Hi Dscho,

Johannes Schindelin wrote:

> From what I read, pretty much everybody who participated in the discussion
> was aware that the essential question is: performance vs security.

I don't completely agree with this framing. The essential question is: how to get the right security properties without abysmal performance.

> It turns out that we can have essentially both.
>
> SHA-256 is most likely the best-studied hash function we currently know
[... etc ...]

Thanks for a thoughtful restart to the discussion. This is much more concrete than your previous objections about process, and that is very helpful.

In the interest of transparency: here are my current questions for cryptographers to whom I have forwarded this thread. Several of these questions involve predictions or opinions, so in my ideal world we'd want multiple, well-reasoned answers to them. Please feel free to forward them to appropriate people or add more.

1. Now it sounds like SHA-512/256 is the safest choice (see also Mike Hommey's response to Dscho's message). Please poke holes in my understanding.

2. Would you be willing to weigh in publicly on the mailing list? I think that would be the most straightforward way to move this forward (and it would give you a chance to ask relevant questions, etc). Feel free to contact me privately if you have any questions about how this particular mailing list works.

3. On the speed side, Dscho states "SHA-256 will be faster than BLAKE (and even than BLAKE2) once the Intel and AMD CPUs with hardware support for SHA-256 become common." Do you agree?

4. On the security side, Dscho states "to compete in the SHA-3 contest, BLAKE added complexity so that it would be roughly on par with its competitors. To allow for faster execution in software, this complexity was *removed* from BLAKE to create BLAKE2, making it weaker than SHA-256." Putting aside the historical questions, do you agree with this "weaker than" claim?

5. On the security side, Dscho states, "The type of attacks Git has to worry about is very different from the length extension attacks, and it is highly unlikely that that weakness of SHA-256 leads to, say, a collision attack", and Jeff King states, "Git does not use the hash as a MAC, so length extension attacks aren't a thing (and even if we later wanted to use the same algorithm as a MAC, the HMAC construction is a well-studied technique for dealing with it)." Is this correct in spirit? Is SHA-256 as strong as SHA-512/256 for Git's purposes, or are the increased bits of internal state (or other differences) relevant? How would you compare the two functions' properties?

6. On the speed side, Jeff King states "That said, SHA-512 is typically a little faster than SHA-256 on 64-bit platforms. I don't know if that will change with the advent of hardware instructions oriented towards SHA-256." Thoughts?

7. If the answer to (2) is "no", do I have permission to quote or paraphrase your replies that were given here?

Thanks,
sincerely,
Jonathan
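To make questions 5 and 6 concrete, here is an added example (not from this thread and not Git's own code) that computes Git-style object IDs under SHA-1, SHA-256 and SHA-512/256, compares each function's internal state width with its output width, and shows the HMAC construction Jeff King refers to. It assumes Python's hashlib algorithm names (sha512_256 is unavailable on builds whose OpenSSL lacks it) and uses a constructed key and blob.

```python
import hashlib
import hmac

# Internal chaining-state width in bits for the functions discussed in the
# thread (hashlib names; sha512_256 needs an OpenSSL that provides it).
STATE_BITS = {"sha1": 160, "sha256": 256, "sha512": 512, "sha512_256": 512}


def hash_available(algo):
    """True if this Python build can construct the named hash."""
    try:
        hashlib.new(algo)
        return True
    except ValueError:
        return False


def git_object_id(obj_type, content, algo="sha1"):
    """Object ID as Git computes it: hash of '<type> <size>\\0<content>'.

    The header format does not depend on the hash, so switching algorithm
    changes only the digest and its length.
    """
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).hexdigest()


def state_vs_output_bits(algo):
    """(chaining-state bits, output bits) for the named hash.

    SHA-1 and SHA-256 emit their entire state, which is exactly what a
    length-extension forgery relies on; SHA-512/256 keeps 512 bits of
    state and emits 256, so the state is never fully revealed.
    """
    return STATE_BITS[algo], hashlib.new(algo).digest_size * 8


def object_mac(key, obj_type, content, algo="sha256"):
    """Keyed tag over a Git object via HMAC, the construction Jeff King
    refers to; unlike hash(key || data), HMAC is not length-extendable."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hmac.new(key, header + content, algo).hexdigest()


if __name__ == "__main__":
    blob = b"hello\n"  # constructed sample content
    for algo in ("sha1", "sha256", "sha512_256"):
        if hash_available(algo):
            print(algo, git_object_id("blob", blob, algo), state_vs_output_bits(algo))
    print("hmac", object_mac(b"example-key", "blob", blob))  # constructed key
```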