[openssl-users] Truncating A Hash

Jakob Bohm jb-openssl at wisemo.com
Mon May 25 15:01:32 UTC 2015

On 15-05-2015 00:09, Jay Foster wrote:
> What is the down side of truncating a hash?  For example, an SHA-256 
> hash is 256 bits.  Is it any less secure if one was to drop the last 
> 128 bits to make a 128 bit hash or take the MD5 hash of the SHA-256 
> hash to get a 128 bit hash?  It does not seem that such an action 
> would make it any easier to brute force reverse the hash, but then 
> again, I am clearly not a security expert.
In addition to the previous 3 answers, "recent" versions
of the official SHA-256 standard (US Federal Information
Processing Standard 180-4) specify that if you want to
truncate SHA-512 or any of the other "SHA-2" hashes, then
you are supposed to change the initial state at the start
of the calculation to a value that depends on how many
bits you are going to keep.

The alternate start value is specified for SHA-512/128
(which is the same as SHA-384/128) via a formula (which
is somewhat underspecified, check that your
interpretation provides the correct values for
SHA-512/256).  There is currently no clear formula for
SHA-256/t and thus SHA-256/128.

Note that unless otherwise specified in another official
standard (such as NIST Special Publication 800-107),
only the specific truncations SHA-512/256 and SHA-512/224
are approved for use by/for the US government.  This is
purely a bureaucratic requirement, there is no known
security reason for the rest of the world to follow this
latter limitation to the letter.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list