SHA-160: A Truncation Mode for SHA256
(and most other hashes)
John Kelsey, NIST Halloween Hash Bash 2005

What's a Truncation Mode?
- Rule for chopping bits off a hash output
- We have a big hash fn we trust, like SHA256
- We need a smaller hash output, like 160 bits
- We need to specify how this is done
- Interoperability and security reasons

Why Do We Need One?
- Need drop-in replacement for SHA1 (MD5?)
- Have unbroken hashes of wrong size
- ECDSA/DSA key sizes
- File and protocol formats
- Obvious approach: Truncate SHA256/SHA512
- This has been done before: Snefru, Tiger, SHA384, SHA224

Our Proposal in a Nutshell
H(X,M) = hash M from initial value X
- Start with different IV for each truncation length n (n has fixed-length representation):
  IVTn = H(IV xor 0xccc...c, n)
- Run bigger hash normally:
  HTn(m) = truncate(H(IVTn, m), n)
- Generic: Any n, many big hashes
- (Rivest comment to SHA224)

Intuition: Why should this be okay?
- If hash "good", seems like truncation should be good, too.
  - Fits our intuition about hash functions
  - Easy proof in Random Oracle Model
  - Prior art suggests other people agree
- So, is intuition correct here?

Security Considerations
- Issue #1: Related hash outputs
  - HTn(X) ≠ H(X')
- Issue #2: Can we safely truncate?
  - No reduction proof
  - "Near collisions"

Issue #1: Related Outputs
Why we need IVTn ≠ IV
What if IVTn = IV? Then we get collision before truncation:
HT160(M) = ABCDE
HT192(M) = ABCDEF

Does This Matter? A Common KDF
- KDF(S,P,n):
    T = ""
    for j = 1 to n:
        T = T || hash(S||P||j)
- Two people use different truncations:
- Result: Two closely related keys
    "AAAABBBBCCCCDDDD"
    "AAABBBCCCDDD"
- Very unintuitive property!
- Related key attack?
- Protocol problem?

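Added example (not from the original slides): a minimal pure-Python SHA-256 with a settable initial value, used to compare plain truncation (IVTn = IV) with the proposed IVTn = H(IV xor 0xccc...c, n) and to run the KDF above under both. The 4-byte big-endian encoding of n, leftmost-bits truncation and the one-byte counter j are assumptions; the names iroot, naive, ht and kdf are illustrative.

```python
import struct

M32 = 0xFFFFFFFF

def iroot(n, k):  # floor of the k-th root of n, exact integer arithmetic
    lo, hi = 0, 1 << 40
    while lo < hi:
        mid = (lo + hi + 1) >> 1
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, p))]  # first 64 primes
K = [iroot(p << 96, 3) & M32 for p in PRIMES]       # SHA-256 round constants
IV = [iroot(p << 64, 2) & M32 for p in PRIMES[:8]]  # standard SHA-256 initial value

def rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & M32

def compress(state, block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = rotr(w[i-15], 7) ^ rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = rotr(w[i-2], 17) ^ rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]
        t2 = (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return [(x + y) & M32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def H(iv, msg):  # the slides' H(X, M): SHA-256 of msg started from initial value iv
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    state = list(iv)
    for off in range(0, len(data), 64):
        state = compress(state, data[off:off + 64])
    return struct.pack(">8I", *state)

def naive(n, msg):  # plain truncation: IVTn = IV
    return H(IV, msg)[:n // 8]

def ht(n, msg):  # HTn(m) = truncate(H(IVTn, m), n), IVTn = H(IV xor 0xccc...c, n)
    # Assumptions: n is encoded as 4 bytes big-endian; truncate keeps the leftmost n bits.
    ivt = struct.unpack(">8I", H([x ^ 0xCCCCCCCC for x in IV], struct.pack(">I", n)))
    return H(ivt, msg)[:n // 8]

def kdf(hash_n, n, s, p, blocks):  # the slides' KDF: T = T || hash(S || P || j)
    # Assumption: the counter j is a single byte.
    return b"".join(hash_n(n, s + p + bytes([j])) for j in range(1, blocks + 1))
```

With naive, the first 20 bytes of every 192-bit KDF block equal the corresponding 160-bit block, which is the "closely related keys" result; with ht the blocks share no such prefix.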