Re: Which hash function to use, was Re: RFC: Another proposed hash function transition plan
From: Jeff King <hidden>
Date: 2017-06-15 13:01:58
On Thu, Jun 15, 2017 at 08:05:18PM +0900, Mike Hommey wrote:
On Thu, Jun 15, 2017 at 12:30:46PM +0200, Johannes Schindelin wrote:quoted
Footnote *1*: SHA-256, as all hash functions whose output is essentially the entire internal state, are susceptible to a so-called "length extension attack", where the hash of a secret+message can be used to generate the hash of secret+message+piggyback without knowing the secret. This is not the case for Git: only visible data are hashed. The type of attacks Git has to worry about is very different from the length extension attacks, and it is highly unlikely that that weakness of SHA-256 leads to, say, a collision attack.What do the experts think or SHA512/256, which completely removes the concerns over length extension attack? (which I'd argue is better than sweeping them under the carpet)
I don't think it's sweeping them under the carpet. Git does not use the hash as a MAC, so length extension attacks aren't a thing (and even if we later wanted to use the same algorithm as a MAC, the HMAC construction is a well-studied technique for dealing with it). That said, SHA-512 is typically a little faster than SHA-256 on 64-bit platforms. I don't know if that will change with the advent of hardware instructions oriented towards SHA-256. -Peff