[tor-dev] SHA-3 isn't looking so hot to me

Marsh Ray marsh at extendedsubset.com
Fri Nov 4 16:07:22 UTC 2011

On 11/04/2011 08:01 AM, Robert Ransom wrote:
> On 2011-11-03, Jon Callas<joncallas at me.com>  wrote:
>> However, the safe, sane thing to do is use SHA-256.
> SHA-256 sucks unnecessarily on 64-bit processors.  Our fast relays are
> 64-bit.

It may be worth mentioning the newly-standardized SHA-512/256 here. This 
is not a new function, it's "SHA-2". I.e., it's SHA-512 with a unique IV 
and output truncated to 256 (or 224) bits.
> http://csrc.nist.gov/publications/drafts/fips180-4/FRN_Draft-FIPS180-4.pdf

SHA-512 is based on 64-bit integer operations and seems to run a bit 
faster than SHA-256 on 64-bit processors. It looks quite competitive 
with even the SHA-3 candidates and no less conservative for security.

Of course, whether or not it's better to be faster on 32-bit CPUs or 
64-bit CPUs is another interesting discussion. Given the complex cache 
and bus organization on modern chips, my guess is that a design decision 
like CELL_LEN=512 is likely to have as much of an effect on overall 
throughput as a difference of a half-dozen clocks per byte in the hash 

- Marsh
