Template:Comparison of SHA functions

Comparison of SHA functions
view
talk
edit
Algorithm and variant		Output size (bits)	Internal state size (bits)	Block size (bits)	Rounds	Operations	Security against collision attacks (bits)	Security against length extension attacks (bits)	Performance on Skylake (median cpb)^[1]		First published
Algorithm and variant		Output size (bits)	Internal state size (bits)	Block size (bits)	Rounds	Operations	Security against collision attacks (bits)	Security against length extension attacks (bits)	Long messages	8 bytes	First published
MD5 (as reference)		128	128 (4 × 32)	512	64	And, Xor, Rot, Add (mod 2³²), Or	≤ 18 (collisions found)^[2]	0	4.99	55.00	1992
SHA-0		160	160 (5 × 32)	512	80	And, Xor, Rot, Add (mod 2³²), Or	< 34 (collisions found)	0	≈ SHA-1	≈ SHA-1	1993
SHA-1		160	160 (5 × 32)	512	80	And, Xor, Rot, Add (mod 2³²), Or	< 63 (collisions found)^[3]	0	3.47	52.00	1995
SHA-2	SHA-224 SHA-256	224 256	256 (8 × 32)	512	64	And, Xor, Rot, Add (mod 2³²), Or, Shr	112 128	32 0	7.62 7.63	84.50 85.25	2004 2001
	SHA-384	384	512 (8 × 64)	1024	80	And, Xor, Rot, Add (mod 2⁶⁴), Or, Shr	192	128 (≤ 384)	5.12	135.75	2001
	SHA-512	512	512 (8 × 64)	1024	80	And, Xor, Rot, Add (mod 2⁶⁴), Or, Shr	256	0^[4]	5.06	135.50	2001
	SHA-512/224 SHA-512/256	224 256	512 (8 × 64)	1024	80	And, Xor, Rot, Add (mod 2⁶⁴), Or, Shr	112 128	288 256	≈ SHA-384	≈ SHA-384	2012
SHA-3	SHA3-224 SHA3-256 SHA3-384 SHA3-512	224 256 384 512	1600 (5 × 5 × 64)	1152 1088 832 576	24^[5]	And, Xor, Rot, Not	112 128 192 256	448 512 768 1024	8.12 8.59 11.06 15.88	154.25 155.50 164.00 164.00	2015
SHA-3	SHAKE128 SHAKE256	d (arbitrary) d (arbitrary)	1600 (5 × 5 × 64)	1344 1088	24^[5]	And, Xor, Rot, Not	min(d/2, 128) min(d/2, 256)	256 512	7.08 8.59	155.25 155.50	2015

References

^ "Measurements table". bench.cr.yp.to.
^ Tao, Xie; Liu, Fanbao; Feng, Dengguo (2013). Fast Collision Attack on MD5 (PDF). Cryptology ePrint Archive (Technical report). IACR.
^ Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik. The first collision for full SHA-1 (PDF) (Technical report). Google Research. {{cite tech report}}: External link in |lay-url= (help); Unknown parameter |lay-date= ignored (help); Unknown parameter |lay-source= ignored (help); Unknown parameter |lay-url= ignored (help)
^ Without truncation, the full internal state of the hash function is known, regardless of collision resistance. If the output is truncated, the removed part of the state must be searched for and found before the hash function can be resumed, allowing the attack to proceed.
^ "The Keccak sponge function family". Retrieved 2016-01-27.

[1] "Measurements table". bench.cr.yp.to.

[2] Tao, Xie; Liu, Fanbao; Feng, Dengguo (2013). Fast Collision Attack on MD5 (PDF). Cryptology ePrint Archive (Technical report). IACR.

[3] Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; Markov, Yarik. The first collision for full SHA-1 (PDF) (Technical report). Google Research. {{cite tech report}}: External link in |lay-url= (help); Unknown parameter |lay-date= ignored (help); Unknown parameter |lay-source= ignored (help); Unknown parameter |lay-url= ignored (help)

[4] Without truncation, the full internal state of the hash function is known, regardless of collision resistance. If the output is truncated, the removed part of the state must be searched for and found before the hash function can be resumed, allowing the attack to proceed.

[5] "The Keccak sponge function family". Retrieved 2016-01-27.

[1]

[2]

[3]

[4]

[5]