
[Monotone-devel] Monotone's usage of SHA1


From: Markus Wanner
Subject: [Monotone-devel] Monotone's usage of SHA1
Date: Tue, 16 Feb 2016 17:19:38 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Hi,

On 02/09/2016 09:45 PM, grarpamp wrote:
> Subscription to the archives is required as said, and is also
> documented on the list page. It's free, no human is involved.
> Bug them on policy, not me. The context for this thread begins
> there and would be of interest to those with interest.
> 
> https://lists.sonic.net/mailman/listinfo/crypto-practicum

Okay, thanks, I've read through the archives now.

One thing I'm curious about is the proposal to use Argon2 (a password
hash) over SHA3 or Blake2b for user-facing hashes (or portions thereof).
Do I understand correctly that this "only" makes it (proportionally)
harder for Mallory to come up with a collision on the first few bytes of
the resulting hash? Or put another way: Is there any point in using
Argon2 (compared to Keccak or Blake2), if the full hash is used?

Monotone is pretty rigorous in checking its data's hashes. For example,
it checks not just after receiving from another node, but even after
loading a revision from disk. Therefore, I'd be pretty hesitant to
impose that additional computational cost for the normal user.

I rather thought about using a more compact encoding, like base58 as
used by Bitcoin. That way you'd get 45% more information into those 5-7
chars that humans can comfortably pass around (compared to hex),
resulting in 29 - 40 bits of hash.

I'm not saying that's enough, either. But in the case of monotone, I'm
less concerned, because there we have integrated certs, which check
against the full hash. And just to identify a revision out of the set of
already validated revisions, 5-7 chars usually are enough. (Sounds
suspiciously similar to Linus' argument, except that certs are external
to git, AFAIUI.)

Kind Regards

Markus Wanner
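
An added example, not part of the original message and not monotone's own code, of the short-ID idea discussed above: a base58 short ID taken from a SHA-1 digest and resolved only among revisions whose full hash has been re-checked. The function names, the constructed sample revisions, and the choice of low-order base58 digits are assumptions of this example.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Bitcoin alphabet

def bits(chars, base):
    """Upper bound on the hash bits carried by `chars` symbols of the given base."""
    return chars * math.log2(base)

def short_id(digest, chars=6):
    """Base58 short ID built from the low-order digits of the digest.

    Assumption of this example: low-order digits are used because the leading
    base58 digit of a 160-bit value is biased (58**27 < 2**160 < 58**28).
    """
    n = int.from_bytes(digest, "big") % 58 ** chars
    out = []
    for _ in range(chars):
        n, r = divmod(n, 58)
        out.append(B58[r])
    return "".join(reversed(out))

def resolve(short, store):
    """Map a short ID to exactly one full digest among fully validated revisions."""
    # Full-hash check first: the short ID only selects among validated data.
    validated = [d for d, data in store.items() if hashlib.sha1(data).digest() == d]
    hits = [d for d in validated if short_id(d, len(short)) == short]
    if len(hits) != 1:
        raise LookupError(f"{short!r} matches {len(hits)} validated revisions")
    return hits[0]

def demo_store():
    # Constructed sample revisions, keyed by their full SHA-1 digest.
    revs = [b"rev A: add README", b"rev B: fix typo", b"rev C: bump version"]
    store = {hashlib.sha1(r).digest(): r for r in revs}
    # Constructed tampered entry: the stored key no longer matches the content.
    store[hashlib.sha1(b"rev D").digest()] = b"rev D (modified on disk)"
    return store

if __name__ == "__main__":
    store = demo_store()
    for chars in (5, 7):
        print(chars, "chars: hex", bits(chars, 16), "bits, base58",
              round(bits(chars, 58), 1), "bits")
    for digest in store:
        print(short_id(digest), digest.hex())
```

A short ID that matches zero or several validated revisions raises `LookupError` rather than picking one, so truncation can cause ambiguity but never substitutes for the full-hash check.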



