Blake2 is in coreutils already, provides an excellent security margin, and is considerably faster than both sha2 and sha3.
On Oct 19, 2017 21:09, "Michał Górny" <mgo...@gentoo.org> wrote:
> Hi, everyone.
>
> The previous discussion on Manifest2 hashes pretty much died away
> pending fixes to Portage. Since Portage was fixed a while ago, and we
> can now safely switch, I'd like to reboot the discussion before
> submitting the item for the next Council meeting.
>
> Considering all arguments made so far, I'd like to propose changing:
>
> manifest-hashes = SHA256 SHA512 WHIRLPOOL
>
> to:
>
> manifest-hashes = SHA512 SHA3_512
>
> In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512.
>
>
> Rationale
> ---------
>
> 1. The main argument for using multiple hashes is to prevent the (very
> unlikely) possibility that if a weakness is discovered in one of
> the hashes, the other would still hold. This is given by using two
> algorithms; more than two do not increase security significantly, while
> they do increase performance cost.
>
> 2. For the above to hold, the hashes should be diverse. SHA256
> and SHA512 are the same algorithm, so a weakness discovered in either
> would probably apply to both -- keeping both does not make sense at all.
> Furthermore, both SHA2 and WHIRLPOOL use the same construct (MD), so
> a weakness in the construct would apply to both.
>
> 3. Keeping one of the three old hashes is necessary for compatibility
> reasons. Furthermore, the current versions of Portage consider SHA512
> obligatory, so we can't remove it without redesigning Portage first
> (though I think this applies only to developer installs, i.e. those
> creating Manifests).
>
> 4. The new hashes that are stronger and commonly available are
> SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse from
> our current algorithms, so either is a good candidate. The choice of
> Keccak is purely arbitrary (because it's the winner?).
>
> All the above considered, I think it's most reasonable to use two hashes
> with diverse constructs. SHA512 needs to be one of them, for
> compatibility reasons. The other could be either SHA3_512 or BLAKE2B,
> as a strong, future-proof hash. SHA3 is probably a better choice because
> it's going to have more support as the official recommendation.
>
> --
> Best regards,
> Michał Górny
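As an added illustration (not code from the thread or from Portage), the following Python sketch builds and checks a Manifest-style entry with the two-hash policy the proposal describes: every recorded hash must match, so defeating the check would require a simultaneous collision in SHA512 and SHA3_512 (or BLAKE2B). The `TYPE NAME SIZE HASH HEX ...` line layout and the hash-name mapping are my simplifying assumptions; the sample distfile contents are constructed.

```python
import hashlib
import hmac

# Assumed mapping from the hash names used in manifest-hashes to hashlib
# constructors. WHIRLPOOL is absent because hashlib does not ship it.
HASH_ALGOS = {
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
    "SHA3_512": hashlib.sha3_512,
    "BLAKE2B": hashlib.blake2b,
}

def manifest_entry(kind, name, data, hashes=("SHA512", "SHA3_512")):
    """Build an assumed Manifest-style line: TYPE NAME SIZE HASH1 HEX1 HASH2 HEX2 ..."""
    fields = [kind, name, str(len(data))]
    for h in hashes:
        fields += [h, HASH_ALGOS[h](data).hexdigest()]
    return " ".join(fields)

def verify_entry(line, data, required=("SHA512",)):
    """True only if size matches, every required hash is present, and
    every recorded hash (known to us) matches the data."""
    kind, name, size, *rest = line.split()
    if int(size) != len(data) or len(rest) % 2:
        return False
    recorded = dict(zip(rest[0::2], rest[1::2]))
    if not set(required) <= recorded.keys():
        return False  # e.g. Portage treats SHA512 as obligatory
    # All-must-match: one surviving algorithm is enough to catch tampering
    # even if the other has been broken.
    return all(
        algo in HASH_ALGOS
        and hmac.compare_digest(HASH_ALGOS[algo](data).hexdigest(), hexd)
        for algo, hexd in recorded.items()
    )

# Constructed sample distfile contents, not a real Gentoo distfile.
SAMPLE = b"constructed sample distfile contents\n"

def tampered_entry():
    """Entry whose SHA512 is correct for SAMPLE but whose SHA3_512 is
    computed over different bytes: must be rejected."""
    good = manifest_entry("DIST", "foo-1.0.tar.gz", SAMPLE, ("SHA512",))
    bad_sha3 = hashlib.sha3_512(SAMPLE + b"x").hexdigest()
    return good + " SHA3_512 " + bad_sha3

if __name__ == "__main__":
    entry = manifest_entry("DIST", "foo-1.0.tar.gz", SAMPLE)
    print(entry)
    print("verify:", verify_entry(entry, SAMPLE))
    print("tampered:", verify_entry(tampered_entry(), SAMPLE))
```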