> A collision in a widely used cryptographic hash would be a major, 
> publishable security advance.

That's true for SHA-256 itself.  But I ran the numbers, and it turns out brute-force 
search for a collision on a 128-bit hash (even with no algorithmic 
weakness) is feasible.  I wrote more on the GitHub ticket.

I think the per-session random secret would fix this issue, but I will think 
about it more.  And it will slow things down at least some.

(cc:ing some people I discussed this with on IRC)

> As an added note, looks like Skylake is going to have SHA instructions 

Yeah, that's one reason to pursue this approach.  If we can access crypto 
accelerators on mobile, it might be an even bigger win there.  We could even 
support SHA interning alongside table-based interning, and select one based on 
the availability of crypto acceleration.

keegan
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
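An added example (not from this thread or Servo's own code) making the two points above concrete: the birthday bound that makes a brute-force collision on 128-bit fingerprints feasible, shown at a 24-bit scale, and how mixing in a per-session secret (assumed here to be HMAC-SHA256, one possible form of the fix) makes an offline-found colliding pair useless. The names `fingerprint`, `find_collision` and `collides` are hypothetical.

```python
import hashlib
import hmac


def birthday_work(bits: int) -> int:
    """Expected hash evaluations for a brute-force collision on an ideal
    n-bit hash: about 2**(n/2) (the birthday bound), regardless of how
    strong the underlying hash is."""
    return 2 ** (bits // 2)


def fingerprint(data: bytes, bits: int, key: bytes = b"") -> int:
    """Interning-style fingerprint: SHA-256 truncated to `bits` bits.
    With a key, HMAC-SHA256 is used so the fingerprint depends on a
    per-session secret (assumed fix, not Servo's code)."""
    digest = (hmac.new(key, data, hashlib.sha256).digest() if key
              else hashlib.sha256(data).digest())
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, key: bytes = b"", limit: int = 1 << 22):
    """Birthday search: fingerprint distinct inputs until two agree.
    Returns (input_a, input_b, tries), or None if `limit` is exhausted.
    Inputs are constructed counters; ~2**(bits/2) tries are expected."""
    seen = {}
    for i in range(limit):
        m = i.to_bytes(4, "big")
        h = fingerprint(m, bits, key)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def collides(a: bytes, b: bytes, bits: int, key: bytes = b"") -> bool:
    """True if a and b share a fingerprint under this (session) key."""
    return fingerprint(a, bits, key) == fingerprint(b, bits, key)


if __name__ == "__main__":
    # Scaling: 128-bit fingerprints fall at ~2**64 work, 256-bit at ~2**128.
    print(f"128-bit: about 2**{birthday_work(128).bit_length() - 1} evaluations")
    print(f"256-bit: about 2**{birthday_work(256).bit_length() - 1} evaluations")
    # The same sqrt scaling, demonstrated on a 24-bit truncation.
    a, b, tries = find_collision(24)
    print(f"24-bit collision after {tries} tries: {a.hex()} vs {b.hex()}")
    # A pair found offline against the unkeyed hash no longer collides once a
    # per-session secret is mixed in, so it cannot be precomputed in advance.
    print("still collides with session key?", collides(a, b, 24, b"session-secret"))
```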
