This page uses content from Wikipedia and is licensed under CC BY-SA.

The **Secure Hash Algorithms** are a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS), including:

**SHA-0**: A retronym applied to the original version of the 160-bit hash function published in 1993 under the name "SHA". It was withdrawn shortly after publication due to an undisclosed "significant flaw" and replaced by the slightly revised version SHA-1.**SHA-1**: A 160-bit hash function which resembles the earlier MD5 algorithm. This was designed by the National Security Agency (NSA) to be part of the Digital Signature Algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.**SHA-2**: A family of two similar hash functions, with different block sizes, known as*SHA-256*and*SHA-512*. They differ in the word size; SHA-256 uses 32-bit words where SHA-512 uses 64-bit words. There are also truncated versions of each standard, known as*SHA-224*,*SHA-384*,*SHA-512/224*and*SHA-512/256*. These were also designed by the NSA.**SHA-3**: A hash function formerly called*Keccak*, chosen in 2012 after a public competition among non-NSA designers. It supports the same hash lengths as SHA-2, and its internal structure differs significantly from the rest of the SHA family.

The corresponding standards are FIPS PUB 180 (original SHA), FIPS PUB 180-1 (SHA-1), FIPS PUB 180-2 (SHA-1, SHA-256, SHA-384, and SHA-512). NIST has updated Draft FIPS Publication 202, SHA-3 Standard separate from the Secure Hash Standard (SHS).

In the table below, *internal state* means the "internal hash sum" after each compression of a data block.

Algorithm and variant | Output size (bits) |
Internal state size (bits) |
Block size (bits) |
Max message size (bits) |
Rounds | Operations | Security bits (Info) |
Capacity against length extension attacks |
Performance on Skylake (median cpb)^{[1]} |
First Published | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|

long messages | 8 bytes | |||||||||||

MD5 (as reference) |
128 | 128 (4 × 32) |
512 | Unlimited^{[2]} |
64 | And, Xor, Rot, Add (mod 2^{32}), Or |
<64 (collisions found) |
0 | 4.99 | 55.00 | 1992 | |

SHA-0 |
160 | 160 (5 × 32) |
512 | 2^{64} − 1 |
80 | And, Xor, Rot, Add (mod 2^{32}), Or |
<34 (collisions found) |
0 | ≈ SHA-1 | ≈ SHA-1 | 1993 | |

SHA-1 |
<63 (collisions found ^{[3]}) |
3.47 | 52.00 | 1995 | ||||||||

SHA-2 |
SHA-224SHA-256 |
224 256 |
256 (8 × 32) |
512 | 2^{64} − 1 |
64 | And, Xor, Rot, Add (mod 2^{32}), Or, Shr |
112 128 |
32 0 |
7.62 7.63 |
84.50 85.25 |
2004 2001 |

SHA-384SHA-512 |
384 512 |
512 (8 × 64) |
1024 | 2^{128} − 1 |
80 | And, Xor, Rot, Add (mod 2^{64}), Or, Shr |
192 256 |
128 (≤ 384) 0 |
5.12 5.06 |
135.75 135.50 |
||

SHA-512/224SHA-512/256 |
224 256 |
112 128 |
288 256 |
≈ SHA-384 | ≈ SHA-384 | |||||||

SHA-3 |
SHA3-224SHA3-256SHA3-384SHA3-512 |
224 256 384 512 |
1600 (5 × 5 × 64) |
1152 1088 832 576 |
Unlimited^{[4]} |
24^{[5]} |
And, Xor, Rot, Not | 112 128 192 256 |
448 512 768 1024 |
8.12 8.59 11.06 15.88 |
154.25 155.50 164.00 164.00 |
2015 |

SHAKE128SHAKE256 |
d (arbitrary)d (arbitrary) |
1344 1088 |
min(d/2, 128)min( d/2, 256) |
256 512 |
7.08 8.59 |
155.25 155.50 |

All SHA-family algorithms, the FIPS-approved security functions, are subject to official validation at the CMVP, a joint program (Cryptographic Module Validation Program) run by the American's National Institute of Standards and Technology (NIST) and the Canadian's Communications Security Establishment (CSE).

**^**[bench.cr.yp.to]**^**"The MD5 Message-Digest Algorithm". Retrieved 2016-04-18.In the unlikely event that b is greater than 2^64, then only the low-order 64 bits of b are used.

**^**"Announcing the first SHA1 collision". Retrieved 2017-02-23.**^**"The Sponge Functions Corner". Retrieved 2016-01-27.**^**"The Keccak sponge function family". Retrieved 2016-01-27.