Just a quibble. Truncating sha-256 down to 224 bits does not give the
same output as sha-224, as sha-256 and sha-224 use different
initialization vectors. So "truncated sha-256" and "sha-224" really
would be totally different hash values.
No comment on the rest of what you say.
Tony Hansen
tony(_at_)att(_dot_)com
David Shaw wrote:
I understand the argument about wanting 128 bits of security, but
since the new DSA allows a 224 bit q, there just isn't room for 128
bits of security. Whether we truncate SHA-256 and call it "truncated
SHA-256" or truncate SHA-256 and call it "SHA-224", we have to
truncate.