[Cryptography] hash size

Phillip Hallam-Baker phill at hallambaker.com
Thu Nov 1 09:21:09 EDT 2018

On Wed, Oct 31, 2018 at 4:37 PM <jamesd at echeque.com> wrote:

> What does a 256 bit hash get you that a 128 bit hash does not get you?
> What attacks could be done on a 128 bit hash that could not be done on a
> 256 bit hash?
> With 128 bits, a birthday attack is just barely possible, in that
> someone could search 2^64 examples, but, supposing you don't care about
> birthday attacks, only about someone finding a pre-image or finding a
> new value that gives the same hash as someone else's hash, what do you get?

This is something I have spent quite a bit of time thinking about in the
design of the Mesh.

The only digest algorithms I use in the Mesh are SHA-2-512 and SHA-3-512,
truncating to whatever number of bits I need to achieve the necessary work
factor. The Mesh uses UDF fingerprints which are presented for human
readability in Base 32 with as many digits as are needed to provide the
desired precision:

   Text Presentation (100 bit)  SCFIN-CQGDR-KG47R-7OVPZ

   Text Presentation (125 bit)  SCFIN-CQGDR-KG47R-7OVPT-TCHZ5

   Text Presentation (150 bit)  SCFIN-CQGDR-KG47R-7OVPT-TCHZ7-UXY4I

   Text Presentation (250 bit)  SCFIN-CQGDR-KG47R-7OVPT-TCHZ7-UXY5S-

The scheme also allows for compression. If the first 25 bits are all zero,
there is an efficient way to express this that saves five characters.

How many bits do you need though? It really depends on the work factor you
require to prevent an attack against a particular use.

When people are exchanging credentials peer to peer, then 100 bit work
factor is probably acceptable (today at least). But 125 bit is obviously

The truncation mechanism is deliberately designed to allow users to
truncate the UDF by truncating the string. This allows for fingerprint
strengthening. If a short UDF is matched against a long one, the longer
representation is stored for future comparison. This allows use of a
shorter representation for user interface tasks without compromising future

25 characters (125-8 bits) are acceptable for a business card. 50
characters (250-8 bits) probably aren't.

The other use I make of digests is to create strong internet names (SINs).
This is a DNS name that contains a UDF fingerprint of a security policy
statement that controls the interpretation of the name. So if SCFIN-- is
the fingerprint of the ICANN root cert (it isn't), we can create an
absolute SIN that says 'validate this against DNSSEC'

alice at example.com.mm--SCFIN-CQGDR-KG47R-7OVPT-TCHZ7-UXY4I

Or if we want to have our own root, we can do that instead, which means
that we can create DNS names that are absolute and independent of any
Trusted Third Party. (NB, I no longer work for a CA).
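
The truncation and fingerprint-strengthening behaviour described in the message above, as an added example that is not part of the original post and is not the Mesh's own code. It is a simplified model rather than the UDF specification: the version byte value, the `MIN_CHARS` policy and every function and class name here are assumptions.

```python
import base64
import hashlib

VERSION = 0x60   # constructed placeholder version byte, not taken from the UDF spec
MIN_CHARS = 20   # assumed policy: never compare below the 100 bit presentation


def fingerprint(data: bytes, bits: int = 250) -> str:
    """Version byte + SHA-2-512 digest, Base32, cut to bits/5 characters."""
    raw = bytes([VERSION]) + hashlib.sha512(data).digest()
    text = base64.b32encode(raw).decode("ascii").rstrip("=")[: bits // 5]
    return "-".join(text[i:i + 5] for i in range(0, len(text), 5))


def normalise(fp: str) -> str:
    """Strip grouping dashes and case so presentations compare as strings."""
    return fp.replace("-", "").strip().upper()


def digest_bits(fp: str) -> int:
    """Digest bits carried: 5 per character minus the 8 bit prefix."""
    return 5 * len(normalise(fp)) - 8


class FingerprintStore:
    """Pins one fingerprint per name and strengthens it on longer matches."""

    def __init__(self):
        self.known = {}

    def pin(self, name: str, fp: str) -> None:
        fp = normalise(fp)
        if len(fp) < MIN_CHARS:
            raise ValueError("fingerprint too short to pin")
        self.known[name] = fp

    def check(self, name: str, presented: str) -> bool:
        stored, seen = self.known.get(name), normalise(presented)
        if stored is None or len(seen) < MIN_CHARS:
            return False  # unknown name, or too short to carry the work factor
        short, long_ = sorted((stored, seen), key=len)
        if not long_.startswith(short):
            return False  # the two presentations disagree on a shared prefix
        self.known[name] = long_  # strengthening: keep the longer representation
        return True
```

A match is only ever as strong as the shorter of the two presentations compared, which is why the store refuses anything under `MIN_CHARS` instead of accepting an arbitrarily short prefix.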