| 1 |
On 10/24/2017 00:11, Michał Górny wrote: |
| 2 |
> W dniu wto, 24.10.2017 o godzinie 06∶04 +0200, użytkownik Michał Górny |
| 3 |
> napisał: |
| 4 |
|
| 5 |
[snip] |
| 6 |
|
| 7 |
>>> [BOBO06] is relevant research here, I cited it in the work that went into |
| 8 |
>>> GLEP59, the last time we updated the hashes. The less-technical explanation of it is: |
| 9 |
>>> "If you can express the output of H1(x)H2(x) in LESS bits than the combined |
| 10 |
>>> output size of H1,H2, then the attacks get a little bit easier" |
| 11 |
>>> |
| 12 |
>>> Some important pieces from it: |
| 13 |
>>> [J04] "showed that the concatenation of two Merkle-Damgard functions is not |
| 14 |
>>> much more secure than the individual functions.", but this holds ONLY if |
| 15 |
>>> the hash functions chosen are of the same construction (MD). |
| 16 |
>>> Choosing hashes with different constructions (Merkle-Damgard, HAIFA, |
| 17 |
>>> Sponge) is important, and given a black box environment, |
| 18 |
>>> |
| 19 |
>>> The original mail reached the same approximate decision, just to look |
| 20 |
>>> for diverse hashes, but decided that 2 was enough. |
| 21 |
>>> |
| 22 |
>>> Q: What are the odds of a simultaneous successful attack against two hashes? |
| 23 |
>>> A: IDK, but if the hash functions are truly independent, it must be provably |
| 24 |
>>> lower than the odds of an attack against a single hash. |
| 25 |
>> |
| 26 |
>> We're talking about really huge (→∞) numbers here. It's not a 'random' |
| 27 |
>> attack against one hash. It's an attack that allows to sneak a malicious |
| 28 |
>> code with unchanged file size (since we store that too), and no apparent |
| 29 |
>> side effects (what's the point of spending up that much resources |
| 30 |
>> if the user is going to notice?). |
| 31 |
>> |
| 32 |
>>> Q: What's the big difference between a bug and a successful attack in a hash? |
| 33 |
>>> A: Bugs are more likely initially, and attacks come later. |
| 34 |
>> |
| 35 |
>> Sounds like an entirely abstract point in time ;-). |
| 36 |
>> |
| 37 |
>>> All of that said, is there really a significant long-term gain in |
| 38 |
>>> multiple hashes? (setting aside the short-term advantage in a transition |
| 39 |
>>> period for changing hashes) |
| 40 |
>> |
| 41 |
>> No, and that's my point. One hash is perfectly fine. |
| 42 |
>> |
| 43 |
>> Two hashes are useful for transition purposes. If we take two fast |
| 44 |
>> hashes (e.g. proposed SHA512 + BLAKE2B which have similar speed), |
| 45 |
>> we can use 2 threads to prevent the speed loss (except for old single- |
| 46 |
>> core machines). |
| 47 |
|
| 48 |
Minor clarification, old single core //and// uni-processor. Some older |
| 49 |
machines have multiple physical CPUs that are single-core. Threading should be |
| 50 |
okay on these, as long as the thread count stays under NR_CPUS. |
| 51 |
|
| 52 |
I also have a really old single-CPU system, MIPS (obviously). Not the fastest |
| 53 |
on the block compared to the other equipment I've got, but does anyone know of |
| 54 |
any simple timing scripts/programs available that can benchmark some of these |
| 55 |
proposed digest hashes? If they turn out to be reasonably quick on my old |
| 56 |
machine, I doubt then that speed will be too much of an issue. |
| 57 |
|
| 58 |
Also, for whatever hashes we ultimately go with, what are considerations for |
| 59 |
the userland support for them on non-glibc systems? E.g., are they provided by |
| 60 |
third-party libraries or do they need implementations in |
| 61 |
uclibc/uclibc-ng/musl/*? And what about the Alt/BSD side of things? I assume |
| 62 |
FreeBSD implements this already, but worth verifying with all of the |
| 63 |
combinations of arches/libc's/kernels and whatnot. I mean, there still might |
| 64 |
be a lonely m68k install out there... |
| 65 |
|
| 66 |
-- |
| 67 |
Joshua Kinard |
| 68 |
Gentoo/MIPS |
| 69 |
kumba@g.o |
| 70 |
6144R/F5C6C943 2015-04-27 |
| 71 |
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943 |
| 72 |
|
| 73 |
"The past tempts us, the present confuses us, the future frightens us. And our |
| 74 |
lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 75 |
|
| 76 |
--Emperor Turhan, Centauri Republic |
Archives