John Kelsey writes:

> The high order bit is that you can't generally guarantee
> that truncating your hash (chopping off some bits) won't
> weaken it. That is, if you chop SHA256 off to 160 bits as a
> replacement for SHA1 (something I'm working on with Niels
> Ferguson for X9 right now), it's possible that there's no
> attack on SHA256, but there is an attack on SHA160.

This is a good point, but I think the lesson is that all the bits of a hash have to be strong for it to be considered strong. If you have a 2^64 attack to find a collision in 160 bits of SHA256, then SHA256 is broken. It should not be possible to identify any subset of k bits in the output of a hash function, or more generally any function mapping the hash output to a k bit result, which can have collisions found in less than 2^(k/2) work. Whether hash functions like SHA256 can meet this standard is far from clear, unfortunately.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
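The 2^(k/2) figure in the exchange above is the generic birthday bound: for an ideal k-bit hash, collisions cost about 2^(k/2) work and nothing less. The following added example (it is not code from either poster or from the X9 work mentioned) makes that concrete with Python's standard library. It truncates SHA-256 to k bits the way the quoted proposal does, then runs a plain birthday search against a small truncation (24 bits) so the expected cost can be compared with 2^(k/2) directly. The function names and the choice of 24 bits are this example's own assumptions; the point is that any k-bit projection of a strong hash should need at least this much work, and that a projection which falls well below the bound is the kind of weakness Finney describes.

```python
import hashlib
import math

# Assumed helper names (truncated_sha256, birthday_collision, ...) are this
# example's own; they are not from the mailing-list post.


def truncated_sha256(data: bytes, bits: int) -> bytes:
    """Return the leading `bits` bits of SHA-256(data), as bytes.

    `bits` must be a multiple of 8 in 8..256. A 160-bit truncation is the
    SHA-1-sized replacement discussed in the thread.
    """
    if bits % 8 != 0 or not 0 < bits <= 256:
        raise ValueError("bits must be a multiple of 8 in 8..256")
    return hashlib.sha256(data).digest()[: bits // 8]


def generic_collision_work(bits: int) -> int:
    """The 2^(k/2) work any k-bit hash output should cost to collide."""
    return 2 ** (bits // 2)


def expected_birthday_trials(bits: int) -> float:
    """Expected number of random inputs before the first collision in a
    random k-bit function: sqrt(pi/2 * 2^k). Same order as 2^(k/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, max_trials: int):
    """Generic birthday search against the `bits`-bit truncation.

    Inputs are the constructed messages 0, 1, 2, ... encoded as 8-byte
    big-endian integers, so every run is deterministic. Returns
    (trials_used, msg_a, msg_b) on a collision, or (max_trials, None, None)
    if none was found within the budget.
    """
    seen = {}
    for i in range(max_trials):
        msg = i.to_bytes(8, "big")
        h = truncated_sha256(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return max_trials, None, None


if __name__ == "__main__":
    # 160-bit truncation of SHA-256, the SHA-1 replacement under discussion.
    print("SHA256/160 of empty string:", truncated_sha256(b"", 160).hex())

    # Birthday search on a 24-bit truncation: small enough to run instantly,
    # large enough to show the sqrt scaling against 2^(k/2) = 4096.
    k = 24
    trials, a, b = birthday_collision(k, 2 ** 16)
    print(f"{k}-bit collision after {trials} trials "
          f"(expected ~{expected_birthday_trials(k):.0f}, "
          f"generic bound 2^(k/2) = {generic_collision_work(k)})")
    if a is not None:
        assert a != b
        assert truncated_sha256(a, k) == truncated_sha256(b, k)
        print("messages:", a.hex(), b.hex())
```

A truncation that behaves like a random function will land within a small constant factor of the expected figure. A projection for which a collision turned up far below 2^(k/2) would, in Finney's terms, count as a break of the full hash, not just of the truncated one.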