Replace SHA-1 with BLAKE3 for ISO images

Currently, Manjaro ISO images are hashed with SHA-1.
SHA-1 is old, slow, and vulnerable.
SHA-2 (which has many variants, e.g. SHA-256 and SHA-512) is slow.

BLAKE3 is a quite new hashing algorithm (2020) which is fast and is resistant to some new attacks.
It’s approximately 3.5 times faster than SHA-1 and 8.8 times faster than SHA-256 with single-threaded hashing.
But it supports multithreading, so it’s even faster for users who have a CPU with many cores.
It’s shipped in the Arch repositories as b3sum.

You can check performance against SHA-1 and SHA-256 using the hyperfine benchmarking tool.

# install needed utilities
sudo pacman -S hyperfine b3sum
# run the tests
hyperfine -w 3 'b3sum --num-threads 1 manjaro.iso' 'sha256sum manjaro.iso' 'sha1sum manjaro.iso'

(Because BLAKE3 is fast, it is not suitable for password hashing, but it’s suitable for hashing ISO images. Password hashing requires a slow hashing algorithm (e.g. the Password Hashing Competition winner Argon2) to mitigate brute-force attacks, because passwords are a small amount of data, which makes it easy to try many variations. But BLAKE3 is suitable for hashing ISO images, because these are multiple GiB in size, so it’s hard to build, compress (squashfs), then hash a malicious ISO image even with a fast algorithm, so speed is only an advantage in this case.)

Don’t hold your breath. :wink:

Age is irrelevant, it’s fast enough and it is not used as a cryptographic hash function (that is what those gpg signature files are for).

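The verification flow the two posts together describe, as an added shell example that is not part of this thread or of Manjaro's tooling: the detached GPG signature on the checksum file is checked first, and only then is the checksum recomputed with the tool matching the file's extension, so a swapped checksum file is caught regardless of which hash it uses. The function names and the `.b3`/`.sha256`/`.sha1` file naming are assumptions.

```shell
#!/bin/sh
# Verify a downloaded ISO. The hash (b3sum, sha256sum or sha1sum) only
# detects corruption or a mismatched download; the GPG signature on the
# checksum file is what ties that checksum to the publisher's key.
# Checksum files are assumed to be in the usual "<hash>  <iso-name>" form,
# living in the same directory as the ISO they describe.

# check_iso_sum SUMFILE
#   Picks the hash tool from the file extension (assumed naming convention)
#   and runs its --check mode from the ISO's directory. Returns 0 on match,
#   1 on mismatch, 2 for an unknown extension, 3 if the tool is missing.
check_iso_sum() {
    sumfile=$1
    case "$sumfile" in
        *.b3)     tool=b3sum ;;
        *.sha256) tool=sha256sum ;;
        *.sha1)   tool=sha1sum ;;
        *) echo "unknown checksum format: $sumfile" >&2; return 2 ;;
    esac
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed" >&2; return 3; }
    # --check reads names relative to the cwd, so run it beside the ISO.
    ( cd "$(dirname "$sumfile")" && "$tool" --check "$(basename "$sumfile")" ) || return 1
}

# verify_iso SUMFILE SIGFILE
#   Refuses to even look at the checksum unless the detached signature
#   verifies against a key already in the local keyring.
verify_iso() {
    sumfile=$1
    sigfile=$2
    if ! gpg --verify "$sigfile" "$sumfile"; then
        echo "signature on $sumfile did NOT verify; not trusting its checksum" >&2
        return 1
    fi
    check_iso_sum "$sumfile"
}
```

On a machine with b3sum installed, `verify_iso manjaro.iso.b3 manjaro.iso.b3.sig` exercises the BLAKE3 path; the SHA-256 and SHA-1 paths behave identically apart from the tool invoked.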