[spf:guess] Re: DSA and SHA-256 (It works! Or does it?! :))

Bernd Eckenfels lists at lina.inka.de
Wed Jan 13 23:36:44 CET 2010

On Thu, Jan 14, 2010 at 10:58:50AM +1300, Sam Vilain wrote:
> Because SHA-256 has fewer rounds than SHA-1, from my very naïve grasp of
> the subject, it seems like it could be easier to find a collision by
> throwing those bits away, than by using SHA-1.  Taking the approach of
> not shortening the hash output, but taking it modulus a very large prime
> would seem to lose that information rather than folding it back into the
> output via the 'mod q' at the end, where all the extra high bits will
> have a very profound and non-linear impact on the output values.

I think the idea in cutting a hash is that if the hash is strong, each bit
is equally influenced, and there is no need to fold it (especially when the
folding is not something strong like XOR-ing). If the hash is not strong and
does violate the principle that each changed input bit does not influence
50% of the hash bits, then it is too weak and the folding cannot strengthen
the result.

I am kind of trusting NIST they thought about it.
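Added example (not code from the thread or from GnuPG): it measures, with Python's hashlib, how the two derivations under discussion, keeping the leftmost bits of SHA-256 up to the bit length of q as DSA does, versus reducing the whole digest mod q, each spread a single flipped input bit across the output. Q is a constructed stand-in for a 160-bit DSA subgroup order; primality does not matter for this measurement.

```python
import hashlib

# Constructed stand-in for a 160-bit DSA subgroup order q (placeholder value;
# primality is irrelevant for the bit-influence measurement below).
Q_BITS = 160
Q = (1 << 160) - 47


def truncate_leftmost(digest: bytes, nbits: int) -> int:
    """Keep the leftmost min(nbits, 8*len(digest)) bits of the digest,
    which is how DSA shortens a hash that is longer than q."""
    keep = min(nbits, 8 * len(digest))
    return int.from_bytes(digest, "big") >> (8 * len(digest) - keep)


def reduce_mod_q(digest: bytes, q: int) -> int:
    """The alternative raised in the thread: fold the whole digest via mod q."""
    return int.from_bytes(digest, "big") % q


def bit_influence(derive, nbits: int, trials: int = 256) -> float:
    """Flip one input bit per trial and return the average fraction of the
    derived output's bits that change. A strong hash yields roughly 0.5
    whichever derivation is used, which is the point made above."""
    changed = 0
    for i in range(trials):
        msg = i.to_bytes(8, "big")               # constructed, deterministic input
        flipped = bytearray(msg)
        flipped[(i // 8) % 8] ^= 1 << (i % 8)    # toggle exactly one input bit
        a = derive(hashlib.sha256(msg).digest())
        b = derive(hashlib.sha256(bytes(flipped)).digest())
        changed += bin(a ^ b).count("1")
    return changed / (trials * nbits)


def avalanche_truncate() -> float:
    return bit_influence(lambda d: truncate_leftmost(d, Q_BITS), Q_BITS)


def avalanche_mod_q() -> float:
    return bit_influence(lambda d: reduce_mod_q(d, Q), Q_BITS)


if __name__ == "__main__":
    print(f"truncate to {Q_BITS} bits: {avalanche_truncate():.3f}")
    print(f"reduce mod q:            {avalanche_mod_q():.3f}")
```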


More information about the Gnupg-devel mailing list