← Back to team overview

mimblewimble team mailing list archive

Switch to Blake2


Hi all,
I originally picked SHA3 (Keccak) for all hashing in grin [1]. The advantages of SHA3 over SHA256 are numerous (more modern design, less known weaknesses, designed independently from NSA, well studied and long review process, etc.) which motivated my original decision. However it turns out that in practice, SHA3 is on the slower side [2] due to last minute decisions from NIST to increase the security parameters.
We will need a fair amount of hashing operations in grin, as our "transactions" are broken down into inputs, outputs (in which range proofs can be considered separately) and kernels which may all be hashed independently. We also maintain at least one sum tree of the UTXO set. Hashing performance is important to our normal operation.
So I'm considering a switch to the Blake2 [3] hash function. It's extremely fast in software (faster than SHA256 and even MD5), has been shown to be as secure as SHA3, was designed independently and has been widely reviewed.
Any strong opposition or concerns?
- Igno
[1] https://github.com/ignopeverell/grin/blob/master/core/src/core/hash.rs#L153
[2] https://www.imperialviolet.org/2017/05/31/skipsha3.html
[3] https://blake2.net

Follow ups