Security of cryptographic hash functions

In the second category are functions which are not based on mathematical problems, but on ad-hoc constructions in which the bits of the message are mixed to produce the hash.

For example, RSA public-key cryptography (which relies on the difficulty of integer factorization) is considered secure only with keys that are at least 2048 bits long, whereas keys for the ElGamal cryptosystem (which relies on the difficulty of the discrete logarithm problem) are commonly in the range of 256–512 bits.

If the set of inputs to the hash is relatively small or is ordered by likelihood in some way, then a brute force search may be practical, regardless of theoretical security.

The likelihood of recovering the preimage depends on the input set size and the speed or cost of computing the hash function.

When a person requests access, the password they submit is hashed and compared with the stored value.[1]

Special hashes called key derivation functions have been created to slow searches.

Various bitwise operations (e.g. rotations), modular additions, and compression functions are used in iterative mode to ensure high complexity and pseudo-randomness of the output.
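An added example (not from the original article) of the preimage search described above: a likelihood-ordered candidate list is tried against a stored hash, first with a fast unsalted SHA-256, then with PBKDF2 (a key derivation function) which charges thousands of SHA-256 computations per guess. The candidate list, the salt and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values for the demonstration only.
SALT = b"constructed-salt-16B"
ITERATIONS = 2000

def fast_hash(password: bytes) -> bytes:
    """Plain unsalted SHA-256: one cheap call per candidate."""
    return hashlib.sha256(password).digest()

def slow_hash(password: bytes, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, a KDF built to make each guess cost many hash calls."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def search_preimage(target: bytes, candidates, hash_fn):
    """Try candidates in likelihood order; return (preimage, attempts) or (None, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hmac.compare_digest(hash_fn(cand), target):
            return cand, attempts
    return None, attempts

def expected_search_cost(set_size: int, seconds_per_hash: float) -> float:
    """Expected seconds for a full search over the input set (worst case, every candidate tried)."""
    return set_size * seconds_per_hash

def seconds_per_call(hash_fn, sample: bytes = b"sample", repeats: int = 20) -> float:
    """Measure average wall-clock cost of one hash call."""
    start = time.perf_counter()
    for _ in range(repeats):
        hash_fn(sample)
    return (time.perf_counter() - start) / repeats

if __name__ == "__main__":
    # Constructed, likelihood-ordered candidate set (a tiny stand-in for a dictionary).
    candidates = [b"123456", b"password", b"hunter2", b"letmein", b"qwerty"]
    stored_fast = fast_hash(b"hunter2")
    stored_slow = slow_hash(b"hunter2")
    print("fast:", search_preimage(stored_fast, candidates, fast_hash))
    print("slow:", search_preimage(stored_slow, candidates, slow_hash))
    fast_t, slow_t = seconds_per_call(fast_hash), seconds_per_call(slow_hash)
    # Same search over a hypothetical set of one million candidates:
    print("fast full search (s):", expected_search_cost(10**6, fast_t))
    print("KDF  full search (s):", expected_search_cost(10**6, slow_t))
```

Both searches still succeed on this toy set; what the KDF changes is the cost per candidate, and therefore how large an input set remains searchable.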

One of the most popular hash functions, SHA-1, was shown to be less secure than its length suggested: collisions could be found in only 2^51[2] tests, rather than the brute-force number of 2^80.

It can be shown that, for any algorithm that can break SWIFFT with probability p within an estimated time t, one can find an algorithm that solves the worst-case scenario of a certain difficult mathematical problem within time t′ depending on t and p.[citation needed] Let hash(m) = x^m mod n, where n is a hard-to-factor composite number, and x is some prespecified base value.