[zfs] [Review] 4185 New hash algorithm support

Zooko Wilcox-O'Hearn zooko at leastauthority.com
Tue Oct 22 10:47:26 PDT 2013


On Tue, Oct 22, 2013 at 6:05 AM, Schlacta, Christ <aarcane at aarcane.org> wrote:
>
> If any weakened algorithm is to be implemented, how can we know how weak is too weak, and how strong is sufficient?  Each professional Cryptographer has given different opinions and all those at our immediate disposal have now been biased.

A good way to do that is use an algorithm that has attracted interest
from a large number of independent cryptographers. If many
cryptographers have invested extensive effort trying to find
weaknesses in an algorithm, and haven't reported any, then we can feel
more confident that it is less likely to harbor undiscovered
weaknesses.

Among the algorithms we've been talking about in this thread, SHA-256,
HMAC-MD5, Skein, Keccak, and BLAKE are all in this category of being
well-studied.

Cryptographers publish it if they find a weakness in a reduced-round
variant of an important algorithm. You can see a summary of the best
results against weakened variants of BLAKE in ¹ (Table 1).

¹ http://eprint.iacr.org/2013/467

The rows labeled "perm." and "cf." are attacks on just one component
of the hash, not the whole algorithm. The "# Rounds" column shows how
many rounds of a reduced-round variant would be vulnerable to that
attack.

Don't forget to look at the "Complexity" column, too! That shows
(roughly) how many calculations would be necessary to implement the
attack. Yes, almost all of them are computations that are completely
impossible for anyone to actually execute in the foreseeable future.
But still, they are the best attack that anyone has (publicly) come up
with against those weakened variants of BLAKE so they serve as a
heuristic indicator of how strong it is.

Among the well-studied algorithms listed above, BLAKE is one of the
best-studied. It was one of the five finalists in the SHA-3 contest,
and in the final report of the contest ², NIST wrote “The
cryptanalysis performed on BLAKE […] appears to have a great deal of
depth”. Here is a list of research reports that analyzed BLAKE: ³.

² http://dx.doi.org/10.6028/NIST.IR.7896
³ https://131002.net/blake/#cr

Now, BLAKE2 is not necessarily as secure as BLAKE. We could have
accidentally introduced weaknesses into BLAKE2 when making tweaks to
optimize it. The paper ¹ looked for such weaknesses and reported that
they found nothing to make them distrust BLAKE2.

We use a stream cipher named ChaCha ⁴,⁵ as the core of BLAKE and
BLAKE2, and nobody has found any weakness in ChaCha. Again, that
doesn't mean we didn't manage to screw it up somehow, but I think it
helps! If anyone found a weakness in ChaCha, it would *probably* also
show them a weakness in BLAKE2, and vice versa.

⁴ https://en.wikipedia.org/wiki/ChaCha_%28cipher%29#ChaCha_variant
⁵ https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-02

In sum, there has been a lot of independent analysis of BLAKE2, BLAKE,
and ChaCha, and I hope there will be more in the future. If you use a
reduced-round version of BLAKE2, you can look at these results to see
whether anyone has published an attack that would break that
reduced-round version. Of course, more rounds is safer against future
breakthroughs.

It was in that context that I recommended that ZFS use the most rounds
of BLAKE2 that it can while still being faster than Edon-R. ☺ That
will probably be around 5 rounds.

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters.


-------------------------------------------
illumos-zfs
Archives: https://www.listbox.com/member/archive/182191/=now