Security of truncated hash functions

David Shaw dshaw at
Wed Aug 2 18:13:49 CEST 2006

On Sat, Jul 29, 2006 at 07:26:18PM +0930, Alphax wrote:
> Qed wrote:
> > Suppose you need a 160 bit digest.
> > You can choose RIPEMD160/SHA1 or a truncated version of a bigger one
> > (e.g.: SHA2 family).
> > Which solution would be safer?
> > Is a digest algo designed for a given length stronger than a truncated
> > longer one?
> > 
> Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll
> assume that you're asking about using the "DSA2" option to use truncated
> hashes with DSA keys that have q=160.
> Now, I could be completely wrong, but "common sense" seems to suggest
> that there's no reason why it's any safer; in fact, you may be worse off.

Note, though, that NIST explicitly allows (i.e. requires) hash
truncation in the new DSA spec.  At least in the context of DSA, the
official answer is that either a full SHA1 or a truncated SHA256 is
roughly of the same safety.
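
The truncation the DSA specification (FIPS 186-3 and later) prescribes is to take the leftmost min(N, outlen) bits of the hash output, where N is the bit length of q. The following is an added example, not part of the original post; the function name and sample message are constructed for illustration.

```python
import hashlib

def dsa_hash_to_int(message: bytes, hash_name: str, q_bits: int) -> int:
    """Return z, the leftmost min(N, outlen) bits of Hash(message) as an integer.

    q_bits is N, the bit length of the DSA subgroup order q.
    (Hypothetical helper name; not a GnuPG or libgcrypt API.)
    """
    digest = hashlib.new(hash_name, message).digest()
    outlen = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if outlen > q_bits:
        # Drop the low-order (rightmost) bits. A shift, rather than a byte
        # slice, also handles values of N that are not a multiple of 8.
        z >>= outlen - q_bits
    # If outlen <= N the full digest is used unchanged (no padding).
    return z

# Constructed sample input.
SAMPLE = b"constructed sample message"

def compare_160_bit_inputs(message: bytes) -> dict:
    """Both candidate inputs for a DSA key with q = 160 bits."""
    return {
        "sha1_full": dsa_hash_to_int(message, "sha1", 160),
        "sha256_truncated": dsa_hash_to_int(message, "sha256", 160),
    }

if __name__ == "__main__":
    for name, z in compare_160_bit_inputs(SAMPLE).items():
        print(f"{name:17s} bits={z.bit_length():3d} z={z:040x}")
```

Either value fits in 160 bits, so a generic collision search against either costs on the order of 2^80 hash evaluations; the truncated SHA-256 input gains no extra collision resistance from its longer internal state, which is the sense in which the two are "roughly of the same safety".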