Re: truncated hashes

Adam Shostack (adam@homeport.org)
Tue, 30 Jun 1998 08:18:19 -0400 (EDT)

• Next message: Robert Hettinga: "Final Call: Symposium on Digital Bearer Transaction Settlement"
• Previous message: William H. Geiger III: "Re: unsubacribe"
• In reply to: Bill Stewart: "Re: unsubacribe"
• Next in thread: Perry E. Metzger: "Re: truncated hashes"

Greg Rose wrote:
| If you do, indeed, want to truncate a hash, it is better to fold in the
| excess bits with an XOR instead of just dropping them; while this doesn't
| change the brute-force complexity, it defeats some amount of
| precomputation, and if the hash has some kinds of faults (eg. COMP128 I
| think) it can actually defend against the reversal.

        Folding in the final bits also prevents people from
optimmizing out any part of the final round, which is sometimes a
useful optimization of an attack.

        As Perry points out, this is really only useful in the case of
very low security applications, where a break is expected in other
ways. I've used folded hashes for licensing applications, where the
expected break is not in the hash, but changing around the if
statements around the licensing. Using a shorter hash makes it easier
to do tech support, since you're reading off smaller strings of data.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

• Next message: Robert Hettinga: "Final Call: Symposium on Digital Bearer Transaction Settlement"
• Previous message: William H. Geiger III: "Re: unsubacribe"
• In reply to: Bill Stewart: "Re: unsubacribe"
• Next in thread: Perry E. Metzger: "Re: truncated hashes"