Eric Rescorla wrote:
I don't understand this reasoning. Why does the output size of the
influence the desirable length of the verify_data (provided that the
output size is > than
the length of the verify_data of course).
One of the purposes of a cryptographic hash function is to protect
from collisions (both random and fabricated collisions).
Cutting down the SHA-384 output from 48 to 12 octets significantly impairs
its ability to protect from collisions. It's comparable to
truncating the SHA-1 output from 20 to 5 octets.
Unless you have _a_very_good_reason_ to truncate a hash output
so severely, you very probably should not do it.
Ietf mailing list