Re: TEA (was Re: filesystem encryption)

Perry E. Metzger (perry@piermont.com)
Tue, 30 Jun 1998 11:20:35 -0400

• Next message: Perry E. Metzger: "Re: Cryptoanalysis"
• Previous message: Perry E. Metzger: "Re: TEA (was Re: filesystem encryption)"
• In reply to: Alex Alten: "Re: TEA (was Re: filesystem encryption)"

Bill Sommerfeld writes:
> It depends on whether you're using the hash as a hash, or as a
> building block in a MAC. In the former case, truncation reduces
> security.
>
> In the latter case (which, if I'm not mistaken, is what Perry was
> referring to), truncation may *increase* security against key-recovery
> attacks, because for any given (<message>,<MAC>) pair, it increases
> the number of possible keys which could have generated the given MAC
> from the message.

Yup. Exactly. There is a tradeoff, however -- if you truncate the MAC
too far, suddenly the MAC is now useless.

There is some discussion about this issue in Hugo's papers about HMAC,
as well as in other parts of the literature.

(BTW, when you say "using the hash as a hash", I know what you mean,
but for the benefit of others, what you are really saying is "using
the hash as a cryptographic message digest for use in a public key
signature algorithm or in a similar application". In such
applications, one's concern is birthday attacks, and shrinking the hash
rapidly causes Very Bad Mojo.)

Perry

• Next message: Perry E. Metzger: "Re: Cryptoanalysis"
• Previous message: Perry E. Metzger: "Re: TEA (was Re: filesystem encryption)"
• In reply to: Alex Alten: "Re: TEA (was Re: filesystem encryption)"