35

I have the need for a hexadecimal token that is smaller than the normal length of the hexadecimal representation of a SHA-256 hash.

Should I take the first bits or the last bits? Which of them contain the most entropy?

Mike Edward Moras
Peter Smit

1 Answer

44

If taking the first or last bits of a SHA-256 output made any difference, it would be viewed as a serious blow against the security of SHA-256. Right now, no such weakness is known in SHA-256. So, as far as we know, you can use whatever bits you want.

If you need a more "administrative" answer, have a look at SHA-224 (also specified in FIPS 180-3). This is a hash function with a 224-bit output, which NIST defined in order to "match" (administratively speaking) the proclaimed 112-bit security of 3DES. They defined SHA-224 by taking SHA-256, changing the conventional IV, and truncating the output. For the truncation, they took the first 224 bits. If it is good for NIST then it is good for you: take the first bits.

Thomas Pornin
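The following is an added illustration of the answer above, not code from the original post. It builds a shorter hex token by taking either the first or the last bits of SHA-256 (the answer says both are equally fine), and shows that SHA-224 is not merely the first 224 bits of SHA-256, since NIST also changed the IV. The helper names (`truncated_token`, `sha224_vs_truncated_sha256`, `collision_work_bits`) are my own; the input `b"abc"` is a standard test vector.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Full 64-hex-digit (256-bit) SHA-256 digest of data."""
    return hashlib.sha256(data).hexdigest()


def truncated_token(data: bytes, bits: int, from_end: bool = False) -> str:
    """Return a `bits`-bit hex token cut from SHA-256(data).

    bits must be a multiple of 4 so the token is made of whole hex digits.
    from_end=False takes the leading bits (as NIST did for SHA-224);
    from_end=True takes the trailing bits. Absent a weakness in SHA-256,
    neither side carries more entropy than the other.
    """
    if not 0 < bits <= 256 or bits % 4:
        raise ValueError("bits must be a multiple of 4 in the range 4..256")
    hexdigest = sha256_hex(data)
    ndigits = bits // 4
    return hexdigest[-ndigits:] if from_end else hexdigest[:ndigits]


def sha224_vs_truncated_sha256(data: bytes) -> tuple[str, str]:
    """Return (SHA-224 hex, first 224 bits of SHA-256 hex) for the same input.

    The two differ: SHA-224 runs the SHA-256 compression function with a
    different initial value before truncating, so truncating SHA-256 yourself
    does not reproduce SHA-224.
    """
    return hashlib.sha224(data).hexdigest(), sha256_hex(data)[:56]


def collision_work_bits(bits: int) -> int:
    """Approximate collision resistance of a bits-long truncated token, in bits.

    Shortening the token also shortens the birthday bound: roughly 2**(bits/2)
    tokens are needed before two collide, so a 64-bit token gives about 32 bits
    of collision resistance, not 64.
    """
    return bits // 2


if __name__ == "__main__":
    data = b"abc"  # standard test vector
    print("SHA-256         :", sha256_hex(data))
    print("first 64 bits   :", truncated_token(data, 64))
    print("last 64 bits    :", truncated_token(data, 64, from_end=True))
    s224, s256_trunc = sha224_vs_truncated_sha256(data)
    print("SHA-224         :", s224)
    print("SHA-256[:224]   :", s256_trunc)
    print("same?           :", s224 == s256_trunc)
    print("collision bits  :", collision_work_bits(64))
```

The practical caveat is the last helper: whichever end you cut from, a token of n bits gives about n/2 bits of collision resistance and n bits of preimage resistance, so size the token for the attack that matters in your setting rather than for convenience alone.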