Common hash sizes are typically 256 bits or 512 bits. 256 bits are enough for preimage resistance, and 512 bits are enough to prevent collisions. (Both mean 256 bits of security.) Message Authentication Codes, however, are sometimes even smaller. Poly1305, for instance, only has a 128-bit output.
My question is, could this be generalised, and why? Could we safely truncate the output of HMAC-SHA512 or use Blake2b/128? Or is there a reason why only polynomial hashes can get away with so few bits?
(I do have an idea why 128 may be enough, but I’m not sure it’s correct: if the attacker doesn’t know the authentication key, there’s no way to brute-force the MAC; they have to guess it and have the victim authenticate it. Presumably the number of tries is much more limited than if one could perform an offline attack, so we can have fewer bits of security. Is that right?)
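The setting the question describes, as an added example that is not part of the original post: 128-bit tags from truncated HMAC-SHA512 and from keyed BLAKE2b, checked by a verifier that limits failed attempts. The `Verifier` class, its `max_failures` limit and the `attempts / 2**tag_bits` bound (which assumes an ideal MAC) are assumptions of this example.

```python
import hashlib
import hmac
from fractions import Fraction

TAG_BYTES = 16  # 128-bit tag, the size the question asks about


def hmac_sha512_128(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA512 truncated to its leftmost 128 bits."""
    return hmac.new(key, msg, hashlib.sha512).digest()[:TAG_BYTES]


def blake2b_128(key: bytes, msg: bytes) -> bytes:
    """Keyed BLAKE2b with a native 128-bit output. digest_size is hashed
    in, so this is not a prefix of the 512-bit keyed digest."""
    return hashlib.blake2b(msg, key=key, digest_size=TAG_BYTES).digest()


class Verifier:
    """Hypothetical verifier: constant-time comparison plus a cap on failed
    checks, which bounds the number of online guesses an attacker gets."""

    def __init__(self, key: bytes, mac=hmac_sha512_128, max_failures: int = 3):
        self.key, self.mac = key, mac
        self.max_failures, self.failures = max_failures, 0

    def verify(self, msg: bytes, tag: bytes) -> bool:
        if self.failures >= self.max_failures:
            raise RuntimeError("too many failed verifications; rotate the key")
        ok = hmac.compare_digest(self.mac(self.key, msg), tag)
        if not ok:
            self.failures += 1
        return ok


def forgery_bound(attempts: int, tag_bits: int) -> Fraction:
    """Chance that at least one of `attempts` blind guesses is accepted,
    assuming an ideal MAC: at most attempts / 2**tag_bits."""
    return min(Fraction(1), Fraction(attempts, 2 ** tag_bits))


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, not a real secret
    v = Verifier(key)
    print(v.verify(b"hello", hmac_sha512_128(key, b"hello")))
    print(float(forgery_bound(2 ** 32, 128)))
```

Without the key, each guess has to go through `verify`, so the failure cap is what turns the tag length into a concrete forgery probability.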