0

Let say I want to truncate SHA256 to 128 bits. What would be the best way to minimize a probability of a collision and improve collision resistance?

  1. Taking the last 16 bytes
  2. Taking the first 16 bytes
  3. XORing the first 16 bytes and the last 16 bytes together

And should I assume that the same logic will apply for other hash functions from the SHA-2 set (like SHA516) as well as other hash functions in general, for example, SHA-1 or MD5?

CoolCodeBro
  • 123
  • 1
  • 3
  • It might be reasonable if you would include what security properties you expect from the truncated hash. I don't know if that would change which one is best; however, depending on what security properties you expect, it may be that none of them would meet that goal. – poncho Aug 12 '14 at 18:20
  • @poncho Yes. Thank you. I updated my answer to clarify what security properties I expect. – CoolCodeBro Aug 12 '14 at 18:38
  • 1
    Now, the question I dup'ed this two doesn't talk about xor'ing the two halves; however it's the same as the other two. However, you talk about "minimize the probability of a collision"; who's generating the images? Is it someone deliberately trying to create a collision? If so, then if he also has significant amount of computational resources, he can create a collision in any of the three methods (with Pollard Rho and computing circa $2^{64}$ hashes). – poncho Aug 12 '14 at 18:45
  • @poncho I don't think that other question is really a duplicate, since it doesn't even consider the possibility of using XOR. However the answer to that other question may still be applicable to this question. – kasperd Aug 12 '14 at 19:31
  • 2
  • Just take the first 16 bytes. Simple and secure if SHA256 is. 2) Any unkeyed 128 bit hash has at most 64 bits of collision resistance. That's generally not considered secure. Either increase the size or introduce a key not known to the attacker (using HMAC-SHA-2).
    • – CodesInChaos Aug 12 '14 at 20:12
  • May I ask what research you have done? What did you find out and where did you get stuck? Also, what exactly is the scenario? What is the reason not to use a cryptographically secure hashing function that produces a 128 bit output by default? I’m asking because we expect you to do a significant amount of research before asking here, including searching on this site for other questions and answers that might shed light on your question. At worst it will help you frame a better question; at best it will answer your question. Just an example: you mention MD5… which outputs 128 bits by nature! – e-sushi Aug 12 '14 at 20:15
  • @e-sushi I don't know any cryptographically secure hashing functions, which output 128 bit by default. There is UUID version 5, which computes a SHA1 hash and ignores 38 of the output bits. But I wouldn't call that a cryptographic hash outputting 128 bits by default. – kasperd Aug 12 '14 at 20:43
  • @kasperd Re.I don't know any cryptographically secure hashing functions, which output 128 bit by default. Well, maybe this can provide a hint. ;) – e-sushi Aug 12 '14 at 20:46
  • @e-sushi I was checking it out already. Sounds like MD2 and RIPEMD-128 are the only contenders. Couldn't help noticing that the cited article about MD4 has a hilarious typo in the abstract: However, there were some tyops and oversights in their paper. – kasperd Aug 12 '14 at 20:51
  • @kasperd Yep… one of those things that enforces trust. ;) – e-sushi Aug 12 '14 at 20:52