Tony,
"HANSEN, TONY L" <tony(_at_)att(_dot_)com> writes:
(This is probably old info for some of you.)
From my analysis, the difference in speed between sha2-256 and
sha2-512 is directly because of the use of 32-bit arithmetic vs 64-bit
arithmetic. The algorithms are essentially identical, not counting the
underlying constants. On machines where 64-bit arithmetic is faster
than 32-bit arithmetic, sha2-512 will be faster than sha2-256. On
machines where 32-bit arithmetic is faster than 64-bit arithmetic,
sha2-256 will be faster than sha2-512.
That's nice.
I'm working on systems which are 16-bit or even 8-bit wide, with clock
speeds in the single or low-double-digit MegaHertz. Yes, I'm running
(parts of) OpenPGP in these environments. This is why I'm arguing for
SHA-256. Because sure, if you're running at 2.4GHz and you need to take
an extra million cycles you'll never notice, but if you're running at
16MHz ... OUCH.
On 8-bit or 16-bit machines,
you’re going to be emulating either 32-bit arithmetic or emulating
64-bit arithmetic; usually the 32-bit arithmetic will be faster. :-)
Exactly. So what's the actual wall-clock difference of 256 vs 512 on
an Intel 64 running at 2.2GHz? Well, just for kicks I decided to run an
openssl speed test on my laptop (Intel(R) Core(TM) i7-4800MQ CPU @
2.70GHz) and this is what I get:
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha256 79196.40k 177603.09k 319138.68k 406628.35k 438559.68k
sha512 51763.29k 206704.67k 366123.95k 555307.69k 647932.40k
As you can see, sha256 is faster on small inputs, but by 64 bytes of
input sha512 gets to be a tad faster. For what we're talking about here
we're probably between the 64 and 256 byte marks, where they look pretty
equal on this nice, cushy 2.7GHz 64-bit i7 CPU (177-319 vs 206-366
MB/sec, or kB/ms). So basically, assuming 100B of data to be hashed,
we're talking about 349-403us a 15% speed difference (only 54us
difference). I don't think anyone would notice an extra 54us.
Alas, I don't have an MSP430 at my fingertips to run a similar test, but
I suspect the difference is significantly more. For one thing the clock
speed is only around 16-24MHz, not 2.7GHz. To make the math easy, let's
call it 27MHz. So all else being equal (which it isn't, being a 16-bit
platform and not a 64-bit platform), accounting *JUST* for the clock
speed we're talking a 100x speed difference, or 5.4ms.
But of course all else ISN'T the same, so we probably are talking a good
20-50ms speed difference, which *IS* noticible. I'll see if I can get
some actual numbers on the MSP430, but I'm traveling the next couple
days and don't have my dev board with me so it might not happen quickly.
But even if we agree that the difference is only 25ms, I'd rather save
that 25ms on the MSP430 at the expense of 54us extra on a 3-year-old
Intel laptop.
Sure, if everyone is running Intel 64 I wouldn't question the choice.
If the difference between was under a millisecond I wouldn't care. But
that's not the world I'm living in, but it's the world I'd like to
deploy (parts) of OpenPGP. I'd love to have a 32-bit system running in
the GHz at my disposal.
-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp