Hi Joan, On Fri, 29 Sep 2017, Joan Daemen wrote:
> if ever there was a SHA-2 competition, it must have been held inside NSA:-) Oops. My bad, I indeed got confused about that, as you suggest below (I actually thought of the AES competition, but that was obviously not about SHA-2). Sorry. > But maybe you are confusing with the SHA-3 competition. In any case, > when considering SHA-2 vs SHA-3 for usage in git, you may have a look at > arguments we give in the following blogpost: > > https://keccak.team/2017/open_source_crypto.html Thanks for the pointer! Small nit: the post uses "its" in place of "it's", twice. It does have a good point, of course: the scientific exchange (which you call "open-source" in spirit) makes tons of sense. As far as Git is concerned, we not only care about the source code of the hash algorithm we use, we need to care even more about what you call "executable": ready-to-use, high quality, well-tested implementations. We carry source code for SHA-1 as part of Git's source code, which was hand-tuned to be as fast as Linus could get it, which was tricky given that the tuning should be general enough to apply to all common intel CPUs. This hand-crafted code was blown out of the water by OpenSSL's SHA-1 in our tests here at Microsoft, thanks to the fact that OpenSSL does vectorized SHA-1 computation now. To me, this illustrates why it is not good enough to have only a reference implementation available at our finger tips. Of course, above-mentioned OpenSSL supports SHA-256 and SHA3-256, too, and at least recent versions vectorize those, too. Also, ARM processors have become a lot more popular, so we'll want to have high-quality implementations of the hash algorithm also for those processors. Likewise, in contrast to 2005, nowadays implementations of Git in languages as obscure as Javascript are not only theoretical but do exist in practice (https://github.com/creationix/js-git). I had a *very* quick look for libraries providing crypto in Javascript and immediately found the Standford Javascript Crypto library (https://github.com/bitwiseshiftleft/sjcl/) which seems to offer SHA-256 but not SHA3-256 computation. Back to Intel processors: I read some vague hints about extensions accelerating SHA-256 computation on future Intel processors, but not SHA3-256. It would make sense, of course, that more crypto libraries and more hardware support would be available for SHA-256 than for SHA3-256 given the time since publication: 16 vs 5 years (I am playing it loose here, taking just the year into account, not the exact date, so please treat that merely as a ballpark figure). So from a practical point of view, I wonder what your take is on, say, hardware support for SHA3-256. Do you think this will become a focus soon? Also, what is your take on the question whether SHA-256 is good enough? SHA-1 was broken theoretically already 10 years after it was published (which unfortunately did not prevent us from baking it into Git), after all, while SHA-256 is 16 years old and the only known weakness does not apply to Git's usage? Also, while I have the attention of somebody who knows a heck more about cryptography than Git's top 10 committers combined: how soon do you expect practical SHA-1 attacks that are much worse than what we already have seen? I am concerned that if we do not move fast enough to a new hash algorithm, and somebody finds a way in the meantime to craft arbitrary messages given a prefix and an SHA-1, then we have a huge problem on our hands. Ciao, Johannes
