Eric Rescorla wrote:
>
> I don't understand this reasoning. Why does the output size of the
> pre-truncated PRF influence the desirable length of the verify_data
> (provided that the output size is > than the length of the
> verify_data of course).

One of the purposes of a cryptographic hash function is to protect
from collisions (both random and fabricated collisions).

Cutting down the SHA-384 output from 48 to 12 octets significantly
impairs its ability to protect from collisions. It's comparable
to truncating the SHA-1 output from 20 to 5 octets.

Unless you have _a_very_good_reason_ to truncate a hash output
so severely, you very probably should not do it.

-Martin
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
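
An added example, not part of the original message: the generic (birthday) cost of a collision as a function of how many octets of a SHA-384 digest are kept, measured for small truncations and computed for the 5, 12, 20 and 48 octet lengths mentioned above. It hashes constructed counter messages with plain SHA-384, not the TLS PRF; the function names and the message prefix are assumptions of the example.

```python
import hashlib
from itertools import count


def birthday_work_bits(octets: int) -> float:
    """log2 of the approximate number of hash calls needed for a generic
    (birthday) collision when only `octets` bytes of output are kept."""
    return 8 * octets / 2


def find_truncated_collision(octets: int, prefix: bytes = b"constructed-msg-"):
    """Return (m1, m2, tries): two distinct messages whose SHA-384 digests
    agree on the first `octets` bytes. Only feasible for small `octets`."""
    seen = {}  # truncated digest -> first message that produced it
    for i in count():
        msg = prefix + str(i).encode()  # constructed sample input
        tag = hashlib.sha384(msg).digest()[:octets]
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    # Measured: collisions appear after roughly 2^(4 * octets) hashes.
    for n in (2, 3, 4):
        m1, m2, tries = find_truncated_collision(n)
        print(f"{n} octets kept: collision after {tries} hashes "
              f"(birthday estimate 2^{birthday_work_bits(n):.0f}): {m1!r} / {m2!r}")
    # Computed: the output lengths discussed in the thread.
    for n in (5, 12, 20, 48):
        print(f"{n:2d} octets kept: about 2^{birthday_work_bits(n):.0f} hashes "
              f"for a generic collision")
```
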