[darcs-devel] [Haskell-cafe] Re: announcing darcs 2.0.0pre3
droundy at darcs.net
Wed Jan 23 17:08:37 EST 2008
On Wed, Jan 23, 2008 at 02:55:06PM -0700, zooko wrote:
> I have to ask: why does darcs use SHA-1?
> On the one hand, SHA-1 is cryptographically fragile and is deprecated
> for use in applications that require collision-resistance and pre-
> image resistance. SHA-2 is the current standard for those
> applications (SHA-2 is about twice as expensive in CPU ), and
> SHA-3 is under development.
> On the other hand, why does darcs need a cryptographically secure
> hash function at all? Wouldn't MD5 or a sufficiently wide CRC, such
> as the one used in ZFS , do just as well? They would certainly be
> a lot faster to compute.
> Is there some behavior on the part of some malicious actor that darcs
> tries to prevent, such that the collision-resistance (such as it is)
> of SHA-1 is necessary to prevent it?
It's mostly historical, but also supported by the assumption that Linus
thought about it when *he* decided to use sha1 for the same purpose. In
principle it is good to provide a cryptographically secure hash, as this
allows users to sign their repositories by signing a single file, which
seems like it's potentially quite a useful feature. On the other hand,
using sha2, which is twice as expensive (and twice as large, right) would
perhaps be too costly. I don't know. SHA-2 would cost more in disk space
and network bandwidth, as well as in CPU time.
Is SHA-1 optimal? I don't know. Is it reasonable? I suspect so.
Department of Physics
Oregon State University
More information about the Haskell-Cafe