[Cryptography] let's kill md5sum!

EddyHawk quarsicon at yahoo.com
Wed Jun 10 09:39:30 EDT 2015


Dear Zooko Wilcox-O'Hearn and cryptology list members,

--------------------------------------------
On Tue, 6/9/15, Zooko Wilcox-OHearn <zooko at leastauthority.com> wrote:

 I don't understand why this matters. BLAKE2 is faster than MD5 in
 software in most cases, currently. Future CPUs will probably further
 increase that.

By 'uniformly faster than md5' I mean that it should be faster on 32-bit CPUs
too, without the SIMD thingy. Implementers can't just simply replace md5sum with
b2sum and say to their non-crypto users: "btw, you will need to upgrade to
64-bit CPUs (& 64-bit OSes), preferably with more cores & also
neon/ssse3/sse4.1/avx/avx2 for this new b2sum to be faster than md5sum.
Otherwise, it's slower. Sorry."
At least, not until a few years more, when the CPUs are all 64-bit.


 BLAKE2 as currently specified already has a finalization step
 (preventing length-extension attacks) and is already faster than MD5
 (in most cases).

(Double/heavier) finalization here is meant to shift some of the
computational burden to a function that is only called once, not just to
resist the length-extension attack:
 ----
                hashing                            finalization
                ------------------------------------------------
  blake2b     : 12 rounds + shrinking              = 12+ rounds
  blake2x 8/12:  8 rounds + 12 rounds + shrinking  = 20+ rounds
 ----
so the total rounds are even higher than blake-512, while being much faster
than blake2b for bulk hashing (8 vs 12 rounds per block).

Anyway, these are actually just my simple ideas on how to push a chacha-based
hash function or blake to its utmost speed (closer to md4's if possible)
while attempting to retain its attack-safety, not to criticize blake2.


Best regards,
Eddyhawk
