On 2014-12-01 12:22, John Williams wrote:
I'm not saying they don't have excellent collision resistance properties. I'm also not saying that we shouldn't support such non-cryptographic hashes, just that we shouldn't explicitly NOT support other hashes, and that if we are going to support more than one hash algorithm, we should use the infrastructure already in place in the kernel for such things because it greatly simplifies maintaining the code.On Mon, Dec 1, 2014 at 4:39 AM, Austin S Hemmelgarn <ahferroin7@xxxxxxxxx> wrote:Just because it's a filesystem doesn't always mean that speed is the most important thing. Personally, I can think of multiple cases where using a cryptographically strong hash would be preferable, for example: * On an fs used solely for backup purposes * On a fs used for /boot * On an fs spread across a very large near-line disk array and mounted by a system with a powerful CPU * Almost any other case where data integrity is more important than speedWhat does data integrity have to do with whether the hash is cryptographic or not? The primary difference between a cryptographic and non-cryptographic hash is that the non-cryptographic hash can be easily guessed / predicted (eg., an attack to deliberately create collisions) whereas the cryptographic hash cannot (given reasonable assumptions of CPU power). For filesystem checksums it is difficult to imagine a deliberate attack on the checksums. Consequently, the only really important quality for the hash besides speed is collision resistance. The non-crypto hashes that I have mentioned in this thread have excellent collision resistant properties.
In fact, if I had the time, I'd just write CryptoAPI implementations of those hashes myself.
Except most of the CPU optimized hashes aren't crypto hashes (other than the various SHA implementations). Furthermore, I've actually tested the speed of a generic CRC32c implementation versus SHA-1 using the SHA instructions on an UltraSPARC processor, and the difference ammounts to a few microseconds in _favor_ of the optimized crypto hash; and I've run the math for every other ISA that has instructions for computing SHA hashes (I don't have the hardware for any of the others), and expect similar results for those as well.The biggest reason to use the in-kernel Crypto API though, is that it gives a huge amount of flexibility, and provides pretty much transparent substitution of CPU optimized versions of the exported hash functions (for example, you don't have to know whether or not your processor supports Intel's CRC32 ISA extensions).Which is worse than useless if the CPU-optimized crypto hash is slower than the default non-crypto hash, and that will almost always be the case. Besides, there is nothing magic happening in the Crypto API library. If you implement your own hash, you can easily do a few checks and choose the best code for the CPU.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
