Authentication tag length and post-quantum security

The recommended hash length for post-quantum security seems to be either 384 bits or 512 bits. 512 bits gives 256-bit collision resistance, and 256-bit security is obviously ideal for post-quantum security.

A 256-bit authentication tag offers 128-bit collision resistance, but it’s not clear whether that’s sufficient for post-quantum security due to use of the MAC key (typically the same key size as the tag length – e.g. 256-bit for a 256-bit tag).

I’ve never found the security level of MACs to be explained well. Does the key mean a shorter tag length is safe? Or is the tag length still crucial for achieving a high security level?
