On Tue, Sep 18, 2018 at 8:18 AM Joan Daemen wrote:
>
> 3) The relatively large state in the sponge construction increases the
> generic strength against attacks when the input contains redundancy or
> has a certain form. For instance, if the input is restricted to be text in
> ASCII (such as
Hi,
A quick note.
Joan Daemen wrote:
> when going over my todo list I was confronted with the mail of Dan
> Shumow on the successor of SHA-1 for git. I know the decision was
> made and it is not my intention to change it, but please see below
> some comments on Dan's arguments.
When the time
Dear all,
when going over my todo list I was confronted with the mail of Dan Shumow on
the successor of SHA-1 for git. I know the decision was made and it is not my
intention to change it, but please see below some comments on Dan's arguments.
In short, I argue below that SHA256 has no serious
Hi Dan,
Dan Shumow wrote:
[replying out of order for convenience]
> However, I agree with Adam Langley that basically all of the
> finalists for a hash function replacement are about the same for the
> security needs of Git. I think that, for this community, other
> software engineering
Hello all. Johannes, thanks for adding me to this discussion.
So, as one of the coauthors of the SHA-1 collision detection code, I just
wanted to chime in and say I'm glad to see the move to a longer hash function.
Though, as a cryptographer, I have a few thoughts on the matter that I
Hi Brian,
On Tue, 24 Jul 2018, brian m. carlson wrote:
> On Tue, Jul 24, 2018 at 02:13:07PM -0700, Junio C Hamano wrote:
> > Yup. I actually was leaning toward saying "all of them are OK in
> > practice, so the person who is actually spear-heading the work gets to
> > choose", but if we picked
Hi Joan,
On Sun, 22 Jul 2018, Joan Daemen wrote:
> I wanted to react to some statements I read in this discussion. But
> first let me introduce myself. I'm Joan Daemen and I'm working in
> symmetric cryptography since 1988. Vincent Rijmen and I designed
> Rijndael that was selected to become AES
Hi Eric,
On Sun, 22 Jul 2018, Eric Deplagne wrote:
> On Sun, 22 Jul 2018 14:21:48 +, brian m. carlson wrote:
> > On Sun, Jul 22, 2018 at 11:34:42AM +0200, Eric Deplagne wrote:
> > > On Sat, 21 Jul 2018 23:59:41 +, brian m. carlson wrote:
> > > > I don't know your colleagues, and they
On Tue, Jul 24, 2018 at 02:13:07PM -0700, Junio C Hamano wrote:
> Yup. I actually was leaning toward saying "all of them are OK in
> practice, so the person who is actually spear-heading the work gets
> to choose", but if we picked SHA-256 now, that would not be a choice
> that Brian has to later
Linus Torvalds writes:
> On Tue, Jul 24, 2018 at 12:01 PM Edward Thomson
> wrote:
>>
>> Switching gears, if I look at this from the perspective of the libgit2
>> project, I would also prefer SHA-256 or SHA3 over blake2b. To support
>> blake2b, we'd have to include - and support - that code
Hi,
Linus Torvalds wrote:
> On Tue, Jul 24, 2018 at 12:01 PM Edward Thomson
> wrote:
>> Switching gears, if I look at this from the perspective of the libgit2
>> project, I would also prefer SHA-256 or SHA3 over blake2b. To support
>> blake2b, we'd have to include - and support - that code
On Tue, Jul 24, 2018 at 12:01 PM Edward Thomson
wrote:
>
> Switching gears, if I look at this from the perspective of the libgit2
> project, I would also prefer SHA-256 or SHA3 over blake2b. To support
> blake2b, we'd have to include - and support - that code ourselves. But
> to support
On Fri, Jul 20, 2018 at 09:52:20PM +, brian m. carlson wrote:
>
> To summarize the discussion that's been had in addition to the above,
> Ævar has also stated a preference for SHA-256 and I would prefer BLAKE2b
> over SHA-256 over SHA3-256, although any of them would be fine.
>
> Are there
Hi Yves,
demerphq wrote:
> On Sun, 22 Jul 2018 at 01:59, brian m. carlson
> wrote:
>> I will admit that I don't love making this decision by myself, because
>> right now, whatever I pick, somebody is going to be unhappy.
[...]
> I do not envy you this decision.
>
> Personally I would aim
On Mon, Jul 23, 2018 at 5:48 AM Sitaram Chamarty wrote:
>
> I would suggest (a) hash size of 256 bits and (b) choice of any hash
> function that can produce such a hash. If people feel strongly that 256
> bits may also turn out to be too small (really?) then a choice of 256 or
> 512, but not
On Mon, Jul 23, 2018 at 5:41 AM demerphq wrote:
>
> On Sun, 22 Jul 2018 at 01:59, brian m. carlson
> wrote:
> > I will admit that I don't love making this decision by myself, because
> > right now, whatever I pick, somebody is going to be unhappy. I want to
> > state, unambiguously, that I'm
On Mon, 23 Jul 2018 at 14:48, Sitaram Chamarty wrote:
> On 07/23/2018 06:10 PM, demerphq wrote:
> > On Sun, 22 Jul 2018 at 01:59, brian m. carlson
> > wrote:
> >> I will admit that I don't love making this decision by myself, because
> >> right now, whatever I pick, somebody is going to be
On 07/23/2018 06:10 PM, demerphq wrote:
> On Sun, 22 Jul 2018 at 01:59, brian m. carlson
> wrote:
>> I will admit that I don't love making this decision by myself, because
>> right now, whatever I pick, somebody is going to be unhappy. I want to
>> state, unambiguously, that I'm trying to
On Sun, 22 Jul 2018 at 01:59, brian m. carlson
wrote:
> I will admit that I don't love making this decision by myself, because
> right now, whatever I pick, somebody is going to be unhappy. I want to
> state, unambiguously, that I'm trying to make a decision that is in the
> interests of the Git
Somewhere upthread, Brian refers to me as a cryptographer. That's
flattering (thank you), but probably not really true even on a good
day. And certainly not true next to Joan Daemen. I do have experience
with crypto at scale and in ecosystems, though.
Joan's count of cryptanalysis papers is a
Dear all,
I wanted to react to some statements I read in this discussion. But
first let me introduce myself. I'm Joan Daemen and I'm working in
symmetric cryptography since 1988. Vincent Rijmen and I designed
Rijndael that was selected to become AES and Guido Bertoni, Michael
Peeters and Gilles
On Sun, 22 Jul 2018 14:21:48 +, brian m. carlson wrote:
> On Sun, Jul 22, 2018 at 11:34:42AM +0200, Eric Deplagne wrote:
> > On Sat, 21 Jul 2018 23:59:41 +, brian m. carlson wrote:
> > > I don't know your colleagues, and they haven't commented here. One
> > > person that has commented
On Sun, Jul 22, 2018 at 11:34:42AM +0200, Eric Deplagne wrote:
> On Sat, 21 Jul 2018 23:59:41 +, brian m. carlson wrote:
> > I don't know your colleagues, and they haven't commented here. One
> > person that has commented here is Adam Langley. It is my impression
> > (and anyone is free to
On Sat, 21 Jul 2018 23:59:41 +, brian m. carlson wrote:
> On Sun, Jul 22, 2018 at 12:38:41AM +0200, Johannes Schindelin wrote:
> > Do you really want to value contributors' opinion more than
> > cryptographers'? I mean, that's exactly what got us into this hard-coded
> > SHA-1 mess in the
On Sun, Jul 22, 2018 at 12:38:41AM +0200, Johannes Schindelin wrote:
> Do you really want to value contributors' opinion more than
> cryptographers'? I mean, that's exactly what got us into this hard-coded
> SHA-1 mess in the first place.
I agree (believe me, of all people, I agree) that
On Sat, Jul 21, 2018 at 3:39 PM Johannes Schindelin
wrote:
>
> Do you really want to value contributors' opinion more than
> cryptographers'? I mean, that's exactly what got us into this hard-coded
> SHA-1 mess in the first place.
Don't be silly.
Other real cryptographers consider SHA256 to be
Hi Brian,
On Fri, 20 Jul 2018, brian m. carlson wrote:
> On Mon, Jun 11, 2018 at 12:29:42PM -0700, Jonathan Nieder wrote:
> > My understanding of the discussion so far:
> >
> > Keccak team encourages us[1] to consider a variant like K12 instead of
> > SHA3.
> >
> > AGL explains[2] that the
On Sat, Jul 21, 2018 at 09:52:05PM +0200, Ævar Arnfjörð Bjarmason wrote:
>
> On Fri, Jul 20 2018, brian m. carlson wrote:
> > I know this discussion has sort of petered out, but I'd like to see if
> > we can revive it. I'm writing index v3 and having a decision would help
> > me write tests for
On Fri, Jul 20 2018, brian m. carlson wrote:
> On Mon, Jun 11, 2018 at 12:29:42PM -0700, Jonathan Nieder wrote:
>> My understanding of the discussion so far:
>>
>> Keccak team encourages us[1] to consider a variant like K12 instead of
>> SHA3.
>>
>> AGL explains[2] that the algorithms
Hi,
brian m. carlson wrote:
> I know this discussion has sort of petered out, but I'd like to see if
> we can revive it. I'm writing index v3 and having a decision would help
> me write tests for it.
Nice! That's awesome.
> To summarize the discussion that's been had in addition to the
On Mon, Jun 11, 2018 at 12:29:42PM -0700, Jonathan Nieder wrote:
> My understanding of the discussion so far:
>
> Keccak team encourages us[1] to consider a variant like K12 instead of
> SHA3.
>
> AGL explains[2] that the algorithms considered all seem like
> reasonable choices and we should
On Mon, Jun 11, 2018 at 11:19:10PM +0200, Ævar Arnfjörð Bjarmason wrote:
> This is a great summary. Thanks.
>
> In case it's not apparent from what follows, I have a bias towards
> SHA-256. Reasons for that, to summarize some of the discussion the last
> time around[1], and to add more details:
Hi Ævar,
On Mon, 11 Jun 2018, Ævar Arnfjörð Bjarmason wrote:
> On Sat, Jun 09 2018, brian m. carlson wrote:
>
> [Expanding the CC list to what we had in the last "what hash" thread[1]
> last year].
>
> > == Discussion of Candidates
> >
> > I've implemented and tested the following algorithms,
On 14/06/18 01:58, brian m. carlson wrote:
>>> I imported the optimized 64-bit implementation of KangarooTwelve.
>>> The AVX2 implementation was not considered for licensing reasons
>>> (it's partially generated from external code, which falls foul of
>>> the GPL's "preferred form for
On Tue, Jun 12, 2018 at 06:21:21PM +0200, Gilles Van Assche wrote:
> Hi,
>
> On 10/06/18 00:49, brian m. carlson wrote:
> > I imported the optimized 64-bit implementation of KangarooTwelve. The
> > AVX2 implementation was not considered for licensing reasons (it's
> > partially generated from
Hi,
On 10/06/18 00:49, brian m. carlson wrote:
> I imported the optimized 64-bit implementation of KangarooTwelve. The
> AVX2 implementation was not considered for licensing reasons (it's
> partially generated from external code, which falls foul of the GPL's
> "preferred form for modifications"
On Mon, Jun 11, 2018 at 4:27 PM Ævar Arnfjörð Bjarmason
wrote:
> >
> > And no, I'm not a cryptographer. But honestly, length extension
> > attacks were how both md5 and sha1 were broken in practice, so I'm
> > just going "why would we go with a crypto choice that has that known
> > weakness?
On Tue, 12 Jun 2018, Ævar Arnfjörð Bjarmason wrote:
From a performance standpoint, I have to say (once more) that crypto
performance actually mattered a lot less than I originally thought it
would. Yes, there are phases that do care, but they are rare.
One real-world case is rebasing[1]. As
On Mon, Jun 11 2018, Linus Torvalds wrote:
> On Mon, Jun 11, 2018 at 12:29 PM Jonathan Nieder wrote:
>>
>> Yves Orton and Linus Torvalds prefer[5] SHA3 over SHA2 because of how
>> it is constructed.
>
> Yeah, I really think that it's a mistake to switch to something that
> has the same problem
On Mon, Jun 11, 2018 at 12:29:42PM -0700, Jonathan Nieder wrote:
> brian m. carlson wrote:
>
> > == Discussion of Candidates
> >
> > I've implemented and tested the following algorithms, all of which are
> > 256-bit (in alphabetical order):
>
> Thanks for this. Where can I read your code?
On Sat, Jun 09 2018, brian m. carlson wrote:
[Expanding the CC list to what we had in the last "what hash" thread[1]
last year].
> == Discussion of Candidates
>
> I've implemented and tested the following algorithms, all of which are
> 256-bit (in alphabetical order):
>
> * BLAKE2b (libb2)
> *
On Mon, Jun 11, 2018 at 12:29 PM Jonathan Nieder wrote:
>
> Yves Orton and Linus Torvalds prefer[5] SHA3 over SHA2 because of how
> it is constructed.
Yeah, I really think that it's a mistake to switch to something that
has the same problem SHA1 had.
That doesn't necessarily mean SHA3, but it
Hi,
brian m. carlson wrote:
> == Discussion of Candidates
>
> I've implemented and tested the following algorithms, all of which are
> 256-bit (in alphabetical order):
Thanks for this. Where can I read your code?
[...]
> I also rejected some other candidates. I couldn't find any reference or
== Discussion of Candidates
I've implemented and tested the following algorithms, all of which are
256-bit (in alphabetical order):
* BLAKE2b (libb2)
* BLAKE2bp (libb2)
* KangarooTwelve (imported from the Keccak Code Package)
* SHA-256 (OpenSSL)
* SHA-512/256 (OpenSSL)
* SHA3-256 (OpenSSL)
*
44 matches