128 | 264 | 27 | 2004-08-17 | Collisions originally reported in 2004, followed up by cryptanalysis paper in 2005. |
| MD2 | 264 | 263.3 time, 252 memory | 2009 | Slightly less computationally expensive than a birthday attack, but for practical purposes, memory requirements make it more expensive. |
| MD4 | 264 | 3 operations | 2007-03-22 | Finding collisions almost as fast as verifying them. |
| PANAMA | 2128 | 26 | 2007-04-04 | Paper, improvement of an earlier theoretical attack from 2001. |
| RIPEMD (original) | 264 | 218 time | 2004-08-17 | Collisions originally reported in 2004, followed up by cryptanalysis paper in 2005. |
| RadioGatún | Up to 2608 | 2704 | 2008-12-04 | For a word size w between 1-64 bits, the hash provides a security claim of 29.5w. The attack can find a collision in 211w time. |
| RIPEMD-160 | 280 | 48 of 80 rounds (251 time) | 2006 | Paper. |
| SHA-0 | 280 | 233.6 time | 2008-02-11 | Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC. |
| Streebog | 2256 | 9.5 rounds of 12 (2176 time, 2128 memory) | 2013-09-10 | Rebound attack. |
| Whirlpool | 2256 | 4.5 of 10 rounds (2120 time) | 2009-02-24 | Rebound attack. |
Preimage resistance
| Hash function | Security claim | Best attack | Publish date | Comment |
|---|
| GOST | 2256 | 2192 | 2008-08-18 | Paper. |
| MD2 | 2128 | 273 time, 273 memory | 2008 | Paper. |
| MD4 | 2128 | 2102 time, 233 memory | 2008-02-10 | Paper. |
| RIPEMD (original) | 2128 | 35 of 48 rounds | 2011 | Paper. |
| RIPEMD-128 | 2128 | 35 of 64 rounds |
| RIPEMD-160 | 2160 | 31 of 80 rounds |
| Streebog | 2512 | 2266 time, 2259 data | 2014-08-29 | The paper presents two second-preimage attacks with variable data requirements. |
| Tiger | 2192 | 2188.8 time, 28 memory | 2010-12-06 | Paper. |
Attacks on hashed passwords
Hashes described here are designed for fast computation and have roughly similar speeds. Because most users typically choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors. Special hashes called key derivation functions have been created to slow brute force searches. These include pbkdf2, bcrypt, scrypt, argon2, and balloon.
See also
External links
- 2010 summary of attacks against Tiger, MD4 and SHA-2: Jian Guo; San Ling; Christian Rechberger; Huaxiong Wang (2010-12-06). . Asiacrypt 2010. p. 3.