On 11/04/2011 08:01 AM, Robert Ransom wrote:
> On 2011-11-03, Jon Callas <joncallas@me.com> wrote:
>> However, the safe, sane thing to do is use SHA-256.
> SHA-256 sucks unnecessarily on 64-bit processors. Our fast relays are 64-bit.
It may be worth mentioning the newly-standardized SHA-512/256 here. This is not a new function, it's "SHA-2". I.e., it's SHA-512 with a unique IV and output truncated to 256 (or 224) bits.
http://csrc.nist.gov/publications/drafts/fips180-4/FRN_Draft-FIPS180-4.pdf
SHA-512 is based on 64-bit integer operations and seems to run a bit faster than SHA-256 on 64-bit processors. It looks quite competitive with even the SHA-3 candidates and no less conservative for security.
Of course, whether or not it's better to be faster on 32-bit CPUs or 64-bit CPUs is another interesting discussion. Given the complex cache and bus organization on modern chips, my guess is that a design decision like CELL_LEN=512 is likely to have as much of an effect on overall throughput as a difference of a half-dozen clocks per byte in the hash function.
- Marsh
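The SHA-512/t construction Marsh describes, as an added worked example that is not part of the thread or of any Tor code: a from-scratch SHA-512 whose IV and round constants are derived the way FIPS 180-4 defines them (fraction bits of square and cube roots of the first primes), the SHA-512/t IV generation function (standard IV XORed with a5..a5, then SHA-512 over the ASCII string "SHA-512/t"), and the truncation step. The function names (sha512_with_iv, sha512_t_iv, sha512_t, self_check) are my own; the cross-check against hashlib's OpenSSL-backed sha512_256 only runs where that build exposes it.

```python
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1


def _first_primes(n):
    """First n primes by trial division (n = 80 here, so this is cheap)."""
    primes = []
    c = 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes


def _icbrt(n):
    """Exact floor(cbrt(n)) for a non-negative int via integer Newton steps."""
    x = 1 << ((n.bit_length() + 2) // 3)  # starts at or above the true root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x * x * x > n:                    # guard against an off-by-one
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


_PRIMES = _first_primes(80)
# FIPS 180-4 5.3.5: SHA-512 IV = first 64 fraction bits of sqrt(p), p = 2..19.
IV_SHA512 = tuple(math.isqrt(p << 128) & MASK64 for p in _PRIMES[:8])
# FIPS 180-4 4.2.3: K[t] = first 64 fraction bits of cbrt(p) for the first 80 primes.
K = tuple(_icbrt(p << 192) & MASK64 for p in _PRIMES)


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def _pad(msg):
    """0x80, zeros up to 112 mod 128, then the bit length as 128-bit big-endian."""
    bit_len = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((112 - len(msg) - 1) % 128)
    return msg + bit_len.to_bytes(16, "big")


def _compress(padded, iv):
    """SHA-512 compression over every 128-byte block, starting from iv."""
    h = list(iv)
    for off in range(0, len(padded), 128):
        w = list(struct.unpack(">16Q", padded[off:off + 128]))
        for t in range(16, 80):
            s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):
            big1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
            t1 = (hh + big1 + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64
            big0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
            t2 = (big0 + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
            hh, g, f, e = g, f, e, (d + t1) & MASK64
            d, c, b, a = c, b, a, (t1 + t2) & MASK64
        h = [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return tuple(h)


def sha512_with_iv(msg, iv):
    return b"".join(struct.pack(">Q", x) for x in _compress(_pad(msg), iv))


def sha512(msg):
    return sha512_with_iv(msg, IV_SHA512)


def sha512_t_iv(t):
    """FIPS 180-4 5.3.6 IV generation: SHA-512 from the a5-tweaked IV over "SHA-512/t"."""
    if not 0 < t < 512 or t == 384:
        raise ValueError("t must be in 1..511 and not 384")
    tweaked = tuple(x ^ 0xA5A5A5A5A5A5A5A5 for x in IV_SHA512)
    return struct.unpack(">8Q", sha512_with_iv(("SHA-512/%d" % t).encode("ascii"), tweaked))


def sha512_t(msg, t):
    """SHA-512/t: ordinary SHA-512 from the t-specific IV, leftmost t bits kept."""
    if t % 8:
        raise ValueError("this helper only emits whole bytes")
    return sha512_with_iv(msg, sha512_t_iv(t))[: t // 8]


def self_check():
    """Compare with OpenSSL via hashlib; sha512_256 is skipped if the build lacks it."""
    msgs = (b"", b"abc", b"a" * 1000)  # constructed inputs: empty, short, multi-block
    ok = all(sha512(m) == hashlib.sha512(m).digest() for m in msgs)
    if "sha512_256" in hashlib.algorithms_available:
        ok = ok and all(sha512_t(m, 256) == hashlib.new("sha512_256", m).digest() for m in msgs)
    return ok


if __name__ == "__main__":
    print("SHA-512/256(abc) =", sha512_t(b"abc", 256).hex())
    print("self-check against hashlib:", self_check())
```

The point of deriving the IV rather than pasting it is that it shows why SHA-512/256 is not the same thing as "take SHA-512 and keep 32 bytes": the distinct starting state means the two outputs are unrelated, so a truncated SHA-512 digest cannot be mistaken for a SHA-512/256 digest of the same data (and vice versa), and a length-extension on the 512-bit output tells you nothing about the 256-bit one.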