Crypto appendix - what about SHA-512/224?

[randomstuff]

The section of the crypto appendix about hash functions mentions SHA-512/256 (approved) but does not mention SHA-512/224 in either "Approved Hash Functions for Password Storage" or "Disallowed Hash Functions".

I think it is weird that is is not mentioned in either section.

SHA-512/224 is mentioned in other places:

• "Disallowed Hash Functions for Digital Signatures"
• "Disallowed Hashes for RBG"

FWIW,

• NIST currently allows it until 2030
• others such as the BSI (?) or ANSSI do not recommend it.

Proposition: can we just include it in "Disallowed Hash Functions"?

[randomstuff]

ping @danielcuthbert

[unprovable]

We included SHA512/256 as, although it is a truncated hash, it still provides a large output that is likely going to remain resistant to truncated hash collision attacks. We set the bar at 256bits in length to ensure this, hence we did not allow SHA512/224 - in short, it's too short for where we drew the line.

You can probably include it, but I wouldn't make a point of it. In our analysis internally at a large enterprise, it's barely used. So our calculation was; it's not very long + it's a truncated hash + it's barely used = don't include it.

[randomstuff]

it's not very long + it's a truncated hash + it's barely used = don't include it

Do you mean "don't approve it" or "don't talk about it"?

To be clear, my proposition was to include in "Disallowed Hash Functions" (not allow it). Not saying whether it is approved or not feels weird. Maybe it would make sense to include it as "legacy/discouraged" (see #2398)?

[unprovable]

Ah I understand - yes, remove it if possible, certainly consign it to "legacy/disallowed for new designs". Apologies for the mix up, M.