On Jan 14, 2011, at 14:32, Peter Taps wrote: > Also, another related question. Why 256 bits was chosen and not 128 bits or > 512 bits? I guess Sha512 may be an overkill. In your formula, how many blocks > of data would be needed to have one collision using Sha128?
There are two ways to get 128 bits: use a 128-bit function (e.g., MD5), or use a longer function and truncate its output. In the case of MD5, it has been depreciated for a while now because of collisions. [1] Similarly 160-bit hash functions are getting collisions as well (SHA-1). [2] So the next step up is generally 256 (though there are a few 224-bit-output hashes out there). However, if you're going to use to 256-bit hash functions, why throw away half of security if you've already done all the work to get those 256 bits? Might as well use all the bits and get extra security. Using a 512-bit hash function was probably deemed as "too expensive" for CPUs at this time. There's also the fact that things are a bit in flux currently, as there's a competition to find the official (US) 'next generation' hash function. [3] And while it official-ness is mostly a US (military) thing, it will probably become a de facto standard in many other countries and industries. For the proverbial "sha128", you'd roughly need only half the blocks of data before getting a collision as compared to SHA-256. The math is left as an exercise for the reader. [1] http://en.wikipedia.org/wiki/MD5#Security [2] http://en.wikipedia.org/wiki/SHA-1#SHA-1 [3] http://en.wikipedia.org/wiki/SHA-3 _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
