Template:Comparison of SHA functions
Appearance
Algorithm and variant | Output size (bits) |
Internal state size (bits) |
Block size (bits) |
Rounds | Operations | Security against collision attacks (bits) |
Security against length extension attacks (bits) |
Performance on Skylake (median cpb)[1] | First published | ||
---|---|---|---|---|---|---|---|---|---|---|---|
Long messages | 8 bytes | ||||||||||
MD5 (as reference) | 128 | 128 (4 × 32) |
512 | 64 | And, Xor, Or, Rot, Add (mod 232) | ≤ 18 (collisions found)[2] |
0 | 4.99 | 55.00 | 1992 | |
SHA-0 | 160 | 160 (5 × 32) |
512 | 80 | And, Xor, Or, Rot, Add (mod 232) | < 34 (collisions found) |
0 | ≈ SHA-1 | ≈ SHA-1 | 1993 | |
SHA-1 | < 63 (collisions found)[3] |
3.47 | 52.00 | 1995 | |||||||
SHA-2 | SHA-224 SHA-256 |
224 256 |
256 (8 × 32) |
512 | 64 | And, Xor, Or, Rot, Shr, Add (mod 232) |
112 128 |
32 0 |
7.62 7.63 |
84.50 85.25 |
2004 2001 |
SHA-384 | 384 | 512 (8 × 64) |
1024 | 80 | And, Xor, Or, Rot, Shr, Add (mod 264) |
192 | 128 (≤ 384) | 5.12 | 135.75 | 2001 | |
SHA-512 | 512 | 256 | 0[4] | 5.06 | 135.50 | 2001 | |||||
SHA-512/224 SHA-512/256 |
224 256 |
112 128 |
288 256 |
≈ SHA-384 | ≈ SHA-384 | 2012 | |||||
SHA-3 | SHA3-224 SHA3-256 SHA3-384 SHA3-512 |
224 256 384 512 |
1600 (5 × 5 × 64) |
1152 1088 832 576 |
24[5] | And, Xor, Rot, Not | 112 128 192 256 |
448 512 768 1024 |
8.12 8.59 11.06 15.88 |
154.25 155.50 164.00 164.00 |
2015 |
SHAKE128 SHAKE256 |
d (arbitrary) d (arbitrary) |
1344 1088 |
min(d/2, 128) min(d/2, 256) |
256 512 |
7.08 8.59 |
155.25 155.50 |
References
- ^ "Measurements table". bench.cr.yp.to.
- ^ Tao, Xie; Liu, Fanbao; Feng, Dengguo (2013). Fast Collision Attack on MD5 (PDF). Cryptology ePrint Archive (Technical report). IACR.
- ^ Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik. The first collision for full SHA-1 (PDF) (Technical report). Google Research.
- Marc Stevens; Elie Bursztein; Pierre Karpman; Ange Albertini; Yarik Markov; Alex Petit Bianco; Clement Baisse (February 23, 2017). "Announcing the first SHA1 collision". Google Security Blog.
- ^ Without truncation, the full internal state of the hash function is known, regardless of collision resistance. If the output is truncated, the removed part of the state must be searched for and found before the hash function can be resumed, allowing the attack to proceed.
- ^ "The Keccak sponge function family". Retrieved 2016-01-27.