Switch the internal hash function to SHA2 from RIPEMD160

[zmanian]

I'm expecting that the auditors will eventually make the same recommendation.

But I don't think we should go to 1.0 with RIPEMD160 as our hash function.

RIPEMD160 is a bad choice for a few reasons.

1. The birthday bound on RIPEMD160 is 2^80 for a second preimage. A 2nd preimage would at very least allow for state corruption in our database and possibly allow for forgeries

2. RIPEMD160 is roughly the same speed/throughput as SHA256 on current hardware. Future generations of Intel and ARM server hardware have will have native SHA256 instructions that allow massive speed ups. Here is how fast SHA156 is on Ryzen: https://crypto.stackexchange.com/questions/50618/how-fast-can-a-sha-256-implementation-go/50620

3. RIPEMD160 is 10x more expensive to verify on the EVM than sha256.
   https://github.com/ethereum/go-ethereum/blob/master/params/protocol_params.go#L69-L72

Bikeshed

It's a reasonable choice to ask if we should adopt a modern hash function. The consensus among hash function experts is that SHA2 will never be broken and will likely be the most widely supported hash function for the rest of human existence.

BLAKE2b is almost 5x faster in software than RIPE160MD but doesn't currently have ethereum ecosystem compatibility and is unlikely ever to be implemented in widely available hardware. Tho hardware sha256 is only 2x faster blake2b.

Shake128 is kinda slow. Farfalle is very fast but too new.

Ethereum KECCAK is indefensible.

[odeke-em]

I'll page @veorq too for a security blessing and thoughts.

[liamsi]

I've added #49 which simply changes the occurrences of ripemd160 to sha256.

I was wondering if we either 1) should have a central space where the hasher is defined (in case we want to experiment with other hashers we can simply modify one line) or 2) allow the user to choose or even configure which hasher to use (would make iavl more general purpose but potentially more difficult to use correctly). edit: related #11

[ebuchman]

Do we need to worry about length-extension attacks with SHA256 here ?

[ebuchman]

Also we discussed truncating the SHA256 hash to 20 bytes

[veorq]

Truncation to 20B would eliminate any length-extension risk. Or you can just use SHA-512/256, i.e. the NIST-official SHA-512 truncated to 256 bits. But SHA-256 would be slightly faster, in case performance matters.

[zmanian]

Length extension is irrelevant. Length extension attacks operate in a context where the attacker does not know a secret input to the hash function. Here all the inputs are publick

Merkle trees of in this context don't require any secret inputs.

Do we think it is safe to truncate our hashes to 160 Bytes?

it seems safe to me if we really want to optimize for proof size.

Even if a second preimage is 2^80, the second preimage isn't going to be semantically useful.

[mappum]

Or you can just use SHA-512/256, i.e. the NIST-official SHA-512 truncated to 256 bits. But SHA-256 would be slightly faster, in case performance matters.

Wouldn't SHA-512/256 be faster on 64-bit hardware? (Which I assume most nodes are)