[Python-Dev] New hash algorithms: SHA3, SHAKE, BLAKE2, truncated SHA512

Donald Stufft donald at stufft.io
Fri May 27 06:01:40 EDT 2016 

> On May 27, 2016, at 12:54 AM, Raymond Hettinger <raymond.hettinger at gmail.com> wrote:
> 
> 
>> On May 25, 2016, at 3:29 AM, Christian Heimes <christian at python.org> wrote:
>> 
>> I have three hashing-related patches for Python 3.6 that are waiting for
>> review. Altogether the three patches add ten new hash algorithms to the
>> hashlib module: SHA3 (224, 256, 384, 512), SHAKE (SHA3 XOF 128, 256),
>> BLAKE2 (blake2b, blake2s) and truncated SHA512 (224, 256).
> 
> Do we really need ten?  I don't think the standard library is the place to offer all variants of hashing.  And we should avoid getting in a cycle of "this was just released by NIST" and "nobody uses that one anymore".  Is any one of them an emergent best practice (i.e. starting to be commonly used in network protocols because it is better, faster, stronger, etc)?
> 
> Your last message on https://bugs.python.org/issue16113 suggests that these aren't essential and that there is room for debate about whether some of them are standard-library worthy (i.e. we will have them around forever).
> 


I think that adding sha3 here is a net positive. While there isn’t a huge amount of things using it today, that’s largely because it’s fairly new— It’s a NIST standard so it won’t be long until things are using it. It would be surprising to me to be able to use sha1 and sha2 from the standard library, but not sha3.

SHAKE is really just SHA3 with some additional tweaks to the parameters. I think if you’re adding SHA3 it’s pretty easy to also add these, though I don’t think that it’s as important as adding SHA3 itself.

BLAKE2 is an interesting one, because while SHA3 is a NIST standard (so it’s going to gain adoption because of that), BLAKE2 is at least as strong as SHA3 but is better in many ways, particularly in speed— it’s actually faster than MD5 while being as secure as SHA3. This one I think is a good one to have in the standard library as well because it is all around a really great hash and a lot of things are starting to be built on top of it. In particularly I’d like to use this in PyPI and pip- but I can’t unless it’s in the standard library.

—
Donald Stufft

More information about the Python-Dev mailing list