1 |
W dniu nie, 12.11.2017 o godzinie 21∶22 -0500, użytkownik Joshua Kinard |
2 |
napisał: |
3 |
> On 10/24/2017 00:11, Michał Górny wrote: |
4 |
> > W dniu wto, 24.10.2017 o godzinie 06∶04 +0200, użytkownik Michał Górny |
5 |
> > napisał: |
6 |
> |
7 |
> [snip] |
8 |
> |
9 |
> > > > [BOBO06] is relevant research here, I cited it in the work that went into |
10 |
> > > > GLEP59, the last time we updated the hashes. The less-technical explanation of it is: |
11 |
> > > > "If you can express the output of H1(x)H2(x) in LESS bits than the combined |
12 |
> > > > output size of H1,H2, then the attacks get a little bit easier" |
13 |
> > > > |
14 |
> > > > Some important pieces from it: |
15 |
> > > > [J04] "showed that the concatenation of two Merkle-Damgard functions is not |
16 |
> > > > much more secure than the individual functions.", but this holds ONLY if |
17 |
> > > > the hash functions chosen are of the same construction (MD). |
18 |
> > > > Choosing hashes with different constructions (Merkle-Damgard, HAIFA, |
19 |
> > > > Sponge) is important, and given a black box environment, |
20 |
> > > > |
21 |
> > > > The original mail reached the same approximate decision, just to look |
22 |
> > > > for diverse hashes, but decided that 2 was enough. |
23 |
> > > > |
24 |
> > > > Q: What are the odds of a simultaneous successful attack against two hashes? |
25 |
> > > > A: IDK, but if the hash functions are truly independent, it must be provably |
26 |
> > > > lower than the odds of an attack against a single hash. |
27 |
> > > |
28 |
> > > We're talking about really huge (→∞) numbers here. It's not a 'random' |
29 |
> > > attack against one hash. It's an attack that allows to sneak a malicious |
30 |
> > > code with unchanged file size (since we store that too), and no apparent |
31 |
> > > side effects (what's the point of spending up that much resources |
32 |
> > > if the user is going to notice?). |
33 |
> > > |
34 |
> > > > Q: What's the big difference between a bug and a successful attack in a hash? |
35 |
> > > > A: Bugs are more likely initially, and attacks come later. |
36 |
> > > |
37 |
> > > Sounds like an entirely abstract point in time ;-). |
38 |
> > > |
39 |
> > > > All of that said, is there really a significant long-term gain in |
40 |
> > > > multiple hashes? (setting aside the short-term advantage in a transition |
41 |
> > > > period for changing hashes) |
42 |
> > > |
43 |
> > > No, and that's my point. One hash is perfectly fine. |
44 |
> > > |
45 |
> > > Two hashes are useful for transition purposes. If we take two fast |
46 |
> > > hashes (e.g. proposed SHA512 + BLAKE2B which have similar speed), |
47 |
> > > we can use 2 threads to prevent the speed loss (except for old single- |
48 |
> > > core machines). |
49 |
> |
50 |
> Minor clarification, old single core //and// uni-processor. Some older |
51 |
> machines have multiple physical CPUs that are single-core. Threading should be |
52 |
> okay on these, as long as the thread count stays under NR_CPUS. |
53 |
> |
54 |
> I also have a really old single-CPU system, MIPS (obviously). Not the fastest |
55 |
> on the block compared to the other equipment I've got, but does anyone know of |
56 |
> any simple timing scripts/programs available that can benchmark some of these |
57 |
> proposed digest hashes? If they turn out to be reasonably quick on my old |
58 |
> machine, I doubt then that speed will be too much of an issue. |
59 |
|
60 |
You could play with utils/benchmark.py inside gemato [1]. Note that it's |
61 |
not very precise though but should give a rough measurement. Also note |
62 |
that it is suited for one big file while we mostly deal with a lot of |
63 |
small files and that changes things a bit. |
64 |
|
65 |
[1]:https://github.com/mgorny/gemato |
66 |
|
67 |
> Also, for whatever hashes we ultimately go with, what are considerations for |
68 |
> the userland support for them on non-glibc systems? E.g., are they provided by |
69 |
> third-party libraries or do they need implementations in |
70 |
> uclibc/uclibc-ng/musl/*? And what about the Alt/BSD side of things? I assume |
71 |
> FreeBSD implements this already, but worth verifying with all of the |
72 |
> combinations of arches/libc's/kernels and whatnot. I mean, there still might |
73 |
> be a lonely m68k install out there... |
74 |
|
75 |
We've selected the hashes that are guaranteed to be included in CPython |
76 |
3.6+. For older versions of Python, we are using the Python extension |
77 |
based on the reference implementation (just like the code in CPython) |
78 |
pyblake2. |
79 |
|
80 |
-- |
81 |
Best regards, |
82 |
Michał Górny |