Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto
Victor Duchovni
Victor.Duchovni at morganstanley.com
Tue Nov 3 11:40:33 EST 2009
On Fri, Oct 30, 2009 at 05:30:03PM +0000, Darren J Moffat wrote:
> Basically if I have to truncate to 128 bits is it better to do
> it against SHA224 or SHA256 ?
No difference, SHA224 *is* a truncated SHA256 (with a different "random"
IV), so in both cases you are computing SHA256, and either truncating
once or twice.
> Option 3
> --------
> IV 96 bits
> MAC 128 bits
> Checksum SHA224 or SHA256 truncated to 160 bits
>
> Obviously better than the 1 and 2 but how much better ?
> The reason it isn't used just now is because it is slightly
> harder to layout given other constraints in where the data lives.
Well, hashes have a birthday paradox, so a 128-bit hash is not
"stupendously" strong against collision attacks. One may be tempted
to trade off IV length for a longer hash, if collision resistance is
important. If you only need pre-image resistance, then you probably don't
need a longer hash (MD5 is still mostly holding up against pre-images).
Figure out whether you need collision resistance, or whether pre-image
resistance is sufficient.
> MAC 32 bits
> Checksum SHA256 at full 256 bits
>
> I'm pretty sure the size of the MAC is far too small.
Without question.
> Option 5
> --------
> IV 96 bits
> MAC 64 bits
> Checksum SHA224 at full 224 bits
>
> This feels like the best compromise, but is it ?
The MAC looks too short to me. You don't want MAC collisions, and 64
bits is too close for comfort IMHO.
> Option 6
> --------
> IV 96 bits
> MAC 96 bits
> Checksum SHA224 or SHA256 truncated to 192 bits
This looks reasonable, if collision resistance is a concern. It is
a "balanced" design, because all the elements are 96-bit strong
(hash 96-bits of collision resistance).
On the other hand, if you only need (which is likely true, but you
need to examine the attack scenarios) pre-image resistance, then
you don't need to reduce the MAC strength to strengthen the hash, and
Option 3 is likely better.
--
Viktor.
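The sizing argument in the reply above (collision resistance of an ideal n-bit hash is n/2 bits by the birthday bound, pre-image resistance is n bits, a MAC truncated to m bits resists forgery at m bits) is easy to check numerically. The script below is an added example, not code from this thread, from ZFS or from the list; it restates the quoted layout options as a small table, shows that SHA-224 is not byte-for-byte a prefix of SHA-256 (the IVs differ), truncates an HMAC the RFC 2104 way (leftmost bits), and runs an actual birthday collision search on SHA-256 truncated to a small width so the square-root effect is visible. The option table, the `zfs-block-` message prefix and the truncation widths used for the search are assumptions made for illustration.

```python
"""Birthday-bound arithmetic and an empirical collision search on truncated
SHA-256. Added example; not code from the cryptography list or from ZFS."""
import hashlib
import hmac
import math

# Layout options as quoted in the thread: (IV bits, MAC bits, checksum bits).
# The 32-bit-MAC variant is listed without an IV because none was quoted.
OPTIONS = {
    "option 3": (96, 128, 160),
    "32-bit MAC variant": (None, 32, 256),
    "option 5": (96, 64, 224),
    "option 6": (96, 96, 192),
}


def security_bits(iv_bits, mac_bits, checksum_bits):
    """Generic bounds for an ideal hash/MAC of the given widths.

    collision  : n/2 bits for an n-bit hash (birthday bound)
    preimage   : n bits for an n-bit hash
    mac_forgery: an m-bit tag is guessed with probability 2^-m per attempt
    weakest    : the smallest of the three, i.e. what an attacker targets
    """
    levels = {
        "collision": checksum_bits // 2,
        "preimage": checksum_bits,
        "mac_forgery": mac_bits,
    }
    levels["weakest"] = min(levels.values())
    return levels


def truncated_sha256(data, bits):
    """Leftmost `bits` bits of SHA-256 (whole bytes only, for simplicity)."""
    assert bits % 8 == 0 and 0 < bits <= 256
    return hashlib.sha256(data).digest()[: bits // 8]


def truncated_hmac_sha256(key, data, bits):
    """HMAC-SHA256 truncated to the leftmost `bits` bits, as RFC 2104 does."""
    assert bits % 8 == 0 and 0 < bits <= 256
    return hmac.new(key, data, hashlib.sha256).digest()[: bits // 8]


def sha224_is_prefix_of_sha256(data):
    """SHA-224 uses different initial hash values than SHA-256, so it is not
    simply the first 28 bytes of SHA-256; this returns False in practice."""
    return hashlib.sha224(data).digest() == hashlib.sha256(data).digest()[:28]


def expected_collision_trials(bits):
    """Expected number of random inputs before the first collision in a
    `bits`-bit space: sqrt(pi/2) * 2^(bits/2)."""
    return math.sqrt(math.pi / 2) * 2 ** (bits / 2)


def birthday_collision(bits, prefix=b"zfs-block-"):
    """Find two distinct messages whose SHA-256 truncated to `bits` bits
    collide, by storing every truncated value seen (classic birthday attack).
    Messages are prefix || 8-byte counter, a constructed input for the demo.
    Returns (message_a, message_b, trials)."""
    seen = {}
    counter = 0
    while True:
        msg = prefix + counter.to_bytes(8, "big")
        tag = truncated_sha256(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg
        counter += 1


if __name__ == "__main__":
    for name, (iv, mac, cks) in OPTIONS.items():
        print(name, "IV", iv, "MAC", mac, "checksum", cks,
              "->", security_bits(iv, mac, cks))
    print("SHA-224 == SHA-256[:28]?", sha224_is_prefix_of_sha256(b"abc"))
    print("96-bit HMAC tag:",
          truncated_hmac_sha256(b"k" * 32, b"block data", 96).hex())
    for width in (24, 32):
        a, b, trials = birthday_collision(width)
        print(f"{width}-bit truncation: collision after {trials} trials "
              f"(expected ~{expected_collision_trials(width):.0f}, "
              f"preimage would need ~{2 ** width})")
```

Running it shows a collision on a 32-bit truncation after on the order of 2^16 trials, which is the whole point of the "hash 96-bits of collision resistance" remark for a 192-bit checksum: the collision work is the square root of the pre-image work, so a field that only needs pre-image resistance can be half the width of one that must also resist collisions.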
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com