Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

Victor Duchovni Victor.Duchovni at
Tue Nov 3 11:40:33 EST 2009

On Fri, Oct 30, 2009 at 05:30:03PM +0000, Darren J Moffat wrote:

> 	Basically if I have to truncate to 128 bits is it better to do
> 	it against SHA224 or SHA256 ?

No difference, SHA224 *is* a truncated SHA256 (with a different "random"
IV), so in both cases you are computing SHA256, and either truncating
once or twice.

> Option 3
> --------
> IV		96 bits
> MAC		128 bits
> Checksum	SHA224 or SHA256 truncated to 160 bits
> 	Obviously better than the 1 and 2 but how much better ?
> 	The reason it isn't used just now is because it is slightly
> 	harder to layout given other constrains in where the data lives.

Well, hashes have a birthday paradox, so a 128-bit hash is not
"stupendously" strong against collision attacks. One may be tempted
to trade off IV length for a longer hash, if collision resistance is
important. If you only need pre-image resistance, then you probably don't
need a longer hash (MD5 is still mostly holding up against pre-images).

Figure out whether you need collision resistance, or whether pre-image
resistance is sufficient.

> MAC		32 bits
> Checksum	SHA256 at full 256 bits
> 	I'm pretty sure the size of the MAC is far to small.

Without question.

> Option 5
> --------
> IV		96 bits
> MAC		64 bits
> Checksum	SHA224 at full 224 bits
> 	This feels like the best compromise, but is it ?

The MAC looks too short to me. You don't want MAC collisions, and 64
bits is too close for comfort IMHO.

> Option 6
> --------
> IV		96 bits
> MAC		96 bits
> Checksum	SHA224 or SHA256 truncated to 192 bits

This looks reasonable, if collision resistance is a concern. it is
a "balanced" design, because all the elements are 96-bit strong
(hash 96-bits of collision resistance).

On the other hand, if you only need (which is likely true, but you
need to examine the attack scenarios) pre-image resistance, then
you don't need to reduce the MAC strength to strengthen the hash, and
Option 3 is likely better.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list