<div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Oct 31, 2018 at 4:37 PM <<a href="mailto:jamesd@echeque.com">jamesd@echeque.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What does a 256 bit hash get you that a 128 bit hash does not get you?<br>
<br>
What attacks could be done on a 128 bit has that could not be done on a <br>
256 bit hash?<br>
<br>
With 128 bits, a birthday attack is just barely possible, in that <br>
someone could search 2^64 examples, but, supposing you don't care about <br>
birthday attacks, only about someone finding a pre-image or finding a <br>
new value that gives the same hash as someone else's hash, what do you get?<br></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">This is something I have spent quite a bit of time thinking about in the design of the Mesh.</div><br></div><div><div class="gmail_default" style="font-size:small">The only digest algorithms I use in the Mesh are SHA-2-512 and SHA-3-512, truncating to whatever number of bits I need to achieve the necessary work factor. The Mesh uses UDF fingerprints which are presented for human readability in Base 32 with as many digits as are needed to provide the desired precision:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><pre class="gmail-newpage" style="font-size:13.3333px;margin-top:0px;margin-bottom:0px;break-before:page;color:rgb(0,0,0)"> Text Presentation (100 bit) SCFIN-CQGDR-KG47R-7OVPZ
Text Presentation (125 bit) SCFIN-CQGDR-KG47R-7OVPT-TCHZ5
Text Presentation (150 bit) SCFIN-CQGDR-KG47R-7OVPT-TCHZ7-UXY4I
Text Presentation (250 bit) SCFIN-CQGDR-KG47R-7OVPT-TCHZ7-UXY5S-
CFSMN-YBKBP-FELHX-I56EH</pre></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The scheme also allows for compression. If the first 25 bits are all zero, there is an efficient way to express this that saves five characters.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">How many bits do you need though? It really depends on the work factor you require to prevent an attack against a particular use.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">When people are exchanging credentials peer to peer, then 100 bit work factor is probably acceptable (today at least). But 125 bit is obviously better. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The truncation mechanism is deliberately designed to allow users to truncate the UDF by truncating the string. This allows for fingerprint strengthening. if a short UDF is matched against a long one, the longer representation is stored for future comparison. This allows use of a shorter representation for user interface tasks without compromising future use.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">25 characters (125-8 bits) are acceptable for a business card. 50 characters (250-8 bits) probably aren't.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The other use I make of digests is to create strong internet names (SINs). This is a DNS name that contains a UDF fingerprint of a security policy statement that controls the interpretation of the name. So if SCFIN-- is the fingerprint of the ICANN root cert (it isn't), we can create an absolute SIN that says 'validate this against DNSSEC'</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="">alice@example.com.mm--<span style="color:rgb(0,0,0)">SCFIN-CQGDR-KG47R-7OVPT-TCHZ7-UXY4I</span></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Or if we want to have our own root, we can do that instead, which means that we can create DNS names that are absolute and independent of any Trusted Third Party. (NB, I no longer work for a CA).</div><br></div><div><br></div><div> </div></div></div>