Thanks for the news about the planned NIST-sponsored hash function competition. I'm glad to hear that it is in the works.

Yesterday I profiled my on-line data backup application [1] and discovered that for certain operations one third of the time is spent in SHA-1. For that reason, I've been musing about the possibility of switching away from SHA-1. Not to SHA-256 or SHA-512, but to Tiger.

The implementation of Tiger in Crypto++ on Opteron is more than twice as fast as SHA-1 and almost four times as fast as SHA-256 [2].

I hope that the hash function designers will be aware that hash functions are being used in more and more contexts outside of the traditional digital signatures and MACs. These new contexts include filesystems like ZFS [3], decentralized revision control systems like Monotone [4], git [5], mercurial [6] and bazaar-ng [7], and peer-to-peer file-sharing systems such as Direct Connect, Gnutella, and Bitzi [6].

The AES competition resulted in a block cipher that was faster as well as safer than the previous standards. I hope that the next generation of hash functions achieve something similar, because for my use cases speed in a hash function is more important than speed in encryption.

By the way, the traditional practice of using a hash function as a component of a MAC should, in my humble opinion, be retired in favor of the Carter-Wegman alternative such as Poly-1305 AES [7].



[1] http://allmydata.com/
[2] http://www.eskimo.com/~weidai/amd64-benchmarks.html
[3] http://www.opensolaris.org/os/community/zfs/
    ZFS offers the option of performing a SHA-256 on every block of data
    on every access.  The default setting is to use a non-cryptographic
    256-bit checksum instead.
[4] http://www.venge.net/monotone/
[5] http://git.or.cz/
[6] http://en.wikipedia.org/wiki/Tiger_(hash)
[7] http://cr.yp.to/mac.html

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to