1 |
On 10/24/2017 00:11, Michał Górny wrote: |
2 |
> W dniu wto, 24.10.2017 o godzinie 06∶04 +0200, użytkownik Michał Górny |
3 |
> napisał: |
4 |
|
5 |
[snip] |
6 |
|
7 |
>>> [BOBO06] is relevant research here, I cited it in the work that went into |
8 |
>>> GLEP59, the last time we updated the hashes. The less-technical explanation of it is: |
9 |
>>> "If you can express the output of H1(x)H2(x) in LESS bits than the combined |
10 |
>>> output size of H1,H2, then the attacks get a little bit easier" |
11 |
>>> |
12 |
>>> Some important pieces from it: |
13 |
>>> [J04] "showed that the concatenation of two Merkle-Damgard functions is not |
14 |
>>> much more secure than the individual functions.", but this holds ONLY if |
15 |
>>> the hash functions chosen are of the same construction (MD). |
16 |
>>> Choosing hashes with different constructions (Merkle-Damgard, HAIFA, |
17 |
>>> Sponge) is important, and given a black box environment, |
18 |
>>> |
19 |
>>> The original mail reached the same approximate decision, just to look |
20 |
>>> for diverse hashes, but decided that 2 was enough. |
21 |
>>> |
22 |
>>> Q: What are the odds of a simultaneous successful attack against two hashes? |
23 |
>>> A: IDK, but if the hash functions are truly independent, it must be provably |
24 |
>>> lower than the odds of an attack against a single hash. |
25 |
>> |
26 |
>> We're talking about really huge (→∞) numbers here. It's not a 'random' |
27 |
>> attack against one hash. It's an attack that allows to sneak a malicious |
28 |
>> code with unchanged file size (since we store that too), and no apparent |
29 |
>> side effects (what's the point of spending up that much resources |
30 |
>> if the user is going to notice?). |
31 |
>> |
32 |
>>> Q: What's the big difference between a bug and a successful attack in a hash? |
33 |
>>> A: Bugs are more likely initially, and attacks come later. |
34 |
>> |
35 |
>> Sounds like an entirely abstract point in time ;-). |
36 |
>> |
37 |
>>> All of that said, is there really a significant long-term gain in |
38 |
>>> multiple hashes? (setting aside the short-term advantage in a transition |
39 |
>>> period for changing hashes) |
40 |
>> |
41 |
>> No, and that's my point. One hash is perfectly fine. |
42 |
>> |
43 |
>> Two hashes are useful for transition purposes. If we take two fast |
44 |
>> hashes (e.g. proposed SHA512 + BLAKE2B which have similar speed), |
45 |
>> we can use 2 threads to prevent the speed loss (except for old single- |
46 |
>> core machines). |
47 |
|
48 |
Minor clarification, old single core //and// uni-processor. Some older |
49 |
machines have multiple physical CPUs that are single-core. Threading should be |
50 |
okay on these, as long as the thread count stays under NR_CPUS. |
51 |
|
52 |
I also have a really old single-CPU system, MIPS (obviously). Not the fastest |
53 |
on the block compared to the other equipment I've got, but does anyone know of |
54 |
any simple timing scripts/programs available that can benchmark some of these |
55 |
proposed digest hashes? If they turn out to be reasonably quick on my old |
56 |
machine, I doubt then that speed will be too much of an issue. |
57 |
|
58 |
Also, for whatever hashes we ultimately go with, what are considerations for |
59 |
the userland support for them on non-glibc systems? E.g., are they provided by |
60 |
third-party libraries or do they need implementations in |
61 |
uclibc/uclibc-ng/musl/*? And what about the Alt/BSD side of things? I assume |
62 |
FreeBSD implements this already, but worth verifying with all of the |
63 |
combinations of arches/libc's/kernels and whatnot. I mean, there still might |
64 |
be a lonely m68k install out there... |
65 |
|
66 |
-- |
67 |
Joshua Kinard |
68 |
Gentoo/MIPS |
69 |
kumba@g.o |
70 |
6144R/F5C6C943 2015-04-27 |
71 |
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943 |
72 |
|
73 |
"The past tempts us, the present confuses us, the future frightens us. And our |
74 |
lives slip away, moment by moment, lost in that vast, terrible in-between." |
75 |
|
76 |
--Emperor Turhan, Centauri Republic |