Editing Cryptographic hash function (section)

== Hash functions based on block ciphers ==
There are several methods to use a [[block cipher]] to build a cryptographic hash function, specifically a [[one-way compression function]].

The methods resemble the [[block cipher modes of operation]] usually used for encryption. Many well-known hash functions, including [[MD4]], [[MD5]], [[SHA-1]] and [[SHA-2]], are built from block-cipher-like components designed for the purpose, with feedback to ensure that the resulting function is not invertible. [[NIST hash function competition|SHA-3]] finalists included functions with block-cipher-like components (e.g., [[Skein hash function|Skein]], [[BLAKE (hash function)|BLAKE]]) though the function finally selected, [[Keccak]], was built on a [[sponge function|cryptographic sponge]] instead.

A standard block cipher such as [[Advanced Encryption Standard|AES]] can be used in place of these custom block ciphers; that might be useful when an [[embedded system]] needs to implement both encryption and hashing with minimal code size or hardware area. However, that approach can have costs in efficiency and security. The ciphers in hash functions are built for hashing: they use large keys and blocks, can efficiently change keys every block, and have been designed and vetted for resistance to [[related-key attack]]s. General-purpose ciphers tend to have different design goals. In particular, AES has key and block sizes that make it nontrivial to use to generate long hash values; AES encryption becomes less efficient when the key changes each block; and related-key attacks make it potentially less secure for use in a hash function than for encryption.