[18030] in cryptography@c2.net mail archive
Re: Possibly new result on truncating hashes
daemon@ATHENA.MIT.EDU ("Hal Finney")
Tue Aug  2 10:04:31 2005
X-Original-To: cryptography@metzdowd.com
To: kelsey.j@ix.netcom.com
Cc: cryptography@metzdowd.com
Date: Mon,  1 Aug 2005 13:33:14 -0700 (PDT)
From: hal@finney.org ("Hal Finney")
John Kelsey writes:
> The high order bit is that you can't generally guarantee
> that truncating your hash (chopping off some bits) won't
> weaken it.  That is, if you chop SHA256 off to 160 bits as a
> replacement for SHA1 (something I'm working on with Niels
> Ferguson for X9 right now), it's possible that there's no
> attack on SHA256, but there is an attack on SHA160.  
This is a good point, but I think the lesson is that all the bits of a
hash have to be strong, for it to be considered strong.  If you have
a 2^64 attack to find a collision in 160 bits of SHA256, then SHA256
is broken.
It should not be possible to identify any subset of k bits in the output
of a hash function, or more generally any function mapping the hash
output to a k bit result, which can have collisions found in less than
2^(k/2) work.
Whether hash functions like SHA256 can meet this standard is far from
clear, unfortunately.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
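The 2^(k/2) criterion in the message above can be checked empirically at toy size. The following is an added example, not part of the original message: it runs a generic birthday search against three different k-bit functions of the SHA-256 output and reports the work each one needed. K = 24, the function names and the messages are constructed for illustration; a result near 2^(K/2) shows only that the generic bound holds at this size, not that no structural attack exists.

```python
import hashlib
import statistics

K = 24               # output bits kept; small so each search takes milliseconds
MASK = (1 << K) - 1

def first_bits(d: bytes) -> int:
    """Top K bits of the digest (plain truncation)."""
    return int.from_bytes(d, "big") >> (256 - K)

def last_bits(d: bytes) -> int:
    """Bottom K bits of the digest."""
    return int.from_bytes(d, "big") & MASK

def xor_fold(d: bytes) -> int:
    """XOR the digest's K-bit chunks together: a non-truncating map to K bits."""
    x, out = int.from_bytes(d, "big"), 0
    while x:
        out ^= x & MASK
        x >>= K
    return out

def find_collision(project, trial: int):
    """Hash distinct constructed messages until two share a projected value."""
    seen, n = {}, 0
    while True:
        msg = b"trial-%d-msg-%d" % (trial, n)
        n += 1
        v = project(hashlib.sha256(msg).digest())
        if v in seen:
            return n, seen[v], msg   # evaluations used, and the colliding pair
        seen[v] = msg

def median_work(project, trials: int = 15) -> float:
    """Median number of hash evaluations over several independent searches."""
    return statistics.median(find_collision(project, t)[0] for t in range(trials))

if __name__ == "__main__":
    for p in (first_bits, last_bits, xor_fold):
        print(f"{p.__name__:10s} median evaluations {median_work(p):7.0f}"
              f"   2^(K/2) = {2 ** (K // 2)}")
```

A projection whose median came out well below 2^(K/2) would be exactly the kind of weak k-bit function the message says a strong hash must not have.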