Approved Algorithms |SHA-3 Derived Functions |Security Strengths |Testing Implementations
Approved Algorithms
A hash algorithm is used to map a message of arbitrary length to a fixed-length message digest. Approved hash algorithms for generating a condensed representation of a message (message digest) are specified in two Federal Information Processing Standards: FIPS 180-4, Secure Hash Standard and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.
FIPS 180-4 specifies seven hash algorithms:
- SHA-1 (Secure Hash Algorithm-1), and the
- SHA-2 family of hash algorithms: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
NIST deprecated the use of SHA-1 in 2011 and disallowed its use for digital signatures at the end of 2013, based on both the Wang et. al attack and the potential for brute-force attack. In December 2022, NIST published the plan to transition away from the current limited use of the SHA-1.
FIPS 202 specifies the new SHA-3 family of permutation-based functions based on KECCAK as a result of the “SHA-3” Cryptographic Hash Algorithm Competition. FIPS 202 specifies:
- Four fixed-length hash algorithms: SHA3-224, SHA3-256, SHA3-384, and SHA3-512; and
- Two closely related, “extendable-output” functions (XOFs): SHAKE128 and SHAKE256.
Currently only the four fixed-length SHA-3 algorithms are approved hash algorithms, providing alternatives to the SHA-2 family of hash functions. The XOFs can be specialized to hash functions, subject to additional security considerations.
Back to Top
SHA-3 Derived Functions
NIST SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash
In addition to four fixed-length hash functions, FIPS 202 also defines two eXtendable Output Functions, SHAKE128 and SHAKE256. Unlike the fixed-length hash functions, these SHAKE functions support variable-length outputs, and are named for their expected security strengths.
FIPS 202 also supports a flexible scheme for domain separation between different functions derived from KECCAK, ensuring that different named functions will produce unrelated outputs. NIST extends this flexibility further to allow users to customize their use of the functions by defining a customizable version of SHAKE, called cSHAKE.
Back to Top
Security Strengths of Approved Hash Functions
An approved hash function is expected to have the following three properties:
- Collision resistance: It is computationally infeasible to find two different inputs to the hash function that have the same hash value.
- Preimage resistance: Given a randomly chosen hash value, it is computationally infeasible to find an input message that hashes to this hash value.
- Second preimage resistance: It is computationally infeasible to find a second input that has the same hash value as any other specified input.
The security strengths of NIST approved hash functions are summarized below. L(M) is defined as \([log_2 = {len(M) \over B}]\), where len(M) is the length of message M in bits and B is the block length of the functions in bits, B = 512 for SHA-1, SHA-224, and SHA-256 and B =1024 for SHA-512.
| Collision Resistance
Strength in bits | Preimage Resistance
Strength in bits | Second Preimage Resistance
Strength in bits |
|---|
| SHA-1 | <80 | 160 | 160 – L (M) |
| SHA-224 | 112 | 224 | min(224, 256 – L (M)) |
| SHA-256 | 128 | 256 | 256 – L (M) |
| SHA-384 | 192 | 384 | 384 |
| SHA-512 | 256 | 512 | 512 – L (M) |
| SHA-512/224 | 112 | 224 | 224 |
| SHA-512/256 | 128 | 256 | 256 |
| SHA3-224 | 112 | 224 | 224 |
| SHA3-256 | 128 | 256 | 256 |
| SHA3-384 | 192 | 384 | 384 |
| SHA3-512 | 256 | 512 | 512 |
Back to Top
Testing Hash Function Implementations
Testing requirements and validation lists are available from the Cryptographic Algorithm Validation Program (CAVP).
Implementation-related References
Back to Top
FAQs
There is a simple formula that can help you find the optimal number of hash functions for a given Bloom filter size and expected number of elements. The formula is: k = (m/n) * ln(2) where m is the size of the bit array, n is the expected number of elements, and ln(2) is the natural logarithm of 2.
How do you know if a hash function is good? ›
A good hash function satisfies two basic properties: 1) it should be very fast to compute; 2) it should minimize duplication of output values (collisions).
What are the weaknesses of hash functions? ›
Disadvantages of Hash:
- Hash is inefficient when there are many collisions.
- Hash collisions are practically not be avoided for large set of possible keys.
- Hash does not allow null values.
- Hash tables have a limited capacity and will eventually fill up.
- Hash tables can be complex to implement.
Ideally, hash functions should be irreversible. Meaning that while it is quick and easy to compute the hash if you know the input message for any given hash function, it is very difficult to go through the process in reverse to compute the input message if you only know the hash value.
What is a good enough hash function? ›
A good hash function has the following properties: Given a hash of a message it is computationally infeasible for an attacker to find another message such that their hashes are identical. Given a pair of message, m' and m, it is computationally infeasible to find two such that that h(m) = h(m')
What is the golden ratio of hash functions? ›
Hence, if φ = (sqrt(5)+1)/2 = 1.61803398875 is the Golden Ratio, the hash function calculates the fractional part of n * φ, which has nice scattering properties. To convince yourself, just create a scatter plot of (n, n*c-FLOOR(n*c)) in your favourite spreadsheet, replacing c with φ, e, π, etc.
What makes a bad hash function? ›
A lot of obvious hash function choices are bad. For example, if we're mapping names to phone numbers, then hashing each name to its length would be a very poor function, as would a hash function that used only the first name, or only the last name. We want our hash function to use all of the information in the key.
What is a good hash function complexity? ›
The time and space complexity for a hash map (or hash table) is not necessarily O(n) for all operations. The typical and desired time complexity for basic operations like insertion, lookup, and deletion in a well-designed hash map is O(1) on average.
What are the qualities of a good hash function? ›
Characteristics of a Good Hash Function. There are four main characteristics of a good hash function: 1) The hash value is fully determined by the data being hashed. 2) The hash function uses all the input data. 3) The hash function "uniformly" distributes the data across the entire set of possible hash values.
What is the weakest hash function? ›
The worst hash function is one that returns a constant value. I.e. all objects of that type have the same hash value, resulting in tons of collisions.
Common attacks like brute force attacks can take years or even decades to crack the hash digest, so SHA-2 is considered the most secure hash algorithm.
What are the 3 main properties of hash function? ›
It achieves the three basic properties required from a cryptographic hash function: collision (Coll), second preimage (Sec) and preimage (Pre) security.
What is the most commonly used hash function? ›
There are multiple types of hashing algorithms, but the most common are Message Digest 5 (MD5) and Secure Hashing Algorithm (SHA) 1 and 2. The slightest change in the data will result in a dramatic difference in the resulting hash values.
What is one of the most common uses for the hash function? ›
Data Integrity: Hash functions are used to ensure the integrity of data by generating checksums. Cryptography: In cryptographic applications, hash functions are used to create secure hash algorithms like SHA-256.
What is the most efficient hashing method? ›
To protect passwords, experts suggest using a strong and slow hashing algorithm like Argon2 or Bcrypt, combined with salt (or even better, with salt and pepper). (Basically, avoid faster algorithms for this usage.) To verify file signatures and certificates, SHA-256 is among your best hashing algorithm choices.
What is the optimal hash size? ›
When choosing an optimal hash size, consider the data type, the row data, and the database size (especially if a table contains many rows). The only way to determine if you have chosen an optimal hash size is to run benchmark tests against your UltraLite client application on the target device.
Why is 31 used in hash functions? ›
There is perhaps a couple of reasons for choosing 31. The main reason is that it is a prime number and prime numbers have better distribution results in hashing algorithms, by other words the hashing outputs have less collisions for different inputs.
What is the recommended hash function? ›
To protect passwords, experts suggest using a strong and slow hashing algorithm like Argon2 or Bcrypt, combined with salt (or even better, with salt and pepper). (Basically, avoid faster algorithms for this usage.) To verify file signatures and certificates, SHA-256 is among your best hashing algorithm choices.
What is a perfect family of hash functions? ›
An (n, k)-family of perfect hash functions is a family of functions from [n] to [k] such that for every S ⊆ [n], |S| = k, there exists a function in the family that is 1-1 on S. There is an extensive literature dealing with explicit constructions of perfect hash functions.
