SHA3-255, one bit lessSHA-256: (Probabilistic?) partial preimage possible?The probability of finding a limited set of collisions for HMACSHA256I need a 64-bit cryptographic hash for 96 bits of dataIs finding collisions in a part-hash not often enough a bad problem?Hash algorithm for converting n-bit number into another n-bit numberCreate a CR hash function where truncating one bit leads to collisionsIs there a way one can combine two correlated hash outputs to maximize the collision resistance?How many hex digits do I need to compare when manually checking hash functions?What are the consequences of removing a single byte from a sha256 hash?Integrity check of a binary firmware file with hash function
"last" command not working properly
Can I voluntarily exit from the US after a 20 year overstay, or could I be detained at the airport?
What's the difference between motherboard and chassis?
Is there any problem with students seeing faculty naked in university gym?
Anonymous reviewer disclosed his identity. Should I thank him by name?
Young adult short story book with one story where a woman finds a walrus suit and becomes a walrus
Why is my vegetable stock bitter, but the chicken stock not?
The work of mathematicians outside their professional environment
How does case-insensitive collation work?
How to "Start as close to the end as possible", and why to do so?
Does Hogwarts have its own anthem?
Colleague's grant application resembles my PhD thesis
Is it unethical to give a gift to my professor who might potentially write me a LOR?
Sum of series with addition
How to tension rope between two trees?
Are there manual checks for non EU citizens in airports when travelling inside the EU?
Should I be able to see patterns in a HS256 encoded JWT?
What does a textbook look like while you are writing it?
Advices to added homemade symbols
Is "weekend warrior" derogatory?
Did Joe Biden "stop a prosecution" into his son in Ukraine? And did he brag about stopping the prosecution?
Did the Humans find out about Gaius Baltar's role in the sabotage of the fleet?
Check reference list in pandas column using numpy vectorization
Can I pay off my mortgage with a new one?
SHA3-255, one bit less
SHA-256: (Probabilistic?) partial preimage possible?The probability of finding a limited set of collisions for HMACSHA256I need a 64-bit cryptographic hash for 96 bits of dataIs finding collisions in a part-hash not often enough a bad problem?Hash algorithm for converting n-bit number into another n-bit numberCreate a CR hash function where truncating one bit leads to collisionsIs there a way one can combine two correlated hash outputs to maximize the collision resistance?How many hex digits do I need to compare when manually checking hash functions?What are the consequences of removing a single byte from a sha256 hash?Integrity check of a binary firmware file with hash function
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;
$begingroup$
I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.
What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.
Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.
Any well known approach I'm not aware of?
collision-resistance preimage-resistance sha-3 2nd-preimage-resistance
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
$endgroup$
add a comment
|
$begingroup$
I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.
What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.
Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.
Any well known approach I'm not aware of?
collision-resistance preimage-resistance sha-3 2nd-preimage-resistance
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
$endgroup$
1
$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes♦
7 hours ago
add a comment
|
$begingroup$
I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.
What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.
Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.
Any well known approach I'm not aware of?
collision-resistance preimage-resistance sha-3 2nd-preimage-resistance
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
$endgroup$
I need a SHA3-255 or 511, basically one bit less. What if I set the most significant bit of a standard SHA3-256 and 512 to zero? Apart from the doubled probability of hash collision, are there any other things I should be aware of? I could also truncate one byte instead of one bit, if useful.
What I need is being able to store something different than the hash, in the same 32 bytes, or 64 bytes, so I need to sacrifice one bit to mark when the bytes represent a hash or something else.
Alternatively I could say that if the first byte, not bit, is 0xff, then the remaining ones represent something else. This should reduce the probability of hash collision, but what I would have a probability of 1/256 that a hash starts with 0xff, generating ambiguity in my encoding. I could say that if the for 4 bytes are 0xffffffff, then I would end up with probability of generating an ambiguous encoding of 1/2^32, but I would prefer having a well-defined encoding under any circumstances.
Any well known approach I'm not aware of?
collision-resistance preimage-resistance sha-3 2nd-preimage-resistance
collision-resistance preimage-resistance sha-3 2nd-preimage-resistance
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
edited 8 hours ago
kelalaka
11k3 gold badges28 silver badges55 bronze badges
11k3 gold badges28 silver badges55 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
asked 10 hours ago
ragazzojpragazzojp
765 bronze badges
765 bronze badges
1
$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes♦
7 hours ago
add a comment
|
1
$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes♦
7 hours ago
1
1
$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes♦
7 hours ago
$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes♦
7 hours ago
add a comment
|
3 Answers
3
active
oldest
votes
$begingroup$
Apart from the slightly reduced resistances, there is no problem:
Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.
The trimmed case resistance should be good enough for your application.
Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
$endgroup$
add a comment
|
$begingroup$
With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.
There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).
For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.
It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
$endgroup$
$begingroup$
SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
(Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
add a comment
|
$begingroup$
Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.
Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.
As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.
Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
$endgroup$
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74646%2fsha3-255-one-bit-less%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Apart from the slightly reduced resistances, there is no problem:
Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.
The trimmed case resistance should be good enough for your application.
Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
$endgroup$
add a comment
|
$begingroup$
Apart from the slightly reduced resistances, there is no problem:
Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.
The trimmed case resistance should be good enough for your application.
Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
$endgroup$
add a comment
|
$begingroup$
Apart from the slightly reduced resistances, there is no problem:
Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.
The trimmed case resistance should be good enough for your application.
Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
$endgroup$
Apart from the slightly reduced resistances, there is no problem:
Pre-image resistance decreased to $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Secondary preimage resistance decreased to o $2^511$ or $2^504$, if 1 bit or 1 byte trimmed, respectively.
Collision resistance decreased to o $sqrt2^511 = sqrt2cdot 2^255$ or $sqrt2^504 = 2^252$, if 1 bit or 1 byte trimmed, respectively.
The trimmed case resistance should be good enough for your application.
Actually, this is not uncommon, for example SHA-224 is the truncated version of SHA-256 with different initial values that provides domain separation.
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
answered 9 hours ago
kelalakakelalaka
11k3 gold badges28 silver badges55 bronze badges
11k3 gold badges28 silver badges55 bronze badges
add a comment
|
add a comment
|
$begingroup$
With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.
There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).
For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.
It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
$endgroup$
$begingroup$
SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
(Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
add a comment
|
$begingroup$
With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.
There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).
For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.
It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
$endgroup$
$begingroup$
SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
(Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
add a comment
|
$begingroup$
With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.
There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).
For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.
It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
$endgroup$
With all well-regarded hash functions, the bits of the hash all have equal worth: as far as anyone knows (unless they aren't telling), the bits are not correlated. If you take $k$ bits of an $n$-bit hash, you get a $k$-bit hash function. Truncating SHA-256 to 255 bits gives you a hash that's almost as good as SHA-256: it has $2^255$ strength against preimage attacks and $2^127.5$ strength against collision attacks.
There are precedents for taking certain bits of a hash. SHA-224 and SHA-384 are obtained with calculations that are essentially the same as SHA-256 and SHA-512 respectively, just with different initial values (which shouldn't matter to the strength of the algorithm) and with the output truncated to the smaller size. UUID are constructed from 122 bits of MD5 or SHA-1 hashes (out of 128 or 160 respectively).
For SHA3, there's a cleaner construction. Instead of taking SHA3-256 and cutting off one bit, take the SHAKE128 255-bit or 248-bit output. SHAKE128 is exactly the same as SHA3-256 except for two bits near the beginning of the calculation, so it has the same security properties, but it's explicitly designed to have variable-length output.
It's unlikely that there's an actual security problem with truncating a hash, but using SHAKE gives you greater confidence that nothing will go wrong. Even better, to avoid domain collisions (where two parts of the system calculate the hash of the same string for different reasons), calculate the cSHAKE output with a unique string as the customization string.
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
answered 7 hours ago
GillesGilles
10.2k3 gold badges31 silver badges61 bronze badges
10.2k3 gold badges31 silver badges61 bronze badges
$begingroup$
SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
(Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
add a comment
|
$begingroup$
SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
(Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
SHAKE128 is also cheaper to compute than SHA3-256 for the same security!
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
(Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
(Specifically, it's not exactly the same as SHA3-256 aside from padding: SHAKE128 uses a 256-bit capacity while SHA3-256, for political reasons, uses an unnecessarily large 512-bit capacity.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
$begingroup$
Nit: Not all UUIDs are constructed by hashing; only v3 and v5 ones are (and v4 ones, if the PRNG counts as ‘hashing’). v1 and v2 UUIDs are very much not constructed by hashing. (I am sure you're aware; I'm saying this because unwary readers might read this and get confused into thinking all UUIDs are effectively hashes.)
$endgroup$
– Squeamish Ossifrage
5 hours ago
add a comment
|
$begingroup$
Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.
Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.
As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.
Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
$endgroup$
add a comment
|
$begingroup$
Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.
Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.
As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.
Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
$endgroup$
add a comment
|
$begingroup$
Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.
Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.
As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.
Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
$endgroup$
Lets get one thing out of the way: forcing one bit to 0 or 1 does not change the output size of the hash. A hash output is not a number, so the output size would not be affected.
Reducing hash output is common practice. Although maybe not a direct requirement, generally the output of a hash is considered indistinguishable from random - if the input is unknown, of course. So basically you can do with it what you want. The common thing to do is to take the leftmost bits or bytes of the hash output. You're taking the rightmost bits or bytes, and that's OK too.
As you already found out, trying to use one value out of 256 to indicate a special case is tricky. You can of course use set of bytes to escape values, but since your output size is static, you'll have to sacrifice more security for the special cases: the hashes starting with 0xFF in your case. As SHA3-512 has plenty of security, I'd just sacrifice a bit or even byte.
Finally, there is one rather odd issue with taking the leftmost bytes. You might get in trouble if you have other full hashes over the same data (the domain collision in Gilles' answer). To compensate for this, most hash functions have special bits or other constants when generating a shorter hash. Usually publishing the shorter hash is not a problem though. You could play it safe though and start off by hashing a specific magic value in advance, or by using SHAKE instead.
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
edited 7 hours ago
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
answered 7 hours ago
Maarten Bodewes♦Maarten Bodewes
59.4k7 gold badges86 silver badges216 bronze badges
59.4k7 gold badges86 silver badges216 bronze badges
add a comment
|
add a comment
|
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74646%2fsha3-255-one-bit-less%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
$begingroup$
Heh, three utterly different but seemingly correct answers already, all focussing on different aspects. Consider yourself lucky, and good luck accepting one :)
$endgroup$
– Maarten Bodewes♦
7 hours ago