Hashing messages with lengths between 32 and 128 bytes is one of the most important practical issues (was Re: the skein hash function)

2010-07-30 Thread Paul
Bill Stewart wrote:
Sent: Thursday, October 30, 2008 7:30 AM
To: Cryptography List
Subject: Re: the skein hash function

Snip
 So if Skein becomes popular, ASIC accelerator hardware
 may be practical for higher-speed applications.


I see another strong point for Skein:

Deterministically generated and cryptographically strong random numbers
are used in tens of NIST Approved Algorithms. They are constructed by
using an approved hash algorithm, and there, hashing is performed over
relatively short messages from 32 to 128 bytes.
Some examples where approved hash algorithms are used (directly or
indirectly):
1. Approved algorithms for digital signatures.
2. FIPS 196, Entity Authentication Using Public Key Cryptography.
3. Special Publication 800-108. Recommendation for Key Derivation Using
Pseudorandom Functions
4. SP 800-57, Part 3 Recommendation for Key Management - Part 3:
Application-Specific Key Management Guidance (especially recommendations
for selected set of applications: PKI, IPsec, TLS, S/MIME, Kerberos,
OTAR, DNSSEC and Encrypted File Systems)

Additionally, millions of secure web servers are constantly producing
cryptographically strong random numbers that are generated by Fortuna or
similar algorithms where hashing is also performed over short messages
of 32 to 128 bytes.

While the performance of future SHA-3 over long messages is very
important, the performance of SHA-3 for hashing messages with lengths
between 32 and 128 bytes is even more important from a practical point of
view.

Analyzing eBASH measurements for hashing messages of just 64 bytes gives
us a totally different picture of the usefulness of the proposed SHA-3
candidates than the picture that we have for hashing long messages.

Take for example the measurements of the cobra system (measurements from
supercop-20100726) in 64-bit mode, AND FOR 64-byte messages (actually
measurements are very similar on all 64-bit machines).
The ranking of 14 SHA-3 candidates is:

1.  17.44   skein512
2.  18.94   bmw512
3.  21.38   bmw256
4.  23.81   blake32
5.  24.75   blake64
6.  28.31   simd256
7.  30.38   keccakc512
8.  30.56   keccak
9.  31.88   luffa256
10. 35.25   jh384
11. 35.62   jh256
12. 35.62   jh224
13. 35.62   jh512
14. 38.25   shabal512
15. 42.38   hamsi
16. 43.69   luffa384
17. 48.75   shavite3256
18. 56.25   simd512
19. 57.38   groestl256
20. 66.00   luffa512
21. 87.56   cubehash1632
22. 88.69   echo256
23. 93.56   shavite3512
24. 100.69  groestl512
25. 106.69  fugue256
26. 111.38  echo512



Regards,
-- 
  Paul
  paulcrossb...@123mail.org


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
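Paul's point is that at 32 to 128 bytes the cost of a hash call is set by how many fixed-size blocks the padded message occupies, not by the long-message throughput eBASH usually quotes. The Python below is an added example (not code from the thread or from eBASH/SUPERCOP): it counts compression or permutation calls for SHA-2, SHA-3 and Skein-512 from their block sizes and padding rules, and times hashlib on short versus long messages; the Skein formula is my reading of the Skein 1.x spec (zero-padded message blocks plus one output block, config block precomputed) and is an assumption, not a measured figure.

```python
"""Block counts and rough timings for short-message hashing (added example)."""
import hashlib
import time

# Merkle-Damgard hashes: (block size, minimum padding bytes).
# SHA-2 appends 0x80 plus an 8-byte (SHA-256) or 16-byte (SHA-512) length.
MD_PARAMS = {"sha256": (64, 9), "sha512": (128, 17)}
# Sponge hashes: rate in bytes; pad10*1 needs at least one byte.
SPONGE_RATE = {"sha3_256": 136, "sha3_512": 72}
SKEIN_BLOCK = 64  # Skein-512 processes 64-byte blocks (assumed model, see lead-in)

def md_blocks(msg_len, block, min_pad):
    """Compression-function calls for a Merkle-Damgard hash."""
    return (msg_len + min_pad + block - 1) // block

def sponge_blocks(msg_len, rate):
    """Permutation calls during absorption for a sponge hash."""
    return (msg_len + 1 + rate - 1) // rate

def skein512_blocks(msg_len):
    """Threefish calls: zero-padded message blocks (at least one) plus one
    output block; the config block is assumed precomputed (assumption)."""
    return max(1, (msg_len + SKEIN_BLOCK - 1) // SKEIN_BLOCK) + 1

def blocks_for(name, msg_len):
    """Dispatch on the hash family; unknown names raise KeyError."""
    if name in MD_PARAMS:
        return md_blocks(msg_len, *MD_PARAMS[name])
    if name in SPONGE_RATE:
        return sponge_blocks(msg_len, SPONGE_RATE[name])
    if name == "skein512":
        return skein512_blocks(msg_len)
    raise KeyError(name)

def cost_per_byte(name, msg_len, iters=20000):
    """Wall-clock nanoseconds per byte for hashlib on msg_len-byte messages
    (constructed input; absolute numbers depend on the machine)."""
    data = (bytes(range(256)) * (msg_len // 256 + 1))[:msg_len]
    h = getattr(hashlib, name)
    start = time.perf_counter_ns()
    for _ in range(iters):
        h(data).digest()
    return (time.perf_counter_ns() - start) / (iters * msg_len)

if __name__ == "__main__":
    for name in ("sha256", "sha512", "sha3_256", "sha3_512"):
        for n in (32, 64, 128, 4096):
            print(f"{name:9s} {n:5d} bytes: {blocks_for(name, n):3d} block(s), "
                  f"{cost_per_byte(name, n):6.2f} ns/byte")
    print("skein512 64 bytes:", blocks_for("skein512", 64), "Threefish calls")
```

Note that a 64-byte message already forces SHA-256 into two compression calls (64 + 9 bytes of padding exceeds one block) while SHA-512 needs only one, which is why per-byte figures at these lengths do not track long-message rankings.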


Re: the skein hash function

2008-11-01 Thread Peter Gutmann
Bill Stewart [EMAIL PROTECTED] writes:

A quick google-look at ASICs showed a number in the range of 300K-20M gates,
so hash-trees could probably get speedups of up to 20-100x if you can keep
from becoming input-speed-bound. The 300K chips were about $6, 5M at $50 and
350MHz, which is somewhat faster than the Skein team estimate, and some of
the denser chips didn't mention price but were starting to use 45nm
technology.

I don't know about ASICs but for FPGAs you can pay in the thousands of dollars
for a single high-end device (forget Xeons, that's the market to be in), so
you don't want to set your sights too high.  My guess is they were designing
down to a price rather than up to a performance figure.

Peter.



Re: the skein hash function

2008-10-30 Thread Bill Stewart

Eugen Leitl and Stephan Somogyi [EMAIL PROTECTED] wrote
about the Skein hash function announcement.

http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html?1
http://www.schneier.com/skein.html

One thing I noticed on a first read-through was
a discussion of speed for ASICs vs. general CPUs.
Their implementation on CPUs was about 4 Gbps/core,
and their estimate of ASIC speed was about 5 Gbps
using about 80K gates worth of ASIC,
and their hash-tree mode makes parallelization efficient.
Their conclusion was that ASICs don't give you
much of a speedup, but may save power or cost.

A quick google-look at ASICs showed a number
in the range of 300K-20M gates,
so hash-trees could probably get speedups of up to 20-100x
if you can keep from becoming input-speed-bound.
The 300K chips were about $6, 5M at $50 and 350MHz,
which is somewhat faster than the Skein team estimate,
and some of the denser chips didn't mention price
but were starting to use 45nm technology.
So if Skein becomes popular, ASIC accelerator hardware
may be practical for higher-speed applications.


