-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace SHA256 with BLAKE2 everywhere #706
Comments
Let's use BLAKE2s (instead of BLAKE2b or something else). |
A good reason why you shouldn't: SHA256 has pervasive hardware support. |
I don't see a strong motivation for this. Enumerating all the options, we have:
None of the Blake2s options (3 to 6) look attractive to me. |
An additional downside from deviating from Bitcoin in this respect is that some tools which use these hashes for various purposes would have to be updated to work with our system. |
@ebfull: can you give an example of a tool, using SHA256 (probably because it was designed for Bitcoin), which would need to be changed if we used BLAKE2s instead of SHA256 in Zcash? |
For generating tx ids from from serialized txs. ie. tx_id = sha256(sha256(txhex) with javascript, python etc. Parsing transactions in other languages is a common thing |
I was thinking of lightning network "commitments" which are used to create multiparty bi-directional channels. These use SHA256 in the scripting system. However, we don't necessarily have to remove SHA256 there, we can just add BLAKE2 as an alternative, so that point is a little moot. Other than that, what @zmanian said also applies, but I can't think of anything else. |
I really strongly prefer BLAKE2 over SHA256. Here are at least some of
In short, BLAKE2 already offers better security and performance, and I I would like to ban SHA256 from the Zcash codebase. We should use |
I think it's easy to make a strong case for BLAKE over SHA-256 with the only downside being "widespread support." What is the case for BLAKE over Keccak/SHA3 though? There are some pros and cons of Keccak vs. BLAKE, but if we laid them all would we end up making a different conclusion than the SHA3 competition did? Also even if it is close, by virtue of Keccak's previous win it will (over time) have much more widespread support. I think the right debate to have is not BLAKE vs. SHA-256 but BLAKE vs. SHA3. |
Thanks for the comment, @jcb82! I don't agree that SHA3 is a good candidate. It's very inefficient in the two contexts we care about — inside libsnark and in software on ARM chips — and it doesn't have any major advantages for us that could compensate for that. Even if you're right that SHA3 will have the most widespread support, we don't need the most widespread support! We just need adequate security analysis and implementation support, which BLAKE2 already has. |
I'd suggest the following phased replacement strategy for SHA256.
It would be cool to publicize notice of pull requests acceptance for each of the proposed phases. 2 especially contains a bunch of low hanging fruit. |
Thanks, @zmanian — that seems like a very good proposal! |
Better performance in libsnark is a legitimate reason to prefer BLAKE over SHA3. I have no idea how they compare but if that's well established then it's a reasonable choice. I don't think hardware support on ARM will matter much in the long run. |
I'm not flatly opposed to Blake2s (I do think it's a better algorithm than SHA-256 in many technical aspects), but I'd just like to reiterate that writing and reviewing another hash implementation in libsnark will be difficult, time-consuming, and error-prone. There are many other improvements and necessary security fixes that I'd give a much higher priority than switching to Blake2s, since there is nothing actually wrong with SHA-256 for this use. |
Incidentally, I believe that NSA's semi-deprecation of SHA-256 was purely motivated by quantum resistance, and what they were recommending instead was SHA[2 or 3]-384 and -512. (The link is broken so I wasn't able to confirm that.) They're probably wrong about 384-bit hashes being necessary for quantum resistance, as Dan Bernstein has argued. [Edit: he actually argued that the Brassard-Høyer-Tapp algorithm doesn't provide an attack improving on classical methods.] Besides, Zcash can't aim for quantum resistance (yet) because there is no known practical and quantum-resistant zkSNARK construction. |
If you liked this ticket, you might like zcash/zips#36 (comment) |
Sapling essentially does this. The remaining uses of SHA-256 are only in Sprout and things inherited from Bitcoin, like the difficulty filter. So I'm going to consider this ticket fixed. |
Anywhere we use SHA256, let's replace it with BLAKE2 or come up with a good reason why we shouldn't.
One exception is the circuit where more factors come into play, see #705.
The text was updated successfully, but these errors were encountered: