Re: Why do hashes have bigger keys than block ciphers?

On May 8, 10:50 am, MTGAP <mtga...@xxxxxxxxx> wrote:
I've noticed that modern block ciphers usually have 128-bit or 256-bit
keys, but hashes are usually twice as large (e.g. AES is 128, 192, or
256 bits, but Skein is 256, 512, or 1024 bits). Why are hashes bigger?
Does it have to do with preventing collision attacks?

Basically. You can generate a collision in about 2**(n/2) steps
(assuming n is the length of your hash) with a birthday attack. So if
you have a 128 bit hash, you can generate a collision (two messages
that generate the same hash) is about 2**64 steps. Note that
collision resistance is usually the toughest criteria for a hash, pre-
image resistance (where you generate a new message with same hash as
an existing message) is usually significantly harder for the attacker
(with a good hash, on the order of 2**n), so if collision resistance
is not an issue for your application, you could use a shorter hash.

FWIW, the 1024 bit hashes seem a bit silly, but it probably doesn't
hurt to build in a little slack - I think the recent results against
MD-5 and SHA-1 have spooked some people.