[Cryptography] please don't weaken pre-image resistance of SHA3 (Re: NIST about to weaken SHA3?)

John Kelsey crypto.jmk at gmail.com
Tue Oct 15 17:47:27 EDT 2013


On Oct 15, 2013, at 2:22 PM, Adam Back <adam at cypherspace.org> wrote:

> Are you including truncation in that?  (The question was would SHA3-512
> STILL have 256-bit preimage security if it was truncated to 256-bit i.e.
> motivated by a workaround to get a 256-bit output with conventional 256-bit
> preimage resistance).


Yes.  The 2^{c/2} preimage attack on Keccak/SHA3 is a meet-in-the-middle attack on the internal hash state, and it has nothing to do with the output size.

More broadly, anything you can do to a SHA3 version with much less than 2^{c/2} work, you could also do to *any* hash function with the same output size.  

> Adam

--John
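
The meet-in-the-middle on the internal state described in the reply above, as an added example that is not part of the original message: a toy sponge (not Keccak) with a 16-bit rate and a c = 16-bit capacity, where a preimage for a 16-bit digest is found with about 2^{c/2} permutation calls per side rather than 2^16 hash trials. The permutation, the block sizes, the absence of padding and all function names are assumptions made for the illustration.

```python
# Added illustration: toy sponge, NOT Keccak; every name and parameter is an assumption.
R, C = 16, 16                        # rate and capacity in bits; state is R + C = 32 bits
MASK = (1 << (R + C)) - 1
INNER = (1 << C) - 1                 # mask selecting the capacity (inner) part
M1, M2 = 0x85EBCA6B, 0xC2B2AE35      # odd multipliers, so invertible mod 2^32
M1_INV, M2_INV = pow(M1, -1, 1 << 32), pow(M2, -1, 1 << 32)
K = 0x9E3779B9                       # additive constant so that perm(0) != 0

def perm(s):                         # public, invertible 32-bit permutation
    s = (s + K) & MASK
    s ^= s >> 16
    s = (s * M1) & MASK
    s ^= s >> 13
    s = (s * M2) & MASK
    s ^= s >> 16
    return s

def perm_inv(s):                     # exact inverse of perm, step by step in reverse
    s ^= s >> 16
    s = (s * M2_INV) & MASK
    s ^= (s >> 13) ^ (s >> 26)
    s = (s * M1_INV) & MASK
    s ^= s >> 16
    return (s - K) & MASK

def toy_hash(blocks):                # blocks: list of R-bit integers, no padding
    s = 0
    for m in blocks:                 # absorb: XOR the block into the outer part
        s = perm(s ^ (m << C))
    return s >> C                    # squeeze: the outer R = 16 bits are the digest

def mitm_preimage(digest, forward=1 << (C // 2)):
    # Forward half: inner part reached after one block -> (block, outer part).
    table = {}
    for m in range(forward):
        f = perm(m << C)
        table[f & INNER] = (m, f >> C)
    # Backward half: any final state whose outer part equals the digest will do,
    # so vary its inner part and step back until the two inner parts meet.
    for x in range(1 << C):
        t = perm_inv((digest << C) | x)
        hit = table.get(t & INNER)
        if hit is not None:
            m_first, outer_f = hit   # second block bridges the two outer parts
            return [m_first, outer_f ^ (t >> C)], forward + x + 1
    return None, forward + (1 << C)
```

The second return value counts permutation calls. The search matches only on the capacity part, so widening or truncating the digest leaves that cost unchanged as long as the digest still fits in one rate-sized block.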

