|Hash function||MiB/sec||cycles/hash||Quality problems|
|crc32||392.09||135.20||insecure, 8589.93x collisions, distrib|
|md5_32a||352.25||674.76||8589.93x collisions, distrib|
|sha1_32a||373.41||1492.19||collisions, 36.6% distrib|
|hasshe2||3139.96||70.18||insecure, 100% bias, collisions, distrib|
|crc32_hw||6331.24||29.89||insecure, 100% bias, collisions, distrib, machine-specific (x86 SSE4.2)|
|crc32_hw1||23011.78||35.72||insecure, 100% bias, collisions, distrib, machine-specific (x86 SSE4.2)|
|crc64_hw||8423.86||29.36||insecure, 100% bias, collisions, distrib, machine-specific (x86_64 SSE4.2)|
|FNV1a||790.45||69.32||zeros, 100% bias, collisions, distrib|
|FNV1a_YT||8949.71||27.97||100% bias, collisions, distrib|
|FNV64||791.85||69.31||100% bias, collisions, distrib|
|bernstein||791.84||67.09||100% bias, collisions, distrib|
|sdbm||790.50||66.69||100% bias, collisions, distrib|
|x17||527.91||96.67||99.98% bias, collisions, distrib|
|JenkinsOOAT||452.49||141.18||53.5% bias, collisions, distrib|
|JenkinsOOAT_pl||452.49||118.65||1.5-11.5% bias, 7.2x collisions|
|MicroOAAT||972.14||59.82||100% bias, distrib|
|jodyhash32||1428.46||44.25||bias, collisions, distr|
|jodyhash64||2843.60||39.53||bias, collisions, distr|
|lookup3||1744.87||47.23||28% bias, collisions, 30% distr|
|superfast||1570.59||57.55||91% bias, 5273.01x collisions, 37% distr|
|MurmurOAAT||451.66||114.34||collisions, 99.998% distr|
|Crap8||3149.87||34.14||2.42% bias, collisions, 2% distrib|
|Murmur2||3139.49||40.63||1.7% bias, 81x coll, 1.7% distrib|
|Murmur2B||4867.23||46.49||1.8% bias, collisions, 3.4% distrib|
|Murmur2C||3919.19||46.27||91% bias, collisions, distr|
|MUM||6564.38||39.85||machine-specific (32/64 differs)|
|City64||9200.87||55.70||2 minor collisions|
|FarmHash32||24831.45||24.99||machine-specific (x86_64 SSE4/AVX)|
|farmhash32_c||24647.21||25.36||machine-specific (x86_64 SSE4/AVX)|
|xxHash32||5414.57||46.85||collisions with 4bit diff|
|metrohash64crc_1||14007.26||55.84||cyclic collisions 8 byte, machine-specific (x86_64 SSE4.2)|
|metrohash64crc_2||13932.90||55.90||cyclic collisions 8 byte, machine-specific (x86_64 SSE4.2)|
|metrohash128crc_1||13993.55||86.92||machine-specific (x86_64 SSE4.2)|
|metrohash128crc_2||13929.50||86.90||machine-specific (x86_64 SSE4.2)|
|falkhash||19984.13||173.46||machine-specific (x86_64 AES-NI)|
|t1ha_crc||13775.04||35.87||machine-specific (x86 SSE4.2)|
|t1ha_aes||19927.77||36.02||machine-specific (x86 AES-NI)|
So the fastest hash functions on x86_64 without quality problems are:
- falkhash (macho64 and elf64 nasm only, with HW AES extension)
- Metro (but not 64crc yet, WIP)
- FarmHash (not portable, too machine specific: 64 vs 32bit, old gcc, ...)
- City (deprecated)
- mum (machine specific, mum: different results on 32/64-bit archs)
Hash functions for symbol tables or hash tables typically use 32 bit hashes, for databases, file systems and file checksums typically 64 or 128bit, for crypto now starting with 256 bit.
Typical median key size in perl5 is 20, the most common 4. Similar for all other dynamic languages. See github.com/rurban/perl-hash-stats
When used in a hash table the instruction cache will usually beat the
CPU and throughput measured here. In my tests the smallest
beats the fastest
crc32_hw1 with Perl 5 hash tables.
Even if those worse hash functions will lead to more collisions, the
overall speed advantage beats the slightly worse quality.
See e.g. A Seven-Dimensional Analysis of Hashing Methods and its Implications on Query Processing
for a concise overview of the best hash table strategies, confirming that the
simpliest Mult hashing (bernstein, FNV*, x17, sdbm) always beat "better" hash
functions (Tabulation, Murmur, Farm, ...) when used in a hash table.
The fast hash functions tested here are recommendable as fast for file
digests and maybe bigger databases, but not for 32bit hash tables. The
"Quality problems" lead to less uniform distribution, i.e. more collisions
and worse performance, but are rarely related to real security attacks, just
the 2nd sanity test against
\0 invariance is security relevant.
- http://www.strchr.com/hash_functions lists other benchmarks and quality of most simple and fast hash functions.
- http://bench.cr.yp.to/primitives-hash.html lists the benchmarks of all currently tested secure hashes.
- The Hash Function Lounge overviews the known weaknesses and attacks.
Some popular SSE-improved FNV1 (sanmayce) variants, fletcher (ZFS), ... and slower cryptographic hashes or more secure hashes are still missing. BLAKE2, SHA-2, SHA-3 (Keccak), Grøstl, JH, Skein, ...
Such an attack avoidance cannot be the problem of the hash function, but the hash table collision resolution scheme. You can attack every single hash function, even the best and most secure if you detect the seed, e.g. from language (mis-)features, side-channel attacks, collision timings and independly the sort-order, so you need to protect your collision handling scheme from the worst-case O(n), i.e. separate chaining with linked lists. Linked lists chaining allows high load factors, but is very cache-unfriendly. The only recommendable linked list scheme is inlining the key or hash into the array. Nowadays everybody uses fast open addressing, even if the load factor needs to be ~50%, unless you use Cuckoo Hashing.
I.e. the usage of SipHash for their hash table in Python 3.4, ruby, rust, systemd, OpenDNS, Haskell and OpenBSD is pure security theatre. SipHash is not secure enough for security purposes and not fast enough for general usage. Brute-force generation of ~32k collisions need 2-4m for all these hashes. siphash being the slowest needs max 4m, other typically max 2m30s, with <10s for practical 16k collision attacks with all hash functions. Using Murmur is usually slower than a simple Mult, even in the worst case. Provable secure is only uniform hashing, i.e. 2-5 independent Mult or Tabulation, or using a guaranteed logarithmic collision scheme (a tree) or a linear collision scheme, such as Robin Hood or Cockoo hashing with collision counting.
One more note regarding security: Nowadays even SHA1 can be solved in a solver, like Z3 (or faster ones) for practical hash table collision attacks (i.e. 14-20 bits). So all hash functions with less than 256 bits tested here cannot be considered "secure" at all.
The '\0' vulnerability attack with binary keys is tested in the 2nd Sanity test.