On 1/9/2014 9:34 AM, Peter Gutmann wrote:
> What extra security does -512 give you that -256 doesn't? I mean actual
> security against real threats, rather than just "it has a bigger number so it
> must be better"?

According to NIST SP 800-57, only SHA-512 can provide a security strength of 256 bits, while SHA-256 can only provide 128 bits. I am not an expert on crypto, but at least it is what it said.

> SHA-512 certainly leads to a loss in performance when used as a MAC
> and you have to attach 64 bytes of MAC to a ten-byte payload.

I just did a Google search again. One analysis is that SHA-256 and SHA-512 have a block size of 32 bits and 64 bits respectively. On a 64-bit processor, the arithmetic operations can be performed in the same number of clock cycles as either 32-bit or 64-bit operations. Therefore, when working on a 64-bit message, SHA-256 requires two block operations (each performing 64 iterations of arithmetic operations). SHA-512 requires only one block operation (performing 80 iterations of arithmetic operations). It also estimates that when performing operations on a 64-bit (8-byte) message, SHA-512 is about 17% faster, and performance levels out with a message size of 4096 bits (512 bytes) at about 53% faster.

> In addition the
> need to have 64-bit op support makes SHA-512 suck on 32-bit systems, which is
> most of the embedded world.

Yes, this is a real concern.

Man

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
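A way to check the block-count and MAC-size points discussed in this message, as an added example that is not part of the original post. It assumes the FIPS 180-4 parameters (64-byte blocks and 64 rounds for SHA-256, 128-byte blocks and 80 rounds for SHA-512); the function names are hypothetical, and the timing helper only reports what the local CPU and hash library do.

```python
import hashlib
import hmac
import timeit

# Assumed from FIPS 180-4: (block bytes, length-field bytes, rounds per block)
PARAMS = {
    "sha256": (64, 8, 64),
    "sha512": (128, 16, 80),
}


def blocks(alg, msg_len):
    """Compression-function calls needed to hash a msg_len-byte message."""
    block, length_field, _ = PARAMS[alg]
    # Padding is one 0x80 byte, zero fill, then the message-length field.
    return (msg_len + 1 + length_field + block - 1) // block


def rounds(alg, msg_len):
    """Total round iterations across all blocks of the padded message."""
    return blocks(alg, msg_len) * PARAMS[alg][2]


def mac_tag_len(alg, payload=b"0123456789", key=b"\x01" * 32):
    """Length in bytes of an untruncated HMAC tag (constructed key/payload)."""
    return len(hmac.new(key, payload, alg).digest())


def throughput(alg, msg_len, number=2000):
    """Measured bytes per second for one-shot hashing on this machine."""
    data = b"\x00" * msg_len
    elapsed = timeit.timeit(lambda: hashlib.new(alg, data).digest(),
                            number=number)
    return msg_len * number / elapsed


if __name__ == "__main__":
    print("len  alg     blocks rounds MB/s")
    for n in (8, 55, 56, 512, 4096):
        for alg in ("sha256", "sha512"):
            print(f"{n:<4} {alg}  {blocks(alg, n):>5} {rounds(alg, n):>6} "
                  f"{throughput(alg, n) / 1e6:8.1f}")
    for alg in ("sha256", "sha512"):
        print(f"HMAC-{alg} tag on a 10-byte payload: {mac_tag_len(alg)} bytes")
```

Measured throughput depends on the CPU (word size, SHA instruction extensions) and on how the hash library was built, so compare the printed rates on the target platform rather than relying on the round counts alone.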

