[Cryptography] hash size

Ray Dillinger bear at sonic.net
Wed Oct 31 17:10:06 EDT 2018



On 10/31/2018 12:11 PM, jamesd at echeque.com wrote:

> What attacks could be done on a 128 bit hash that could not be done on a
> 256 bit hash?
> 
> With 128 bits, a birthday attack is just barely possible, in that
> someone could search 2^64 examples, but, supposing you don't care about
> birthday attacks, only about someone finding a pre-image or finding a
> new value that gives the same hash as someone else's hash, what do you get?


"Just barely possible?"  Unless it's a hash that's specifically made to
be inefficient to compute, then searching 2^64 examples is something
that can be done in a couple of days on a single server rack.

The point of a hash is to be efficient to compute and check but hard to
reverse.  Inefficient computing, obviously, doesn't get you both things.
 It only gets you "hard to reverse."  An efficient hash - one that
doesn't impose a burden on the servers or checkers - needs output bits,
not inefficiency.

				Bear
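
The birthday bound discussed in this thread, as an added example that is not part of the original message: SHA-256 truncated to n bits stands in for an n-bit hash (an assumption made for illustration), and the search shows a collision turning up after roughly 2^(n/2) inputs. The input strings and function names are constructed for this example.

```python
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), standing in for an n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, limit: int = 1 << 22):
    """Birthday search: hash distinct inputs until two share an output.

    Returns (first_message, second_message, inputs_hashed).
    """
    seen = {}  # hash value -> message that produced it
    for i in range(limit):
        msg = b"constructed-input-%d" % i  # constructed sample inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("no collision within limit")


if __name__ == "__main__":
    # Small sizes so the search finishes in well under a second.
    for bits in (16, 24, 32):
        a, b, attempts = find_collision(bits)
        print(f"{bits}-bit output: collision after {attempts} inputs "
              f"(2^{bits // 2} = {1 << (bits // 2)})")
        print(f"    {a!r} and {b!r} -> {truncated_hash(a, bits):#x}")

    # The same square-root scaling applied to the sizes in the thread.
    for bits in (128, 256):
        print(f"{bits}-bit output: about 2^{bits // 2} hashes for a collision, "
              f"about 2^{bits} for a preimage")
```

The work grows with the square root of the output space, which is why collision resistance at 128 bits of output amounts to a 2^64 search while 256 bits pushes it to 2^128.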

