Greg Rose (ggr@qualcomm.com)
Tue, 30 Jun 1998 10:25:25 +1000
bram writes:
>On 29 Jun 1998, Perry E. Metzger wrote:
>
>>
>> Re: when to truncate hashes, and when not to.
>>
>> If you are using a hash as a MAC, as in HMAC, truncation makes
>> inversion of the MAC harder, so a (small) amount of truncation is
>> actually a good thing.
>
>It can also leave you more vulnerable to attacks where an enemy
>substitutes phony messages for real ones - it's easier to find
>substitutes which slip by the MAC.

Both of these postings can leave one with the impression that MACs and
hashes are the same thing... which they are not. The reason that hashes
are roughly double the size of MACs is that they have to resist different
attacks; when the birthday paradox comes into play in an attack, you need
the extra length. Perry sort of said this.

If you do, indeed, want to truncate a hash, it is better to fold in the
excess bits with an XOR instead of just dropping them; while this doesn't
change the brute-force complexity, it defeats some amount of
precomputation, and if the hash has some kinds of faults (e.g. COMP128 I
think) it can actually defend against the reversal.

Greg.
Greg Rose INTERNET: ggr@qualcomm.com
QUALCOMM Australia VOICE: +61-2-9181 4851 FAX: +61-2-9181 5470
Suite 410, Birkenhead Point http://people.qualcomm.com/ggr/
Drummoyne NSW 2047 B5 DF 66 95 89 68 1F C8 EF 29 FA 27 F2 2A 94 8F
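
The difference between dropping the excess bits and folding them in with an XOR, as described in the message above, shown as an added example that is not part of the original post. The choice of HMAC-SHA256, the 16-byte output, the zero-padding of a short final chunk and all function names are assumptions of this example.

```python
import hashlib
import hmac

def truncate(digest: bytes, n: int) -> bytes:
    """Shorten by dropping: keep the first n bytes, discard the rest."""
    return digest[:n]

def xor_fold(digest: bytes, n: int) -> bytes:
    """Shorten by folding: XOR every n-byte chunk into one n-byte value.

    A short final chunk is treated as zero-padded (a choice made for this
    example), so every digest byte still lands in the output.
    """
    if not 0 < n <= len(digest):
        raise ValueError("n must be between 1 and len(digest)")
    out = bytearray(n)
    for i, b in enumerate(digest):
        out[i % n] ^= b
    return bytes(out)

def short_mac(key: bytes, msg: bytes, n: int, fold: bool = True) -> bytes:
    """HMAC-SHA256 shortened to n bytes, folded or plainly truncated."""
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return xor_fold(full, n) if fold else truncate(full, n)

def verify(key: bytes, msg: bytes, tag: bytes, fold: bool = True) -> bool:
    """Constant-time comparison of a received shortened tag."""
    return hmac.compare_digest(short_mac(key, msg, len(tag), fold), tag)

def tail_flip_changes(digest: bytes, n: int) -> tuple:
    """Flip one bit in the last digest byte; report whether each shortened
    form changes, as (truncated_changed, folded_changed)."""
    flipped = digest[:-1] + bytes([digest[-1] ^ 0x01])
    return (truncate(digest, n) != truncate(flipped, n),
            xor_fold(digest, n) != xor_fold(flipped, n))

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample input
    msg = b"constructed sample message"      # constructed sample input
    full = hmac.new(key, msg, hashlib.sha256).digest()
    print("dropped:", truncate(full, 16).hex())
    print("folded: ", xor_fold(full, 16).hex())
    print("tail bit flip changes (dropped, folded):", tail_flip_changes(full, 16))
    print("verify folded tag:", verify(key, msg, short_mac(key, msg, 16)))
```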