
Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?



Wouter Verhelst <wouter@debian.org> writes:

> Simple mathematics.

> To me, a "strong hash" is a hash for which collisions are unlikely.

> A SHA512 hash is longer than a SHA1 hash. Therefore it has more bits.
> Therefore it has more possible values, which decreases the likelihood
> that two collections of bits will produce the same hash value by
> accident.

SHA-1 is already sufficiently unlikely that, barring a break in the
underlying mathematics, it's not clear that you're gaining anything.
Increasing the number of multiples of the age of the universe that it
takes to brute force something doesn't make any actual, practical
difference.

In both cases, the primary concern is around breaks in the underlying
mathematics, rather than in comparative brute force.  I find it very hard
to get excited about simple counts of the number of bits in the hash when
the important factor for whether it's a secure hash is basically
independent of length.  The length is adequate for even theoretical
computation models that use every atom in the solar system.

> In addition, there are some concerns today about the strength of SHA1.
> It's not yet broken, but it's not right to think of it as "fully safe"
> anymore, either. Hashes don't get stronger over time; they get weaker.

This is the part that's more interesting.

However, SHA-256 and SHA-512 are the same algorithm, and therefore are
probably subject to the same attacks.  So adding SHA-512 when we already
have SHA-256 seems rather pointless.  Adding SHA-3, which is a different
algorithm and therefore might resist mathematical attacks that break
SHA-2, is much more interesting.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
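The algorithm-family point in the message above, as an added example that is not part of the original post or of any Debian tool: a verifier that accepts a file only when every listed digest matches and the digests cover both the SHA-2 and SHA-3 families. Checksums-Sha1 and Checksums-Sha256 are existing Debian control fields; Checksums-Sha512 and Checksums-Sha3-256, the family labels and the function names are assumptions made for illustration.

```python
import hashlib

# Field name -> (hashlib name, algorithm family). Checksums-Sha512 and
# Checksums-Sha3-256 are hypothetical field names used only in this example.
FIELDS = {
    "Checksums-Sha1": ("sha1", "sha1"),
    "Checksums-Sha256": ("sha256", "sha2"),
    "Checksums-Sha512": ("sha512", "sha2"),
    "Checksums-Sha3-256": ("sha3_256", "sha3"),
}

def parse_checksums(stanza):
    """Return {filename: {hashlib_name: (hexdigest, size)}} from a control stanza."""
    out, current = {}, None
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t"):      # continuation line of the current field
            if current and line.split():
                digest, size, name = line.split()
                out.setdefault(name, {})[current] = (digest.lower(), int(size))
        else:                            # new field; unknown fields are skipped
            current = FIELDS.get(line.split(":", 1)[0], (None,))[0]
    return out

def verify(data, entries, required_families=("sha2", "sha3")):
    """Accept only if every listed digest matches and each required family is present."""
    family_of = dict(FIELDS.values())
    seen = set()
    for algo, (digest, size) in entries.items():
        if size != len(data) or hashlib.new(algo, data).hexdigest() != digest:
            return False                 # any mismatch is fatal
        seen.add(family_of[algo])
    return set(required_families) <= seen

def make_stanza(name, data, fields):
    """Build a constructed sample stanza carrying the given checksum fields."""
    lines = []
    for field in fields:
        algo = FIELDS[field][0]
        lines += [f"{field}:", f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}"]
    return "\n".join(lines)
```

A stanza that lists SHA-256 and SHA-512 still covers only one family, so it fails the default policy even though both digests match.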

