SHA3-255, one bit lessSHA-256: (Probabilistic?) partial preimage possible?The probability of finding a limited set of collisions for HMACSHA256I need a 64-bit cryptographic hash for 96 bits of dataIs finding collisions in a part-hash not often enough a bad problem?Hash algorithm for converting n-bit number into another n-bit numberCreate a CR hash function where truncating one bit leads to collisionsIs there a way one can combine two correlated hash outputs to maximize the collision resistance?How many hex digits do I need to compare when manually checking hash functions?What are the consequences of removing a single byte from a sha256 hash?Integrity check of a binary firmware file with hash function

"last" command not working properly

Can I voluntarily exit from the US after a 20 year overstay, or could I be detained at the airport?

What's the difference between motherboard and chassis?

Is there any problem with students seeing faculty naked in university gym?

Anonymous reviewer disclosed his identity. Should I thank him by name?

Young adult short story book with one story where a woman finds a walrus suit and becomes a walrus

Why is my vegetable stock bitter, but the chicken stock not?

The work of mathematicians outside their professional environment

How does case-insensitive collation work?

How to "Start as close to the end as possible", and why to do so?

Does Hogwarts have its own anthem?

Colleague's grant application resembles my PhD thesis

Is it unethical to give a gift to my professor who might potentially write me a LOR?

Sum of series with addition

How to tension rope between two trees?

Are there manual checks for non EU citizens in airports when travelling inside the EU?

Should I be able to see patterns in a HS256 encoded JWT?

What does a textbook look like while you are writing it?

Advices to added homemade symbols

Is "weekend warrior" derogatory?

Did Joe Biden "stop a prosecution" into his son in Ukraine? And did he brag about stopping the prosecution?

Did the Humans find out about Gaius Baltar's role in the sabotage of the fleet?

Check reference list in pandas column using numpy vectorization

Can I pay off my mortgage with a new one?



SHA3-255, one bit less


SHA-256: (Probabilistic?) partial preimage possible?The probability of finding a limited set of collisions for HMACSHA256I need a 64-bit cryptographic hash for 96 bits of dataIs finding collisions in a part-hash not often enough a bad problem?Hash algorithm for converting n-bit number into another n-bit numberCreate a CR hash function where truncating one bit leads to collisionsIs there a way one can combine two correlated hash outputs to maximize the collision resistance?How many hex digits do I need to compare when manually checking hash functions?What are the consequences of removing a single byte from a sha256 hash?Integrity check of a binary firmware file with hash function






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;

.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;








3












$begingroup$


I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.



What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.



Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.



Any well known approach I'm not aware of?










share|improve this question











$endgroup$









  • 1




    $begingroup$
    Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
    $endgroup$
    – Maarten Bodewes
    7 hours ago

















3












$begingroup$


I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.



What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.



Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.



Any well known approach I'm not aware of?










share|improve this question











$endgroup$









  • 1




    $begingroup$
    Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
    $endgroup$
    – Maarten Bodewes
    7 hours ago













3












3








3





$begingroup$


I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.



What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.



Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.



Any well known approach I'm not aware of?










share|improve this question











$endgroup$




I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.



What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.



Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.



Any well known approach I'm not aware of?







collision-resistance preimage-resistance sha-3 2nd-preimage-resistance






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 8 hours ago









kelalaka

11k3 gold badges28 silver badges55 bronze badges




11k3 gold badges28 silver badges55 bronze badges










asked 10 hours ago









ragazzojpragazzojp

765 bronze badges




765 bronze badges










  • 1




    $begingroup$
    Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
    $endgroup$
    – Maarten Bodewes
    7 hours ago












  • 1




    $begingroup$
    Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
    $endgroup$
    – Maarten Bodewes
    7 hours ago







1




1




$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes
7 hours ago




$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes
7 hours ago










3 Answers
3






active

oldest

votes


















2














$begingroup$

Apart from the slightly reduced resistances, there is no problem:




  1. Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


  2. Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


  3. Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.

The trimmed case resistance should be good enough for your application.



Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.






share|improve this answer









$endgroup$






















    1














    $begingroup$

    With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.



    There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).



    For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.



    It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.






    share|improve this answer









    $endgroup$














    • $begingroup$
      SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
      $endgroup$
      – Squeamish Ossifrage
      7 hours ago










    • $begingroup$
      (Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
      $endgroup$
      – Squeamish Ossifrage
      5 hours ago










    • $begingroup$
      Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
      $endgroup$
      – Squeamish Ossifrage
      5 hours ago


















    0














    $begingroup$

    Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.



    Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.



    As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.



    Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.






    share|improve this answer











    $endgroup$
















      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "281"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );














      draft saved

      draft discarded
















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74646%2fsha3-255-one-bit-less%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      2














      $begingroup$

      Apart from the slightly reduced resistances, there is no problem:




      1. Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


      2. Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


      3. Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.

      The trimmed case resistance should be good enough for your application.



      Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.






      share|improve this answer









      $endgroup$



















        2














        $begingroup$

        Apart from the slightly reduced resistances, there is no problem:




        1. Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


        2. Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


        3. Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.

        The trimmed case resistance should be good enough for your application.



        Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.






        share|improve this answer









        $endgroup$

















          2














          2










          2







          $begingroup$

          Apart from the slightly reduced resistances, there is no problem:




          1. Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


          2. Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


          3. Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.

          The trimmed case resistance should be good enough for your application.



          Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.






          share|improve this answer









          $endgroup$



          Apart from the slightly reduced resistances, there is no problem:




          1. Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


          2. Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.


          3. Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.

          The trimmed case resistance should be good enough for your application.



          Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 9 hours ago









          kelalakakelalaka

          11k3 gold badges28 silver badges55 bronze badges




          11k3 gold badges28 silver badges55 bronze badges


























              1














              $begingroup$

              With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.



              There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).



              For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.



              It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.






              share|improve this answer









              $endgroup$














              • $begingroup$
                SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
                $endgroup$
                – Squeamish Ossifrage
                7 hours ago










              • $begingroup$
                (Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago










              • $begingroup$
                Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago















              1














              $begingroup$

              With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.



              There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).



              For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.



              It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.






              share|improve this answer









              $endgroup$














              • $begingroup$
                SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
                $endgroup$
                – Squeamish Ossifrage
                7 hours ago










              • $begingroup$
                (Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago










              • $begingroup$
                Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago













              1














              1










              1







              $begingroup$

              With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.



              There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).



              For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.



              It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.






              share|improve this answer









              $endgroup$



              With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.



              There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).



              For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.



              It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered 7 hours ago









              GillesGilles

              10.2k3 gold badges31 silver badges61 bronze badges




              10.2k3 gold badges31 silver badges61 bronze badges














              • $begingroup$
                SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
                $endgroup$
                – Squeamish Ossifrage
                7 hours ago










              • $begingroup$
                (Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago










              • $begingroup$
                Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago
















              • $begingroup$
                SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
                $endgroup$
                – Squeamish Ossifrage
                7 hours ago










              • $begingroup$
                (Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago










              • $begingroup$
                Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
                $endgroup$
                – Squeamish Ossifrage
                5 hours ago















              $begingroup$
              SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
              $endgroup$
              – Squeamish Ossifrage
              7 hours ago




              $begingroup$
              SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
              $endgroup$
              – Squeamish Ossifrage
              7 hours ago












              $begingroup$
              (Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
              $endgroup$
              – Squeamish Ossifrage
              5 hours ago




              $begingroup$
              (Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
              $endgroup$
              – Squeamish Ossifrage
              5 hours ago












              $begingroup$
              Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
              $endgroup$
              – Squeamish Ossifrage
              5 hours ago




              $begingroup$
              Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
              $endgroup$
              – Squeamish Ossifrage
              5 hours ago











              0














              $begingroup$

              Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.



              Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.



              As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.



              Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.






              share|improve this answer











              $endgroup$



















                0














                $begingroup$

                Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.



                Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.



                As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.



                Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.






                share|improve this answer











                $endgroup$

















                  0














                  0










                  0







                  $begingroup$

                  Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.



                  Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.



                  As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.



                  Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.






                  share|improve this answer











                  $endgroup$



                  Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.



                  Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.



                  As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.



                  Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 7 hours ago

























                  answered 7 hours ago









                  Maarten BodewesMaarten Bodewes

                  59.4k7 gold badges86 silver badges216 bronze badges




                  59.4k7 gold badges86 silver badges216 bronze badges































                      draft saved

                      draft discarded















































                      Thanks for contributing an answer to Cryptography Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      Use MathJax to format equations. MathJax reference.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74646%2fsha3-255-one-bit-less%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                      Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                      Ласкавець круглолистий Зміст Опис | Поширення | Галерея | Примітки | Посилання | Навігаційне меню58171138361-22960890446Bupleurum rotundifoliumEuro+Med PlantbasePlants of the World Online — Kew ScienceGermplasm Resources Information Network (GRIN)Ласкавецькн. VI : Літери Ком — Левиправивши або дописавши її