### Re: Possibly new result on truncating hashes

John Kelsey writes: The high order bit is that you can't generally guarantee that truncating your hash (chopping off some bits) won't weaken it. That is, if you chop SHA256 off to 160 bits as a replacement for SHA1 (something I'm working on with Niels Ferguson for X9 right now), it's

### Re: Possibly new result on truncating hashes

- Original Message - From: John Kelsey [EMAIL PROTECTED] Subject: Possibly new result on truncating hashes How could this work? Suppose we have an algorithm like the Wang attacks on MD5, SHA0, or SHA1 for finding a single collision pair. The algorithm returns a single collision pair

### AW: Possibly new result on truncating hashes

John Kelsey wrote: Unfortunately, we can't make this argument, because this postulated collision algorithm can't be used to find a collision in the whole SHA256 more efficiently than brute force. Let's do the counting argument: Each time we call the 160-bit collision algorithm, we

### Re: Possibly new result on truncating hashes

Joseph Ashwood writes: From: John Kelsey [EMAIL PROTECTED] Now, this is an attack on SHA256 truncated to 160 bits. Does it lead to an attack on SHA256 as a whole? Actually it does. Such an attack would reduce the difficulty of producing a collision in SHA-256 to 2^(64+(96/2)) or 2^112.

### Possibly new result on truncating hashes

Guys, I have what seems like a new and interesting result, which I haven't seen before, but which may or may not be new. The high order bit is that you can't generally guarantee that truncating your hash (chopping off some bits) won't weaken it. That is, if you chop SHA256 off to 160 bits as