In message <[EMAIL PROTECTED]>, Bram Cohen writes:
>On Mon, 4 Dec 2000, Bram Cohen wrote:
>>
>> [SHA-2 looks pretty good. What's your problem with it? --Perry]
>
>It's slow. It's fast enough for most applications, but then again so is
>3DES - either you care about speed or you don't, and if you do, SHA2 just
>doesn't rank up there with Rijndael.
>
What is your need for the hash function? I *thought* that this thread
was about converting pass phrases to keys, for which speed is
unimportant. If you're concerned about integrity checks a la HMAC --
yes, there's an issue, but it's bigger than just a good hash function.
Briefly, the folks who want to do really high-speed crypto in hardware
need new modes of operation. Feedback modes are not amenable to
parallel operation, so they can't be speeded up too much. Some people
suggest counter mode; apart from operational problems (there are not
improbable usage failure modes that gut its security), there are no
corresponding MAC functions that can run that fast. What is needed is
either a very fast, parallelizable MAC function, or a high-speed,
combined encryption/integrity mode of operation. There are proposals
on the table for the latter.
--Steve Bellovin
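An added illustration, not part of Bellovin's message or the thread: the
contrast between a feedback mode and counter mode that he is describing,
plus the nonce-reuse failure mode. The 16-byte block cipher below is a toy
4-round Feistel built on HMAC-SHA256 and stands in for Rijndael only so the
example runs with the standard library (an assumption, not a real cipher);
the key, IV, nonce and plaintexts are constructed sample data.

```python
# Added example, not code from the original message. The toy Feistel cipher
# is an assumed stand-in for a real block cipher such as Rijndael/AES.
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function: keyed PRF of (round index, right half), truncated to 8 bytes.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel on a 16-byte block (toy cipher, illustration only).
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, xor(L, _round(key, r, R))
    return L + R


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = xor(R, _round(key, r, L)), L
    return L + R


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Feedback mode: block i cannot start until ciphertext block i-1 exists,
    # so this loop is inherently serial (decryption, by contrast, is not).
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor(toy_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def ctr_block(key: bytes, nonce: bytes, i: int) -> bytes:
    # Keystream block i depends only on (nonce, i), so every block can be
    # computed independently: this is what makes counter mode parallelizable.
    return toy_encrypt(key, nonce + i.to_bytes(8, "big"))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes, workers: int = 4) -> bytes:
    # Encryption and decryption are the same operation; blocks run in parallel.
    n = (len(data) + BLOCK - 1) // BLOCK
    with ThreadPoolExecutor(max_workers=workers) as ex:
        ks = b"".join(ex.map(lambda i: ctr_block(key, nonce, i), range(n)))
    return xor(data, ks[:len(data)])


def ctr_decrypt_block(key: bytes, nonce: bytes, ct: bytes, i: int) -> bytes:
    # Random access: one block is recovered without touching any other.
    return xor(ct[i * BLOCK:(i + 1) * BLOCK], ctr_block(key, nonce, i))


def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    # The usage failure mode: reuse (key, nonce) for two messages and the
    # keystream cancels, so an eavesdropper learns p1 XOR p2 from ciphertext
    # alone. Nothing here detects modification either: CTR carries no integrity.
    c1 = ctr_crypt(key, nonce, p1)
    c2 = ctr_crypt(key, nonce, p2)
    return xor(c1, c2)


def demo() -> dict:
    key = b"k" * 32                              # constructed sample key
    iv = b"\x01" * BLOCK                         # constructed IV
    nonce = b"\x00" * 8                          # constructed nonce
    p1 = b"attack at dawn; regroup at noon!"     # constructed, 32 bytes
    p2 = b"retreat at dusk; regroup at noon"     # constructed, 32 bytes
    c_cbc = cbc_encrypt(key, iv, p1)
    c_ctr = ctr_crypt(key, nonce, p1)
    leak = ctr_nonce_reuse_leak(key, nonce, p1, p2)
    return {
        "cbc_roundtrip": cbc_decrypt(key, iv, c_cbc) == p1,
        "ctr_roundtrip": ctr_crypt(key, nonce, c_ctr) == p1,
        "ctr_block1": ctr_decrypt_block(key, nonce, c_ctr, 1) == p1[BLOCK:],
        "leak_is_p1_xor_p2": leak == xor(p1, p2),
        "p2_from_known_p1": xor(leak, p1) == p2,
    }


if __name__ == "__main__":
    print(demo())
```

The CBC loop carries `prev` from one iteration to the next, which is the
dependency that defeats parallel hardware; the CTR path hands independent
counters to a thread pool. The last two results in `demo()` show why the
mode's security rests entirely on never repeating a (key, nonce) pair: one
known plaintext under a reused nonce gives the other message outright.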