From: Alex Elsayed <eternaleye@gmail.com>
To: linux-btrfs@vger.kernel.org
Subject: Re: [RFC PATCH] Btrfs: add sha256 checksum option
Date: Mon, 01 Dec 2014 15:23:03 -0800 [thread overview]
Message-ID: <m5it8o$8gf$1@ger.gmane.org> (raw)
In-Reply-To: CAJBj3vfr+awjY1iztH-wcy9PSzsCa2cYsDhmRz2cV-O=SFifHw@mail.gmail.com
John Williams wrote:
> On Mon, Dec 1, 2014 at 12:35 PM, Austin S Hemmelgarn
> <ahferroin7@gmail.com> wrote:
>> My only reasoning is that with this set of hashes (crc32c, adler32, and
>> md5), the statistical likely-hood of running into a hash collision with
>> more than one of them at a time is infinitesimally small compared to the
>> likely-hood of any one of them having a collision (or even compared to
>> something ridiculous like the probability of being killed by a meteor
>> strike), and the combination is faster on most systems that I have tried
>> than many 256-bit crypto hashes.
>
> I have not seen any evidence that combining hashes like that actually
> reduces the chances of collision, but if we assume it does, then
> again, the non-crypto hashes would be faster. For example, 128-bit
> Spooky2 combined with 128-bit CityHash would produce a 256-bit hash
> and would be faster than MD5 + whatever.
It has no real benefit, but _why_ depends on what your model is.
There's a saying that engineers worry about stochastic failure; security
professionals have to worry about malicious failure.
If your only concern is stochastic failure (random bitflips, etc), then the
chances of collision with 128-bit CityHash or MurmurHash or SipHash or what-
have-you are already so small that every single component in your laptop
dying simultaneously is more likely. Adding another hash is thus just a
waste of cycles.
If your concern is malicious failure (in-band deduplication attack or
similar, ignoring for now that btrfs actually compares the extent data as
well IIRC), then it's well-known in the cryptographic community that the
concatenation of multiple hashes is as strong as the strongest hash, _but no
stronger_ [1].
Since the strongest cipher in the above list is either a non-cryptographic
hash or MD5, which is known-weak to the point of there being numerous toy
programs finding collisions for arbitrary data, it would not be worth much.
The only place this might be of use is if you used N strong/unbroken hashes,
in order to hedge against up to N-1 of them being broken. However, the gain
of that is (again) infinetismal, and the performance cost quite large
indeed.
[1] http://eprint.iacr.org/2008/075
next prev parent reply other threads:[~2014-12-01 23:23 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-24 5:23 [RFC PATCH] Btrfs: add sha256 checksum option Liu Bo
2014-11-24 5:23 ` [RFC PATCH] Btrfs-progs: support sha256 checksum algorithm Liu Bo
2014-11-24 8:23 ` [RFC PATCH] Btrfs: add sha256 checksum option Holger Hoffstätte
2014-11-24 18:55 ` Duncan
2014-11-24 19:34 ` John Williams
2014-11-25 10:30 ` Liu Bo
2014-11-25 10:52 ` Daniel Cegiełka
2014-11-25 23:17 ` John Williams
2014-11-26 12:50 ` Holger Hoffstätte
2014-11-26 17:53 ` John Williams
2014-11-25 10:28 ` Liu Bo
2014-11-24 20:07 ` Chris Mason
2014-11-24 20:58 ` Hugo Mills
2014-11-25 3:04 ` Qu Wenruo
2014-11-25 5:13 ` Zygo Blaxell
2014-11-25 11:30 ` Liu Bo
2014-11-26 13:36 ` Brendan Hide
2014-11-25 16:47 ` David Sterba
2014-11-25 19:45 ` Bardur Arantsson
2014-11-26 13:38 ` Brendan Hide
2014-11-26 13:58 ` Austin S Hemmelgarn
2014-12-01 18:37 ` David Sterba
2014-12-01 20:35 ` Austin S Hemmelgarn
2014-12-01 20:51 ` John Williams
2014-12-01 23:23 ` Alex Elsayed [this message]
2014-12-15 18:47 ` David Sterba
2014-11-25 16:39 ` David Sterba
2014-11-27 3:52 ` Liu Bo
2014-12-01 18:51 ` David Sterba
2014-11-29 20:38 ` Alex Elsayed
2014-11-29 21:00 ` John Williams
2014-11-29 21:07 ` Alex Elsayed
2014-11-29 21:21 ` John Williams
2014-11-29 21:27 ` Alex Elsayed
2014-12-01 12:39 ` Austin S Hemmelgarn
2014-12-01 17:22 ` John Williams
2014-12-01 17:42 ` Austin S Hemmelgarn
2014-12-01 17:49 ` John Williams
2014-12-01 19:28 ` Alex Elsayed
2014-12-01 19:34 ` Alex Elsayed
2014-12-01 20:26 ` Austin S Hemmelgarn
2014-12-01 19:58 ` John Williams
2014-12-01 20:04 ` Alex Elsayed
2014-12-01 20:08 ` Alex Elsayed
2014-12-01 20:46 ` John Williams
2014-12-01 22:56 ` Alex Elsayed
2014-12-01 23:05 ` Alex Elsayed
2014-12-01 23:37 ` John Williams
2014-12-01 23:46 ` Alex Elsayed
2014-12-02 0:03 ` John Williams
2014-12-02 0:15 ` Alex Elsayed
2014-12-02 0:30 ` John Williams
2014-12-02 0:34 ` Alex Elsayed
2014-12-02 0:11 ` John Williams
2014-12-01 23:48 ` John Williams
2014-12-02 0:06 ` Alex Elsayed
2014-12-02 0:10 ` Alex Elsayed
2014-12-02 0:16 ` John Williams
2014-12-02 0:28 ` Christoph Anton Mitterer
2014-12-02 0:43 ` Alex Elsayed
2014-12-02 0:53 ` Christoph Anton Mitterer
2014-12-02 1:25 ` Alex Elsayed
2014-12-02 1:32 ` Alex Elsayed
2014-11-30 22:51 ` Christoph Anton Mitterer
2014-11-30 22:59 ` Christoph Anton Mitterer
2014-11-30 23:05 ` Dimitri John Ledkov
2014-12-01 2:55 ` Christoph Anton Mitterer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='m5it8o$8gf$1@ger.gmane.org' \
--to=eternaleye@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).