# Secure Hash Algorithms

In the past, many **cryptographic hash algorithms** were proposed and used by software developers. Some of them was **broken** (like **MD5** and **SHA1**), some are still considered secure (like **SHA-2**, **SHA-3** and **BLAKE2**). Let's review the most widely used cryptographic hash functions (algorithms).

## Secure Hash Functions

**Modern cryptographic hash algorithms** (like **SHA-3** and **BLAKE2**) are considered **secure** enough for most applications.

### SHA-2, SHA-256, SHA-512

**SHA-2** is a family of strong cryptographic hash functions: **SHA-256** (256 bits hash), **SHA-384** (384 bits hash), **SHA-512** (512 bits hash), etc. It is based on the cryptographic concept "**Merkle–Damgård construction**" and is considered **highly secure**. SHA-2 is published as official crypto standard in the United States.

**SHA-2** is widely used by developers and in cryptography and is considered cryptographically strong enough for modern commercial applications.

**SHA-256** is widely used in the **Bitcoin** blockchain, e.g. for identifying the transaction hashes and for the proof-of-work mining performed by the miners.

Examples of SHA2 hashes:

### More Hash Bits == Higher Collision Resistance

By design, **more bits at the hash output** are expected to achieve **stronger security** and higher collision resistance (with some exceptions). As general rule, 128-bit hash functions are weaker than 256-bit hash functions, which are weaker than 512-bit hash functions.

Thus, SHA-512 is stronger than SHA-256, so we can expect that for SHA-512 it is more unlikely to practically find a collision than for SHA-256.

### SHA-3, SHA3-256, SHA3-512, Keccak-256

**SHA-3** (and its variants SHA3-224, SHA3-256, SHA3-384, SHA3-512), is considered **more secure than SHA-2** (SHA-224, SHA-256, SHA-384, SHA-512) for the same hash length. For example, SHA3-256 provides **more cryptographic strength than SHA-256** for the same hash length (256 bits).

The **SHA-3** family of functions are representatives of the "**Keccak**" hashes family, which are based on the cryptographic concept "**sponge construction**". Keccak is the winner of the SHA-3 NIST competition.

Unlike **SHA-2**, the **SHA-3** family of cryptographic hash functions are not vulnerable to the "**length extension attack**".

**SHA-3** is considered **highly secure** and is published as official recommended crypto standard in the United States.

The hash function **Keccak-256**, which is used in the **Ethereum** blockchain, is a variant of SHA3-256 with some constants changed in the code.

The hash functions **SHAKE128(msg, length)** and **SHAKE256(msg, length)** are variants of the **SHA3-256** and **SHA3-512** algorithms, where the output message length can vary.

Examples of SHA3 hashes:

### BLAKE2 / BLAKE2s / BLAKE2b

[**BLAKE**](https://en.wikipedia.org/wiki/BLAKE_%28hash_function) / **BLAKE2** / **BLAKE2s** / **BLAKE2b** is a family of fast, highly secure cryptographic hash functions, providing calculation of 160-bit, 224-bit, 256-bit, 384-bit and 512-bit digest sizes, widely used in modern cryptography. BLAKE is one of the finalists at the SHA-3 NIST competition.

The **BLAKE2** function is an improved version of **BLAKE**.

**BLAKE2s** (typically **256-bit**) is BLAKE2 implementation, performance-optimized for 32-bit microprocessors.

**BLAKE2b** (typically **512-bit**) is BLAKE2 implementation, performance-optimized for 64-bit microprocessors.

The **BLAKE2** hash function has similar security strength like SHA-3, but is less used by developers than SHA2 and SHA3.

Examples of BLAKE hashes:

### RIPEMD-160

**RIPEMD-160** is a secure hash function, widely used in cryptography, e.g. in PGP and Bitcoin.

The **160-bit** variant of **RIPEMD** is widely used in practice, while the other variations like RIPEMD-128, RIPEMD-256 and RIPEMD-320 are not popular and have disputable security strengths.

As recommendation, **prefer using SHA-2 and SHA-3** instead of RIPEMD, because they are more stronger than RIPEMD, due to higher bit length and less chance for collisions.

Examples of RIPEMD hashes:

All of the above popular secure hash functions (SHA-2, SHA-3, BLAKE2, RIPEMD) are not restricted by commercial patents and are **free for public use**.

## Insecure Hash Functions

**Old hash algorithms** like **MD5**, **SHA-0** and **SHA-1** are considered **insecure** and were withdrawn due to **cryptographic weaknesses** (collisions found). **Don't use MD5**, **SHA-0** and **SHA-1**! All these hash functions are proven to be cryptographically **insecure**.

You can find in Internet that **SHA1 collisions** can be practically generated and this results in algorithms for creating **fake digital signatures**, demonstrated by two different signed PDF documents which hold different content, but have the same hash value and the same digital signature. See https://shattered.io.

Avoid using of the following hash algorithms, which are considered **insecure** or have disputable security: **MD2**, **MD4**, **MD5**, **SHA-0**, **SHA-1**, **Panama**, **HAVAL** (disputable security, collisions found for HAVAL-128), **Tiger** (disputable, weaknesses found), **SipHash** (it is not a cryptographic hash function).

### Other Secure Hash Functions

The below functions are popular strong cryptographic hash functions, alternatives to SHA-2, SHA-3 and BLAKE2:

**Whirlpool**is secure cryptographic hash function, which produces 512-bit hashes.**SM3**is the crypto hash function, officialy standartized by the**Chinese government**. It is similar to SHA-256 (based on the Merkle–Damgård construction) and produces 256-bit hashes.

The below functions are less popular alternatives to SHA-2, SHA-3 and BLAKE, finalists at the SHA-3 NIST competition:

**Skein**is secure cryptographic hash function, capable to derive 128, 160, 224, 256, 384, 512 and 1024-bit hashes.**Grøstl**is secure cryptographic hash function, capable to derive 224, 256, 384 and 512-bit hashes.**JH**is secure cryptographic hash function, capable to derive 224, 256, 384 and 512-bit hashes.

### No Collisions for SHA-256, SHA3-256, BLAKE2s and RIPEMD-160 are Known

As of Oct 2018, **no collisions are known** for: **SHA256**, **SHA3-256**, **Keccak-256**, **BLAKE2s**, **RIPEMD160** and few others.

**Brute forcing** to find hash function collision as general costs: 2128 for SHA256 / SHA3-256 and 280 for RIPEMD160.

Respectively, on a powerful enough **quantum computer**, it will cost less time: 2256/3 and 2160/3 respectively. Still (as of September 2018) so powerful quantum computers are not known to exist.

Learn more about cryptographic hash functions, their strength and **attack resistance** at: https://z.cash/technology/history-of-hash-function-attacks.html

Last updated