Security of truncated hash functions
Alphax
alphasigmax at gmail.com
Sat Jul 29 11:56:18 CEST 2006
Qed wrote:
> Suppose you need a 160 bit digest.
> You can choose RIPEMD160/SHA1 or a truncated version of a bigger one
> (e.g.: SHA2 family).
> Which solution would be safer?
> Is a digest algo designed for a given length stronger than a truncated
> longer one?
>
Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll
assume that you're asking about using the "DSA2" option to use truncated
hashes with DSA keys that have q=160.
Now, I could be completely wrong, but "common sense" seems to suggest
that there's no reason why it's any safer; in fact, you may be worse off.
The reasoning for this answer is as follows: since DSA OpenPGP keys
don't have a hash function firewall, it just gives an attacker more
opportunities to find a hash collision; instead of having to pick from
SHA1 and RIPEMD160 as the hash algorithms to pick a colliding message
digest from, they can now add the SHA2 family of algorithms to their
choices; plus, instead of having to collide 160/160 bits, they now only
have to collide 160/{224,256,384,512} bits.
Again, I could be completely wrong, but that's what "common sense" seems
to suggest.
> I googled, but I found only
> http://www.schneier.com/blog/archives/2005/10/nist_hash_works_3.html
> I know that sci.crypt would be a better place to ask this question, but
> I don't like it.
You could also ask at PGP-Basics :)
--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
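
An added illustration, not part of the original message and not GnuPG code: it truncates a longer digest to a shorter one and runs a generic birthday search on a 24-bit truncation of SHA-1, SHA-256 and SHA-512, so the number of attempts needed to collide the retained bits can be compared across hashes. Taking the leftmost bits is an assumption about how the truncation is done; the function names and messages are constructed for the example.

```python
import hashlib
from itertools import count


def truncated_digest(algo: str, data: bytes, bits: int) -> bytes:
    """Return the leftmost `bits` bits of hashlib's `algo` digest of `data`."""
    full = hashlib.new(algo, data).digest()
    if bits % 8 or not 0 < bits <= len(full) * 8:
        raise ValueError("bits must be a multiple of 8 within the digest size")
    return full[: bits // 8]


def birthday_collision(algo: str, bits: int):
    """Generic birthday search: hash distinct messages until two share the
    same truncated digest. Returns (msg1, msg2, attempts)."""
    seen = {}
    for i in count():
        msg = b"constructed-message-%d" % i  # constructed sample input
        tag = truncated_digest(algo, msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    # A 160-bit value taken from SHA-256, the size a DSA key with q=160 needs.
    print(truncated_digest("sha256", b"abc", 160).hex())
    # Toy width: for an ideal hash roughly 2**12 attempts are expected,
    # because the generic cost depends on the bits kept, not the bits discarded.
    for algo in ("sha1", "sha256", "sha512"):
        m1, m2, attempts = birthday_collision(algo, 24)
        print(f"{algo:7s} 24-bit collision after {attempts} attempts: {m1!r} {m2!r}")
```

The search only exercises the generic birthday bound; it says nothing about structural weaknesses specific to any one hash function.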