
I'm taking an online class on cryptography at corsera.org / Stanford, and the professor is explaining that it's OK to truncate an AES MAC to $w$ bits as long as $1/2^w$ is still negligible (say $w > 63$).

  • Where did the value $1/2$ come from?

  • How is 64 and above negligible?

  • What is non-negligible today (5/17/2013) and in the future (5/17/2020)?

Paŭlo Ebermann
makerofthings7

1 Answer


One of the factors that determines how hard it is to forge a MAC for a given message is how long the MAC is. If it's 1 bit long, you can definitely produce the correct MAC in two tries.

$2^n$ is the number of possible bit-strings of length $n$; $1/2^n$ is the probability that any random bit-string happens to be the MAC (of length $n$) for a given message and key.

Negligible depends on what you're protecting with your MAC, who your attacker is, and what information / oracles they have access to. In particular, if the attacker has to make some kind of service request to a single point to check that a MAC is valid, $2^{64}$ is an awful lot of requests – this is probably the assumption being made when it was stated that MACs of length 64 or more are secure.

Not all MACs can be truncated safely, however. AES-GCM loses more security than expected by truncation, but HMAC is fine.

Given a MAC construction that can be safely truncated, truncating it to 128 bits is unlikely to pose a problem for a long time ($\gg 2020$), for any attacker capability.

Michael
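An added example, not part of the question or the answer above, that makes the $1/2^w$ argument concrete: it truncates an HMAC-SHA256 tag (a construction the answer says tolerates truncation) to $w$ bits, plays the role of the verification oracle the answer mentions, and counts how many online queries a key-less guesser needs before a tag is accepted. The key and message are constructed demo values; `queries_for_success` is a helper defined here, not part of any library.

```python
import hashlib
import hmac
import math
import random


def truncated_mac(key: bytes, msg: bytes, w: int) -> int:
    """HMAC-SHA256 tag truncated to its leading w bits, returned as an integer.

    Truncation keeps the first w of the 256 tag bits. HMAC tolerates this;
    AES-GCM, as the answer notes, loses more security than the tag length suggests.
    """
    if not 1 <= w <= 256:
        raise ValueError("w must be in 1..256")
    full = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")
    return full >> (256 - w)


def verify(key: bytes, msg: bytes, w: int, tag: int) -> bool:
    """The verification oracle: constant-time check of a w-bit tag."""
    if not 0 <= tag < 2 ** w:          # malformed tag, reject without comparing
        return False
    n = (w + 7) // 8
    expected = truncated_mac(key, msg, w).to_bytes(n, "big")
    return hmac.compare_digest(expected, tag.to_bytes(n, "big"))


def guesses_to_forge(key: bytes, msg: bytes, w: int) -> tuple[int, int]:
    """Simulate a guesser with no key who submits w-bit tags to the oracle.

    Each guess costs one query. With 2^w possible tags and no repeats, success is
    certain after at most 2^w queries and expected after about 2^(w-1).
    Returns (accepted_tag, queries_used). Only feasible for tiny w: for w >= 64
    the loop would never finish, which is exactly the answer's point.
    """
    candidates = list(range(2 ** w))
    random.shuffle(candidates)          # no ordering beats random when the key is unknown
    for queries, guess in enumerate(candidates, start=1):
        if verify(key, msg, w, guess):
            return guess, queries
    raise AssertionError("unreachable: the true tag is among the candidates")


def queries_for_success(w: int, p: float) -> int:
    """Online verification queries needed for a guesser to succeed with probability p.

    One guess succeeds with probability 1/2^w, so p of the 2^w tag space must be tried.
    """
    return math.ceil(p * 2 ** w)


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"transfer 100"      # constructed sample values
    print("1-bit tag forged after", guesses_to_forge(key, msg, 1)[1], "queries")
    print("8-bit tag forged after", guesses_to_forge(key, msg, 8)[1], "queries")
    print("64-bit tag, 50% success needs", queries_for_success(64, 0.5), "queries")
```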