[Cryptography] hash size

Derek Atkins derek at ihtfp.com
Wed Oct 31 16:49:41 EDT 2018

Hi James,

On Wed, October 31, 2018 3:11 pm, jamesd at echeque.com wrote:
> What does a 256 bit hash get you that a 128 bit hash does not get you?
> What attacks could be done on a 128 bit has that could not be done on a
> 256 bit hash?
> With 128 bits, a birthday attack is just barely possible, in that
> someone could search 2^64 examples, but, supposing you don't care about
> birthday attacks, only about someone finding a pre-image or finding a
> new value that gives the same hash as someone else's hash, what do you
> get?

You are correct, an N-bit hash provides N-bit security against preimage
and second-preimage attacks.   It only provides N/2-bit security against
collisions.  It's safe to use a 128-bit hash if you are ABSOLUTELY SURE
that you will NEVER have a use case where you could have a collision-based
attack.  But finding those rare use-cases are rare.  Worse, you'll have to
explain to everyone, over-and-over, why you're not succeptible to
collision attacks.  And then after you're done explaining, the next person
will come up and ask again.

Worse, a 256-bit hash is pretty fast, so it's unclear what you're actually
buying yourself with a 128-bit hash.


       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

More information about the cryptography mailing list