On Thu, Jun 15, 2017 at 08:05:18PM +0900, Mike Hommey wrote: > On Thu, Jun 15, 2017 at 12:30:46PM +0200, Johannes Schindelin wrote: > > Footnote *1*: SHA-256, as all hash functions whose output is essentially > > the entire internal state, are susceptible to a so-called "length > > extension attack", where the hash of a secret+message can be used to > > generate the hash of secret+message+piggyback without knowing the secret. > > This is not the case for Git: only visible data are hashed. The type of > > attacks Git has to worry about is very different from the length extension > > attacks, and it is highly unlikely that that weakness of SHA-256 leads to, > > say, a collision attack. > > What do the experts think or SHA512/256, which completely removes the > concerns over length extension attack? (which I'd argue is better than > sweeping them under the carpet) I don't think it's sweeping them under the carpet. Git does not use the hash as a MAC, so length extension attacks aren't a thing (and even if we later wanted to use the same algorithm as a MAC, the HMAC construction is a well-studied technique for dealing with it). That said, SHA-512 is typically a little faster than SHA-256 on 64-bit platforms. I don't know if that will change with the advent of hardware instructions oriented towards SHA-256. -Peff