On 4/22/12, Tanja Lange <[email protected]> wrote:
> In reply to the latest postings:
>
> Many submissions were faster than SHA-2 at the time of submission. Lots
> of people had fun speeding up SHA-2 -- so the competition has definitely
> led to a faster SHA-2.
>
> Also, check out
>       http://bench.cr.yp.to/graph-sha3/long.png
> to see that on CPUs Blake is faster than SHA-2; for the bigger CPUs also
> skein is faster than SHA-2, so there are efficiency benefits of the new
> hash functions. Furthermore, whichever candidate is chosen as SHA-3 will
> have a bigger security margin than SHA-2.
>       

SUPERCOP is one of my favorite web sites. Kudos to you and Dan for the
great job.
Indeed Blake and Skein are faster than SHA-2, but NOT SIGNIFICANTLY.

MD5 is SIGNIFICANTLY faster than SHA-2, and terribly broken. Several
other candidates (including CubeHash) are significantly faster than
SHA-2 and they were "broken" with attacks requesting 2^170, 2^200,
2^380, 2^480 hash evaluations.

So, on one hand we will have SHA-3 that is NOT significantly faster
than SHA-2, and on the other hand we have expert opinions like that of
Bart Preneel saying in his talk given at the Twelfth International
Conference on Information and Communications Security ICICS 2010:
"Now, we have learned that an improved MD design should include the
following parts: Salt + Output transformation + Counter + Wide pipe."

That is my sole point in this thread: I expect this gained knowledge
to be used by other "rivals" of NIST, in order to endorse hash
standards that will be as safe as SHA-3, but SIGNIFICANTLY faster than
SHA-3.

Regards,
David Adamson Jr
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to