[darcs-devel] [Haskell-cafe] Re: announcing darcs 2.0.0pre3
David Roundy
droundy at darcs.net
Wed Jan 23 17:08:37 EST 2008
On Wed, Jan 23, 2008 at 02:55:06PM -0700, zooko wrote:
> I have to ask: why does darcs use SHA-1?
>
> On the one hand, SHA-1 is cryptographically fragile and is deprecated
> for use in applications that require collision-resistance and
> pre-image resistance. SHA-2 is the current standard for those
> applications (SHA-2 is about twice as expensive in CPU [1]), and
> SHA-3 is under development.
>
> On the other hand, why does darcs need a cryptographically secure
> hash function at all? Wouldn't MD5 or a sufficiently wide CRC, such
> as the one used in ZFS [2], do just as well? They would certainly be
> a lot faster to compute.
>
> Is there some behavior on the part of some malicious actor that darcs
> tries to prevent, such that the collision-resistance (such as it is)
> of SHA-1 is necessary to prevent it?
It's mostly historical, but also supported by the assumption that Linus
thought about it when *he* decided to use sha1 for the same purpose. In
principle it is good to provide a cryptographically secure hash, as this
allows users to sign their repositories by signing a single file, which
seems like it's potentially quite a useful feature. On the other hand,
using sha2, which is twice as expensive (and twice as large, right) would
perhaps be too costly. I don't know. SHA-2 would cost more in disk space
and network bandwidth, as well as in CPU time.
Is SHA-1 optimal? I don't know. Is it reasonable? I suspect so.
--
David Roundy
Department of Physics
Oregon State University
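The "sign a single file" idea in David's reply rests on a hash tree: every patch is identified by a collision-resistant hash of its contents, a manifest lists those hashes, and one signature over the manifest commits to the whole repository. The following Python is an added illustration of that model and is not darcs code; the patch names, patch bodies, manifest format and key are constructed for the example, and HMAC-SHA256 stands in for the public-key signature (for instance a GPG signature) a real repository would carry. It uses SHA-256 rather than SHA-1 so that the stated concern, a second patch body with the same hash still validating against a signed manifest, does not apply to the example itself.

```python
import hashlib
import hmac

# Constructed sample repository: three patch bundles keyed by name.
PATCHES = {
    "20080123-fix-typo": b"hunk ./README 1\n-teh\n+the\n",
    "20080123-add-feature": b"addfile ./Feature.hs\nhunk ./Feature.hs 1\n+module Feature where\n",
    "20080124-bump-version": b"hunk ./darcs.cabal 3\n-version: 2.0.0pre2\n+version: 2.0.0pre3\n",
}

# Constructed signing key; a real deployment would use an asymmetric key pair.
DEMO_KEY = b"constructed-demo-key"


def content_hash(data: bytes) -> str:
    """Content address of one patch. Collision resistance is what makes a
    signature over this value also a commitment to the patch body: if a
    second body with the same hash could be found (trivial for a CRC,
    weakened for SHA-1), a signed manifest would accept it unchanged."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(patches: dict) -> bytes:
    """One line per patch, '<name> <hash>', sorted so the manifest is
    deterministic for a given patch set."""
    lines = [f"{name} {content_hash(data)}" for name, data in sorted(patches.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest: bytes, key: bytes) -> str:
    """Single signature over the manifest file. HMAC stands in for a
    public-key signature; either way, one signed file covers every patch."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_repository(patches: dict, manifest: bytes, signature: str, key: bytes):
    """Check the signature, then check every patch body against the
    manifest. Returns (ok, reason)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"

    expected = {}
    for line in manifest.decode().splitlines():
        name, digest = line.split(" ", 1)
        expected[name] = digest

    # A patch added or removed behind the signer's back changes the set.
    if set(expected) != set(patches):
        return False, "patch set differs from manifest"

    # A patch body edited in place no longer matches its listed hash.
    for name, data in patches.items():
        if content_hash(data) != expected[name]:
            return False, f"content of {name} does not match manifest"
    return True, "ok"


if __name__ == "__main__":
    manifest = build_manifest(PATCHES)
    signature = sign_manifest(manifest, DEMO_KEY)
    print(verify_repository(PATCHES, manifest, signature, DEMO_KEY))

    tampered = dict(PATCHES)
    tampered["20080123-fix-typo"] = b"hunk ./README 1\n-teh\n+teh!\n"
    print(verify_repository(tampered, manifest, signature, DEMO_KEY))
```

The two checks in `verify_repository` are the whole argument for a cryptographic hash: the signature protects the manifest from edits, and the hash protects each patch body from substitution. Swapping `hashlib.sha256` for a checksum such as CRC32 would leave the first check intact but make the second one meaningless, since a substitute body with a matching checksum is easy to produce; that is the property David's reply is buying with the extra CPU, disk and bandwidth cost.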