├── LICENSE
├── README.rst
├── history-of-hash-function-attacks.rst
└── valerieaurora.org-hash-crop-2.png

/LICENSE:
--------------------------------------------------------------------------------
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
.. -*- coding: utf-8-with-signature-unix; fill-column: 73; -*-
.. -*- indent-tabs-mode: nil -*-

INCOMPLETE! This draft may contain errors and omissions that the final
version will not. Do not read this and believe anything it says.
—Zooko

hash-function-survey
====================

a web page / paper
--------------------------------------------------------------------------------
/history-of-hash-function-attacks.rst:
--------------------------------------------------------------------------------
.. -*- coding: utf-8-with-signature-unix; fill-column: 73; indent-tabs-mode: nil -*-

============================================================
lessons from the history of attacks on secure hash functions
============================================================

by Zooko Wilcox, `Zcash`_ and `LeastAuthority`_, 2017-02-24

.. _`Zcash`: https://z.cash
.. _`LeastAuthority`: https://LeastAuthority.com

*This document is a work-in-progress. Please contact the author if you see errors or omissions.*

Summary
=======

Most of the secure hash functions ever designed have turned out to be
vulnerable to collision attacks. This includes the widely-used secure
hash functions MD5 and SHA-1.

What about pre-image and second-pre-image attacks? Have practical hash
functions historically been vulnerable to those?

I summarize here the history of attacks on secure hash functions in order
to answer that question.

The main result is that there is a big gap between the history of
collision attacks and pre-image attacks. Almost *all* older secure hash
functions have fallen to collision attacks. Almost *none* have ever
fallen to pre-image attacks.

Secondarily, almost no *new* secure hash functions (designed after
approximately the year 2000) have so far succumbed to collision attacks,
either.

Preliminaries
=============

The input to a secure hash function is called the *pre-image* and the
output is called the *image*.
A hash function *collision* is two different inputs (pre-images) which
result in the same output. A hash function is *collision-resistant* if an
adversary can't find any collision.

A hash function is *pre-image resistant* if, given an output (image), an
adversary can't find any input (pre-image) which results in that output.

A hash function is *second-pre-image resistant* if, given *one*
pre-image, an adversary can't find any *other* pre-image which results in
the same image.

When collision attacks don't matter
===================================

There are cases where collision-resistance doesn't matter at all and what
you care about is second-pre-image resistance.

For such uses it would be harmless to be able to generate collisions, but
harmful to be able to generate pre-images or second-pre-images. For this
purpose the relevant question is not whether hash function designs have
historically been revealed to be vulnerable to collisions but instead
whether they've been revealed to be vulnerable to (second-)pre-images.

hash-based digital signatures
-----------------------------

An example of this is the construction of hash-based digital
signatures. Hash-based digital signatures are secure (resistant to
forgery) as long as the hash function they are built on has
second-pre-image resistance, e.g. SPHINCS_.

Such a hash-based digital signature would fail if its underlying hash
function failed at second-pre-image resistance, but this is the *only*
way that it could be broken—any attack which was able to forge digital
signatures against such a scheme would *have* to violate the
second-pre-image resistance of the underlying hash function.
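The reduction stated above, made concrete in an added example that is not part of this note and is not SPHINCS: a toy Lamport one-time signature over SHA-256 whose signer prepends a fresh randomizer ``r`` before hashing the message, in the spirit of the randomized message hashing used by SPHINCS-style schemes. ``forgery_needs`` enumerates the never-opened public-key images a forger would have to invert, which is why forging it is a (second-)pre-image problem and not a collision problem; all names below are this example's own.

```python
# Added illustration (not SPHINCS and not code from this note): a Lamport
# one-time signature over SHA-256 with a signer-chosen randomizer, to show
# concretely why forging it requires a (second-)pre-image of the hash.
import hashlib
import secrets

N = 256  # bits in the message digest; one pair of secret values per bit


def H(data: bytes) -> bytes:
    """The underlying secure hash. The whole scheme rests on it alone."""
    return hashlib.sha256(data).digest()


def keygen():
    """sk: two fresh random 32-byte pre-images per bit; pk: their images only."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def digest_bits(r: bytes, message: bytes) -> list:
    """Randomized digest H(r || m) as a list of N bits, most significant first."""
    d = H(r + message)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]


def sign(sk, message: bytes):
    """Reveal exactly one pre-image per digest bit (the key must never be
    reused: two signatures would open both halves of many pairs)."""
    r = secrets.token_bytes(32)  # randomizer, picked by the signer at signing time
    reveals = [sk[i][b] for i, b in enumerate(digest_bits(r, message))]
    return r, reveals


def verify(pk, message: bytes, sig) -> bool:
    """Accept iff every revealed value hashes to the public image selected
    by the corresponding bit of H(r || m)."""
    r, reveals = sig
    if len(reveals) != N:
        return False
    bits = digest_bits(r, message)
    return all(H(x) == pk[i][b] for i, (x, b) in enumerate(zip(reveals, bits)))


def forgery_needs(pk, message: bytes, sig, forged: bytes) -> list:
    """Public images a forger who holds `sig` (valid for `message`) would
    have to invert to sign `forged` under the same randomizer r.

    Every entry is a pk element whose pre-image was never revealed, so the
    forger must find one: a pre-image attack on H. Picking a new r' instead
    means finding H(r' || forged) == H(r || message): a second-pre-image
    attack. A collision between two messages of the forger's own choosing
    is useless here, because r is prepended and chosen only after the
    message is fixed."""
    r, _ = sig
    have = digest_bits(r, message)
    want = digest_bits(r, forged)
    return [pk[i][want[i]] for i in range(N) if want[i] != have[i]]


if __name__ == "__main__":
    sk, pk = keygen()
    msg, bad = b"transfer 10 units to Alice", b"transfer 99 units to Mallory"
    sig = sign(sk, msg)
    print("genuine verifies:", verify(pk, msg, sig))
    print("forged verifies:", verify(pk, bad, sig))
    print("images a forger would have to invert:", len(forgery_needs(pk, msg, sig, bad)))
```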
One reason that hash-based digital signatures might be useful is that if
an attacker has a sufficiently large quantum computer, they could forge
digital signatures that rely on factorization or discrete log, such as
RSA, DSA, ECDSA, or Ed25519. There is no reason to think that such a
quantum computer would enable them to break secure hash functions,
however.

Another reason is that even if the attacker does *not* have a
sufficiently large quantum computer, but has a mathematical breakthrough
that allows them to exploit the asymmetric crypto technique (such as
factoring, discrete log, code-based crypto, etc.), then they would be
able to exploit asymmetric-crypto-based digital signatures, but not
hash-based digital signatures.

What about in the other direction, though? Can't we imagine an attacker
who can break hash-based signatures but can't break
asymmetric-crypto-based signatures? No—there cannot be such an
attacker. Any attacker who can break hash-based signatures can also break
asymmetric-crypto-based signatures, because the latter rely on hash
functions in addition to relying on their asymmetric crypto primitives.

.. role:: y
.. role:: r
.. role:: g
.. role:: c
.. role:: o

*color key: is relying on this safe?*

:r:`unsafe`
  You can be exploited if you rely on this.

:g:`safe`
  There is no reason to believe that relying on this will make you
  vulnerable to exploitation.
*Figure 0: safety of digital signature algorithms*

+--------------------------------------------+-----------+------------------+--------------------------------+-----------------+----------------+
| digital signature type                     | today     | quantum computer | asymmetric crypto breakthrough | hash collisions | hash preimages |
+============================================+===========+==================+================================+=================+================+
| preimage-resistant-hash-based (`SPHINCS`_) | :g:`safe` | :g:`safe`        | :g:`safe`                      | :g:`safe`       | :r:`unsafe`    |
+--------------------------------------------+-----------+------------------+--------------------------------+-----------------+----------------+
| all other post-quantum                     | :g:`safe` | :g:`safe`        | :r:`unsafe`                    | :r:`unsafe`     | :r:`unsafe`    |
| (McEliece, NTRUsign,                       |           |                  |                                |                 |                |
| LWE, Ring-LWE,                             |           |                  |                                |                 |                |
| Lattice-based signatures,                  |           |                  |                                |                 |                |
| code-based signatures,                     |           |                  |                                |                 |                |
| Rainbow,                                   |           |                  |                                |                 |                |
| multivariate-quadratic,                    |           |                  |                                |                 |                |
| etc.)                                      |           |                  |                                |                 |                |
+--------------------------------------------+-----------+------------------+--------------------------------+-----------------+----------------+
| all others (RSA, DSA,                      | :g:`safe` | :r:`unsafe`      | :r:`unsafe`                    | :r:`unsafe`     | :r:`unsafe`    |
| ECDSA, Ed25519, etc.)                      |           |                  |                                |                 |                |
+--------------------------------------------+-----------+------------------+--------------------------------+-----------------+----------------+

When collision attacks *do* matter
==================================

Be careful about this! The ability to generate collisions can be
surprisingly harmful to many systems. This is one of those subtleties of
cryptographic engineering which frequently trip up engineers who are not
cryptography experts.
The famous “Internet Root Cert” attack [18]_ is an
example of engineers working at VeriSign incorrectly thinking that their
system was not threatened by collisions (in the absence of
second-pre-images).

`git`, which uses SHA-1, is like VeriSign's MD5 certificates in this
way—it is *believed* by its developers [50]_ that a mere collision attack
(not second-pre-image) against SHA-1 wouldn't make git users vulnerable
to malicious action, but no-one has written a security proof showing that
git is safe against this attack.

In contrast to VeriSign and git, the cryptographic constructions
mentioned above come with proofs showing that the security of the
construction is guaranteed, assuming the security of some underlying
component. For example, the hash-based digital signature SPHINCS_ comes
with a proof that *any possible* attack which couldn't generate
second-pre-images against the hash function couldn't forge signatures.

Results
=======

Here are the results of my search for all state-of-the-art attacks on
widely-studied hash functions.

*The bottom line is that no widely-studied hash function has ever
succumbed to a (second-)pre-image attack except for one.*

That single exception is the second-oldest secure hash function ever
designed, *Snefru*, which was designed in 1989 and 1990, and which turned
out to be vulnerable to differential cryptanalysis. Differential
cryptanalysis was discovered (by the open research community) in 1990.

No other widely-studied hash function has been shown to be vulnerable to
a practical (second-)pre-image attack.
Furthermore, no other widely-studied hash function has been shown to be
vulnerable to a (second-)pre-image attack that is more efficient than
brute force, even if we were to count attacks too expensive for anyone to
actually implement!

The history of (second-)pre-image attacks is therefore quite different
from the history of collision attacks. Most hash functions have been
proven vulnerable to collision attacks more efficient than brute force,
and even to collision attacks that could be implemented in practice.

History of attacks on hash functions
====================================

This is a timeline of the publication of hash functions and of
publication of weaknesses in hash functions.

I omit attacks on reduced-round or otherwise weakened variants of hash
functions (there are a lot of those). I omit attacks that have
unrealistic requirements, like attacks that require 2¹²⁸ precomputation
or require the messages to be 2⁵⁶ blocks long (there are a lot of those,
too).

*color key: is relying on this safe?*

:r:`no`
  You can be exploited if you rely on this.

:y:`maybe`
  There are known attacks but they are probably too expensive to
  actually implement. If the attacks have been secretly improved, or if
  the attacker has more efficient computational resources than we think,
  then maybe you can be exploited if you rely on this.

:o:`maybe`
  There are no known attacks that are cheaper than brute force, but the
  hash output size is small enough that brute force might be feasible,
  so maybe you can be exploited if you rely on this.

:g:`yes`
  There is no known attack cheaper than brute force, and to pay for a
  brute force attack is far, far beyond the bounds of possibility for
  the foreseeable future.
  There is no reason to believe that relying on
  this will make you vulnerable to exploitation.


.. csv-table:: Figure 1: Chronological view of collision attacks
   :widths: 12,5,5,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8
   :header: hash,bits ,cpb , '89 , '90 , '91 , '92 , '93 , '94 , '95 , '96 , '97 , '98 , '99 , '00 , '01 ,'02 , '03 , '04 , '05 , '06 , '07 , '08 , '09 , '10 , '11 , '12 , '13 , '14 , '15 , '16 , '17

   MD2 , :o:` ` 128, 638, :y:` ` [21]_, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` `, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` `, :r:` ` [*]_, :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   Snefru-2 , :o:` ` 128, \?, , :y:` ` [3]_ , :r:` ` [19]_, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   MD4 , :o:` ` 128, 4.0, , :y:` ` [22]_, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :r:` ` [20]_, :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   RIPEMD , :o:` ` 128, \?, , :y:` ` [23]_, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` `, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :r:` ` [7]_, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   MD5 , :o:` ` 128, 5.1, , , , :y:` ` [24]_, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` `, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :r:` ` [7]_, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   HAVAL-256-3 , 256, \?, , , , :g:` ` [25]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :r:` ` [11]_, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   SHA-0 , :o:` ` 160, \?, , , , , :g:` ` [26]_, :g:` ` , :y:` ` [*]_ , :y:` ` , :y:` ` , :y:` ` , :y:` `, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :r:` ` [27]_, :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   GOST , 256, \?, , , , , , :g:` ` [28]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :y:` ` [14]_, :y:` `, :y:` ` , :y:` `, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` ` , :y:` `
   SHA-1 , :o:` ` 160, 18, , , , , , , :g:` ` [29]_, :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :r:` ` [15]_, :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` [51]_, :r:` ` , :r:` ` , :r:` ` , :r:` ` [53]_
   RIPEMD-160 , :o:` ` 160, 17, , , , , , , , :g:` ` [30]_, :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :o:` ` [*]_, :o:` `, :o:` ` , :o:` ` , :o:` ` , :o:` ` , :o:` ` , :o:` `
   Tiger , 192, 6.2, , , , , , , , :g:` ` [31]_, :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   Panama , 512, 2.5, , , , , , , , , , :g:` ` [33]_, :g:` `, :g:` ` , :g:` ` , :y:` ` [34]_, :y:` ` , :y:` ` , :y:` ` , :y:` ` , :r:` ` [35]_, :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `
   Whirlpool , 512, 50, , , , , , , , , , , , :g:` ` [32]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   SHA-256 , 256, 19, , , , , , , , , , , , , :g:` ` [37]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   RadioGatún , 256, \?, , , , , , , , , , , , , , , , , , :g:` ` [38]_, :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   Skein , 256, 8.7, , , , , , , , , , , , , , , , , , , , :g:` ` [39]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   Blake , 256, 17, , , , , , , , , , , , , , , , , , , , :g:` ` [40]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   Grøstl , 256, 24, , , , , , , , , , , , , , , , , , , , :g:` ` [41]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   Keccak (SHA-3), 256, 16, , , , , , , , , , , , , , , , , , , , :g:` ` [42]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   JH , 256, 20, , , , , , , , , , , , , , , , , , , , :g:` ` [43]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `
   BLAKE2 , 256, 5.7, , , , , , , , , , , , , , , , , , , , , , , , :g:` ` [44]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `

.. csv-table:: Figure 2: Chronological view of (second-)pre-image attacks
   :widths: 12,5,5,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8
   :header: hash ,bits ,cpb , '89 , '90 , '91 , '92 , '93 , '94 , '95 , '96 , '97 , '98 , '99 , '00 , '01 ,'02 , '03 , '04 , '05 , '06 , '07 , '08 , '09 , '10 , '11 , '12 , '13 , '14, '15, '16, '17

   MD2 , :c:` ` 128, 638, :g:` ` [21]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Snefru-2 , :c:` ` 128, \?, , :g:` ` [3]_ , :r:` ` [19]_, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` ` , :r:` `, :r:` `, :r:` `, :r:` `, :r:` `
   MD4 , :c:` ` 128, 4.0, , :g:` ` [22]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   RIPEMD , :c:` ` 128, \?, , :g:` ` [23]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   MD5 , :c:` ` 128, 5.1, , , , :g:` ` [24]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   HAVAL-256-3 , 256, \?, , , , :g:` ` [25]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   SHA-0 , :c:` ` 160, \?, , , , , :g:` ` [26]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   GOST , 256, \?, , , , , , :g:` ` [28]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   SHA-1 , :c:` ` 160, 18, , , , , , , :g:` ` [29]_, :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   RIPEMD-160 , :c:` ` 160, 17, , , , , , , , :g:` ` [30]_, :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Tiger , 192, 6.2, , , , , , , , :g:` ` [31]_, :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Panama , 512, 2.5, , , , , , , , , , :g:` ` [33]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Whirlpool , 512, 50, , , , , , , , , , , , :g:` ` [32]_, :g:` `, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   SHA-256 , 256, 19, , , , , , , , , , , , , :g:` ` [37]_, :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   RadioGatún , 256, \?, , , , , , , , , , , , , , , , , , :g:` ` [38]_, :g:` ` , :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Skein , 256, 8.7, , , , , , , , , , , , , , , , , , , , :g:` ` [39]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Blake , 256, 17, , , , , , , , , , , , , , , , , , , , :g:` ` [40]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Grøstl , 256, 24, , , , , , , , , , , , , , , , , , , , :g:` ` [41]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   Keccak (SHA-3), 256, 16, , , , , , , , , , , , , , , , , , , , :g:` ` [42]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   JH , 256, 20, , , , , , , , , , , , , , , , , , , , :g:` ` [43]_, :g:` `, :g:` ` , :g:` `, :g:` ` , :g:` `, :g:` `, :g:` `, :g:` `, :g:` `
   BLAKE2 , 256, 5.7, , , , , , , , , , , , , , , , , , , , , , , , :g:` ` [44]_, :g:` `, :g:` `, :g:` `, :g:` `, :g:` `

I label an attack as cheaper than brute force only if the attack comp
times the attack mem is less than the cost of brute force search (see
[1]_).

If you are aware of any other papers which fit these criteria, or if you spot
an error in this document, please write to me: zooko@z.cash .

*Figure 3: Survey of the best known attacks on secure hash functions*

+----------------------+------+------+-----+-----------------------------------+---------------------------------+
| hash                 | year | bits | cpb | collision attacks                 | (second-)preimage attacks       |
|                      |      |      |     +------------+------+-----+---------+------------+------+-----+-------+
|                      |      |      |     | safe?      | comp | mem | ref     | safe?      | comp | mem | ref   |
+======================+======+======+=====+============+======+=====+=========+============+======+=====+=======+
| MD2                  | 1989 | 128  | 638 | :r:`no`    | 2⁶⁴  | 2⁰  | `[†]`_  | :g:`yes`   | 2⁷²  | 2⁷² | [2]_  |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Snefru-2 [3]_        | 1990 | 128  | \?  | :r:`no`    | 2¹³  | 2⁰  | [4]_    | :r:`no`    | 2²⁵  | 2⁰  | [4]_  |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| MD4                  | 1990 | 128  | 4.0 | :r:`no`    | 2²   | 2⁰  | [6]_    | :g:`yes`   | 2⁹⁵  | 2³⁸ | [5]_  |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| RIPEMD               | 1990 | 128  | \?  | :r:`no`    | 2¹⁸  | 2⁰  | [36]_   | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| MD5                  | 1992 | 128  | 5.1 | :r:`no`    | 2²⁴  | 2⁰  | [9]_    | :g:`yes`   | 2¹²³ | 2⁴⁸ | [8]_  |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| HAVAL-256-3 [25]_    | 1992 | 256  | \?  | :r:`no`    | 2²⁹  | 2⁰  | [11]_   | :g:`yes`   | 2²²⁵ | 2⁶⁸ | [10]_ |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| SHA-0                | 1993 | 160  | \?  | :r:`no`    | 2³⁴  | 2⁰  | [13]_   | :g:`yes`   | 2¹⁸⁹ | 2⁸  |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| GOST                 | 1994 | 256  | \?  | :y:`maybe` | 2¹⁰⁵ | 2⁰  | [14]_   | :g:`yes`   | 2¹⁹² | 2⁷⁰ | [14]_ |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| SHA-1                | 1995 | 160  | 18  | :r:`no`    | 2⁶³  | 2⁰  | [53]_   | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| RIPEMD-160 [30]_     | 1996 | 160  | 17  | :o:`maybe` | 2⁸⁰  | 2⁰  | `[§]`_  | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Tiger [31]_          | 1996 | 192  | 6.2 | :g:`yes`   |      |     |         | :g:`yes`   | 2¹⁸⁹ | 2⁸  | [16]_ |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Panama [33]_         | 1998 | 512  | 2.5 | :r:`no`    | 2⁶   | 2⁰  | [17]_   | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Whirlpool [32]_      | 2000 | 512  | 50  | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| SHA-256 [37]_ [52]_  | 2001 | 256  | 19  | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| RadioGatún [38]_     | 2006 | 256  | \?  | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Skein [39]_          | 2008 | 256  | 8.7 | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Blake [40]_          | 2008 | 256  | 17  | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Grøstl [41]_         | 2008 | 256  | 24  | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| Keccak (SHA-3) [42]_ | 2008 | 256  | 16  | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| JH [43]_             | 2008 | 256  | 20  | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+
| BLAKE2 [44]_         | 2012 | 256  | 5.7 | :g:`yes`   |      |     |         | :g:`yes`   |      |     |       |
+----------------------+------+------+-----+------------+------+-----+---------+------------+------+-----+-------+

*legend:*

* *bits*: the number of bits of output
* *cpb*: cycles per byte [*]
* *comp*: approximate computation required for the attack
* *mem*: approximate memory required for the attack

.. [*] Cycles per byte were taken from ebash's amd64-pluton1mn_,
   4096-byte blocks, median measurement, except for Tiger, which is
   not measured on that machine and was instead taken from ebash's
   amd64-h9ivy_, and Panama, which is not measured on ebash.
   For Panama, I measured it on my laptop (an Intel(R) Core(TM) i5-3427U,
   which is similar to the ebash amd64-h9ivy_ machine) with Crypto++
   v5.6.2's implementation of Panama. I also measured MD5, SHA-1,
   SHA-256, SHA-512, SHA-3-256, SHA-3-512, Tiger, Whirlpool, and
   RIPEMD-160 on my machine and confirmed that their measurements on
   my machine were similar to the measurements posted from
   amd64-h9ivy_.

.. | Snefru-3 [3]_ | | | | :r:`no` | 2²⁹ | 2⁰ | | :r:`no` | 2⁵⁶ | 2⁰ | |
.. +----------------+ | +-----+------------+------+-----+ +------+-----+------+-----+ +
.. | Snefru-4 [3]_ | | | | :r:`no` | ≥2⁴⁵ | 2⁰ | | :y:`maybe` | ≥2⁸⁸ | 2⁰ | |
.. +----------------+------+----------+-----+------------+------+-----+-------+------------+------+-----+-------+
.. +----------------+ | +-----+------------+------+-----+-------+------+-----+------+-----+-------+
.. | HAVAL-256-4 | | | | :r:`no` | 2³⁶ | 2⁰ | [12]_ | :g:`yes` | 2²⁵⁴ | 2⁶⁸ | |
.. +----------------+ | +-----+------------+------+-----+-------+------+-----+------+-----+-------+
.. | HAVAL-256-5 | | | | :y:`maybe` | 2¹²³ | 2⁰ | | :g:`yes` | 2²⁵⁵ | 2⁶⁸ | |


.. _[†]:

.. [*] For MD2, I marked it as "maybe" safe in the collisions column up
   until 2010 and then marked it as "no". This is even though there
   are no known collision attacks on it better than brute
   force. This is because MD2's 128-bit output means the brute force
   attack takes only 2⁶⁴ comp and negligible memory to find a
   collision. To do that much comp has become feasible over the last
   few years. For example, in 2014 the Bitcoin mining network was
   doing it approximately every 10 minutes [45]_, [46]_!

.. [*] SHA-0 was considered unsafe beginning in 1995, not because of any
   published attack on it, nor because the 2⁸⁰ work factor for the
   brute force collision attack was feasible, but because the NSA had
   asserted that something was wrong with SHA-0 when they published
   SHA-1.

.. _[§]:

.. [*] RIPEMD-160's 160-bit output means it takes only 2⁸⁰ comp and
   negligible memory to find a collision. In my estimation this was
   safe until recently and is now “maybe” safe. See also [47]_ and
   Table 5.1 of [49]_.

.. XXX Hm, actually maybe 2⁸⁰ is now unsafe! https://twitter.com/josephbonneau/status/436362370785751040

Discussion
==========

The main result of this investigation is that there is a big gap between
the historical successes of collision attacks and the almost
non-existent successes of pre-image attacks. This is evidence that a
cryptosystem which cannot be broken by collision attacks (even if it
could still be broken by pre-image attacks) is much stronger than one
which can be broken by collision attacks.

Another interesting pattern that I perceive in these results is that
*maybe* sometime between 1996 (Tiger) and 2000 (Whirlpool), humanity
learned how to make collision-resistant hash functions, and none of the
prominent secure hash functions designed since that era have succumbed to
collision attacks.

Or maybe this is just a 15-year-long hiatus, and in the future we'll
discover how to perform collision attacks against the "modern" secure
hash functions. Looking in the rearview mirror can't answer that for us.

Acknowledgments
===============

Thanks to Daira Hopwood, Andreas Hülsing, and Samuel Neves for comments on this note.


.. _SPHINCS: https://sphincs.cr.yp.to/ Bernstein-2014 “SPHINCS: practical stateless hash-based signatures”
[1] http://cr.yp.to/papers.html#bruteforce Bernstein-2005 411 | .. [2] http://www.springerlink.com/content/qn746388035614r1/ Knudsen-2007 412 | .. [3] http://www.springerlink.com/content/t10683l407363633/ Merkle-1990 413 | .. [4] http://www.springerlink.com/content/208q118x13181g32/ Biham-2008 414 | .. [5] http://eprint.iacr.org/2010/583 Zhong-2010 415 | .. [6] http://www.springerlink.com/content/v6526284mu858v37/ Naito-2006 416 | .. [7] http://eprint.iacr.org/2004/199 Wang-2004 “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD” 417 | .. [8] http://www.springerlink.com/content/d7pm142n58853467/ Sasaki-2009 418 | .. [9] http://marc-stevens.nl/research/papers/MTh%20Marc%20Stevens%20-%20On%20Collisions%20for%20MD5.pdf Stevens-2007 419 | .. [10] http://www.springerlink.com/content/d382324nl16251pp/ Sasaki-2008 420 | .. [11] http://academic.research.microsoft.com/Publication/676305/cryptanalysis-of-3pass-haval Van-Rompay-2003 421 | .. [12] http://www.springerlink.com/content/0n9018738x721090/ Yu-2006 422 | .. [13] http://www.springerlink.com/content/3810jp9730369045/ Manuel-2008 423 | .. [14] http://www.cosic.esat.kuleuven.be/publications/article-2091.pdf Mendel-2008 424 | .. [15] http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf Wang-2005b “Finding Collisions in the Full SHA-1” 425 | .. [16] http://eprint.iacr.org/2010/016 Guo-2010 426 | .. [17] http://radiogatun.noekeon.org/panama/PanamaAttack.pdf Daemen-2007 “Producing Collisions for Panama, Instantaneously” 427 | .. [18] http://www.win.tue.nl/hashclash/rogue-ca/ Sotirov-2009 428 | .. [19] http://link.springer.com/chapter/10.1007%2F3-540-46766-1_11 Biham-1991 429 | .. [20] http://repo.zenk-security.com/Cryptographie%20.%20Algorithmes%20.%20Steganographie/Cryptanalysis%20of%20MD4.pdf .. Dobbertin-1995 430 | .. [21] https://tools.ietf.org/html/rfc1115 431 | .. [22] https://tools.ietf.org/html/rfc1186 432 | .. 
[23] http://books.google.com/books?id=9Zi0__jNRvEC&lpg=PA1&ots=NJoLlc8QRz&dq=%E2%80%9CIntegrity%20Primitives%20for%20Secure%20Information%20Systems.%20Final%20Report%20of%20RACE%20Integrity%20Primitives%20Evaluation%20(RIPE-RACE%201040)%2C%E2%80%9D&lr&pg=PA71#v=onepage&q=ripemd&f=false 433 | .. [24] https://tools.ietf.org/html/rfc1321 434 | .. [25] http://labs.calyptix.com/files/haval-paper.pdf Zheng-1992 “HAVAL – a one-way hashing algorithm with variable length of output” 435 | .. [26] "FIPS PUB 180 / Federal Information Processing Standards Publication 180 / 1993 MAY 11" 436 | .. [27] http://link.springer.com/chapter/10.1007%2F11426639_3 Biham-2005 “Collisions of SHA-0 and Reduced SHA-1” 437 | .. [28] "GOST 34.11-94, Information Technology Cryptographic Data Security Hashing Function (1994) (in Russian)" 438 | .. [29] http://itl.nist.gov/fipspubs/fip180-1.htm SHA-1 439 | .. [30] http://link.springer.com/chapter/10.1007%2F3-540-60865-6_44 “RIPEMD-160: A Strengthened Version of RIPEMD” 440 | .. [31] http://link.springer.com/chapter/10.1007/3-540-60865-6_46 Anderson-1996 “Tiger: A fast new hash function” 441 | .. [32] http://cryptospecs.googlecode.com/svn/trunk/hash/specs/whirlpool.pdf Barreto-2000 “The WHIRLPOOL Hashing Function” 442 | .. [33] http://link.springer.com/chapter/10.1007/3-540-69710-1_5 Daemen-1998 “Fast Hashing and Stream Encryption with Panama” 443 | .. [34] http://www.cosic.esat.kuleuven.be/publications/article-81.pdf Rijmen-2002 “Producing Collisions for PANAMA” 444 | .. [35] http://radiogatun.noekeon.org/panama/ Daemen-2007 “Producing Collisions for Panama, Instantaneously” 445 | .. [36] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.106.4759 Wang-2005a “Cryptanalysis of the hash functions MD4 and RIPEMD” 446 | .. [37] http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf “FIPS Publication 180-2” 447 | .. [38] http://radiogatun.noekeon.org/ Bertoni-2006 “The RadioGatún Hash Function Family” 448 | .. 
[39] http://www.skein-hash.info/sites/default/files/skein1.3.pdf Ferguson-2008 “The Skein Hash Function Family” 449 | .. [40] https://131002.net/blake/ Aumasson-2008 “SHA-3 proposal BLAKE” 450 | .. [41] http://www.groestl.info/ Gauravaram-2008 “Grøstl – a SHA-3 candidate” 451 | .. [42] http://keccak.noekeon.org/ Bertoni-2008 “The Keccak sponge function family” 452 | .. [43] http://www3.ntu.edu.sg/home/wuhj/research/jh/ Wu-2008 “The Hash Function JH” 453 | .. [44] https://blake2.net/ Aumasson-2012 “BLAKE2: simpler, smaller, fast as MD5” 454 | .. [45] https://en.bitcoin.it/wiki/Difficulty 455 | .. [46] http://bitcoin.sipa.be/ 456 | .. [47] http://www.keylength.com/en/3/ 457 | .. [49] http://www.ecrypt.eu.org/documents/D.SPA.20.pdf Smart-2012 “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)” 458 | .. [50] http://www.mail-archive.com/cryptography@metzdowd.com/msg10800.html Linus Torvalds email 459 | .. [51] http://oai.cwi.nl/oai/asset/21208/21208B.pdf Stevens-2013 “New collision attacks on SHA-1 based on optimal joint local-collision analysis” 460 | .. [52] https://www.google.com/patents/US6829355 SHA-2 patent filed 2001 461 | .. [53] http://shattered.io/static/shattered.pdf Stevens-2017 “The first collision for full SHA-1” 462 | 463 | 464 | .. .. _Leurent-2008: http://www.di.ens.fr/~leurent/files/MD4_FSE08.pdf 465 | .. .. _SHA-3-Zoo: http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo 466 | .. _amd64-h9ivy: http://bench.cr.yp.to/results-hash.html#amd64-h9ivy 467 | .. _amd64-pluton1mn: http://bench.cr.yp.to/results-hash.html#amd64-pluton1mn 468 | 469 | 470 | 471 | :Author: Zooko Wilcox-O'Hearn 472 | :Contact: zooko@z.cash 473 | :Affiliation: Zcash 474 | :Revision: 2017-02-24 475 | :Date: 2017-02-24 476 | :License: `Creative Commons Attribution 4.0 International License`_ 477 | 478 | .. _Creative Commons Attribution 4.0 International License: http://creativecommons.org/licenses/by/4.0/deed.en_US 479 | 480 | 481 | .. 
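
The brute-force collision cost that the MD2 and RIPEMD-160 footnotes above rely on (an n-bit output gives a generic birthday attack of about 2^(n/2) work, so 2⁶⁴ for MD2 and 2⁸⁰ for RIPEMD-160) can be worked through in a few lines. The following Python is an added example written for this page; it is not code from the survey or from any of the cited projects. The hash-rate figures it uses are assumed values for illustration, the random inputs are constructed, and the 24-bit truncation of SHA-256 is a stand-in for a short hash so the birthday search finishes in well under a second. The relation "expected hashes per Bitcoin block = difficulty × 2³²" is the standard one behind the footnote's comparison.

```python
# Added example (not from the original survey): the birthday bound behind
# the MD2 and RIPEMD-160 footnotes, plus an empirical check on a truncated
# SHA-256 so the 2^(n/2) scaling can be observed directly.
import hashlib
import os


def birthday_work_bits(output_bits):
    """Generic collision work for an n-bit hash is about 2^(n/2) evaluations.

    128-bit MD2 -> 2^64, 160-bit RIPEMD-160 -> 2^80, 256-bit SHA-256 -> 2^128.
    """
    return output_bits // 2


def expected_seconds(output_bits, hashes_per_second):
    """Wall-clock time for the generic birthday attack at an assumed hash rate."""
    return 2.0 ** birthday_work_bits(output_bits) / hashes_per_second


def bitcoin_hashes_per_block(difficulty):
    """Expected SHA-256d evaluations per Bitcoin block: difficulty * 2^32.

    At difficulty ~2^32 the network does ~2^64 hashes per ten-minute block,
    which is the comparison the MD2 footnote draws.
    """
    return difficulty * 2.0 ** 32


def truncated_tag(message, bits):
    """SHA-256 truncated to its low `bits` bits, standing in for a short hash."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest & ((1 << bits) - 1)


def find_truncated_collision(bits):
    """Birthday search: hash random messages until two share a truncated tag.

    Returns (m1, m2, tries). Memory holds every tag seen (about 2^(bits/2)
    entries) and `tries` clusters around 1.25 * 2^(bits/2).
    """
    seen = {}
    tries = 0
    while True:
        m = os.urandom(16)  # constructed random input
        tries += 1
        tag = truncated_tag(m, bits)
        other = seen.get(tag)
        if other is not None and other != m:
            return other, m, tries
        seen[tag] = m


if __name__ == "__main__":
    for name, n in (("MD2", 128), ("RIPEMD-160", 160), ("SHA-256", 256)):
        print(f"{name}: ~2^{birthday_work_bits(n)} hashes for a generic collision")
    # Assumed rate for illustration only: 2^64 hashes per 600 s, i.e. a
    # network that meets the MD2 birthday bound once every ten minutes.
    rate = 2.0 ** 64 / 600
    years = expected_seconds(160, rate) / (86400 * 365)
    print(f"RIPEMD-160 at that rate: about {years:.2f} years")
    a, b, tries = find_truncated_collision(24)
    print(f"24-bit truncation: collision after {tries} tries "
          f"(expected ~{1.25 * 2 ** 12:.0f})")
```

Two things the numbers make concrete: the same machine that crosses the 2⁶⁴ MD2 bound in ten minutes crosses the 2⁸⁰ RIPEMD-160 bound in a little over a year, which is why the footnote's "maybe" is time-dependent rather than a property of the algorithm; and the birthday search on the truncated hash needs only memory and random inputs, no structural weakness in the function, so an output length is a ceiling on collision resistance that no design can raise.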
--------------------------------------------------------------------------------
/valerieaurora.org-hash-crop-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zooko/hash-function-survey/116a3aa4d27d81f86e96475e441c91ea4bfcfe2c/valerieaurora.org-hash-crop-2.png
--------------------------------------------------------------------------------