Perry E. Metzger (perry@piermont.com)
Tue, 30 Jun 1998 11:20:35 -0400
Bill Sommerfeld writes:
> It depends on whether you're using the hash as a hash, or as a
> building block in a MAC. In the former case, truncation reduces
> security.
>
> In the latter case (which, if I'm not mistaken, is what Perry was
> referring to), truncation may *increase* security against key-recovery
> attacks, because for any given (<message>,<MAC>) pair, it increases
> the number of possible keys which could have generated the given MAC
> from the message.
Yup. Exactly. There is a tradeoff, however -- if you truncate the MAC
too far, suddenly the MAC is now useless.
There is some discussion about this issue in Hugo's papers about HMAC,
as well as in other parts of the literature.
(BTW, when you say "using the hash as a hash", I know what you mean,
but for the benefit of others, what you are really saying is "using
the hash as a cryptographic message digest for use in a public key
signature algorithm or in a similar application". In such
applications, one's concern is birthday attacks, and shrinking the hash
rapidly causes Very Bad Mojo.)
Perry
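The tradeoff Bill and Perry describe, as an added example that is not part of the original thread: it enumerates a constructed 16-bit key space to count how many keys are consistent with a truncated HMAC-SHA256 tag for one (message, MAC) pair, alongside the per-guess forgery probability the same truncation hands an attacker. The toy key space, the message and the key are assumptions for illustration only.

```python
import hashlib
import hmac

# Toy parameters (constructed): a 16-bit key space can be enumerated exhaustively,
# which a real key space cannot; the ratios it shows carry over to real sizes.
KEY_BITS = 16
MESSAGE = b"transfer 100 to account 42"  # constructed sample message


def truncated_hmac(key: bytes, msg: bytes, tag_bytes: int) -> bytes:
    """HMAC-SHA256 keeping only the leftmost tag_bytes bytes (RFC 2104 truncation)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_bytes]


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verifier side: recompute, truncate to the received length, compare in constant time."""
    return hmac.compare_digest(truncated_hmac(key, msg, len(tag)), tag)


def consistent_keys(msg: bytes, tag: bytes) -> int:
    """Bill's quantity: how many keys in the toy space produce this (msg, tag) pair.
    Shorter tags leave more keys open, so key recovery from one pair gets harder."""
    return sum(
        1 for k in range(1 << KEY_BITS)
        if truncated_hmac(k.to_bytes(KEY_BITS // 8, "big"), msg, len(tag)) == tag
    )


def forgery_guess_probability(tag_bytes: int) -> float:
    """Perry's caveat: one random tag guess verifies with probability 2^-(8*tag_bytes),
    so truncating too far makes the MAC useless regardless of key size."""
    return 2.0 ** (-8 * tag_bytes)


def tradeoff_table(key: bytes, msg: bytes) -> dict:
    """For several tag lengths: (consistent keys, per-guess forgery probability)."""
    table = {}
    for tag_bytes in (1, 2, 4, 32):
        tag = truncated_hmac(key, msg, tag_bytes)
        table[tag_bytes] = (consistent_keys(msg, tag), forgery_guess_probability(tag_bytes))
    return table


if __name__ == "__main__":
    key = (0xBEEF).to_bytes(KEY_BITS // 8, "big")  # constructed toy key
    for t, (keys, p) in tradeoff_table(key, MESSAGE).items():
        print(f"{t:2d}-byte tag: {keys:5d} consistent keys, forgery guess p = {p:.1e}")
```

With a 1-byte tag roughly 1 key in 256 of the toy space matches, so the pair says little about the key, but a forger succeeds with one guess in 256; the full 32-byte tag pins the key down uniquely while a guess is hopeless.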
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:15 ADT