The beginning of Git supporting other hash algorithms

I&#x27;m the person who&#x27;s been working on this conversion for some time. This series of commits is actually the sixth, and there will be several more coming. (I just posted the seventh to the list, and I have two more mostly complete.)<p>The current transition plan is being discussed here: <a href="https:&#x2F;&#x2F;public-inbox.org&#x2F;git&#x2F;CA+dhYEViN4-boZLN+5QJyE7RtX+q6a92p0C2O6TA53==BZfTrQ@mail.gmail.com&#x2F;T&#x2F;" rel="nofollow">https:&#x2F;&#x2F;public-inbox.org&#x2F;git&#x2F;CA+dhYEViN4-boZLN+5QJyE7RtX+q6a...</a>

From a cryptographer&#x27;s perspective, everything around SHA-3 is a little weird. We ended up with something that&#x27;s pretty slow even though we had faster things, for which general consensus was that they were just as strong. Similarly, consensus was that some SHA-3 candidates made it as far as they did because they are drastically different from previous designs. Picking a major standard takes a while, and immediately preceding it we saw scary advances in attacks on traditional Merkle-Damgard hashes like SHA-0, SHA-1. Not SHA-2, but it&#x27;s pretty similar, so the parallels are obvious.<p>Bow that we have SHA-3, we ended up with a gazillion Keccak variants and Keccak-likes. The authors of Keccak have suggested that Git may instead want to consider e.g. SHAKE128. [0]<p>[0]: <a href="https:&#x2F;&#x2F;public-inbox.org&#x2F;git&#x2F;91a34c5b-7844-3db2-cf29-411df5bcf886@noekeon.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;public-inbox.org&#x2F;git&#x2F;91a34c5b-7844-3db2-cf29-411df5b...</a><p>It&#x27;s a bit unfortunate that this is really a cryptographic choice, and it seems to mostly be made by non-cryptographers. Furthermore, the people making that choice seem to be deeply unhappy about having to make it.<p>This makes me unhappy, because I wish making cryptographic choices got much easier over time, not harder. While SHA-2 was the most recent SHA, picking the correct hash function was easy: SHA-2. Sure, people built broken constructions (like prefix-MAC or whatever) with SHA-2, but that was just SHA-2 being abused, not SHA-2 being weak.<p>A lot of those footguns are removed with SHA-3, so I guess safe crypto choices are getting easier to make. On the other hand, the &quot;obvious&quot; choice, being made by aforementioned unhappy maintainers, is slow in a way that probably matters for some use cases. On the other hand, not even the designers think it&#x27;s an obvious choice, I think most cryptographers don&#x27;t think it&#x27;s the best tool we have, and we have a design that we&#x27;re less sure how to parametrize. There are easy and safe ways to parametrize SHA-3 to e.g. fix flaws like Fossil&#x27;s artifact confusion -- but BLAKE2b&#x27;s are faster and more obvious. And it&#x27;s slow. Somehow, I can&#x27;t be terribly pleased with that.

FWIW, Fossil released a version with backwards compatibility, configurable graceful upgrades a week ago: <a href="https:&#x2F;&#x2F;www.fossil-scm.org&#x2F;index.html&#x2F;doc&#x2F;trunk&#x2F;www&#x2F;changes.wiki#v2_1" rel="nofollow">https:&#x2F;&#x2F;www.fossil-scm.org&#x2F;index.html&#x2F;doc&#x2F;trunk&#x2F;www&#x2F;changes....</a>

This work actually began in 2014... <a href="https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;715716&#x2F;" rel="nofollow">https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;715716&#x2F;</a>

Is there some explainer on how the support will look like in the end? I&#x27;m curious to know how multiple hash algorithms will be supported in parallel.

I immediately looked at the length of this commit&#x27;s hash to see if it was longer than 40 hex chars -- but no, it&#x27;s just an SHA-1. It would have been cool if somehow the hash of this commit that added new hashes was a new hash.<p>Slightly similar: for a while I&#x27;ve wanted to recreate just enough of git&#x27;s functionality to commit and push to GitHub. My guess is the commit part would be pretty trivial (as git&#x27;s object and tree model is so simple) but the push&#x2F;network&#x2F;remote part a bunch harder.

The commit on git.kernel.org: <a href="https:&#x2F;&#x2F;git.kernel.org&#x2F;pub&#x2F;scm&#x2F;git&#x2F;git.git&#x2F;commit&#x2F;?id=e1fae930193b3e8ff02cee936605625f63e1d1e4" rel="nofollow">https:&#x2F;&#x2F;git.kernel.org&#x2F;pub&#x2F;scm&#x2F;git&#x2F;git.git&#x2F;commit&#x2F;?id=e1fae9...</a>

Someone please remind me why the hash is not a type definition so the representation would only have to be changed in one place.

So could be my ignorance of this project in detail, but where are the tests for this?

Do they anticipate that one day we&#x27;ll have to move from SHA256 to something else again? It&#x27;s only matter of time. Hash function have lifecycle. Tre transition has to be done in a way that will also make the next transition more straightforward.

This is the chance to get rid of the object prefixes (i.e. &quot;blob&quot; plus file length) that prevent the generated hashes from being compatible with hashes generated by other software.

Since the majority of us are running x64 machines, will the hash be a truncated SHA-512&#x2F;256 or will it be SHA-256? The former is significantly faster on x64 machines.

What problem does this solve? Are collisions common?

struct object_id was introduced in this commit, in 2015:<p><a href="https:&#x2F;&#x2F;git.kernel.org&#x2F;pub&#x2F;scm&#x2F;git&#x2F;git.git&#x2F;commit&#x2F;?id=5f7817c85d4b5f65626c8f49249a6c91292b8513" rel="nofollow">https:&#x2F;&#x2F;git.kernel.org&#x2F;pub&#x2F;scm&#x2F;git&#x2F;git.git&#x2F;commit&#x2F;?id=5f7817...</a><p>So this change doesn&#x27;t do much for now. Good to see, though.