Re: truncated hashes

bram (bram@gawth.com)
Mon, 29 Jun 1998 17:12:56 -0700 (PDT)

• Next message: Greg Rose: "Re: truncated hashes"
• Previous message: Perry E. Metzger: "truncated hashes"
• Next in thread: Greg Rose: "Re: truncated hashes"
• Reply: Greg Rose: "Re: truncated hashes"
• Reply: Perry E. Metzger: "Re: truncated hashes"

On 29 Jun 1998, Perry E. Metzger wrote:

>
> Re: when to truncate hashes, and when not to.
>
> If you are using a hash as a MAC, as in HMAC, truncation makes
> inversion of the MAC harder, so a (small) amount of truncation is
> actually a good thing.

It can also leave you more vulnerable to attacks where an enemy
substitutes phony messages for real ones - it's easier to find substitutes
which slip by the MAC.

If anybody has any references about what might be a reasonable number of
bits to drop for SHA-1 and RIPEMD-160 used as a MAC, I'd like to see them.
Until I see an actual paper recommending a concrete number though, I'll
just stick to zero.

-Bram

• Next message: Greg Rose: "Re: truncated hashes"
• Previous message: Perry E. Metzger: "truncated hashes"
• Next in thread: Greg Rose: "Re: truncated hashes"
• Reply: Greg Rose: "Re: truncated hashes"
• Reply: Perry E. Metzger: "Re: truncated hashes"