John Kelsey writes:
The high order bit is that you can't generally guarantee
that truncating your hash (chopping off some bits) won't
weaken it. That is, if you chop SHA256 off to 160 bits as a
replacement for SHA1 (something I'm working on with Niels
Ferguson for X9 right now), it's

----- Original Message -----
From: John Kelsey [EMAIL PROTECTED]
Subject: Possibly new result on truncating hashes
How could this work? Suppose we have an algorithm like the
Wang attacks on MD5, SHA0, or SHA1 for finding a single
collision pair. The algorithm returns a single collision
pair

John Kelsey wrote:
Unfortunately, we can't make this argument, because this
postulated collision algorithm can't be used to find a
collision in the whole SHA256 more efficiently than brute force.
Let's do the counting argument: Each time we call the
160-bit collision algorithm, we

Joseph Ashwood writes:
From: John Kelsey [EMAIL PROTECTED]
Now, this is an attack on SHA256 truncated to 160 bits.
Does it lead to an attack on SHA256 as a whole?
Actually it does. Such an attack would reduce the difficulty of producing a
collision in SHA-256 to 2^(64+(96/2)) or 2^112.

Guys,
I have what seems like a new and interesting result, which I
haven't seen before, but which may or may not be new.
The high order bit is that you can't generally guarantee
that truncating your hash (chopping off some bits) won't
weaken it. That is, if you chop SHA256 off to 160 bits as