mimblewimble team mailing list archive
Mailing list archive
Re: Switch to Blake2
My apologies for bike shedding, but have you considered SHAKE128? It uses the same Keccak function but with saner (faster) parameters and you use the extensible output for simpler generation of several blinding factors, forged elements etc.
> On 21 Jul 2017, at 21:12, Ignotus Peverell <igno.peverell@xxxxxxxxxxxxxx> wrote:
> Hi all,
> I originally picked SHA3 (Keccak) for all hashing in grin . The advantages of SHA3 over SHA256 are numerous (more modern design, less known weaknesses, designed independently from NSA, well studied and long review process, etc.) which motivated my original decision. However it turns out that in practice, SHA3 is on the slower side  due to last minute decisions from NIST to increase the security parameters.
> We will need a fair amount of hashing operations in grin, as our "transactions" are broken down into inputs, outputs (in which range proofs can be considered separately) and kernels which may all be hashed independently. We also maintain at least one sum tree of the UTXO set. Hashing performance is important to our normal operation.
> So I'm considering a switch to the Blake2  hash function. It's extremely fast in software (faster than SHA256 and even MD5), has been shown to be as secure as SHA3, was designed independently and has been widely reviewed.
> Any strong opposition or concerns?
> - Igno
>  https://github.com/ignopeverell/grin/blob/master/core/src/core/hash.rs#L153
>  https://www.imperialviolet.org/2017/05/31/skipsha3.html
>  https://blake2.net
> Mailing list: https://launchpad.net/~mimblewimble
> Post to : mimblewimble@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mimblewimble
> More help : https://help.launchpad.net/ListHelp