Hi, Linus Torvalds wrote: > On Tue, Jul 24, 2018 at 12:01 PM Edward Thomson > <ethomson@xxxxxxxxxxxxxxxxx> wrote: >> Switching gears, if I look at this from the perspective of the libgit2 >> project, I would also prefer SHA-256 or SHA3 over blake2b. To support >> blake2b, we'd have to include - and support - that code ourselves. But >> to support SHA-256, we would simply use the system's crypto libraries >> that we already take a dependecy on (OpenSSL, mbedTLS, CryptoNG, or >> SecureTransport). Just to be clear, OpenSSL has built-in blake2b support. [...] > So I'm not a huge fan of sha256, partly because of my disappointment > in lack of hw acceleration in releant markets (sure, it's fairly > common in ARM, but nobody sane uses ARM for development because of > _other_ reasons). And partly because I don't like how the internal > data size is the same as the final hash. But that second issue is an > annoyance with it, not a real issue - in the absence of weaknesses > it's a non-issue, and any future weaknesses might affect any other > choice too. Thanks for saying this. With this in mind, I think we have a clear way forward: we should use SHA-256. My main complaint about it is that it is not a tree hash, but the common availability in libraries trumps that (versus SHA-256x16, say). I also was excited about K12, both because I like a world where Keccak gets wide hardware accelaration (improving PRNGs and other applications) and because of Keccak team's helpfulness throughout the process of helping us evaluate this, and it's possible that some day in the future we may want to switch to something like it. But today, as mentioned in [1] and [2], there is value in settling on one standard and SHA2-256 is the obvious standard today. Thanks, Jonathan [1] https://public-inbox.org/git/CAL9PXLyNVLCCqV1ftRa3r4kuoamDZOF29HJEhv2JXrbHj1nirA@xxxxxxxxxxxxxx/ [2] https://public-inbox.org/git/20180723183523.GB9285@xxxxxxxxxxxxxxxxxxxxxxxxx/
