On Jan 14, 2011, at 14:32, Peter Taps wrote:

> Also, another related question. Why 256 bits was chosen and not 128 bits or 
> 512 bits? I guess Sha512 may be an overkill. In your formula, how many blocks 
> of data would be needed to have one collision using Sha128?


There are two ways to get 128 bits: use a 128-bit function (e.g., MD5), or use 
a longer function and truncate its output.

In the case of MD5, it has been depreciated for a while now because of 
collisions. [1] Similarly 160-bit hash functions are getting collisions as well 
(SHA-1). [2] So the next step up is generally 256 (though there are a few 
224-bit-output hashes out there).

However, if you're going to use to 256-bit hash functions, why throw away half 
of security if you've already done all the work to get those 256 bits? Might as 
well use all the bits and get extra security.

Using a 512-bit hash function was probably deemed as "too expensive" for CPUs 
at this time. There's also the fact that things are a bit in flux currently, as 
there's a competition to find the official (US) 'next generation' hash 
function. [3] And while it official-ness is mostly a US (military) thing, it 
will probably become a de facto standard in many other countries and industries.

For the proverbial "sha128", you'd roughly need only half the blocks of data 
before getting a collision as compared to SHA-256. The math is left as an 
exercise for the reader.

[1] http://en.wikipedia.org/wiki/MD5#Security
[2] http://en.wikipedia.org/wiki/SHA-1#SHA-1
[3] http://en.wikipedia.org/wiki/SHA-3
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss

Reply via email to