Английская Википедия:Hash function security summary

Материал из Онлайн справочника
Перейти к навигацииПерейти к поиску

Шаблон:Short description This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

Table color key

Шаблон:See also Шаблон:Legend Шаблон:Legend Шаблон:Legend

Common hash functions

Collision resistance

Шаблон:Main

Hash function Security claim Best attack Publish date Comment
MD5 264 218 time 2013-03-25 This attack takes seconds on a regular PC. Two-block collisions in 218, single-block collisions in 241.[1]
SHA-1 280 261.2 2020-01-08 Paper by Gaëtan Leurent and Thomas Peyrin[2]
SHA256 2128 31 of 64 rounds (265.5) 2013-05-28 Two-block collision.[3]
SHA512 2256 24 of 80 rounds (232.5) 2008-11-25 Paper.[4]
SHA-3 Up to 2512 6 of 24 rounds (250) 2017 Paper.[5]
BLAKE2s 2128 2.5 of 10 rounds (2112) 2009-05-26 Paper.[6]
BLAKE2b 2256 2.5 of 12 rounds (2224) 2009-05-26 Paper.[6]

Chosen prefix collision attack

Hash function Security claim Best attack Publish date Comment
MD5 264 239 2009-06-16 This attack takes hours on a regular PC.[7]
SHA-1 280 263.4 2020-01-08 Paper by Gaëtan Leurent and Thomas Peyrin[2]
SHA256 2128
SHA512 2256
SHA-3 Up to 2512
BLAKE2s 2128
BLAKE2b 2256

Preimage resistance

Шаблон:Main

Hash function Security claim Best attack Publish date Comment
MD5 2128 2123.4 2009-04-27 Paper.[8]
SHA-1 2160 45 of 80 rounds 2008-08-17 Paper.[9]
SHA256 2256 43 of 64 rounds (2254.9 time, 26 memory) 2009-12-10 Paper.[10]
SHA512 2512 46 of 80 rounds (2511.5 time, 26 memory) 2008-11-25 Paper,[11] updated version.[10]
SHA-3 Up to 2512
BLAKE2s 2256 2.5 of 10 rounds (2241) 2009-05-26 Paper.[6]
BLAKE2b 2512 2.5 of 12 rounds (2481) 2009-05-26 Paper.[6]

Length extension

Шаблон:Main

  • Vulnerable: MD5, SHA1, SHA256, SHA512
  • Not vulnerable: SHA384, SHA-3, BLAKE2

Less-common hash functions

Collision resistance

Hash function Security claim Best attack Publish date Comment
GOST 2128 2105 2008-08-18 Paper.[12]
HAVAL-128 264 27 2004-08-17 Collisions originally reported in 2004,[13] followed up by cryptanalysis paper in 2005.[14]
MD2 264 Шаблон:Nowrap 2009 Slightly less computationally expensive than a birthday attack,[15] but for practical purposes, memory requirements make it more expensive.
MD4 264 3 operations 2007-03-22 Finding collisions almost as fast as verifying them.[16]
PANAMA 2128 26 2007-04-04 Paper,[17] improvement of an earlier theoretical attack from 2001.[18]
RIPEMD (original) 264 218 time 2004-08-17 Collisions originally reported in 2004,[13] followed up by cryptanalysis paper in 2005.[19]
RadioGatún Up to 2608[20] 2704 2008-12-04 For a word size w between 1-64 bits, the hash provides a security claim of 29.5w. The attack can find a collision in 211w time.[21]
RIPEMD-160 280 48 of 80 rounds (251 time) 2006 Paper.[22]
SHA-0 280 233.6 time 2008-02-11 Two-block collisions using boomerang attack. Attack takes estimated 1 hour on an average PC.[23]
Streebog 2256 9.5 rounds of 12 (2176 time, 2128 memory) 2013-09-10 Rebound attack.[24]
Whirlpool 2256 4.5 of 10 rounds (2120 time) 2009-02-24 Rebound attack.[25]

Preimage resistance

Hash function Security claim Best attack Publish date Comment
GOST 2256 2192 2008-08-18 Paper.[12]
MD2 2128 273 time, 273 memory 2008 Paper.[26]
MD4 2128 2102 time, 233 memory 2008-02-10 Paper.[27]
RIPEMD (original) 2128 35 of 48 rounds 2011 Paper.[28]
RIPEMD-128 2128 35 of 64 rounds
RIPEMD-160 2160 31 of 80 rounds
Streebog 2512 2266 time, 2259 data 2014-08-29 The paper presents two second-preimage attacks with variable data requirements.[29]
Tiger 2192 2188.8 time, 28 memory 2010-12-06 Paper.[30]

Attacks on hashed passwords

Шаблон:Main Hashes described here are designed for fast computation and have roughly similar speeds.[31] Because most users typically choose short passwords formed in predictable ways, passwords can often be recovered from their hashed value if a fast hash is used. Searches on the order of 100 billion tests per second are possible with high-end graphics processors.[32][33] Special hashes called key derivation functions have been created to slow brute force searches. These include pbkdf2, bcrypt, scrypt, argon2, and balloon.

See also

References

Шаблон:Reflist

External links

Шаблон:Cryptography navbox

Партнерские ресурсы
Криптовалюты
Магазины
Хостинг
Разное

  1. Шаблон:Cite journal
  2. 2,0 2,1 Шаблон:Cite journal
  3. Шаблон:Cite conference
  4. Шаблон:Cite conference
  5. L. Song, G. Liao and J. Guo, Non-Full Sbox Linearization: Applications to Collision Attacks on Round-Reduced Keccak, CRYPTO, 2017
  6. 6,0 6,1 6,2 6,3 Шаблон:Cite journal
  7. Шаблон:Cite journal
  8. Шаблон:Cite conference
  9. Шаблон:Cite conference
  10. 10,0 10,1 Шаблон:Cite conference
  11. Шаблон:Cite journal
  12. 12,0 12,1 Шаблон:Cite conference
  13. 13,0 13,1 Шаблон:Cite journal
  14. Шаблон:Cite journal
  15. Шаблон:Cite journal
  16. Шаблон:Cite journal
  17. Шаблон:Cite conference
  18. Шаблон:Cite conference
  19. Шаблон:Cite conference
  20. RadioGatún is a family of 64 different hash functions. The security level and best attack in the chart are for the 64-bit version. The 32-bit version of RadioGatún has a claimed security level of 2304 and the best claimed attack takes 2352 work.
  21. Шаблон:Cite conference
  22. Шаблон:Cite conference
  23. Шаблон:Cite conference
  24. Шаблон:Cite journal
  25. Шаблон:Cite conference
  26. Шаблон:Cite journal
  27. Шаблон:Cite conference
  28. Шаблон:Cite conference
  29. Шаблон:Cite conference
  30. Шаблон:Cite conference
  31. Шаблон:Cite web
  32. Шаблон:Cite web
  33. Шаблон:Cite web
Источник — http://wikihandbk.com/ruwiki/index.php?title=Английская_Википедия:Hash_function_security_summary&oldid=15160114