
On Wed, Jan 23, 2008 at 02:55:06PM -0700, zooko wrote:
> I have to ask: why does darcs use SHA-1?
>
> On the one hand, SHA-1 is cryptographically fragile and is deprecated for use in applications that require collision-resistance and pre-image resistance. SHA-2 is the current standard for those applications (SHA-2 is about twice as expensive in CPU [1]), and SHA-3 is under development.
>
> On the other hand, why does darcs need a cryptographically secure hash function at all? Wouldn't MD5 or a sufficiently wide CRC, such as the one used in ZFS [2], do just as well? They would certainly be a lot faster to compute.
>
> Is there some behavior on the part of some malicious actor that darcs tries to prevent, such that the collision-resistance (such as it is) of SHA-1 is necessary to prevent it?
It's mostly historical, but also supported by the assumption that Linus thought about it when *he* decided to use sha1 for the same purpose. In principle it is good to provide a cryptographically secure hash, as this allows users to sign their repositories by signing a single file, which seems like it's potentially quite a useful feature. On the other hand, using sha2, which is twice as expensive (and twice as large, right) would perhaps be too costly. I don't know. SHA-2 would cost more in disk space and network bandwidth, as well as in CPU time. Is SHA-1 optimal? I don't know. Is it reasonable? I suspect so.

-- 
David Roundy
Department of Physics
Oregon State University
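An added illustration of the point both messages turn on, that signing a single inventory file only protects the whole repository if the patch ids in it are collision-resistant. This is example code, not darcs's own format or either poster's code; the store model, the function names and the "patch-N" search space are assumptions.

```python
import hashlib
import zlib

# Assumed, simplified model of a content-addressed store (not darcs's real layout):
# each patch is stored under its id, the inventory lists the ids in order, and
# "signing the repository" means signing that one inventory file.

def sha256_id(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def crc32_id(data: bytes) -> str:
    return "%08x" % zlib.crc32(data)

def inventory(patches, hash_id) -> bytes:
    """The single file a user would sign: one id per patch, in order."""
    return "\n".join(hash_id(p) for p in patches).encode()

def verify(patches, signed_inventory, hash_id) -> bool:
    """Recompute the inventory from the patches actually present and compare
    it with the signed copy (signature checking itself is elided here)."""
    return inventory(patches, hash_id) == signed_inventory

def find_crc32_collision():
    """Birthday search over constructed inputs b"patch-0", b"patch-1", ...
    until two distinct strings share a CRC-32.  A 32-bit checksum collides
    after roughly 2^16 candidates, so this finishes in well under a second."""
    seen = {}
    i = 0
    while True:
        cand = b"patch-%d" % i
        c = zlib.crc32(cand)
        if c in seen:
            return seen[c], cand
        seen[c] = cand
        i += 1

def substitution_detected(hash_id) -> bool:
    """Sign an inventory over the original patches, then replace one patch with a
    different byte string that has the same CRC-32.  Returns True if verification
    against the signed inventory notices the swap under the given id function."""
    original, replacement = find_crc32_collision()
    patches = [b"first patch", original, b"third patch"]
    signed = inventory(patches, hash_id)
    tampered = [b"first patch", replacement, b"third patch"]
    return not verify(tampered, signed, hash_id)
```

With `crc32_id` the swapped patch produces the same inventory bytes, so the signature still checks out and the substitution goes unnoticed; with `sha256_id` the recomputed inventory differs and verification fails, which is the property that makes signing one file meaningful.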