Secure practice in truncating cryptographic hash

Introduction

Laymen explanation

Do you know how hash length is decided? What is the risk of truncating hash value? To understand it, first we need to understand security implication of cryptographic hash length reduction. A hash function that is not suitable for one application might be suitable for other cryptographic applications that do not require the same security properties.

Technical explanation

Note that cryptographic is a special kind of hash which has below strengths

• No two input text should result of same hash value. It is called as collision resistance strength

• Attacker should not able to construct input text if it knows hash value. It is called as preimage resistance strength

• Attacker should not able to replace text with another text which has same hash value. It is called as second preimage resistance strength

Any change in length of cryptographic hash impacts one or more strengths.

Approach for truncation

Identify which strengths your application needs

An application may need one or more property(ies) that the cryptographic hash offers. If an application requires more than one property from the hash function, then the weakest property is the security strength of the hash function for that application.

Refer table of minimum hash length for each property

Below is the example of popular NIST certified hash functions

From above table, we observe that the expected collision resistance strength of any approved hash function is, in general, half the length of its hash value. It means that truncation till half is safe for application which is only needing collision resistance property. An example of such application is hash table.

Truncate hash following NIST approach

Refer spec at here

Reference

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf

https://security.stackexchange.com/questions/72673/how-bad-is-it-to-truncate-a-hash