What are the proper MAC sizes?

What are the proper MAC sizes?

Common hash sizes are typically 256 bits or 512 bits. 256 bits are enough for preimage resistance, and 512 bits are enough to prevent collisions. (Both means 256 bits of security.) Message Authentication Codes however are sometimes even smaller. Poly1305 for instance only has a 128-bit output.

My question is, could this be generalised, and why? Could we safely truncate the output of HMAC-SHA512 or use Blake2b/128? Or is there a reason why only polynomial hashes can get away with so few bits?

(I do have an idea why 128 may be enough, but I’m not sure it’s correct: if the attacker doesn’t know the authentication key, there’s no way to brute force the MAC, they have to guess it and have the victim authenticate it. Presumably the number of tries is much more limited than if one could perform an offline attack, so we can have fewer bits of security. Is that right?)

submitted by /u/loup-vaillant
[link] [comments]

top scoring links : crypto
Cryptography is the art of creating mathematical assurances for who can do what with data, including but not limited the classical example of encrypting messages so that only the key-holder can read it. Cryptography lives at an intersection of math, programming, and computer science. This subreddit covers the theory and practice of modern and *strong* cryptography, and it is a technical subreddit focused on the algorithms and implementations of cryptography.

Related posts

Leave a Comment