Let's shift our gears to the attackers perspective.

Cryptographic hash functions are also subject to brute force attack,

which resistance does not depend on

the specific algorithm but rather depends only on the bit length of the hash value.

For a preimage or weak collision attack given a hash value of H prime,

an adversary wishes to find a value Y,

such that H of Y is equal to the given hash value H prime.

The brute force method is to pick values of Y at random and

try each value until the corresponding output becomes H prime and a collision occurs.

For an N bit hash value,

the level of effort is proportional to two to the Nth power.

Specifically, the adversary would have to try on average half of two to Nth power or two

raised to the power of N minus one values of

Y to find one that generates the given hash value H prime.

As discussed previously, it is easier to break

strong collision resistance in the attackers perspective,

and achieving such property is a stronger notion for the defender's perspective.

For strong collision resistant attack,

an attacker wishes to find two messages or inputs,

X and Y, that yield the same hash function,

so that H of X is equal to H of Y.

This requires much less effort than a preimage or weak collision resistance attack.

As the attacker succeeds,

if she finds any collision,

the attacker effort required is explained by

a mathematical result referred to as the Birthday Paradox.

If strong collision resistance is required,

then the value of two raised to the power of half

of N determines the strength of the hash code against the brute force attack.

For state of the art, 128 bit long hash is considered inappropriate or not secure enough,

as there is a design for collision search machine that can find

collisions in less than a month.

The next step up in the hash length is a 160 bit hash length.

If a hash is treated as a sequence of 32 bits, is used.

However, many cryptographic experts suspect that 160 bits is also too short.

In early 2017, there was also

a demonstrated cryptanalytic attack on

SHA-1 which uses 160 bit long digester output size,

and is designed by the National Security Agency or NSA.

The recent SHA-3 implementation standardized by

NIST in 2015 supports hashed length of 224 bits or greater.

More specifically, SHA-3 hash length can be 224,

256, 384 and 512 bits.