From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: Herczeg Zsolt <zsolt94@gmail.com>, git@vger.kernel.org
Subject: Re: Git and SHA-1 security (again)
Date: Thu, 21 Jul 2016 16:13:39 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.20.1607211520170.14111@virtualbox> (raw)
In-Reply-To: <20160718224450.GF6644@vauxhall.crustytoothpaste.net>
Hi Brian,
On Mon, 18 Jul 2016, brian m. carlson wrote:
> On Mon, Jul 18, 2016 at 09:00:06AM +0200, Johannes Schindelin wrote:
>
> > FWIW it never crossed my mind to allow different same-sized hash
> > algorithms. So I never thought we'd need a way to distinguish, say,
> > BLAKE2b-256 from SHA-256.
> >
> > Is there a good reason to add the maintenance burden of several 256-bit
> > hash algorithms, apart from speed (which in my mind should decide which
> > one to use, always, rather than letting the user choose)? It would also
> > complicate transport even further, let alone subtree merges from
> > differently-hashed repositories.
>
> There are really three candidates:
>
> * SHA-256 (the SHA-2 algorithm): While this looks good right now,
> cryptanalysis is advancing. This is not a good choice for a long-term
> solution.
> * SHA3-256 (the SHA-3 algorithm): This is the conservative choice. It's
> also faster than SHA-256 on 64-bit systems. It has a very
> conservative security margin and is a good long-term choice.
> * BLAKE2b-256: This is the blisteringly fast choice. It outperforms
> SHA-1 and even MD5 on 64-bit systems. This algorithm was designed so
> that nobody would have a reason to use an insecure algorithm. It will
> probably be secure for some time, but maybe not as long as SHA3-256.
>
> I'm only considering 256-bit hashes, because anything longer won't fit
> on an 80-column terminal in hex form.
>
> The reason I had considered implementing both SHA3-256 and BLAKE2b-256
> is that I want there to be no reason not to upgrade. People who need a
> FIPS-approved algorithm or want a long-term, conservative choice should
> use SHA3-256. People who want even better performance than current Git
> would use BLAKE2b-256.
>
> Performance comparison (my implementations):
> SHA-1: 437 MiB/s
> SHA-256: 196 MiB/s
> SHA3-256: 273 MiB/s
> BLAKE2b: 649 MiB/s
Those are impressive numbers on BLAKE2b. However, Keccak was chosen as
SHA-3 because it can be implemented in hardware more efficiently than
BLAKE (and hence, probably, also BLAKE2). Given that there are already SSE
instructions implementing SHA-1/SHA-256 on some CPUs [*1*], I would not be
surprised if SHA3 would also see some hardware support.
So speed seems less of a concern to me. We are talking about a multi-year
roadmap, after all.
And given the complications for public repository hosters, I would like to
settle for a single 256-bit hash. That'll be challenging enough.
Ciao,
Dscho
Footnote *1*: https://en.wikipedia.org/wiki/Intel_SHA_extensions
next prev parent reply other threads:[~2016-07-21 14:15 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-16 13:48 Git and SHA-1 security (again) Herczeg Zsolt
2016-07-16 20:13 ` brian m. carlson
2016-07-16 21:46 ` Herczeg Zsolt
2016-07-16 22:03 ` brian m. carlson
2016-07-17 8:01 ` Johannes Schindelin
2016-07-17 14:21 ` brian m. carlson
2016-07-17 15:19 ` Duy Nguyen
2016-07-17 15:42 ` brian m. carlson
2016-07-17 16:23 ` Theodore Ts'o
2016-07-17 22:04 ` brian m. carlson
[not found] ` <1468804249.2037.0@smtp.gmail.com>
2016-07-18 1:18 ` Fwd: " Herczeg Zsolt
2016-07-18 7:12 ` Johannes Schindelin
2016-07-18 15:09 ` Herczeg Zsolt
2016-07-18 15:57 ` Johannes Schindelin
2016-07-18 16:05 ` Duy Nguyen
2016-07-19 7:18 ` Johannes Schindelin
2016-07-19 15:31 ` Duy Nguyen
2016-07-19 17:34 ` David Lang
2016-07-19 17:43 ` Duy Nguyen
2016-07-19 17:59 ` David Lang
2016-07-19 18:04 ` Duy Nguyen
2016-07-19 18:58 ` Herczeg Zsolt
2016-07-20 14:48 ` Duy Nguyen
2016-07-20 12:28 ` Johannes Schindelin
2016-07-20 14:44 ` Duy Nguyen
2016-07-20 17:10 ` Stefan Beller
2016-07-20 19:26 ` Junio C Hamano
2016-08-22 22:01 ` Philip Oakley
2016-07-18 16:12 ` Herczeg Zsolt
2016-07-19 7:21 ` Johannes Schindelin
2016-07-18 18:00 ` Junio C Hamano
2016-07-18 21:26 ` Jonathan Nieder
2016-07-18 23:03 ` brian m. carlson
2016-07-21 13:19 ` Johannes Schindelin
2016-07-21 12:53 ` Johannes Schindelin
2016-07-22 15:59 ` Junio C Hamano
2016-07-18 7:00 ` Johannes Schindelin
2016-07-18 22:44 ` brian m. carlson
2016-07-21 14:13 ` Johannes Schindelin [this message]
2016-07-18 16:51 ` Duy Nguyen
2016-07-19 7:31 ` Johannes Schindelin
2016-07-19 7:46 ` David Lang
2016-07-19 16:07 ` Duy Nguyen
2016-07-19 17:06 ` Junio C Hamano
2016-07-19 17:27 ` Duy Nguyen
2016-07-19 18:46 ` Junio C Hamano
2016-07-18 16:51 ` Ævar Arnfjörð Bjarmason
2016-07-18 17:48 ` Herczeg Zsolt
2016-07-18 20:01 ` David Lang
2016-07-18 20:02 ` Ævar Arnfjörð Bjarmason
2016-07-18 20:55 ` Junio C Hamano
2016-07-18 21:28 ` Herczeg Zsolt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.1607211520170.14111@virtualbox \
--to=johannes.schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=sandals@crustytoothpaste.net \
--cc=zsolt94@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).