On Tue 2015-08-11 09:21:07 -0400, Peter Gutmann wrote:
What's the clear need for -512? By which I mean a demonstrated practical need
for a hash size of 64 bytes, not a hypothesised need given an imaginary
attack. I can see a need for SHA-256 (to replace SHA-1), but for something
like SHA3-512 all I can see are downsides (compared to SHA2-256).
Is your concern CPU time or bandwidth (network/storage) or something
else?
If it's CPU time: on some architectures SHA-512 implementations are
faster than SHA-256 implementations (except for digests of very short
messages):
0 dkg@alice:~$ openssl speed sha512 sha256
Doing sha256 for 3s on 16 size blocks: 9475191 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 5366754 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 2344003 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 715128 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 96700 sha256's in 3.00s
Doing sha512 for 3s on 16 size blocks: 7094449 sha512's in 3.00s
Doing sha512 for 3s on 64 size blocks: 7048926 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 2764993 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 972785 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 136283 sha512's in 3.00s
OpenSSL 1.0.2d 9 Jul 2015
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
-fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
-Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM
-DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha256 50534.35k 114490.75k 200021.59k 244097.02k 264055.47k
sha512 37837.06k 150377.09k 235946.07k 332043.95k 372143.45k
0 dkg@alice:~$
extra speed is hardly a downside. :)
--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp