For what it is worth, I would probably prefer Poly1305-AES over HMAC if I were needing message integrity. I don't know if I would prefer Poly1305-AES over using an integrated-integrity mode like GCM.
On Wed, Nov 2, 2011 at 2:20 AM, Markku-Juhani O. Saarinen <mjos@reveresecurity.com> wrote:
> As a hash function researcher I would personally select SHA-512 with the digest truncated to the required number of bits as an interim solution. SHA-512/256 tends to be faster than SHA-256 in software.
I like this suggestion because it seems very safe.
However, it isn't the full story to say that SHA-512 tends to be faster than SHA-256 in software. That's true for 64-bit chips, but untrue for 32-bit.
According to [1], while SHA-512 requires only about 2/3 as many CPU cycles as SHA-256 on a powerful Sandy Bridge server chip ("sandy0"), it requires 4 times as many CPU cycles on a 32-bit ARM ("gcc33"). As I've argued recently on this list, it might not matter whether hashing your 4096-byte packet on one core of a powerful server (sandy0) takes 15 μsec (SHA-512) or 22 μsec (SHA-256), but it might matter whether hashing it on a cheap, power-efficient embedded chip (gcc33) takes 120 μsec (SHA-256) or 481 μsec (SHA-512).
On the other hand, maybe ~500 μsec time spent hashing per packet is good enough on Freedom Boxes, smart phones, and ARM servers [2], and the added safety of SHA-512/256 vs. SHA-256 would be worth it.
Regards,
Zooko
[1] http://bench.cr.yp.to/results-hash.html
[2] http://www.pcworld.com/article/242946/calxedas_chip_boosts_arms_server_fight...
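An added example, not part of this thread, that lets a reader repeat the comparison above on their own hardware: Saarinen's truncated SHA-512 beside SHA-256 over a 4096-byte packet, reporting microseconds per packet and the SHA-512 : SHA-256 ratio Zooko quotes for sandy0 and gcc33. The packet contents and iteration counts are constructed; the truncation is plain slicing of the SHA-512 digest, which is the interim proposal quoted, not FIPS SHA-512/256.

```python
import hashlib
import platform
import sys
import time

PACKET_LEN = 4096  # the 4096-byte packet size discussed in the message


def sha512_trunc256(data: bytes) -> bytes:
    """Saarinen's interim proposal: SHA-512 with the digest truncated to 256 bits.

    This is plain truncation of the SHA-512 output. It is not FIPS 180-4
    SHA-512/256, which uses distinct initial hash values and so yields
    different digests, although its per-byte cost is the same.
    """
    return hashlib.sha512(data).digest()[:32]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def usec_per_packet(hash_fn, packet: bytes, iterations: int = 2000) -> float:
    """Best-of-5 wall-clock time, in microseconds, to hash one packet."""
    best = float("inf")
    for _ in range(5):
        start = time.perf_counter()
        for _ in range(iterations):
            hash_fn(packet)
        best = min(best, (time.perf_counter() - start) / iterations)
    return best * 1e6


def compare(packet: bytes = b"\x5a" * PACKET_LEN, iterations: int = 2000) -> dict:
    """Time both candidates on this machine and report the SHA-512 : SHA-256 ratio.

    A ratio well below 1 matches the 64-bit server figures (sandy0) in the
    message; a ratio well above 1 matches its 32-bit ARM figures (gcc33).
    """
    t256 = usec_per_packet(sha256, packet, iterations)
    t512 = usec_per_packet(sha512_trunc256, packet, iterations)
    return {
        "machine": platform.machine(),
        "pointer_bits": 64 if sys.maxsize > 2**32 else 32,
        "sha256_usec": t256,
        "sha512_trunc256_usec": t512,
        "ratio_sha512_to_sha256": t512 / t256,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```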