Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Hash Functions

Overview

Approved Algorithms   |  SHA-3 Derived Functions  |  Security Strengths  |  Testing Implementations

Approved Algorithms

A hash algorithm is used to map a message of arbitrary length to a fixed-length message digest. Approved hash algorithms for generating a condensed representation of a message (message digest) are specified in two Federal Information Processing Standards: FIPS 180-4, Secure Hash Standard and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.

FIPS 180-4 specifies seven hash algorithms:

  • SHA-1 (Secure Hash Algorithm-1), and the
  • SHA-2 family of hash algorithms: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

NIST deprecated the use of SHA-1 in 2011 and disallowed its use for digital signatures at the end of 2013, based on both the Wang et. al attack and the potential for brute-force attack. In December 2022, NIST published the plan to transition away from the current limited use of the SHA-1.

FIPS 202 specifies the new SHA-3 family of permutation-based functions based on KECCAK as a result of the “SHA-3” Cryptographic Hash Algorithm Competition. FIPS 202 specifies:

  • Four fixed-length hash algorithms: SHA3-224, SHA3-256, SHA3-384, and SHA3-512; and
  • Two closely related, “extendable-output” functions (XOFs): SHAKE128 and SHAKE256.

Currently only the four fixed-length SHA-3 algorithms are approved hash algorithms, providing alternatives to the SHA-2 family of hash functions. The XOFs can be specialized to hash functions, subject to additional security considerations.

Back to Top

SHA-3 Derived Functions

NIST SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash

In addition to four fixed-length hash functions, FIPS 202 also defines two eXtendable Output Functions, SHAKE128 and SHAKE256. Unlike the fixed-length hash functions, these SHAKE functions support variable-length outputs, and are named for their expected security strengths.

FIPS 202 also supports a flexible scheme for domain separation between different functions derived from KECCAK, ensuring that different named functions will produce unrelated outputs. NIST extends this flexibility further to allow users to customize their use of the functions by defining a customizable version of SHAKE, called cSHAKE.

Back to Top

Security Strengths of Approved Hash Functions

An approved hash function is expected to have the following three properties:

  • Collision resistance: It is computationally infeasible to find two different inputs to the hash function that have the same hash value.
  • Preimage resistance: Given a randomly chosen hash value, it is computationally infeasible to find an input message that hashes to this hash value.
  • Second preimage resistance: It is computationally infeasible to find a second input that has the same hash value as any other specified input.

The security strengths of NIST approved hash functions are summarized below. L(M) is defined as \([L(M)=log_2 {len(M) \over B}]\), where len(M) is the length of message M in bits and B is the block length of the functions in bits, B = 512 for SHA-1, SHA-224, and SHA-256 and B = 1024 for SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

  Collision Resistance
Strength in bits
Preimage Resistance
Strength in bits
Second Preimage Resistance
Strength in bits
SHA-1 <80 160 160 – L (M)
SHA-224 112 224 min(224, 256 – L (M))
SHA-256 128 256 256 – L (M)
SHA-384 192 384 384
SHA-512 256 512 512 – L (M)
SHA-512/224 112 224 224
SHA-512/256 128 256 256
SHA3-224 112 224 224
SHA3-256 128 256 256
SHA3-384 192 384 384
SHA3-512 256 512 512
The values in this table were derived from Kelsey J. and Schneier B., Second Preimages on n-bit Hash Functions for Much Less than 2n Work, Lecture Notes in Computer Science, Vol. 3494, Springer, 2005. The collision resistance strength in bits is equal to half of the output size of the hash function. The preimage resistance strength in bits is equal to the output size of the hash function. The second preimage resistance strength in bits is equal to the minimum of the output size of the hash function, and the output size of the hash function minus L(M). In cases where one value is always less than the other for all message sizes, the table simply lists that value.

Back to Top

Testing Hash Function Implementations

Testing requirements and validation lists are available from the Cryptographic Algorithm Validation Program (CAVP).

Implementation-related References

Back to Top

Created January 04, 2017, Updated June 16, 2023