Possibly new result on truncating hashes

Hal Finney hal at finney.org
Mon Aug 1 16:33:14 EDT 2005


John Kelsey writes:
> The high order bit is that you can't generally guarantee
> that truncating your hash (chopping off some bits) won't
> weaken it.  That is, if you chop SHA256 off to 160 bits as a
> replacement for SHA1 (something I'm working on with Niels
> Ferguson for X9 right now), it's possible that there's no
> attack on SHA256, but there is an attack on SHA160.  

This is a good point, but I think the lesson is that all the bits of a
hash have to be strong, for it to be considered strong.  If you have
a 2^64 attack to find a collision in 160 bits of SHA256, then SHA256
is broken.

It should not be possible to identify any subset of k bits in the output
of a hash function, or more generally any function mapping the hash
output to a k bit result, which can have collisions found in less than
2^(k/2) work.

Whether hash functions like SHA256 can meet this standard is far from
clear, unfortunately.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
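
The 2^(k/2) figure in the message above is the cost of a generic birthday search, which works against any k-bit function of the digest no matter how good the hash is. The following is an added example, not part of the original post: it runs that generic search against arbitrary k-bit subsets of SHA-256 output for small k and compares the measured work with 2^(k/2). The function names, the constructed input messages and the choice of k are assumptions made for illustration.

```python
import hashlib
import random

def project(digest: bytes, bit_positions):
    """Map a 256-bit digest to k bits by selecting the given bit positions."""
    n = int.from_bytes(digest, "big")
    out = 0
    for pos in bit_positions:
        out = (out << 1) | ((n >> pos) & 1)
    return out

def birthday_collision(bit_positions, prefix=b"constructed-input-"):
    """Generic birthday search: hash distinct constructed messages until two
    share the same k-bit projection. Returns (msg1, msg2, hashes_computed)."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        tag = project(hashlib.sha256(msg).digest(), bit_positions)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
        i += 1

def average_work(k, trials=20, seed=2005):
    """Average hash count over several random k-bit subsets of the output."""
    rng = random.Random(seed)
    total = 0
    for t in range(trials):
        positions = rng.sample(range(256), k)  # arbitrary subset, not a prefix
        _, _, work = birthday_collision(positions, prefix=b"trial-%d-" % t)
        total += work
    return total / trials

if __name__ == "__main__":
    # Small k only: this shows the generic baseline, not a weakness in SHA-256.
    for k in (16, 20, 24):
        avg = average_work(k)
        print(f"k={k:2d}  avg hashes={avg:8.0f}  2^(k/2)={2 ** (k / 2):8.0f}")
```

For an ideal hash the average lands near 1.25 * 2^(k/2) for every subset; a subset for which collisions came consistently cheaper than that would be the kind of break the message describes.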


