[tor-dev] SHA-3 isn't looking so hot to me (was: Draft sketch document with ideas for future crypto ops)

Watson Ladd watsonbladd at gmail.com
Tue Nov 1 19:36:03 UTC 2011

On Tue, Nov 1, 2011 at 12:46 PM, Zooko O'Whielacronx <zooko at zooko.com> wrote:
> On Tue, Nov 1, 2011 at 9:30 AM, Marsh Ray <marsh at extendedsubset.com> wrote:
> > I too have been following the development of SHA-3 and will toss in my 2c here.

> Although the SHA-3 designers have indeed tried to optimize for that, I
> think SHA-256 is actually still better. See Fig. 17 of
> http://eprint.iacr.org/2009/510.pdf .

Its wonderful that you provided references, and even told me what
diagram to look for.
But figure 17 has every finalist other then Skein outperforming SHA2
in hardware (last column is bits per second), and that was optimizing
for speed. In the case of Keccak, that performance is impressively
greater. Its possible at the 512 level these reverse, but I don't see
that in there.
Watson Ladd

> Below my signature is just me quoting a few of the points you made. :-)
> Regards,
> Zooko
> > Agreed, SHA-3 will fix some problems. Some of these things we've been
> > working around so long that they seem normal.
>> > There's sometimes also a benefit of being with the current NIST
> > recommendation. I suspect more users will migrate off of SHA-1 to SHA-3 than
> > they will to SHA-2.
>> > NIST may eventually 'deprecate' SHA-2 in favor of SHA-3 due to just the
> > length extension issue. Which is not to say that I think there's a real
> > problem using SHA-2 correctly, only that you may end up having to explain
> > repeatedly why it's not a problem.
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

More information about the tor-dev mailing list