David Gwynne:

> secondly, i'm always wary of truncating hash output in case it throws away
> some of the guarantees it's supposed to provide. if you cut sha512 output 
> down to an 8th of its size, is it 8 times easier to calculate a collision, or 
> more than 8 times easier? sha384 being a truncation of sha512 kind of argues 
> against this though.

NIST FIPS 180-4 (the SHA-2 standard) says:

  Some application may require a hash function with a message digest
  length different than those provided by the hash functions in this
  Standard. In such cases, a truncated message digest may be used,
  whereby a hash function with a larger message digest length is
  applied to the data to be hashed, and the resulting message digest
  is truncated by selecting an appropriate number of the leftmost
  bits. [...]

(For some reason though the same standard specifies "SHA-512/t"
hash functions, which are SHA-512 truncated to t bits, to use
different initial hash values.  Maybe some mathematical rigor thing
to distinguish truncation by the user from truncation inside the
function?)

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
