Constellation-Labs / constellation

:milky_way::satellite: Decentralized Application Integration Platform
Apache License 2.0

2b or !2b? #190

Open tylerprete opened 5 years ago

tylerprete commented 5 years ago

Should we change our hash function from SHA-256 to Blake2b256?

It's used by many of the new projects -- rchain, cardano, etc. And it's faster: https://blake2.net/

No rush on this -- would just need to be done before main net.

Nikolaj-K commented 5 years ago

@tylerprete You could put the question out into discord. Previously, the user tyner (who I can't ping from this issue) has some opinions in that regard. Here's what a friend said, who works on a Monero-like protocol:

The official website has slides giving more detail on Blake and other hash algorithms, here (link).

The only reason stated was that it was used by newer projects and it was faster, but this will not be the only concern, depending on what it's used for. For example, a faster hashing algorithm is not always desirable in some circumstances, while in others, like message authentication, it is.

If you are planning to be ASIC resistant (e.g. if mining-para protocols are a thing and you want to provide tooling), then, since SHA2 and Blake are similar, it would be better to implement a different hash algorithm which is less known or slower. Since Blake2 is faster, it will be faster to generate a lot of hashes using an ASIC; I'm not too sure on the power requirements compared to SHA256 though, here (link).

If you are implementing things like ZK-SNARKs or other cryptographic protocols that rely on SHA256, you may need to have your implementation security-reviewed again for Blake2b, whereas SHA256 may already have an existing security-reviewed implementation. This may actually be a weak point: although the security goals of Blake2 are a superset of those of SHA256, the implementation varies, which may cause side effects in the protocol that uses it.

You would also need to update all your test cases which rely on SHA256. But unlike SHA256, you may not have another reference implementation to ensure that you are right. I do this all the time: I get the test cases from a reference implementation, make my own tweaks to my implementation, and use the test cases to check that everything is still good.

One last thing is that SHA2 has more research than Blake and more people have tried to find weaknesses in it. This may not be relevant, as Blake2 is based on ChaCha, which does have a lot of research on it. You could even decide to use Blake2b for the Merkle tree implementation only, for example, and SHA256 elsewhere, as you do not need to choose one or the other.
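The two practical points in the comment above, checking a swapped-in primitive against an external reference rather than against your own output, and using one hash for the Merkle tree while keeping SHA256 elsewhere, as an added example. This is illustrative Python using only the standard library's `hashlib`; it is not code from the constellation repository, and the hash-function registry, the 0x00/0x01 leaf/node prefixes and the sample leaves are this example's own choices.

```python
"""Pluggable hash selection for a Merkle tree, with known-answer checks.

Illustrative code, not part of the constellation project.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

HashFn = Callable[[bytes], bytes]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def blake2b512(data: bytes) -> bytes:
    return hashlib.blake2b(data).digest()


def blake2b256(data: bytes) -> bytes:
    # BLAKE2b with a 32-byte output. This is a distinct function from a
    # truncated BLAKE2b-512, because digest_size is mixed into the parameter
    # block; a reference vector for one does not validate the other.
    return hashlib.blake2b(data, digest_size=32).digest()


# Registry so the rest of the code base names an algorithm instead of
# hard-coding one (a design choice of this example).
HASHES: Dict[str, HashFn] = {
    "sha256": sha256,
    "blake2b512": blake2b512,
    "blake2b256": blake2b256,
}

# Known-answer vectors taken from the standards: FIPS 180-4 for SHA-256 and
# RFC 7693 Appendix A for BLAKE2b-512. Vectors for a 32-byte BLAKE2b output
# would come from the reference implementation's test files (not reproduced).
KNOWN_ANSWERS: List[Tuple[str, bytes, str]] = [
    ("sha256", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("sha256", b"",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("blake2b512", b"abc",
     "ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d1"
     "7d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923"),
]


def check_known_answers() -> Dict[str, bool]:
    """Return, per algorithm, whether every vector for it matched."""
    results: Dict[str, bool] = {}
    for name, msg, expected_hex in KNOWN_ANSWERS:
        ok = HASHES[name](msg).hex() == expected_hex
        results[name] = results.get(name, True) and ok
    return results


def merkle_root(leaves: List[bytes], h: HashFn) -> bytes:
    """Binary Merkle root over `leaves` using hash function `h`.

    Leaves are hashed with a 0x00 prefix and interior nodes with a 0x01
    prefix so a leaf value can never be presented as an interior node
    (an example design choice, not something the issue discusses).
    An unpaired last node is carried up as-is rather than duplicated.
    """
    if not leaves:
        raise ValueError("empty tree")
    level = [h(b"\x00" + leaf) for leaf in leaves]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(h(b"\x01" + level[i] + level[i + 1]))
            else:
                nxt.append(level[i])
        level = nxt
    return level[0]


# Constructed sample transactions for the demonstration.
SAMPLE_LEAVES: List[bytes] = [b"tx-1", b"tx-2", b"tx-3"]


def roots_by_algorithm(leaves: List[bytes] = SAMPLE_LEAVES) -> Dict[str, str]:
    """Same tree under each 256-bit candidate, to show the choice is local."""
    return {name: merkle_root(leaves, HASHES[name]).hex()
            for name in ("sha256", "blake2b256")}


if __name__ == "__main__":
    print(check_known_answers())
    for algo, root in roots_by_algorithm().items():
        print(algo, root)
```

Run it directly to see the known-answer results and one Merkle root per algorithm. The point of `check_known_answers` is that it compares against values published outside your own code; a test suite that was regenerated from the new implementation's output would pass even if the port were wrong.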