Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings
Discussion options

jaredly
Jan 19, 2023
Collaborator

Context:

For the first release of Unison Cloud JIT, we need to implement primitives for cryptographic hash functions in chez scheme.
Which ones?

  • sha1
  • sha2(256/512)
  • sha3(256/512)
  • blake2b(256/512)
  • blake2s(512)

Existing implementations

Scheme

There exist pure scheme implementations of sha1 and sha212, and some C bindings to sha134 and sha256. There's a set of C bindings for OpenSSL as well7, which would provide all of the hashing functions we need.

Other languages

The haskell-based unison runtime is using the library cryptonite, which has the hash functions implemented in C8

Nodejs, on the other hand, links to openssl for its hashing functions.

Recommendation

Given the anemic nature of the scheme community, I don't think it wise to depend on a pure scheme implementation for something as critical as cryptographic hashing, unless it were to be vetted by a security expert.

This leaves us with C FFI, and I see two options:

  1. link to openssl, which would give us all of the hashing we need, as well as x509 certificates & TLS stuff, which we'll need for the Cloud JIT anyway
  2. copy over the C implementations from cryptonite

Option 1 has the benefit of giving us TLS support & certificates and such, but it's obviously a much bigger library to include. Give the ubiquity of openssl, it's likely to be available on any cloud infrastructure we're running.
Option 2 is much leaner, and there's something nice about having the exact same C backing the haskell runtime and the cloud jit runtime, but then we'd have to figure out something else for TLS & x509 certificates.

Footnotes

  1. https://gitlab.com/weinholt/hashing has sha1 and sha2 (256/512)

  2. https://github.com/gambit/gambit/blob/3d38da6d0aba85fc97c7e00ab7ad9163f6f301cb/lib/_digest/_digest.scm has sha1 and sha2 (256 but not 512)

  3. https://code.call-cc.org/svn/chicken-eggs/release/5/sha1/trunk/

  4. https://code.call-cc.org/svn/chicken-eggs/release/5/simple-sha1/trunk/

  5. https://code.call-cc.org/svn/chicken-eggs/release/5/sha2/trunk/

  6. https://snow-fort.org/s/gmail.com/alexshinn/chibi/crypto/sha2/0.9.0/index.html

  7. https://wiki.call-cc.org/eggref/5/openssl

  8. see cryptonite_sha3.c for sha3, for example. it also includes the reference implementation of blake2, in C.

You must be logged in to vote

Replies: 1 comment

Comment options

pchiusano
Jan 19, 2023
Maintainer

@jaredly Okay, this is great research, thanks. Let's go with binding to OpenSSL for all the things. It's obviously a very mature library and if we need to depend on it anyway for TLS, seems like may as well use it for the hashing and other primitives (I'd check that it can do HMAC as well).

We can figure out how best to package and deploy it later, but it seems doable.
You must be logged in to vote
0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@jaredly @pchiusano
Morty Proxy This is a proxified and sanitized view of the page, visit original site.