Comparison of cryptographic hash functions

Tables comparing general and technical information for common hashes

The following tables compare general and technical information for a number of cryptographic hash functions. See the individual functions' articles for further information. This article is not all-inclusive or necessarily up-to-date. An overview of hash function security/cryptanalysis can be found at hash function security summary.

General information

Basic general information about the cryptographic hash functions: year, designer, references, etc.

Parameters

Notes

1. The internal state here means the "internal hash sum" after each compression of a data block. Most hash algorithms also internally use some additional variables such as length of the data compressed so far since that is needed for the length padding in the end. See the Merkle–Damgård construction for details.
2. The size of BLAKE2b's message length counter is 128-bit, but it counts message length in bytes, not in bits like the other hash functions in the comparison. It can hence handle eight times longer messages than a 128-bit length size would suggest (one byte equaling eight bits). A length size of 131-bit is the comparable length size ( ${\displaystyle 8\times 2^{128}=2^{131}}$).
3. The size of BLAKE2s's message length counter is 64-bit, but it counts message length in bytes, not in bits like the other hash functions in the comparison. It can hence handle eight times longer messages than a 64-bit length size would suggest (one byte equaling eight bits). A length size of 67-bit is the comparable length size ( ${\displaystyle 8\times 2^{64}=2^{67}}$).
4. The full BLAKE3 incremental state includes a chaining value stack up to 1728 bytes in size. However, the compression function itself does not access this stack. A smaller stack can also be used if the maximum input length is restricted.
5. RadioGatún is an extendable-output function which means it has an output of unlimited size. The official test vectors are 256-bit hashes. RadioGatún claims to have the security level of a cryptographic sponge function 19 words in size, which means the 32-bit version has the security of a 304-bit hash when looking at preimage attacks, but the security of a 608-bit hash when looking at collision attacks. The 64-bit version, likewise, has the security of a 608-bit or 1216-bit hash. For the purposes of determining how vulnerable RadioGatún is to length extension attacks, only two words of its 58-word state are output between hash compression operations.
6. RadioGatún is not a Merkle–Damgård construction and, as such, does not have a block size. Its belt is 39 words in size; its mill, which is the closest thing RadioGatún has to a "block", is 19 words in size.
7. Only the 32-bit and 64-bit versions of RadioGatún have official test vectors
8. The 18 blank rounds are only applied once in RadioGatún, between the end of the input mapping stage and before the generation of output bits
9. Although the underlying algorithm Keccak has arbitrary hash lengths, the NIST specified 224, 256, 384 and 512 bits output as valid modes for SHA-3.
10. Implementation dependent; as per section 7, second paragraph from the bottom of page 22, of FIPS PUB 202.

Compression function

The following tables compare technical information for compression functions of cryptographic hash functions. The information comes from the specifications, please refer to them for more details.

Notes

1. The omitted multiplicands are word sizes.
2. Some authors interchange passes and rounds.
3. A: addition, subtraction; B: bitwise operation; L: lookup table; S: shift, rotation.
4. It refers to byte endianness only. If the operations consist of bitwise operations and lookup tables only, the endianness is irrelevant.
5. The size of message digest equals to the size of chaining values usually. In truncated versions of certain cryptographic hash functions such as SHA-384, the former is less than the latter.
6. The size of chaining values equals to the size of computation values usually. In certain cryptographic hash functions such as RIPEMD-160, the former is less than the latter because RIPEMD-160 use two sets of parallel computation values and then combine into a single set of chaining values.
7. The maximum input size = 2^{length size} − 1 bits. For example, the maximum input size of SHA-1 = 2⁶⁴ − 1 bits.

See also

• List of hash functions
• Hash function security summary
• Word (computer architecture)

References

1. Dobbertin, Hans; Bosselaers, Antoon; Preneel, Bart (21–23 February 1996). RIPEMD-160: A strengthened version of RIPEMD (PDF). Fast Software Encryption. Third International Workshop. Cambridge, UK. pp. 71–82. doi:10.1007/3-540-60865-6_44.

External links

• ECRYPT Benchmarking of Cryptographic Hashes – measurements of hash function speed on various platforms
• The ECRYPT Hash Function Website – A wiki for cryptographic hash functions
• SHA-3 Project – Information about SHA-3 competition