Re: Why do hashes have bigger keys than block ciphers?

On May 8, 10:50 am, MTGAP <mtga...@xxxxxxxxx> wrote:
I've noticed that modern block ciphers usually have 128-bit or 256-bit
keys, but hashes are usually twice as large (e.g. AES is 128, 192, or
256 bits, but Skein is 256, 512, or 1024 bits). Why are hashes bigger?
Does it have to do with preventing collision attacks?

Basically. You can generate a collision in about 2**(n/2) steps
(assuming n is the length of your hash) with a birthday attack. So if
you have a 128 bit hash, you can generate a collision (two messages
that generate the same hash) is about 2**64 steps. Note that
collision resistance is usually the toughest criteria for a hash, pre-
image resistance (where you generate a new message with same hash as
an existing message) is usually significantly harder for the attacker
(with a good hash, on the order of 2**n), so if collision resistance
is not an issue for your application, you could use a shorter hash.

FWIW, the 1024 bit hashes seem a bit silly, but it probably doesn't
hurt to build in a little slack - I think the recent results against
MD-5 and SHA-1 have spooked some people.

Relevant Pages

  • Re: keys and counters
    ... how many times can the counter be incremented before there is a collision in the hash, that is what i am asking. ... A hash function operated in such a counter mode as you suggest does not have this property - if I can guess or discover the input to the first block then I will know all the other blocks. ... You might think that some attacks are unreasonable/infeasible but do you really know what is possible to the world's largest employer of mathematicians, who have had for many years the world's largest computer budget and unlimited access to 60 plus years of classified research or what is possible for any of the other multi-billion dollar "smaller" big brothers?. ...
  • Re: Determining the encryption used
    ... impression that if a password verification system is checking passwords ... against a hash table, all you needed was a collision (as this would hash ... They involve generating two seperate hashes which have a collision. ... The collision attacks found can break the security of cryptographic ...
  • Re: Outrageous claims on cash collision exploits???
    ... > an evil binary executable or evil macro to come out with the desired ... > hash identical to a good executable or macro? ... use of two hashes does yield at least the collision- ... Joux (the same Antoine Joux as noted in the "Collision in SHA-0" ...
  • Re: what is probability to create two equal hashes for md5 algorithm
    ... This has nothing to do with the collision ... they are random enough when seen from the perspective of the hash ... doesn't change the collision probability of the generated hashes. ... SHA1 is specified up to a block size of two exabytes. ...
  • Re: Should be in crypto for criminals Re: just stupid?
    ... > in six different hashes can be done in an hour, ... > compute a single hash collision for MD5. ... > a single collision to a known hash value. ...