From: Jason A. Donenfeld > Sent: 14 January 2022 15:21 > > On Fri, Jan 14, 2022 at 4:08 PM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > Yeah, so the issue is that, at *some* point, SHA-1 is going to have to > > go. So it would be helpful if Alexei could clarify *why* he doesn't > > see this as a problem. The fact that it is broken means that it is no > > longer intractable to forge collisions, which likley means that SHA-1 > > no longer fulfills the task that you wanted it to do in the first > > place. > > I think the reason that Alexei doesn't think that the SHA-1 choice > really matters is because the result is being truncated to 64-bits, so > collisions are easy anyway... Which probably means that SHA-1 is complete overkill and something much simpler could have been used instead. Is the buffer even big enough to have ever warranted the massive unrolling of the sha-1 function. (I suspect that just destroys the I-cache on most cpu.) The IPv6 address case seems even more insane - how many bytes are actually being hashed. The unrolled loop is only likely to be sane for large (megabyte) buffers. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
