IETF-SSH archive


Re: SHA-2 based HMAC algorithm...
Dan Brown <dbrown%certicom.com@localhost> writes:

>What about FIPS 180-4, which, if I recall, defines SHA-512-256, a truncation
>of SHA-512 with a different IV?
>
>Arguably for use in HMAC it could be truncated to 128 bits (or less), so one
>could have:
>
>HMAC-SHA2-512-256-128

Argh, no!  The point is to have a single common SHA2 version that everyone can
agree on (or possibly two), not to do a breadth-first walk of every bizarro
mutation of SHA2 that NIST has dreamed up.  Currently we have SHA2-256,
SHA2-512, SHA2-384, SHA2-224, SHA2-chipotle, SHA2-streaky-bacon,
SHA2-thousand-island, SHA2-chunky, SHA2-extra-chunky, SHA2-barbeque,
SHA2-salt-and-vinegar, SHA2-balsamic-vinaigrette, SHA2-caesar,
SHA2-organic-sea-salt, and SHA2-barium-enema, but what's mostly implemented in
practice is SHA2-256 and... nope, can't actually recall seeing anything else in
use in practice [0].  So all we need to do is choose one standard mode with 256
bits of output to match SHA2-256, and probably another one for SHA2-512 for
people who feel the need to make that particular fashion statement.  Just
because NIST hands us a really long coil of rope doesn't mean we have to use it
[1].

Peter.

[0] OK, I've seen -512 and -384 in obscure, isolated implementations, but I've
    also seen Whirlpool and Tiger and others.  I think I saw SHA-224 on
    display at the Ripley's Odditorium, but it may have been Haval.
[1] This rant contains approximately 85% recycled content from another list
    that's just gone through the same thing.
