mimblewimble team mailing list archive

Thread
Date

Switch to Blake2

To: "mimblewimble@xxxxxxxxxxxxxxxxxxx" <mimblewimble@xxxxxxxxxxxxxxxxxxx>
From: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>
Date: Fri, 21 Jul 2017 14:12:44 -0400
Feedback-id: G8oYroY5d92pDGib9ZSQuAzn8O3JuHnC9BYqk1_LZGLiD5_Mc-EkTbswwpCLUOpi1Q3pbIzgCwewBVSqDCwbaw==:Ext:ProtonMail
Reply-to: Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx>

Hi all,
I originally picked SHA3 (Keccak) for all hashing in grin [1]. The advantages of SHA3 over SHA256 are numerous (more modern design, less known weaknesses, designed independently from NSA, well studied and long review process, etc.) which motivated my original decision. However it turns out that in practice, SHA3 is on the slower side [2] due to last minute decisions from NIST to increase the security parameters.
We will need a fair amount of hashing operations in grin, as our "transactions" are broken down into inputs, outputs (in which range proofs can be considered separately) and kernels which may all be hashed independently. We also maintain at least one sum tree of the UTXO set. Hashing performance is important to our normal operation.
So I'm considering a switch to the Blake2 [3] hash function. It's extremely fast in software (faster than SHA256 and even MD5), has been shown to be as secure as SHA3, was designed independently and has been widely reviewed.
Any strong opposition or concerns?
- Igno
[1] https://github.com/ignopeverell/grin/blob/master/core/src/core/hash.rs#L153
[2] https://www.imperialviolet.org/2017/05/31/skipsha3.html
[3] https://blake2.net

Follow ups

Re: Switch to Blake2
From: John Tromp, 2017-07-21
Re: Switch to Blake2
From: Oleg Andreev, 2017-07-21