1 |
Blake2 is in coreutils already, provides an excellent security margin, and |
2 |
is considerably faster than both sha2 and sha3. |
3 |
|
4 |
On Oct 19, 2017 21:09, "Michał Górny" <mgorny@g.o> wrote: |
5 |
|
6 |
> Hi, everyone. |
7 |
> |
8 |
> The previous discussion on Manifest2 hashes pretty much died away |
9 |
> pending fixes to Portage. Since Portage was fixed a while ago, and we |
10 |
> can now safely switch, I'd like to reboot the discussion before |
11 |
> submitting the item for the next Council meeting. |
12 |
> |
13 |
> Considering all arguments made so far, I'd like to propose changing: |
14 |
> |
15 |
> manifest-hashes = SHA256 SHA512 WHIRLPOOL |
16 |
> |
17 |
> to: |
18 |
> |
19 |
> manifest-hashes = SHA512 SHA3_512 |
20 |
> |
21 |
> In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512. |
22 |
> |
23 |
> |
24 |
> Rationale |
25 |
> --------- |
26 |
> |
27 |
> 1. The main argument for using multiple hashes is to prevent the (very |
28 |
> unlikely) possibility that if a weakness is discovered in one of |
29 |
> the hashes, the other would still hold. This is given by using two |
30 |
> algorithms; more than two do not increase security significantly, while |
31 |
> they do increase performance cost. |
32 |
> |
33 |
> 2. For the above to hold, the hashes should be diverse. SHA256 |
34 |
> and SHA512 are the same algorithm, so a weakness discovered in either |
35 |
> would probably apply to both -- keeping both does not make sense at all. |
36 |
> Furthermore, both SHA2 and WHIRLPOOL use the same construct (MD), so |
37 |
> a weakness in the construct would apply to both. |
38 |
> |
39 |
> 3. Keeping one of the three old hashes is necessary for compatibility |
40 |
> reasons. Furthermore, the current versions of Portage consider SHA512 |
41 |
> obligatory, so we can't remove it without redesigning Portage first |
42 |
> (though I think this applies only to developer installs, i.e. those |
43 |
> creating Manifests). |
44 |
> |
45 |
> 4. The new hashes that are stronger and commonly available are |
46 |
> SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse from |
47 |
> our current algorithms, so either is a good candidate. The choice of |
48 |
> Keccak is purely arbitrary (because it's the winner?). |
49 |
> |
50 |
> All the above considered, I think it's most reasonable to use two hashes |
51 |
> with diverse constructs. SHA512 needs to be one of them, for |
52 |
> compatibility reasons. The other could be either SHA3_512 or BLAKE2B, |
53 |
> as a strong, future-proof hash. SHA3 is probably a better choice because |
54 |
> it's going to have more support as the official recommendation. |
55 |
> |
56 |
> -- |
57 |
> Best regards, |
58 |
> Michał Górny |
59 |
> |
60 |
> |
61 |
> |