1

Assume I create a hash using SHA-256 and then take only the first 160 bits of the hash as the result. Is the result more cryptographically secure than SHA-1? Or are the two algorithms equally secure except for the hash size (for example, in terms of uneven distribution of the hashes and other means that determine the resilience of hashing algorithms)?

What about the rest of the SHA family of hashing algorithms such as SHA-512?

Aviv Aviv
  • Did you know that SHA-1's collision is broken? What is your actual problem? 160-bit output can only provide 80-bit collision resistance with 50% probability, and the 50% probability is already too high in the attacker's sense – kelalaka Oct 07 '22 at 11:54
  • @kelalaka like I said, I am choosing a hashing algorithm and I need its output to be small, so I am wondering whether it is better to use SHA-256 and take off part of the bits of the result or use SHA-1 and then have the exact amount of bits I need – Aviv Aviv Oct 07 '22 at 11:58
  • How much minimum output do you want? For collision against classical adversaries, you need around the 224-bit output. Is collision really necessary? – kelalaka Oct 07 '22 at 12:01
  • @kelalaka I want the hash to fit inside 13 base64-encoded characters (for password creation). So it's 6 bits * 13 = 78 bits hash. This is hardly ideal. But those hashes are used for passwords so I have password restrictions I need to care about. – Aviv Aviv Oct 07 '22 at 12:07
  • There are already password hashing algorithms like Argon2, BCrypt, and Balloon hashing, etc. for that purpose. Are you trying to reinvent the wheel? – kelalaka Oct 07 '22 at 12:12
  • 1
    @kelalaka I am trying to use hashing to generate passwords (not hash them) client side – Aviv Aviv Oct 07 '22 at 12:17
  • 1
    Then collision attack is not your real problem, pre-image resistance is your problem. And, you come here with a half-explained problem. Every detail is really important. Still, you can benefit from password hashes. Besides, who is going to remember these passwords? Edit your question with your exact need and your consideration and the risks, etc. – kelalaka Oct 07 '22 at 12:18

1 Answer

4

Yes, SHA-256 is safer than SHA-1 beyond the hash size.

In particular, SHA-256 truncated to 160 bits is significantly more collision resistant than SHA-1 is: we can make a collision for SHA-1 with effort like $2^{61.2}$ hashes, versus more than $2^{80}$ for an unbroken hash, including SHA-256.

When it's known that all targeted platforms are 64-bit, SHA-512 (and truncated versions) is often preferred to SHA-256, because it's faster for large input. It's probably also rather safer (but safer than safe is rather pointless).

SHA-3 and SHAKE have the further advantages of not having the length-extension property (contrary to non-truncated SHA-1, SHA-256, SHA-512), and (for SHAKE) of having customizable output length.


As far as I understand, the hash is used as a password generator, I imagine from a master secret, a site name, and a login. In theory, we'd need a MAC with the master secret as key, and the rest as the other input; or a hash designed to be a MAC simply by starting the hashed message with the key. SHA-3 is superior in that regard. If we use SHA-1 or SHA-256 we should use HMAC-SHA-1 or HMAC-SHA-256; but OTOH there is no known attack if we do not.

fgrieu
  • 1
    The OP has revealed more about their intent; besides, SHA-256/160 has some length extension resistance, too. – kelalaka Oct 07 '22 at 12:30
  • 2
    “SHA-512 (…) is often preferred to SHA-256, because it's faster for large input on 64-bit CPUs” That's arguably backward. The platforms that need the most help with performance are 32-bit CPUs without hardware acceleration, and they prefer SHA-256. – Gilles 'SO- stop being evil' Oct 07 '22 at 12:49
  • @Gilles'SO-stopbeingevil' Agreed, and all the Intel / AMD processors currently sold have SHA-1/SHA-256 hardware acceleration anyway. The same goes for most consumer ARM processors I presume, ARM has instructions since the Cortex-A57 (released in 2012!), although they are part of an instruction extension (so some embedded chips may not have this kind of hardware acceleration). Note that having such acceleration doesn't necessarily mean it is always used, but yeah... – Maarten Bodewes Oct 21 '22 at 15:18
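The construction suggested in the answer (HMAC-SHA-256 keyed with the master secret, truncated to the 13 base64 characters, 78 bits, mentioned in the question's comments), written out as an added example that is not code from any poster in this thread. The function names, the length-prefixed field encoding and the unkeyed `naive_password` variant shown for comparison are assumptions made for this illustration.

```python
import hashlib
import hmac

# Standard base64 alphabet (RFC 4648); a site may reject '+' or '/'.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") differ."""
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out

def truncate_to_b64(digest: bytes, chars: int = 13) -> str:
    """Keep the leftmost 6*chars bits of digest, as base64 characters."""
    bits = 6 * chars
    if bits > 8 * len(digest):
        raise ValueError("digest too short for requested length")
    value = int.from_bytes(digest, "big") >> (8 * len(digest) - bits)
    return "".join(B64[(value >> (6 * i)) & 0x3F] for i in reversed(range(chars)))

def site_password(master_secret: bytes, site: str, login: str, chars: int = 13) -> str:
    """HMAC-SHA-256 keyed with the master secret, truncated to 6*chars bits."""
    tag = hmac.new(master_secret, encode_fields(site, login), hashlib.sha256).digest()
    return truncate_to_b64(tag, chars)

def naive_password(master_secret: bytes, site: str, login: str, chars: int = 13) -> str:
    """Weaker variant for comparison: plain SHA-256 over concatenated fields."""
    data = master_secret + site.encode() + login.encode()
    return truncate_to_b64(hashlib.sha256(data).digest(), chars)
```

Truncation does not add entropy: the 78-bit output is only as hard to guess as the master secret that keys the HMAC.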