secure hash modes for rijndael

Pete Chown Pete.Chown at skygate.co.uk
Tue Apr 3 04:53:46 EDT 2001


Jeroen C. van Gelderen wrote:

> Pete Chown wrote:

> > On the subject of these hash functions...  I looked at some benchmark
> > figures and SHA-256 is not substantially faster than Rijndael-256 with
> > Davies-Meyer.

> Could you give a URL for the benchmarks you looked at?

I used Brian Gladman's benchmarks for Rijndael, at:

http://www.gladman.uk.net/

I think the SHA-256 benchmarks were just posted to Coderpunks or
something like that -- they seemed slow, which got me interested in
doing a comparison.  So I don't have a URL, sorry.  It was the ia32
architecture.

> On the ia32 architecture however the difference is quite immense [1]:
> 
> BeeCrypt 2.0.0, gcc-2.95.3, Mandrake Linux 7.[0|1], PIII 800, 4096 RAM
> SHA-1   : 39.00  MB/sec
> SHA-256 : 18.60  MB/sec

According to Brian Gladman, Rijndael-256 takes 305 cycles to set up a
new key for encryption, and 374 cycles to encrypt one block.  This is
on a Pentium Pro, not a Pentium III, but the figures should be similar
to a first approximation.

This suggests that one hash step takes 876 cycles or 1.095 µs on your
processor.  Each step hashes 32 bytes giving a figure of ~36 ms/MB, or
~27.9 MB/s.  So actually this would be rather worse than SHA-1 but
rather better than SHA-256...

Actually there is another flaw in these figures.  Gladman benchmarked
the candidates based on the AES requirements of 128-bit blocks.
However, for this we need the special Rijndael mode with 256-bit
blocks as well as 256-bit keys.  It is possible that this may distort
the figures too.

Given the amount of analysis that has gone into AES, I think this hash
function probably has reasonable security.  Interestingly there have
been far more successful attacks on hash functions than block ciphers.
Damaging attacks have been found on both MD4 and MD5.  It might be
that we could get better hash functions by using a block cipher rather
than an MD4-style compression function.

-- 
Pete
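
The construction the thread is costing out, as an added example that is not part of the original message or of any library mentioned in it: a Davies-Meyer hash in Go, with each 32-byte message block used as the cipher key and the chaining value fed forward through XOR.  Go's standard crypto/aes only offers the 128-bit AES block, so AES-256 stands in here for the 256-bit-block Rijndael Pete wants, which is why this toy produces a 128-bit digest rather than a 256-bit one.  The all-zero IV and the MD-style padding (0x80, zeros, 64-bit big-endian bit length) are assumptions of this example.  Note that aes.NewCipher runs the key schedule once per message block, which is exactly why the per-block cost in the thread is key setup plus one encryption, not encryption alone.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const (
	dmBlockSize = 16 // AES block length in bytes: size of the chaining value and digest
	dmKeySize   = 32 // 256-bit key: each 32-byte message block becomes the cipher key
)

// dmPad appends MD-style padding so the message is a whole number of
// dmKeySize-byte blocks: a 0x80 byte, zeros, then the message length in
// bits as a 64-bit big-endian integer.  (Padding choice is an assumption
// of this example, not something the thread specifies.)
func dmPad(msg []byte) []byte {
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%dmKeySize != dmKeySize-8 {
		padded = append(padded, 0x00)
	}
	var lenBits [8]byte
	binary.BigEndian.PutUint64(lenBits[:], uint64(len(msg))*8)
	return append(padded, lenBits[:]...)
}

// dmSteps returns how many compression steps a message of n bytes costs,
// i.e. how many key schedules plus encryptions are paid for it.
func dmSteps(n int) int {
	return len(dmPad(make([]byte, n))) / dmKeySize
}

// DaviesMeyerHash computes H_i = E_{m_i}(H_{i-1}) XOR H_{i-1} over the
// padded message, starting from an all-zero IV (an assumption here), and
// returns the final chaining value as the digest.
func DaviesMeyerHash(msg []byte) ([]byte, error) {
	h := make([]byte, dmBlockSize) // IV = 0^128
	padded := dmPad(msg)
	for off := 0; off < len(padded); off += dmKeySize {
		// Key schedule per block: the message block is the key, so an
		// attacker choosing the message chooses the key.
		block, err := aes.NewCipher(padded[off : off+dmKeySize])
		if err != nil {
			return nil, err
		}
		var out [dmBlockSize]byte
		block.Encrypt(out[:], h)
		for i := range h {
			h[i] ^= out[i] // feed-forward makes the step non-invertible
		}
	}
	return h, nil
}

func main() {
	for _, m := range []string{"", "abc", "The quick brown fox jumps over the lazy dog"} {
		d, err := DaviesMeyerHash([]byte(m))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-45q steps=%d digest=%s\n", m, dmSteps(len(m)), hex.EncodeToString(d))
	}
}
```

The step count is the quantity to multiply by the per-step cycle figure when estimating throughput; for a 1 MB input it is 32768 + 1 here, so the fixed padding cost vanishes and the estimate in the thread reduces to bytes-per-step divided by cycles-per-step.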



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com