[tor-dev] SHA-3 isn't looking so hot to me
Marsh Ray
marsh at extendedsubset.com
Fri Nov 4 16:07:22 UTC 2011
On 11/04/2011 08:01 AM, Robert Ransom wrote:
> On 2011-11-03, Jon Callas<joncallas at me.com> wrote:
>> However, the safe, sane thing to do is use SHA-256.
>
> SHA-256 sucks unnecessarily on 64-bit processors. Our fast relays are
> 64-bit.

It may be worth mentioning the newly-standardized SHA-512/256 here. This
is not a new function, it's "SHA-2". I.e., it's SHA-512 with a unique IV
and output truncated to 256 (or 224) bits.

> http://csrc.nist.gov/publications/drafts/fips180-4/FRN_Draft-FIPS180-4.pdf

SHA-512 is based on 64-bit integer operations and seems to run a bit
faster than SHA-256 on 64-bit processors. It looks quite competitive
with even the SHA-3 candidates and no less conservative for security.

Of course, whether or not it's better to be faster on 32-bit CPUs or
64-bit CPUs is another interesting discussion. Given the complex cache
and bus organization on modern chips, my guess is that a design decision
like CELL_LEN=512 is likely to have as much of an effect on overall
throughput as a difference of a half-dozen clocks per byte in the hash
function.

- Marsh