New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Play around with hashes
#2664
base: master
Are you sure you want to change the base?
Play around with hashes
#2664
Conversation
cc @apoelstra (here instead of mention in PR description). |
hashes/README.md
Outdated
|
||
### [SHA-1](https://en.wikipedia.org/wiki/SHA-1) | ||
|
||
Since 2005, SHA-1 has not been considered secure against well-funded opponents |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In ce1881b:
I would either drop this line or qualify "secure" and "well-funded" much more precisely. This is quite a provocative line when applied to a hash used by git (2005) and bitcoin (2009)! (I checked the wikipedia page which has these exact words, so I guess I don't blame you....but wtf. They link to a blog post by Bruce Schneier which is slightly less provocative, which in turn cites an actual result, which is that SHA1 had 2^69 security against collisions in 2005.)
Since 2017 (SHAttered) sha1 has not been collision resistant even against poorly-funded components. I would suggest instead writing:
SHA-1 has seen a series of cryptographic breaks and should not be considered collision-resistant. While there are no practical weaknesses against its first- or second-preimage security, we do not recommend it for any modern application.
and we could link "should not be considered collision-resistant" to the wiki page or the SHAttered paper or press release or whatever. Or to the bitcoin transaction which claimed petertodd's "collide sha1 bounty" transaction :).
hashes/README.md
Outdated
- SHA-256 | ||
|
||
Module: `sha256` | ||
Digest: 256 bit (32 byte) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In ce1881b
These all look fine but a little hard to keep up-to-date. The digest length is in the name of every one of these hashes, and also we may rearrange our modules so that the Module:
line goes out of date.
hashes/README.md
Outdated
code](https://en.wikipedia.org/wiki/Message_authentication_code) (MAC) involving a cryptographic | ||
hash function and a secret cryptographic key. | ||
|
||
We implement HMAC-x where x is any of the hashes above. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In ce1881b:
We implement HMAC for any hash implementing our Hash
trait. It is not limited to the hashes in this repository and not explicitly implemented for any of them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And do we want to keep it like that? A lot of the problems patching the Hash
trait stem (in my experience) from the traits usage in Hmac
.
As for the rearranging of modules, this structure feels ad-hoc and undiscoverable to me. It's strange that we have HMAC under Then I don't understand why some hashes are "compound" and some are "hash functions". This sorta makes sense for hashes which are the composition of other hash functions, though this isn't an obvious way to categorize hash functions for either users or implementors...but then why is sha256t there for example? |
Thanks for reviewing man.
Yeah, I think I agree with you.
wiki says the siphash family is only suitable for MAC - is that correct? https://en.wikipedia.org/wiki/SipHash
Am I correct in thinking that the "compound" hashes are all Bitcoin things and they are constructs that use "primitive" cryptographic hash functions. I couldn't find any discussion of this outside of bip119 talking about tagged hashes. I made up the word "compound" and am not that happy with it. (I started with |
It is not correct. It seems like wikipedia is just fatally confused about hash functions.
Ok, but this is really an implementation detail whether a hash function is constructed as the composition of other hash functions or not. And tagged hashes are identical to sha256 except for their IV so I don't see why one would be "primitive" and the other not.
In the literature tagging hashes is referred to as "domain separation". |
Cool, thanks man. I'll have another play with it. |
Hey @apoelstra could you take a little squiz at this please? It does not include Note please:
I'm just chasing a quick "looks ok" or "miles off" before I try to work the tagged stuff in. Thanks man. |
Looks ok. Not sure why Lots of small nits (e.g. the Not sure what you mean about the trait bounds in hmac.rs. They look pretty straightforward. Though you shouldn't have trait bounds on |
Sweet, thanks man. |
In preparation for patching the `sha256t` module add a regression test to make sure I don't break the current implementation.
The generics on `sha256t::Hash` make working with the `hashes` module more complicated that it needs to be. The only reason for the tag is to have a way to keep a compile time midstate constant for the sha256 engine used by the tagged hash. Note also that the `sha25t::Hash` type is only ever used in test code, any user of the `hashes` lib (including `bitcoin` creates a new type and uses that). The same can be achieved by creating new engine type and putting the const midstate in the `Default` implementation.
Pull Request Test Coverage Report for Build 8793573668Details
💛 - Coveralls |
Interesting, the CI fail is because feature gating on a trait impl does not work. I tried to find where we discussed doing so before but all I found was a reference to the conversation (#2493 (comment)). So, I remember someone (@Kixunil?) telling me not to feature gate trait impls but I can't remember why. Turns out it doesn't work anyway - I hit this today in this PR and yesterday also by coincidence while trying to implement I'm posting all this because I do not know how to solve the problem of "implement this trait if this feature is enabled" which seems like a sane thing to do? I used |
I'm confused. CI failure looks like it's about schemars and some macro thing, not about trait impls. What do you mean by "feature-gating a trait impl". Obviously we need to feature-gate impls of |
Oh bizzare, yes you are right feature gating of |
Apologies, I was assuming you could read the changes on my local machine :( I've now pushed up the failure. The schemars test will fail with "the trait I've added a patch that shows that the exact same code from the failing test passes if it is in the same crate as the macro is defined i.e., in |
Ah! So, the issue here is that the In principle what you're doing is fine, but you need to do it by conditionally defining the macro, which will be a little ugly. (Probably you need an aux macro which is conditionally compiled either as a schemars trait impl or as nothing.) |
aaaahhhh! Legend, thanks man. I wish I raised this question a few days ago!!!! |
There are a few problems with
hashes
, mainly:hashes
is an epic PITA to work on #2197I've played with
hashes
at least 5 times over the last 3 months and I always get in knots without making any progress. Today I went wikipedia to try and understand the high level functions so I could better understand the current code design. #2663 fell out of this too.Can you review the last 2 patches please Andrew and tell me if they are even close to being correct and/or acceptable.
The first 4 patches could go in but its not worth the bother till we release I rekon.