
Re: [tor-dev] SHA-3 isn't looking so hot to me




On 11/04/2011 08:01 AM, Robert Ransom wrote:
> On 2011-11-03, Jon Callas <joncallas@xxxxxx> wrote:
>> However, the safe, sane thing to do is use SHA-256.
>
> SHA-256 sucks unnecessarily on 64-bit processors.  Our fast relays are
> 64-bit.

It may be worth mentioning the newly-standardized SHA-512/256 here. This is not a new function, it's "SHA-2". I.e., it's SHA-512 with a unique IV and output truncated to 256 (or 224) bits.
http://csrc.nist.gov/publications/drafts/fips180-4/FRN_Draft-FIPS180-4.pdf

SHA-512 is based on 64-bit integer operations and seems to run a bit faster than SHA-256 on 64-bit processors. It looks quite competitive with even the SHA-3 candidates and no less conservative for security.

Of course, whether or not it's better to be faster on 32-bit CPUs or 64-bit CPUs is another interesting discussion. Given the complex cache and bus organization on modern chips, my guess is that a design decision like CELL_LEN=512 is likely to have as much of an effect on overall throughput as a difference of a half-dozen clocks per byte in the hash function.

- Marsh