A hash function H maps an arbitrary-length string to a fixed-length hash value (often called the digest).

For application purposes, a hash function should satisfy the following properties:

**Collision resistance**: It should be difficult to find a pair of distinct messages x_1 ≠ x_2 such that H(x_1) = H(x_2).**Pre-image resistance**: Given a hash value y, it should be difficult to find any message x such that H(x) = y.**Second pre-image resistance**: Given an input x_1, it should be infeasible to find a different input x_2 such that H(x_1) = H(x_2).

On top of that, it is desirable that hash functions **behave like random oracles** while being **deterministic** and **efficiently computable**.

## Constructions

**Merkle-Damgård**

The Merkle-Damgård construction relies on a compression function iterated as many times as there are message blocks.

The advantage of such a construction is that studying the security of the entire hash function is reduced to studying the security of the compression function.

**Sponge**

The sponge construction is parameterized by two integers: the rate r and the capacity c so that r + c is equal to the width of the permutation.

A sponge is decomposed into two phases: absorption and squeezing. During absorption, the first r bits of the state are XOR-ed to a block of the padded message so that each time a block of message is added, the permutation is applied to the full state. Then, squeezing consists of extracting blocks of messages by applying the permutation each time a block of message is produced.

For a well-chosen permutation, the capacity must give the security level of the hash function.

## STAP Lounge

The STAP Wiki currently collects information about the following list of STAP hash functions:

◊

**Designers:****Article:**

Description, relations, special features

Sbox, round function, pics

**Designers:****Article:**

Description, relations, special features

Sbox, round function, pics