@oetyng Thanks for pointing out the background data for the collision probability derivation and the birthday attack. This doesn’t really answer my questions though…

A few remarks:

Considering HPC performance and capacity increases alone at the typical 3 orders of magnitude every 10 years gives you a back-of-the-envelope figure that has @hunterlester’s example being reached in about 50 to 60 years, not 4 quintillion.

Taking experts at their word shows quantum computing claims that effectively cut the bit depth in half, similar to the birthday attack, so you need SHA-512 to get 256-bit security and the comfort level of @polpolrene, but it seems that in some cases SHA-512 security can be further reduced to 170 bits.

From searching the forum (or easily shown in the primer) I see that “SAFE uses SHA-3”. A search of the vault code on GitHub confirms sha3_256 is the chosen hash function.

GitHub: maidsafe/safe_vault (An Implementation of a SAFE Network Vault.)

Here too is a nice table on Wikipedia that compares different hashing algorithms, showing the need for SHA-3 (the whole wiki is a good introductory read…):

en.wikipedia.org SHA-3 | Comparison of SHA functions In the table below, internal state means the number of bits that are carried over to the next block.

While big numbers are fine and make a point by allowing us to make relative comparisons, I do not think the “big number” argument is really the right way to look at things; since “big numbers” are only “big” relative to the computer processing power you have easy access to or how many degrees you have or how much politically motivated funding you can grab hold of. The big numbers approach just leads to a thought experiment arms race. And yes, I do understand the arguments and silly insults posted online like from the folks at syncthing:

github.com/syncthing/syncthing Issue: Consider SHA-512 or SHA-512/256 for any overhaul of syncing. I noticed that there's an entry in the FAQ for why SyncThing takes so much CPU initially [1]. SHA-512 is 10-50%...

(We’ll need to address that ^^^ issue facing all of us sooner or later as well… )

We are ants, the future always brings a bigger boot; and near earth asteroids aren’t multiplying and moving faster/closer to earth at a rate of 3 or 4 orders of magnitude every 10 years. The number of atoms in the universe may be finite, but ideas are not. We have no concept of what we will have no concept of 20 years from now; and one of the big bright sunny beautiful ideas in SAFE is the objective to keep data safe “forever”.

EDIT: Also found some interesting notes here:

crypto.stackexchange.com Does SHA-1024 hash exist?

Precaution.

I would instead offer a (long term) “precautionary approach” to risk management first, and only then consider any performance implications for that decision (in the short term) as a secondary issue. It’s supposed to be the SAFE Network, not the SPEED Network right? I don’t think this is “going off the deep end” or as “crazy” or “silly” as some might think. It is a situation of constraints on known future safety, in an environment of unknown yet maximal future processing resources. The simple fact is that 4 accepted and established standards exist SHA3-{224, 256, 384, 512} and are available for devs to choose from now. While you can take the view that SHA3-256 is safe, and granted I agree that it is for a long while, maybe long long enough. But the simple truth is that SHA3-512 will always be safer, and a modified SHAKE-2048 safer still; so in my mind the question comes down to how much safeness can be afforded from a hardware performance perspective at genesis on launch day.

It would appear that SHA3-512 isn’t that big of a deal computationally (this post discusses the faster 512bit competitor blake2), and for some processors it is more efficient, taking less than 2x the time of SHA3-256. It also falls in line as a codified and established standard rather than an arbitrary spin of SHAKE-Xbits. The Wikipedia table references put median SHA3-512 at 16 cycles/byte vs. 8 for SHA3-256 on Skylake, while an ARM cortex-9 (1GHz) can be around 120 cycles/byte for SHA3-512 and about 70 cycles/byte for SHA3-256. If that benchmark performance also plays out in practice, a single amd64 core in a single mid-range 2GHz processor (which will soon have 8 to 16 cores on average) can completely saturate a 1 Gb network connection. (EDIT: Just noticed those were software benchmarks. Small dedicated hardware ASICs are doing SHA3 “Keccak” between 15Gb/s and 44Gb/s … so an RPi with something like that might fly.)

A few questions are raised from these figures that are pertinent to the conversation:

What will it take for 1Gb at home to be the standard?

How many RPi are really going to run Gig-E to an ISP on launch day when they can’t even saturate a 100Mbit connection with SHA3-256?

When wireless Gigabit arrives to mobile for everyone/everywhere, won’t that mobile processor in their pocket be another order of magnitude faster than now?

Why skimp? Today’s epyc threadripper is just an RPi in a few years from now, right?

With SHA3-512, you’re basically telling folks that they will need to buy 2 RPi for every one they had planned if you want to keep a 100Mbit connection saturated, but most people don’t have more than a 25Mbit connection so I would think that if an RPi is actually up to the task, it will keep up just fine with either SHA3-256 or SHA3-512. Embedded x86-64 boards make nice low cost options too, at an often better bang for the buck compared to RPi if low power computational efficiency is the main reasoning for reducing hash sizes to 256bits. Lastly,

Wasn’t the original plan for SAFE using a 512bit hash for XOR routing? Why change?

That’s about all the rant I can muster for this topic. Apologies if I kept repeating myself, but I bring it up again because it seems like the hash bits issue is the one thing that can’t be easily solved through future updates and gradual network evolution. Since the dev teams are ramping things up for routing, I figured this would be the last time to be able to bring this topic up. Maybe this is a big misconception on my part, so please mention if it is. Always happy to be convinced otherwise… and look forward to learning more insights from others. Maybe it’s time I summon @neo? Cheers.
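The cycles/byte and bit-strength figures discussed in the post above can be checked with a short script. This is an added example, not part of the original post or of any SAFE/MaidSafe code; the function names are hypothetical, pairing the Skylake figures with a 2 GHz clock is an assumption taken from the post's "2GHz" scenario, and the n/3 quantum collision figure is the generic Brassard-Høyer-Tapp bound.

```python
import hashlib
import time

def line_rate_mbit(cycles_per_byte, clock_hz):
    """Single-core hash throughput in Mbit/s at the given clock."""
    return clock_hz / cycles_per_byte * 8 / 1e6

def security_bits(digest_bits):
    """log2 of generic attack cost against an ideal n-bit hash."""
    return {
        "preimage_classical": digest_bits,
        "collision_classical": digest_bits // 2,  # birthday bound
        "preimage_quantum": digest_bits // 2,     # Grover search
        "collision_quantum": digest_bits // 3,    # Brassard-Hoyer-Tapp
    }

def measure_mbit(name, size=4 * 1024 * 1024, rounds=3):
    """Best-of-N throughput of the local hashlib implementation, Mbit/s."""
    buf = b"\xa5" * size  # constructed input, content is irrelevant
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.new(name, buf).digest()
        best = min(best, time.perf_counter() - t0)
    return size * 8 / max(best, 1e-9) / 1e6

# Cycles/byte figures as quoted in the post; clocks as described above.
QUOTED = [
    ("Skylake @ 2 GHz", 2e9, {"sha3_256": 8, "sha3_512": 16}),
    ("ARM @ 1 GHz", 1e9, {"sha3_256": 70, "sha3_512": 120}),
]

def quoted_rates():
    """(cpu, algorithm, Mbit/s) rows derived from the quoted figures."""
    return [(cpu, algo, round(line_rate_mbit(cpb, hz), 1))
            for cpu, hz, table in QUOTED
            for algo, cpb in table.items()]

if __name__ == "__main__":
    for cpu, algo, rate in quoted_rates():
        print(f"{cpu:16} {algo:9} {rate:8.1f} Mbit/s (from quoted figures)")
    for algo in ("sha3_256", "sha3_512"):
        bits = hashlib.new(algo).digest_size * 8
        print(f"{algo:9} measured here: {measure_mbit(algo):8.1f} Mbit/s, "
              f"strength: {security_bits(bits)}")
```

The measured numbers depend on the machine and on the hashlib build, so compare the SHA3-256 to SHA3-512 ratio rather than the absolute rates.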