I\'ve researched several forms of encryption/hashing and have often come across

Question

I've researched several forms of encryption/hashing and have often come across the term "bits of security". For example, at least one source claimed SHA-256 = AES128 = ECC256 = 128 bits of security.

My question is, if this is true, can I take a 256-bit SHA-256 digest and compress it down to 128 bits without loss of security? (For example, by just taking the XOR of the upper 128 bits and lower 128 bits of the digest)

In my particular case, it's important that the digest be small. Thanks in advance for any responses.

Explanation / Answer

The assessment of any strong 256 bit cryptographic hash as having a security level of either 128 or 256 bit depends entirely on how it is used. In an application where an attacker can succeed simply by finding any hash collision, the security level cannot exceed 128 bit since a simple birthday attack will (probabilistically) succeed after 2^128 random attempts. If you shorten the hash to a 128 bit hash, then you reduce its security level in this context to 64 bits.

However, applications are conceivable where a successful attack would have to find a collision to one (or very few) given hashes, such as for forging a digitally signed message not by forging the signature itself, but by finding a different message that yields the same hash (which is what signature schemes tend to actually sign). In the extreme case that only one real signature exists, SHA256 would arguably permit a security level of 256 bits when used only as in this example.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.