
The review of Hash2 by Peter Dimov and Christian Mazakas begins
Christopher's Review. DISCLAIMER: I know the review manager. I highly respect Matt as a person and through his open-source work. Furthermore, I work in a dedicated fashion with Matt on new, potentially upcoming Boost-like projects. I do not receive any open-source money. I operate as a self-funded, independent researcher in FOSS. Here is my review of the proposed Boost.Hash2 - What is your evaluation of the design? Exceptional. It is clean with terse, well-deocumented code. The design addresses a sorely neglected area in C/C++ programming and makes strong, decisive strides to move forward. - What is your evaluation of the implementation? It's simply fantastic. And I will qualify this further below. - What is your evaluation of the documentation? It is fine and I could use the library immediately within about 3 minutes. - What is your evaluation of the potential usefulness of the library? Do you already use it in industry? The library is highly useful. At the moment, it lacks some of the extreme quality aspects that my industrial area would mandate. But it is not far off from becoming a viable secure component. I'd be willing to work toward improving it with the authors. What I'd like to see short-term: * Handle enhanced compiler warnings. * Include a subset of NIST testing. * Fuzzing run(s) on some hashes in CI. * I think SHA-3 is worthy of inclusion. - Did you try to use the library? With which compiler(s)? Did you have any problems? Yes. I performed a whole slew of PC-based tests with the standard vanilla compiler crew including GCC, VC, clang in a few versions. Given the (already) extremely well-tested functionality of Hash2, there were no problems. But here comes the fun part. When I studied the implementation it seemed highly portable. So I put it onto several embedded bare-metal systems. The code compiled and ran on 32-bit microcontrollers and even ran on an 8-bit controller. Rarely do we find such portability and quality in Boost-proposed libraries, or anywhere for that matter. Kudos on a job well done! I can provide ROM-sizes and microsecond run-time comparisons if needed. - How much effort did you put into your evaluation? A glance? A quick reading? In-depth study? An in-depth study. - Are you knowledgeable about the problem domain? Over the decades, my "day-job" has involved delivery of hundreds of millions of high-volume, safety-critical devices, mostly having some kind of crypto in them. I think I'm somewhat knowledgeable in this area. I've had determining roles including library author, library client, security auditor and also specified the commercial acquisition of numerous libraries and silicon vendor crypto-accelerators. Ensure to explicitly include with your review: ACCEPT, REJECT, or CONDITIONAL ACCEPT (with acceptance conditions). I vote to unconditionaly ACCEPT Hash2. Thank you to the authors forthis seminal work and bold step forward. Thanks Matt for managing this rich and lively review. Kind regards, Christopher Kormanyos On Tuesday, December 10, 2024 at 02:56:10 PM GMT+1, Matt Borland via Boost <boost@lists.boost.org> wrote:
I have read over the documentation for the Hash2 library, and what follows are my notes.
Peter, thank you for the documentation review. I always find these beneficial. Matt _______________________________________________ Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost