On 4/22/12, Tanja Lange <[email protected]> wrote: > In reply to the latest postings: > > Many submissions were faster than SHA-2 at the time of submission. Lots > of people had fun speeding up SHA-2 -- so the competition has definitely > led to a faster SHA-2. > > Also, check out > http://bench.cr.yp.to/graph-sha3/long.png > to see that on CPUs Blake is faster than SHA-2; for the bigger CPUs also > skein is faster than SHA-2, so there are efficiency benefits of the new > hash functions. Furthermore, whichever candidate is chosen as SHA-3 will > have a bigger security margin than SHA-2. >
SUPERCOP is one of my favorite web sites. Kudos to you and Dan for the great job. Indeed Blake and Skein are faster than SHA-2, but NOT SIGNIFICANTLY. MD5 is SIGNIFICANTLY faster than SHA-2, and terribly broken. Several other candidates (including CubeHash) are significantly faster than SHA-2 and they were "broken" with attacks requesting 2^170, 2^200, 2^380, 2^480 hash evaluations. So, on one hand we will have SHA-3 that is NOT significantly faster than SHA-2, and on the other hand we have expert opinions like that of Bart Preneel saying in his talk given at the Twelfth International Conference on Information and Communications Security ICICS 2010: "Now, we have learned that an improved MD design should include the following parts: Salt + Output transformation + Counter + Wide pipe." That is my sole point in this thread: I expect this gained knowledge to be used by other "rivals" of NIST, in order to endorse hash standards that will be as safe as SHA-3, but SIGNIFICANTLY faster than SHA-3. Regards, David Adamson Jr _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
