Multihash – self-describing hashes

Hey everyone. The SHAttered break made us release a new website for Multiformats: <a href="http:&#x2F;&#x2F;multiformats.io" rel="nofollow">http:&#x2F;&#x2F;multiformats.io</a> which includes a page explaining Multihash -- <a href="http:&#x2F;&#x2F;multiformats.io&#x2F;multihash" rel="nofollow">http:&#x2F;&#x2F;multiformats.io&#x2F;multihash</a> --<p>The page goes through a bunch of examples of how a multihash would work in practice, why it is useful to do this, and goes through some FAQs.<p>I&#x27;m writing a post about all this that I&#x27;ll push out soon, but wanted to drop the site here now.<p>Please, as you make new systems or start to upgrade your systems out of SHA1 (or MD5!!!), please use Multihash so that your upgrades will be much, much easier in the future. This makes rolling up a matter of recompiling some tools, and by far not facing the horrible breakages that occur when tools and scripts assume certain things (like the hash digest of git will always be 160bits... now git faces breaking a lot of things and may have to stick with 160bits of a truncated SHA3 or BLAKE2...)<p>Oh also-- definitely check out BLAKE2, it&#x27;s a fantastic hash function from Zooko, JP Aumasson, Samuel Neves, and Christian Winnerlein -- <a href="https:&#x2F;&#x2F;blake2.net" rel="nofollow">https:&#x2F;&#x2F;blake2.net</a> -- use it for all your hashing needs! So much faster than SHA2, and has the same &quot;unbrokenness&quot; that SHA3 enjoys. (And, I believe deep cryptanalysis has gone into BLAKE, Keccak is not particularly safer)<p>The Multiformats site also has a Multiaddr description, but that&#x27;s far from complete and doesn&#x27;t have the examples. The other multiformats arent well explained on the website yet. Sorry, coming soon :) we wanted to get this out ASAP -- PR&#x27;s accepted at <a href="https:&#x2F;&#x2F;github.com&#x2F;multiformats&#x2F;website" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;multiformats&#x2F;website</a> (oh and yes, TLS certs coming too)

IMHO: Using varint for this is silly, and just wastes decoding time. (Doing because proto&#x2F;etc did it, when they have <i>wildly</i> different use cases, it a bad idea.)<p>The example they purport to give even proves it: &quot; For example, a 100 TB file in IPFS may have as many as 400 million subobjects, which would mean 400 million hashes.<p>400,000,000 hashes * (7 - 2) bytes = 2 GB&quot;<p>Right, so uh, that&#x27;s 0.002% of that 100tb. (IE who cares)<p>(This already appears to be the difference between what it would normally take, at 7 bytes, and what it takes with varint, which is ~17 bits per int)<p>But assume we go crazy, and use 8 bytes per hash.<p>we have 3.2 gigabytes there. vs 800 megabytes for your varint encoding. Or, for our 100 terabyte file, approximately, &quot;who cares&quot; vs &quot;who cares&quot;.<p>if you could transfer at a gigabyte per second, the version with varint would take ~28 hours. The version with fixed-size 8 bytes would take ... 2 seconds longer.<p>Remind me again how this is showing it&#x27;s a good idea?<p>Also, if you really wanted to use variable size integers, variable byte encoding is pretty much the slowest way to do it.<p>See, e.g, <a href="https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;1209.2137.pdf" rel="nofollow">https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;1209.2137.pdf</a><p>Using variable sized integers here doesn&#x27;t save space, precisely because th , but it does make it more annoying to splat these in and out of memory.

Looks awesome, so long as its easy to ensure attackers can&#x27;t quietly make you use a weak hash. Some JWT implementations quietly allowed the &quot;none&quot; algorithm which allowed an attacker to forge creds [1]. Any similar &quot;pluggable&quot; system needs to learn fro this and be careful to avoid letting attackers pick weak algorithms.<p>[1] <a href="https:&#x2F;&#x2F;auth0.com&#x2F;blog&#x2F;critical-vulnerabilities-in-json-web-token-libraries&#x2F;" rel="nofollow">https:&#x2F;&#x2F;auth0.com&#x2F;blog&#x2F;critical-vulnerabilities-in-json-web-...</a>

I&#x27;m not sure I like that much that there&#x27;s a fixed table purporting to contain IDs for all hashes ever used in the universe. It sound both inflexible - each time somebody uses a new parameter or new hash modification, it has to be updated, and hard to use - you have to drag this table around in all code that uses the protocol and remember to update it all the time. And all seems in service of saving a couple of bytes - maybe there would be better to have more verbose, but more flexible scheme, that allows to relatively easily add and identify hashes and read them by many tools?<p>I have same reservations about variable-int thing - it would sometimes save 2-3 bytes, but makes processing with simple tools much harder as many tools make it easy to cleave arbitrary strings into fixes pieces without knowing string&#x27;s specific content, but variable-length fields make it significantly harder. Is the gain really worth the complications?<p>I&#x27;ve seen the FAQ but I guess I am not sure I agree with the authors on the question that what they did is actually the best...

I wrote about Multihash the other day [1], but in that comment I refrained from outright criticism. However, my biggest reservation about Multihash is that it deliberately pollutes the value space of a hash digest, while in good faith claiming to domain-segregate the value space of a digest. It&#x27;s got no magic number, no magic anything, really; nor can it, since the output of a hash digest is an opaque binary value with any and all outputs equally likely.<p>Therefore, while before multihash there was sometimes no way to figure out which hash function produced a given digest, after multihash there is no way to figure out whether a particular digest is actually a multihash value, or a real raw digest. The fact that it&#x27;s a multihash value has to be inferred from context or out-of-band just like before, in which case it brings little additional value that the particular hash function is encoded <i>inside</i> the value, when it could&#x27;ve just as well have been communicated the same external context.<p>Then comes the problem of the lookup table, which was left overridable instead of globally prescriptive, so without additional context you don&#x27;t even know whether to use the global lookup, or someone else&#x27;s special one.<p>I don&#x27;t find their arguments laid out on the website persuasive. Really, this is all information that should have been put somewhere else, not into the digest, without affecting any of the &quot;insecure warning&quot; features that implementations may bring. For IPFS, the first part of the URI would have been an excellent place, function names and parameterizations and all, or if they&#x27;re trying to save space like they admit, the values from the global lookup encoded as a path element. Like it or not, each hash function creates its own sub-tree of all of its possible digests, and multihash values on their own are not suitable to globally an unambiguously describe resources, because they&#x27;re only deterministic if it&#x27;s known that the context is &quot;just like the defaults in IFPS&quot;. And for these reasons, I feel it muddies content-addressing with no real gain, while all of its good ideas could have been implemented differently inside of IFPS to better effect.<p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13726589" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13726589</a>

Multihash looks cool. It looks a little tricky to apply directly to git, though. The problem is that git and git users treat the first few bytes specially. In git, directories are split on the first few bytes, and users particularly use the first few bytes to distinguish between commit ids.<p>I wonder if multihash might be useful in git if slightly reordered (so that at least the first several bytes of the hash function are first).<p>I&#x27;m thinking out loud; I&#x27;d be interested in hearing others&#x27; thoughts.

Cool to find this on HN!<p>Just last Thursday I added this to an &quot;Oh fuck, we&#x27;re still using MD5 for passwords?&quot; issue, Multihash should provide a really easy way of migrating to a new hash once we&#x27;ve &quot;Multihashified&quot; all existing MD5 hashes in the db.

Seems rather like the ASN.1&#x2F;DER based encodings already used in crypto to describe hash outputs, except using an integer rather than an OID to describe the hash type.

Crypto has a long history of using ASN.1 for its data types. I&#x27;d prefer defining the data types in that and calling it a day. It isn&#x27;t like DER would be any harder to parse than a new byte-oriented custom format like this.

&gt; It is useful to write applications that future-proof their use of hashes, and allow multiple hash functions to coexist.<p>Is the suggestion that applications, which have now switched to SHA-256, should serialize this using Multihash, in order to be able to easily switch to a new hash function in 15 years, when SHA-256 is broken?<p>I think, for most cases, it makes more sense for a protocol&#x2F;application to just define that v1 uses SHA-256, and, if this ever breaks, we&#x27;ll update the protocol&#x2F;application version (rather than change the protocol&#x27;s hash serialization format). Unless you explicitly need to support many different hash functions.<p>For example, let&#x27;s say your app needs to securely hash many files, and store all these hashes somewhere. Would you rather serialize thousands of hashes, all of the same type, each with a pre-pended identifier and length? Or would it make more sense to put the hash function identifier in a single place, and use this for all the hashes? So perhaps Multihash would benefit from separating the versioning scheme from the serialization format of the hash itself?

ASN.1 just called and wants it&#x27;s encoding back...

MD5 doesn&#x27;t seem to be in the table...<p>That is going to make it harder to change code to use multihash then migrate away from MD5 gradually.<p>MD5 may be broken as a crypto hash, but there are probably more MD5 hashes than any of the others in the table (eg one on every S3 object!) so not having a representation for it seems short sighted.

I like the idea of multihash. Using a registry mapping hash names to numbers seems like it might hinder adoption, though.<p>If I want to use a hash that isn&#x27;t yet in multihash&#x27;s registry (or will never be because reasons, but I nonetheless want to use it), what do I do?<p>I could make a forked copy of the registry where I allocate my own number to the hash, but, I have to guess very well what numbers will not be used by future allocations in multihash. If I guess wrong, I might have to go through every hash I&#x27;ve encoded with my forked registry and re-encode them, which could be very onerous if they&#x27;re spread across s3, glacier, cold storage, etc.<p>If there is a well-defined set of numbers that are set aside for personal &#x2F; non-sanctioned use, I have the same problem when examining hashes from other parties, because they may have chosen a different number for a particular hash, or we may have conflicts. Likewise, when a hash &quot;graduates&quot; from the personal space to the official mapping, all the old hashes are now encoded &quot;wrong&quot;: they&#x27;ll keep working, as long as you ensure the hash keeps a number in the personal space, but now you have to choose whether to, when making new hashes, to use the official number &quot;for consistency (with the standard)&quot; or the personal one, also &quot;for consistency (with your existing hashes)&quot;.<p>It looks like every hash in multihash has a number (like 0x13), a name (like &quot;sha-512&quot;), and a description (&quot;The SHA512 Cryptographic Hash Function&quot;) [0]. I suggest letting people use e.g. &quot;{name}:{len}:{hash}&quot; if they choose to make the tradeoff in favor of readability &#x2F; portability (with lower performance and marginally higher storage cost).<p>Then when those hashes get read by some other person&#x27;s copy of multihash, they&#x27;ll either map the {name} to the local number (if if it&#x27;s different from the number of the multihash library that encoded the hash) or if the {name} doesn&#x27;t show up they can throw an appropriate error. This is forwards compatible and I think will allow more people to be comfortable adopting multihash, because they won&#x27;t have to think so much up-front about how to encode hashes that aren&#x27;t in the registry.<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;multiformats&#x2F;multihash&#x2F;pull&#x2F;41&#x2F;files#diff-71c19e973ffcdb60141b3cc511acadb4R59" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;multiformats&#x2F;multihash&#x2F;pull&#x2F;41&#x2F;files#diff...</a>

I wonder if storing the hashing parameters next to the hash is the right approach to take for systems. Your system isn&#x27;t going to support all hashes (adds a lot of library bloat, you don&#x27;t want to support weak hashes), so you&#x27;ll probably want one specific algorithm&#x2F;parameter set, with room for upgrades in case weaknesses get discovered (not likely to occur often). A single byte&#x2F;varint, starting at 0 and incrementing for every new parameter set sounds reasonable. A downside would be interoperability, but if that&#x27;s your main concern then perhaps a human-readable string representation of the hash algorithm&#x2F;parameters would be preferable.<p>What are the benefits of using Multihash?

I dont get the trend of security hashes &#x2F; encryption trying to describe itself with a header, it just makes breaking this hashed &#x2F; encrypted data faster.. no humans needed, fully automated hacking at scale!

This seems kind of like a cross between a uuid and a plain hash. Perhaps it would be better to incorporate the hash into a uuid. Uuids already have metadata.

Why not just encode a proto:<p>message Hash { optional HashFunction hash_function = 1; optional bytes digest = 2; }