Secure Hash Algorithm |
---|---
Concepts | hash functions · SHA · DSA
Main standards | SHA-0 · SHA-1 · SHA-2 · SHA-3
General |
---|---
Designers | National Security Agency
First published | 2001
Series | (SHA-0), SHA-1, SHA-2, SHA-3
Certification | FIPS PUB 180-4, CRYPTREC, NESSIE
Detail |
Digest sizes | 224, 256, 384, or 512 bits
Structure | Merkle–Damgård construction with Davies–Meyer compression function
Rounds | 64 or 80
Best public cryptanalysis | A 2011 attack breaks preimage resistance for 57 out of 80 rounds of SHA-512, and 52 out of 64 rounds for SHA-256. Pseudo-collision attack against up to 46 rounds of SHA-256.
SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the National Security Agency (NSA). Cryptographic hash functions are mathematical operations run on digital data; by comparing the computed "hash" (the output from execution of the algorithm) to a known and expected hash value, a person can determine the data's integrity. For example, computing the hash of a downloaded file and comparing the result to a previously published hash result can show whether the download has been modified or tampered with. A key aspect of cryptographic hash functions is their collision resistance: nobody should be able to find two different input values that result in the same hash output.
SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
SHA-256 and SHA-512 are novel hash functions computed with 32-bit and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are simply truncated versions of the first two, computed with different initial values. SHA-512/224 and SHA-512/256 are also truncated versions of SHA-512, but their initial values are generated using the method described in Federal Information Processing Standards (FIPS) PUB 180-4. SHA-2 was published in 2001 by the National Institute of Standards and Technology (NIST) as a U.S. federal standard (FIPS). The SHA-2 family of algorithms is patented in US patent 6829355. The United States has released the patent under a royalty-free license.
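To make the structure just described concrete (Merkle–Damgård chaining, the Davies–Meyer feed-forward in the compression function, and SHA-224 as the SHA-256 engine run from a different initial value and truncated), here is an added example written for this page, not code from FIPS 180-4 or from any library: a from-scratch SHA-256/SHA-224 in Python that also derives the round constants and initial values from the fractional parts of prime square and cube roots (as the standard specifies) using exact integer arithmetic, and cross-checks itself against `hashlib`. The helper names `frac_root_bits`, `merkle_damgard` and `matches_hashlib` are my own.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def primes(count):  # first `count` primes by trial division
    ps, n = [], 2
    while len(ps) < count:
        if all(n % q for q in ps):
            ps.append(n)
        n += 1
    return ps
def frac_root_bits(p, n, bits=32):
    """Leading `bits` bits of the fractional part of the n-th root of p, by exact integer Newton."""
    x = p << (n * bits)                   # n-th root of x equals root(p) * 2**bits
    r = 1 << -(-x.bit_length() // n)      # start strictly above the true root
    while (y := ((n - 1) * r + x // r ** (n - 1)) // n) < r:
        r = y
    return r & ((1 << bits) - 1)          # floor(root(p) * 2**bits) mod 2**bits

K = [frac_root_bits(p, 3) for p in primes(64)]      # round constants: cube roots of primes 1..64
H0_256 = [frac_root_bits(p, 2) for p in primes(8)]  # SHA-256 IV: square roots of primes 1..8
H0_224 = [frac_root_bits(p, 2, 64) & MASK for p in primes(16)[8:]]  # SHA-224 IV: 2nd 32 bits, primes 9..16
def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK
def compress(state, block):
    """SHA-256 compression function: 64 rounds over one 64-byte block, then Davies-Meyer feed-forward."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):                     # message schedule
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]  # feed-forward
def merkle_damgard(msg, iv, digest_bytes):
    """Pad (0x80, zeros, 64-bit big-endian bit length), chain compress() from iv, truncate."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    state = iv
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return struct.pack(">8L", *state)[:digest_bytes]

def sha256(msg): return merkle_damgard(msg, H0_256, 32)
def sha224(msg): return merkle_damgard(msg, H0_224, 28)  # same engine, different IV, truncated to 224 bits
def matches_hashlib(msg):  # cross-check both digests against the standard library
    return sha256(msg) == hashlib.sha256(msg).digest() and sha224(msg) == hashlib.sha224(msg).digest()
```

Message lengths of 55, 56 and 64 bytes exercise the padding boundaries, where a hand-written implementation most often goes wrong.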
In 2005, an algorithm emerged for finding SHA-1 collisions in about 2,000 times fewer steps than was previously thought possible. In 2017, an example of a SHA-1 collision was published. The security margin left by SHA-1 is weaker than intended, and its use is therefore no longer recommended for applications that depend on collision resistance, such as digital signatures. Although SHA-2 bears some similarity to the SHA-1 algorithm, these attacks have not been successfully extended to SHA-2.