From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Joan Daemen <jda@noekeon.org>
Cc: Gilles Van Assche <gilles.vanassche@st.com>, Linus Torvalds <torvalds@linux-foundation.org>, demerphq <demerphq@gmail.com>, Brandon Williams <bmwill@google.com>, Junio C Hamano <gitster@pobox.com>, Jonathan Nieder <jrnieder@gmail.com>, Git Mailing List <git@vger.kernel.org>, Stefan Beller <sbeller@google.com>, Jonathan Tan <jonathantanmy@google.com>, Jeff King <peff@peff.net>, David Lang <david@lang.hm>, "brian m. carlson" <sandals@crustytoothpaste.net>, Keccak Team <keccak@noekeon.org>
Subject: Re: RFC v3: Another proposed hash function transition plan
Date: Sat, 30 Sep 2017 00:33:33 +0200 (CEST)
Message-ID: <alpine.DEB.2.21.1.1709292355060.40514@virtualbox>
In-Reply-To: <acd96750-c165-650c-c67f-44465f2075f2@noekeon.org>

Hi Joan,

On Fri, 29 Sep 2017, Joan Daemen wrote:

> if ever there was a SHA-2 competition, it must have been held inside NSA:-)

Oops. My bad, I indeed got confused about that, as you suggest below (I actually thought of the AES competition, but that was obviously not about SHA-2). Sorry.

> But maybe you are confusing with the SHA-3 competition. In any case,
> when considering SHA-2 vs SHA-3 for usage in git, you may have a look at
> arguments we give in the following blogpost:
>
> https://keccak.team/2017/open_source_crypto.html

Thanks for the pointer!

Small nit: the post uses "its" in place of "it's", twice.

It does have a good point, of course: the scientific exchange (which you call "open-source" in spirit) makes tons of sense.

As far as Git is concerned, we not only care about the source code of the hash algorithm we use, we need to care even more about what you call "executable": ready-to-use, high quality, well-tested implementations.
We carry source code for SHA-1 as part of Git's source code, which was hand-tuned to be as fast as Linus could get it, which was tricky given that the tuning should be general enough to apply to all common Intel CPUs. This hand-crafted code was blown out of the water by OpenSSL's SHA-1 in our tests here at Microsoft, thanks to the fact that OpenSSL does vectorized SHA-1 computation now.

To me, this illustrates why it is not good enough to have only a reference implementation available at our fingertips.

Of course, above-mentioned OpenSSL supports SHA-256 and SHA3-256, too, and at least recent versions vectorize those, too.

Also, ARM processors have become a lot more popular, so we'll want to have high-quality implementations of the hash algorithm also for those processors.

Likewise, in contrast to 2005, nowadays implementations of Git in languages as obscure as Javascript are not only theoretical but do exist in practice (https://github.com/creationix/js-git). I had a *very* quick look for libraries providing crypto in Javascript and immediately found the Stanford Javascript Crypto Library (https://github.com/bitwiseshiftleft/sjcl/) which seems to offer SHA-256 but not SHA3-256 computation.

Back to Intel processors: I read some vague hints about extensions accelerating SHA-256 computation on future Intel processors, but not SHA3-256.

It would make sense, of course, that more crypto libraries and more hardware support would be available for SHA-256 than for SHA3-256 given the time since publication: 16 vs 5 years (I am playing it loose here, taking just the year into account, not the exact date, so please treat that merely as a ballpark figure).

So from a practical point of view, I wonder what your take is on, say, hardware support for SHA3-256. Do you think this will become a focus soon?

Also, what is your take on the question whether SHA-256 is good enough?
SHA-1 was broken theoretically already 10 years after it was published (which unfortunately did not prevent us from baking it into Git), after all, while SHA-256 is 16 years old and the only known weakness does not apply to Git's usage?

Also, while I have the attention of somebody who knows a heck more about cryptography than Git's top 10 committers combined: how soon do you expect practical SHA-1 attacks that are much worse than what we already have seen? I am concerned that if we do not move fast enough to a new hash algorithm, and somebody finds a way in the meantime to craft arbitrary messages given a prefix and an SHA-1, then we have a huge problem on our hands.

Ciao,
Johannes
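The practical question the message keeps returning to is whether a given platform's crypto library actually ships a ready-to-use implementation of each candidate (SHA-1, SHA-256, SHA3-256) and how fast that implementation is, since the hand-tuned SHA-1 in Git was outrun by OpenSSL's vectorized one. The script below is an added example, not part of the original thread and not Git's own code; it uses Python's standard `hashlib`, whose `sha1` and `sha256` are normally backed by the linked OpenSSL, so the throughput it reports is that of the library build, not of the interpreter. The algorithm names are hashlib's identifiers, the `b"abc"` digests are the published FIPS 180-4 / FIPS 202 test vectors used only as a sanity check, and the benchmark payload is constructed in the script.

```python
"""Added example (not from the mailing-list thread or the Git project):
check which hash functions the local hashlib/OpenSSL build provides,
verify each against a known test vector, and compare throughput."""
import hashlib
import time

# Candidates discussed in the thread, spelled as hashlib names them.
CANDIDATES = ("sha1", "sha256", "sha3_256")

# Published test vectors for the input b"abc" (FIPS 180-4 and FIPS 202).
KNOWN_ABC = {
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "sha3_256": "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532",
}


def available_algorithms(names=CANDIDATES):
    """Return the subset of `names` that this hashlib build can construct."""
    found = []
    for name in names:
        try:
            hashlib.new(name)
        except ValueError:
            # hashlib raises ValueError for names the linked library lacks.
            continue
        found.append(name)
    return found


def hex_digest(name, data):
    """Hex digest of `data` under the algorithm called `name`."""
    return hashlib.new(name, data).hexdigest()


def self_check(names=CANDIDATES):
    """Compare each available algorithm against its known 'abc' digest.

    Returns a dict name -> bool; a False entry means the build ships an
    implementation that does not match the published vector."""
    return {
        name: hex_digest(name, b"abc") == KNOWN_ABC[name]
        for name in available_algorithms(names)
    }


def throughput_mib_s(name, size=8 * 1024 * 1024, rounds=3):
    """Hash `size` bytes of a constructed payload `rounds` times and return
    the best observed rate in MiB/s (best-of-N damps scheduling noise)."""
    data = bytes(range(256)) * (size // 256)  # constructed, deterministic input
    best = 0.0
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.new(name, data).digest()
        elapsed = max(time.perf_counter() - start, 1e-9)  # guard against zero
        best = max(best, (len(data) / (1024 * 1024)) / elapsed)
    return best


if __name__ == "__main__":
    print("available:", available_algorithms())
    print("self-check:", self_check())
    for algo in available_algorithms():
        print(f"{algo:9s} {throughput_mib_s(algo):8.1f} MiB/s")
```

The numbers are only meaningful relative to each other on the same machine and library build; rerunning the script after upgrading OpenSSL, or on an ARM host, is the quickest way to see whether the "executable" side of a candidate has caught up. The self-check is deliberately run before the benchmark so that a fast but wrong implementation is rejected rather than admired.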