[147675] in cryptography@c2.net mail archive
Re: [Cryptography] please dont weaken pre-image resistance of SHA3
daemon@ATHENA.MIT.EDU (Adam Back)
Tue Oct 15 14:53:45 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 15 Oct 2013 20:22:50 +0200
From: Adam Back <adam@cypherspace.org>
To: John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <6C1141E5-B7AC-46F6-8C7E-744B61E1C894@gmail.com>
Cc: Adam Back <adam@cypherspace.org>,
"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
ianG <iang@iang.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Tue, Oct 15, 2013 at 03:09:58AM -0400, John Kelsey wrote:
>On Oct 14, 2013, at 4:17 PM, ianG <iang@iang.org> wrote:
>...
>> What is the preimage protection of SHA3-512 when truncated to 256? It
>> seems that SHA3-384 still gets 256.
>
>If the capacity is c bits, then preimages are never more than 2^{c/2} bits.
> So SHA3-512 as proposed in my CHES slides would have preimage resistance
> of 256 bits.
Are you including truncation in that? (The question was would SHA3-512
STILL have 256-bit preimage security if it was truncated to 256-bit ie
motivated by a workaround to get a 256-bit output with conventional 256-bit
preimage resistance).
Adam
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
