[tor-dev] SHA-3 isn't looking so hot to me

Zooko O'Whielacronx zooko at zooko.com
Wed Nov 2 16:18:22 UTC 2011

For what it is worth, I would probably prefer Poly1305-AES over HMAC
if I were needing message integrity. I don't know if I would prefer
Poly1305-AES over using an integrated-integrity mode like GCM.

On Wed, Nov 2, 2011 at 2:20 AM, Markku-Juhani O. Saarinen
<mjos at reveresecurity.com> wrote:
> As a hash function researcher I would personally select SHA-512 with
> digest truncated to required number of bits as an interim solution.
> SHA-512/256 tends to be faster than SHA-256 in software.

I like this suggestion because it seems very safe.

However, it isn't the full story to say that SHA-512 tends to be
faster than SHA-256 in software. That's true for 64-bit chips, but
untrue for 32-bit.

According to [1], while SHA-512 requires only about 2/3 as many CPU
cycles as SHA-256 on a powerful Sandy Bridge server chip ("sandy0"),
it requires 4 times as many CPU cycles on a 32-bit ARM ("gcc33"). As
I've argued recently on this list, it might not matter whether hashing
your 4096-byte packet on one core of a powerful server (sandy0) takes
15 μsec (SHA-512) or 22 μsec (SHA-256), but it might matter whether
hashing it on a cheap, power-efficient embedded chip (gcc33) takes
120 μsec (SHA-256) or 481 μsec (SHA-512).

On the other hand, maybe ~500 μsec time spent hashing per packet is
good enough on Freedom Boxes, smart phones, and ARM servers [2], and
the added safety of SHA-512/256 vs. SHA-256 would be worth it.

[1] http://bench.cr.yp.to/results-hash.html
[2] http://www.pcworld.com/article/242946/calxedas_chip_boosts_arms_server_fight_with_intel.html
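An added example, not code from Zooko's post or from Tor: it implements the "SHA-512 truncated to the required number of bits" construction quoted above and times it against SHA-256 per 4096-byte packet on whatever machine runs it, so the 64-bit versus 32-bit gap described in the post can be checked locally. The packet contents, PACKET_SIZE and the function names are my assumptions.

```python
import hashlib
import os
import time

PACKET_SIZE = 4096  # packet size used in the post's comparison


def truncated_sha512(data: bytes, nbits: int = 256) -> bytes:
    """SHA-512 with the digest cut to nbits, as in the quoted suggestion.

    This is plain truncation. It is NOT the standardized SHA-512/256 of
    FIPS 180-4, which uses different initial hash values and therefore
    produces different output for the same input.
    """
    if nbits % 8 or not 0 < nbits <= 512:
        raise ValueError("nbits must be a multiple of 8 in (0, 512]")
    return hashlib.sha512(data).digest()[: nbits // 8]


def usec_per_packet(hash_fn, packets: int = 2000) -> float:
    """Average microseconds to hash one PACKET_SIZE-byte packet on this host."""
    data = os.urandom(PACKET_SIZE)  # constructed sample packet
    hash_fn(data)  # warm-up call, not timed
    start = time.perf_counter()
    for _ in range(packets):
        hash_fn(data)
    return (time.perf_counter() - start) / packets * 1e6


def compare() -> dict:
    """Time SHA-256 against truncated SHA-512; return both figures and the ratio."""
    t256 = usec_per_packet(lambda d: hashlib.sha256(d).digest())
    t512 = usec_per_packet(truncated_sha512)
    return {"sha256_usec": t256,
            "sha512_256_usec": t512,
            "ratio_512_over_256": t512 / t256}


if __name__ == "__main__":
    r = compare()
    print(f"SHA-256:                  {r['sha256_usec']:.1f} usec/packet")
    print(f"SHA-512 truncated to 256: {r['sha512_256_usec']:.1f} usec/packet")
    print(f"ratio SHA-512 / SHA-256:  {r['ratio_512_over_256']:.2f}")
```

On a 64-bit host the ratio should come out below 1, matching the "sandy0" row Zooko cites; on a 32-bit ARM it should come out well above 1.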