[Cryptography] hash size
Derek Atkins
derek at ihtfp.com
Wed Oct 31 16:49:41 EDT 2018
Hi James,
On Wed, October 31, 2018 3:11 pm, jamesd at echeque.com wrote:
> What does a 256 bit hash get you that a 128 bit hash does not get you?
>
> What attacks could be done on a 128 bit has that could not be done on a
> 256 bit hash?
>
> With 128 bits, a birthday attack is just barely possible, in that
> someone could search 2^64 examples, but, supposing you don't care about
> birthday attacks, only about someone finding a pre-image or finding a
> new value that gives the same hash as someone else's hash, what do you
> get?
You are correct, an N-bit hash provides N-bit security against preimage
and second-preimage attacks. It only provides N/2-bit security against
collisions. It's safe to use a 128-bit hash if you are ABSOLUTELY SURE
that you will NEVER have a use case where you could have a collision-based
attack. But finding those rare use-cases are rare. Worse, you'll have to
explain to everyone, over-and-over, why you're not succeptible to
collision attacks. And then after you're done explaining, the next person
will come up and ask again.
Worse, a 256-bit hash is pretty fast, so it's unclear what you're actually
buying yourself with a 128-bit hash.
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
More information about the cryptography
mailing list