[openssl-dev] [openssl.org #3897] request: add BLAKE2 hash function (let's kill md5sum!)

Bill Cox waywardgeek at google.com
Tue Jun 9 16:33:51 UTC 2015


On Mon, Jun 8, 2015 at 10:02 PM, Yoav Nir <ynir.ietf at gmail.com> wrote:

>
> > On Jun 9, 2015, at 4:07 AM, Zooko Wilcox-OHearn <zooko at leastauthority.com> wrote:
> >
> > On Tue, Jun 9, 2015 at 12:57 AM, Salz, Rich <rsalz at akamai.com> wrote:
> >> So if you're going to replace md5sum... which one should you use?
> >> Which ONE HASH should replace MD5?
> >
> > I'd suggest blake2sp. It's currently the fastest on my machine, and I
> > guess that there will often be multiple cores in systems where hash
> > performance matters (i.e. hashing large files or many files).
>
> As a replacement for md5sum (like it says in the title) - I agree.
>
> If we also want blake for protocols (like TLS_RSA_WITH_AES_128_GCM_BLAKE
> or something), the non-parallel versions would be more suitable.
>
> Yoav


Zooko only asked for supporting Blake2 as an MD5 replacement, but he's
being too modest.  I can't stress enough how important the speed of Blake2
is.  Even at its default of 12 rounds (6 is probably perfectly secure from
what I've heard), it stomps every other hash function.  This will make a
big difference for the future of crypto, making it more usable and
accessible in the real world.  I personally will only use SHA256/SHA512 in
the future when speed is absolutely a non-issue.  Blake2 is simply better.

Here are my dumb thoughts about why OpenSSL should support more modern hashes
like Blake2, rather than keeping things simple by relying on older crypto.

OpenSSL has become the crypto platform of choice for crypto algorithms.
For example, in considering how to rewrite TrueCrypt, replacing its custom
crypto with OpenSSL is a no-brainer.  OpenSSL has more options, better
timing attack resistance, faster implementations, more real-world testing,
etc.  The Password Hashing Competition's call for submissions said,
"OpenSSL's libcrypto may be used (e.g. for AES, SHA-256)."  If you wanted
to include any crypto not in OpenSSL, you were required to submit the
source code.  OpenSSL is where crypto algorithms go to grow up, and if an
algorithm is not there, people assume it's not ready for prime-time.

I think this is a role OpenSSL should embrace.  In the race to be the
world's #1 crypto library, OpenSSL won.  To extend its lead, OpenSSL needs
to add modern algorithms like Blake2, SHA3, and ChaCha.  This is where I
imagine OpenSSL continuing to evolve and thrive, even if forks like
LibreSSL become popular.

The world is improved every time OpenSSL makes these difficult calls, and
blesses a new worthy crypto algorithm.  Blake2 seems like a simple call,
based on its performance, pedigree, history, and cryptanalysis.  I'd say
that passing on Blake2 would be a mistake, for both the world and OpenSSL.
The world needs Blake2, and OpenSSL is how that happens.

Bill