[darcs-devel] [Haskell-cafe] Re: announcing darcs 2.0.0pre3
zooko
zooko at zooko.com
Wed Jan 23 16:55:06 EST 2008
I have to ask: why does darcs use SHA-1?
On the one hand, SHA-1 is cryptographically fragile and is deprecated
for use in applications that require collision-resistance and pre-image resistance. SHA-2 is the current standard for those
applications (SHA-2 is about twice as expensive in CPU [1]), and
SHA-3 is under development.
On the other hand, why does darcs need a cryptographically secure
hash function at all? Wouldn't MD5 or a sufficiently wide CRC, such
as the one used in ZFS [2], do just as well? They would certainly be
a lot faster to compute.
Is there some behavior on the part of some malicious actor that darcs
tries to prevent, such that the collision-resistance (such as it is)
of SHA-1 is necessary to prevent it?
Regards,
Zooko
[1] http://cryptopp.com/benchmarks.html
[2] http://blogs.sun.com/bonwick/entry/zfs_end_to_end_data
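A worked illustration of the "sufficiently wide" question above, added here and not part of Zooko's message or of darcs: a content-addressed store keyed by a 32-bit CRC collides on honest, random content after a few hundred thousand objects (the birthday bound), while the same store keyed by 256-bit SHA-2 does not. All names and the seeded 32-byte sample blobs are constructed for this example; it measures accidental collisions only, and says nothing about the separate property the message asks about last, resistance to a malicious author deliberately crafting colliding content.

```python
"""Birthday-bound check of digest width in a content-addressed store."""
import hashlib
import random
import zlib


def crc32_key(data: bytes) -> int:
    """32-bit CRC, standing in for a 'sufficiently wide CRC'."""
    return zlib.crc32(data)


def sha256_key(data: bytes) -> bytes:
    """256-bit SHA-2 digest, the current standard the message refers to."""
    return hashlib.sha256(data).digest()


def find_accidental_collision(key_fn, n_objects: int, seed: int = 1):
    """Insert n_objects random 32-byte blobs into a dict keyed by key_fn(blob).

    Returns (blob_a, blob_b) for the first two distinct blobs that land on the
    same key, or None if every blob got its own key. The blobs come from a
    seeded PRNG (constructed input, nothing adversarial): this is the rate at
    which honest content collides purely because of digest width.
    """
    rng = random.Random(seed)  # fixed seed: the run is reproducible
    store = {}
    for _ in range(n_objects):
        blob = rng.randbytes(32)
        key = key_fn(blob)
        prior = store.get(key)
        if prior is not None and prior != blob:
            return prior, blob
        store[key] = blob
    return None


def compare_widths(n_objects: int = 300_000) -> dict:
    """Fill the same store with CRC-32 keys and with SHA-256 keys.

    With 300k objects a 32-bit key space expects about ten colliding pairs,
    so the CRC run returns a pair; a 256-bit key space expects none.
    """
    return {
        "crc32": find_accidental_collision(crc32_key, n_objects),
        "sha256": find_accidental_collision(sha256_key, n_objects),
    }


if __name__ == "__main__":
    result = compare_widths()
    crc = result["crc32"]
    print("crc32 :", "collision" if crc else "none")
    print("sha256:", "collision" if result["sha256"] else "none")
```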