On Fri, Jun 16, 2017 at 06:10:22AM +0900, Mike Hommey wrote:

> > > What do the experts think of SHA512/256, which completely removes the
> > > concerns over length extension attack? (which I'd argue is better than
> > > sweeping them under the carpet)
> >
> > I don't think it's sweeping them under the carpet. Git does not use the
> > hash as a MAC, so length extension attacks aren't a thing (and even if
> > we later wanted to use the same algorithm as a MAC, the HMAC
> > construction is a well-studied technique for dealing with it).
>
> AIUI, length extension does make brute force collision attacks (which,
> really Shattered was) cheaper by allowing one to create the collision
> with a small message and extend it later.
>
> This might not be a credible threat against git, but if we go by that
> standard, post-shattered SHA-1 is still fine for git. As a matter of
> fact, MD5 would also be fine: there is still, to this day, no preimage
> attack against them.

I think collision attacks are of interest to Git. But I would think 2^128
would be enough (TBH, 2^80 probably would have been enough for SHA-1; it
was the weaknesses that brought that down by a factor of a million that
made it a problem).

-Peff