On Wed, Jan 23, 2008 at 02:55:06PM -0700, zooko wrote:
> I have to ask: why does darcs use SHA-1?
>
> On the one hand, SHA-1 is cryptographically fragile and is deprecated
> for use in applications that require collision-resistance and
> pre-image resistance. SHA-2 is the current standard for those
> applications (SHA-2 is about twice as expensive in CPU [1]), and
> SHA-3 is under development.
>
> On the other hand, why does darcs need a cryptographically secure
> hash function at all? Wouldn't MD5 or a sufficiently wide CRC, such
> as the one used in ZFS [2], do just as well? They would certainly be
> a lot faster to compute.
>
> Is there some behavior on the part of some malicious actor that darcs
> tries to prevent, such that the collision-resistance (such as it is)
> of SHA-1 is necessary to prevent it?
It's mostly historical, but also supported by the assumption that Linus
thought about it when *he* decided to use sha1 for the same purpose.

In principle it is good to provide a cryptographically secure hash, as
this allows users to sign their repositories by signing a single file,
which seems like it's potentially quite a useful feature. On the other
hand, using sha2, which is twice as expensive (and twice as large,
right) would perhaps be too costly. I don't know. SHA-2 would cost more
in disk space and network bandwidth, as well as in CPU time.

Is SHA-1 optimal? I don't know. Is it reasonable? I suspect so.
-- 
David Roundy
Department of Physics
Oregon State University
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
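An added illustration of the two points in this exchange (this is example code written for this page, not darcs code and not from either poster): a toy model of the "sign the repository by signing a single file" scheme David mentions, with a pluggable hash, next to the reason zooko's CRC alternative cannot support it. The manifest format, the function names, the sample files and the "pinned digest" standing in for a signature are all made up here. The CRC-32 forging is the standard linear-algebra trick: because a CRC is linear over GF(2), four chosen bytes appended to any message steer its CRC-32 to any 32-bit value, so an attacker can replace a file with one that keeps its manifest entry unchanged and the signed manifest still verifies.

```python
import hashlib
import zlib

# ---- CRC-32 forging ---------------------------------------------------
# Reflected CRC-32 (the one zlib.crc32 computes): poly 0xEDB88320,
# init 0xFFFFFFFF, final xor 0xFFFFFFFF.
def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _crc_table()
# The top byte of each table entry is unique, so it identifies the entry.
_TOP = {t >> 24: i for i, t in enumerate(_TABLE)}

def crc32_patch(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes p such that crc32(prefix + p) == target."""
    r = zlib.crc32(prefix) ^ 0xFFFFFFFF   # internal register after prefix
    want = target ^ 0xFFFFFFFF            # internal register we need at the end
    # Walk backwards from the wanted register: the top byte of the register
    # after each step pins down which table entry that step used.
    idx = [0] * 4
    reg = want
    for i in range(3, -1, -1):
        idx[i] = _TOP[reg >> 24]
        reg = (reg ^ _TABLE[idx[i]]) << 8   # upper 24 bits of the previous register
    # Walk forwards with the real register, choosing each byte so that the
    # table index used matches the one the backward pass demands.
    out = bytearray()
    for i in range(4):
        out.append((r ^ idx[i]) & 0xFF)
        r = _TABLE[idx[i]] ^ (r >> 8)
    return bytes(out)

def crc32_of(data: bytes) -> int:
    return zlib.crc32(data)

# ---- toy content-addressed repository --------------------------------
def h_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def h_crc32(data: bytes) -> str:
    return "%08x" % zlib.crc32(data)

def manifest(files: dict, h) -> bytes:
    """One line per file, '<hash> <name>', sorted by name (made-up format)."""
    lines = ["%s %s" % (h(files[name]), name) for name in sorted(files)]
    return "\n".join(lines).encode() + b"\n"

def verify(files: dict, h, signed_manifest_digest: str) -> bool:
    """A signature over the manifest digest covers every file it lists."""
    return h(manifest(files, h)) == signed_manifest_digest

def demo(h, forge: bool) -> bool:
    """Return True if a tampered checkout still passes verification."""
    # Constructed sample repository contents.
    files = {"README": b"darcs example\n",
             "main.hs": b"main = putStrLn \"hi\"\n"}
    pinned = h(manifest(files, h))      # stands in for the signed digest
    assert verify(files, h, pinned)
    evil = b"main = launchMissiles\n"
    if forge:
        # Attacker appends 4 bytes so evil's CRC-32 equals the original's.
        evil += crc32_patch(evil, zlib.crc32(files["main.hs"]))
    tampered = dict(files, **{"main.hs": evil})
    return verify(tampered, h, pinned)

if __name__ == "__main__":
    print("sha256, tampered verifies:", demo(h_sha256, forge=False))  # False
    print("crc32, tampered verifies:", demo(h_crc32, forge=False))    # False
    print("crc32, forged verifies:", demo(h_crc32, forge=True))       # True
```

The same construction works for a CRC of any width (a 64-bit CRC needs an 8-byte patch), so "sufficiently wide" does not help: the property the single-signature scheme needs is second-preimage resistance, which no CRC has and which `hashlib.sha1` or `hashlib.sha256` can be dropped in for here in place of `h_crc32`.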