[Cryptography] hash size
jamesd at echeque.com
jamesd at echeque.com
Wed Oct 31 18:20:04 EDT 2018
On 2018-11-01 06:49, Derek Atkins wrote:
> Worse, you'll have to
> explain to everyone, over-and-over, why you're not succeptible to
> collision attacks. And then after you're done explaining, the next person
> will come up and ask again.
>
> Worse, a 256-bit hash is pretty fast, so it's unclear what you're actually
> buying yourself with a 128-bit hash.
A block chain ledger should be implemented as a merkle patricia tree.
You are buying a noticeable decrease in the size of that tree, and a
corresponding increase in the speed at which a consensus can be generated.
But the speed improvement is only modest, and the human effort involved
in discussing birthday attacks likely to be significant.
We need to ensure that it can never happen that two people see a
different final consensus on which transactions are committed to the
block chain, and which have been rolled back, but if the attack merely
disrupts the process for generating that consensus with respect to the
birthdayed transactions, a low value attack. So 128 bit hashes are OK
for flood filling transactions through the peers, but likely to be
unacceptable for the authoritative merkle patricia tree of committed
transactions.
But less coding effort and fewer bugs if we use the same hash
throughout, and truncate them during the flood fill.
So yes, you are right. Since we sometimes have to use a 256 bit hash,
might as well use a 256 bit hash all the time, and truncate where the
savings matter, and collision attacks do not.
More information about the cryptography
mailing list