Security of truncated hash functions

Alphax alphasigmax at
Sat Jul 29 11:56:18 CEST 2006

Qed wrote:
> Suppose you need a 160 bit digest.
> You can choose RIPEMD160/SHA1 or a truncated version of a bigger one
> (e.g.: SHA2 family).
> Which solution would be safer?
> Is a digest algo designed for a given length stronger than a truncated
> longer one?

Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll
assume that you're asking about using the "DSA2" option to use truncated
hashes with DSA keys that have q=160.

Now, I could be completely wrong, but "common sense" seems to suggest
that there's no reason why it's any safer; in fact, you may be worse off.

The reasoning for this answer is as follows: since DSA OpenPGP keys
don't have a hash function firewall, it just gives an attacker more
oppurtunities to find a hash collision; instead of having to pick from
SHA1 and RIPEMD160 as the hash algorithms to pick a colliding message
digest from, they can now add the SHA2 family of algorithms to their
choices; plus, instead of having to collide 160/160 bits, they now only
have to collide 160/{224,256,384,512} bits.

Again, I could be completely wrong, but that's what "common sense" seems
to suggest.

> I googled, but I found only
> I know that sci.crypt would be a better place to ask this question, but
> I don't like it.

You could also ask at PGP-Basics :)

        Death to all fanatics!
  Down with categorical imperative!
OpenPGP key:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 564 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20060729/77bcf27e/signature.pgp

More information about the Gnupg-users mailing list