[14867] in cryptography@c2.net mail archive


Re: Additional Proposed Hash Function (Forwarded)

daemon@ATHENA.MIT.EDU (Jerrold Leichter)
Sat Dec 6 19:57:48 2003

X-Original-To: cryptography@metzdowd.com
Date: Sat, 6 Dec 2003 17:55:58 -0500 (EST)
From: Jerrold Leichter <jerrold.leichter@smarts.com>
To: David Shaw <dshaw@jabberwocky.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <20031206044446.GC26945@jabberwocky.com>

| > NIST is proposing a change notice for FIPS 180-2, the Secure Hash Standard
| > that will specify an additional hash function, SHA-224, that is based on
| > SHA-256. The change notice is available at
| > http://csrc.nist.gov/publications/drafts.html. NIST requests comments for
| > the change notice by January 16, 2004. Comments should be addressed to
| > ebarker@nist.gov.
|
| Does anyone know what the story is behind this?  It seems to be the
| same sort of relationship that SHA-384 has to SHA-512 - that is, the
| same basic algorithm, the same amount of work to calculate it, but
| with different initial values, and some bits chopped off at the end.
| It all seems a lot of effort just to save 4 bytes in the final hash.

I'd guess that this is part of an effort to define hashes "equivalent in
strength" to various standardized ciphers.  Because of birthday attacks, in
some sense the security of an n-bit hash is comparable to that of an n/2-bit
cipher.  So SHA-256, -384, and -512 are intended to match the three supported
AES key sizes of 128, 196, and 256 bits.  SHA-224 then comes out to match
2-key 3-DES.
							-- Jerry
