012 - )3 2 4 5 62 + ) # $ 7 8 & 9 / - 4 ): 2 ; 0)2 0< 5 + )< - NIST
嚜燙HA-160: A Truncation Mode
for SHA256
(and most other hashes)
John Kelsey, NIST
Halloween Hash Bash 2005
1
What*s a Truncation Mode?
? Rule for chopping bits off a hash output
? We have a big hash fn we trust,
Like SHA256
? We need a smaller hash output
Like 160 bits
? We need to specify how this is done
每 Interoperability and security reasons
2
Why Do We Need One?
? Need drop in replacement for SHA1 (MD5?)
? Have unbroken hashes of wrong size
每 ECDSA/DSA key sizes
每 File and protocol formats
? Obvious approach:
Truncate SHA256/SHA512
? This has been done before:
Snefru, Tiger, SHA384, SHA224
3
Our Proposal in a Nutshell
H(X,M) = hash M from initial value X
? Start with different IV for each
truncation length n:
n has fixed-length representation
IVTn = H(IV xor 0xccc#c,n)
? Run bigger hash normally
HTn(m) = truncate(H(IVTn, m),n)
? Generic: Any n, many big hashes
每 (Rivest comment to SHA224)
4
Intuition:
Why should this be okay?
? If hash ※good§, seems like truncation
should be good, too.
每 Fits our intuition about hash functions
每 Easy proof in Random Oracle Model
每 Prior art suggests other people agree
? So, is intuition correct here?
5
................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.
Related download
- math 215 hw 8 solutions colorado state university
- math 146 statistics for the health sciences student name
- spring 2005 exam c soa exam
- quadratic formula and the discriminant effortless math
- quick quiz 0 1 name time zeros date score multiplication
- guess the number math riddle math challenge
- mat 242 test 2 solutions form a arizona state university
- solutions to homework 2 math 170 summer session i 2012
- appendix webassign
- addition drill 4 digit s1 math worksheets 4 kids