Crypto appendix - what about SHA-512/224? #2448

Open
randomstuff opened this issue Dec 9, 2024 · 7 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet AppendixV Appendix with crypto details _5.0 - Not blocker This issue does not block 5.0 so if it gets addressed then great, if not then fine.

Comments

@randomstuff
Copy link
Contributor

The section of the crypto appendix about hash functions mentions SHA-512/256 (approved) but does not mention SHA-512/224 in either "Approved Hash Functions for Password Storage" or "Disallowed Hash Functions".

I think it is weird that it is not mentioned in either section.

SHA-512/224 is mentioned in other places:

  • "Disallowed Hash Functions for Digital Signatures"
  • "Disallowed Hashes for RBG"

FWIW,

Proposition: can we just include it in "Disallowed Hash Functions"?

@randomstuff
Copy link
Contributor Author

ping @danielcuthbert

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - Not blocker This issue does not block 5.0 so if it gets addressed then great, if not then fine. AppendixV Appendix with crypto details labels Dec 10, 2024
@unprovable
Copy link
Contributor

We included SHA512/256 as, although it is a truncated hash, it still provides a large output that is likely going to remain resistant to truncated hash collision attacks. We set the bar at 256bits in length to ensure this, hence we did not allow SHA512/224 - in short, it's too short for where we drew the line.

You can probably include it, but I wouldn't make a point of it. In our analysis internally at a large enterprise, it's barely used. So our calculation was; it's not very long + it's a truncated hash + it's barely used = don't include it.

@randomstuff
Copy link
Contributor Author

it's not very long + it's a truncated hash + it's barely used = don't include it

Do you mean "don't approve it" or "don't talk about it"?

To be clear, my proposition was to include it in "Disallowed Hash Functions" (not allow it). Not saying whether it is approved or not feels weird. Maybe it would make sense to include it as "legacy/discouraged" (see #2398)?

@unprovable
Copy link
Contributor

Ah I understand - yes, remove it if possible, certainly consign it to "legacy/disallowed for new designs". Apologies for the mix up, M.

@randomstuff
Copy link
Contributor Author

randomstuff commented Jan 16, 2025

Actually, the same question/argument can be asked/made about SHA-224 and SHA3-224. Shall we move them to "disallowed" as well? @unprovable?

@randomstuff
Copy link
Contributor Author

randomstuff commented Jan 16, 2025

I re-read the NIST recommendations listed on KeyLength.com and the three of them (SHA-512/224, SHA-224 and SHA3-224) are approved by NIST for use with HMAC, KMAC, KDF and random bit generation.

@randomstuff
Copy link
Contributor Author

I think the classification is actually fine. Maybe the wording of the paragraph of the "Disallowed Hash Functions for Digital Signatures" section should be clarified.

Current:

For digital signature implementations, the following hash functions MUST NOT be used due to insufficient collision resistance:

Proposition:

Due to insufficient collision resistance, the following hash functions MUST NOT be used for digital signature or other applications requiring collision resistance. For other usages, they might be used for compatibility with legacy systems but must not be used in new designs.
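The thread's reasoning splits into two rules: a hash used where collision resistance matters (digital signatures) needs at least a 256-bit output so that the birthday bound still gives 128-bit security, while the 224-bit variants (SHA-224, SHA3-224, SHA-512/224) remain acceptable for HMAC, KDF and RBG use, where only preimage/PRF strength is relied on. The following script is an added example written for this page, not code from the ASVS project; it takes the digest size from hashlib itself and applies those two thresholds to a small constructed configuration. The config keys, the use-case suffix mapping and the 224/256-bit thresholds are assumptions taken from the discussion above, and the script only models the length-based argument; functions the appendix disallows for other reasons (e.g. SHA-1's known collision attacks) are outside its scope.

```python
import hashlib

# Thresholds implied by the discussion above (assumed, not ASVS text):
# collision-resistant uses need >= 256-bit output (birthday bound 128 bits);
# HMAC/KDF/RBG uses do not depend on collision resistance, so 224-bit is enough.
COLLISION_RESISTANT_USES = {"signature", "certificate", "code_signing"}
MIN_BITS_COLLISION = 256
MIN_BITS_OTHER = 224


def digest_bits(name):
    """Output length in bits, taken from hashlib; None if this OpenSSL build lacks it."""
    try:
        return hashlib.new(name).digest_size * 8
    except ValueError:
        return None


def security_levels(bits):
    """Generic attack costs for an n-bit hash: preimage ~2^n, collision ~2^(n/2)."""
    return {"preimage": bits, "collision": bits // 2}


def classify(name, use):
    """'approved', 'disallowed', or 'unknown' for hash `name` in the given use."""
    bits = digest_bits(name)
    if bits is None:
        return "unknown"
    threshold = MIN_BITS_COLLISION if use in COLLISION_RESISTANT_USES else MIN_BITS_OTHER
    return "approved" if bits >= threshold else "disallowed"


# Constructed sample configuration for the linter below (not from any real project).
SAMPLE_CONFIG = """\
# constructed example config
tls.signature_hash = sha224
jwt.hmac_hash = sha3_224
backup.kdf_hash = sha512_224
cert.signature_hash = sha512_256
"""

# Assumed mapping from config key suffix to the use the hash is put to.
USE_BY_KEY_SUFFIX = {
    "signature_hash": "signature",
    "hmac_hash": "hmac",
    "kdf_hash": "kdf",
}


def lint_config(text):
    """Return (line, key, hash_name, verdict) for every hash setting found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        use = USE_BY_KEY_SUFFIX.get(key.rsplit(".", 1)[-1])
        if use is None:
            continue
        findings.append((lineno, key, value, classify(value, use)))
    return findings


if __name__ == "__main__":
    for name in ("sha224", "sha3_224", "sha512_224", "sha256", "sha512_256"):
        bits = digest_bits(name)
        print(name, bits, security_levels(bits) if bits else "unavailable")
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Running it shows the asymmetry the last comment proposes to spell out in the appendix text: `tls.signature_hash = sha224` is flagged, while the same 224-bit family used as an HMAC hash passes.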
