ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] SHA3 algorithm ids.

2015-08-11 11:14:30
from [Daniel Kahn Gillmor] [Permanent Link] 
On Tue 2015-08-11 09:21:07 -0400, Peter Gutmann wrote:

What's the clear need for -512?  By which I mean a demonstrated practical need
for a hash size of 64 bytes, not a hypothesised need given an imaginary
attack.  I can see a need for SHA-256 (to replace SHA-1), but for something
like SHA3-512 all I can see are downsides (compared to SHA2-256).


Is your concern CPU time or bandwidth (network/storage) or something
else?

If it's CPU time: on some architectures SHA-512 implementations are
faster than SHA-256 implementations (except for digests of very short
messages):

0 dkg@alice:~$ openssl speed sha512 sha256
Doing sha256 for 3s on 16 size blocks: 9475191 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 5366754 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 2344003 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 715128 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 96700 sha256's in 3.00s
Doing sha512 for 3s on 16 size blocks: 7094449 sha512's in 3.00s
Doing sha512 for 3s on 64 size blocks: 7048926 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 2764993 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 972785 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 136283 sha512's in 3.00s
OpenSSL 1.0.2d 9 Jul 2015
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 
-fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 
-Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
-DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           50534.35k   114490.75k   200021.59k   244097.02k   264055.47k
sha512           37837.06k   150377.09k   235946.07k   332043.95k   372143.45k
0 dkg@alice:~$ 

extra speed is hardly a downside. :)

   --dkg

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] SHA3 algorithm ids., Werner Koch
Next by Date:  Re: [openpgp] SHA3 algorithm ids., Daniel Kahn Gillmor
Previous by Thread:  Re: [openpgp] WWhy or why not SHA{2, 3}-512 (was: SHA3 algorithm ids), Phillip Hallam-Baker
Next by Thread:  Re: [openpgp] SHA3 algorithm ids., Peter Gutmann
Indexes:  [Date] [Thread] [Top] [All Lists]