switching from SHA-1 to Tiger?

Zooko O'Whielacronx zooko at zooko.com
Tue Jul 11 12:12:04 EDT 2006


Hal:

Thanks for the news about the planned NIST-sponsored hash function 
competition.  I'm glad to hear that it is in the works.

Yesterday I profiled my on-line data backup application [1] and 
discovered that for certain operations one third of the time is spent in 
SHA-1.  For that reason, I've been musing about the possibility of 
switching away from SHA-1.  Not to SHA-256 or SHA-512, but to Tiger.

The implementation of Tiger in Crypto++ on Opteron is more than twice as 
fast as SHA-1 and almost four times as fast as SHA-256 [2].

I hope that the hash function designers will be aware that hash 
functions are being used in more and more contexts outside of the 
traditional digital signatures and MACs.  These new contexts include 
filesystems like ZFS [3], decentralized revision control systems like 
Monotone [4], git [5], mercurial [6] and bazaar-ng [7], and peer-to-peer 
file-sharing systems such as Direct Connect, Gnutella, and Bitzi [6].

The AES competition resulted in a block cipher that was faster as well 
as safer than the previous standards.  I hope that the next generation 
of hash functions achieves something similar, because for my use cases 
speed in a hash function is more important than speed in encryption.

By the way, the traditional practice of using a hash function as a 
component of a MAC should, in my humble opinion, be retired in favor of 
the Carter-Wegman alternative such as Poly-1305 AES [7].

Regards,

Zooko

[1] http://allmydata.com/
[2] http://www.eskimo.com/~weidai/amd64-benchmarks.html
[3] http://www.opensolaris.org/os/community/zfs/
     ZFS offers the option of performing a SHA-256 on every block of data
     on every access.  The default setting is to use a non-cryptographic
     256-bit checksum instead.
[4] http://www.venge.net/monotone/
[5] http://git.or.cz/
[6] http://en.wikipedia.org/wiki/Tiger_(hash)
[7] http://cr.yp.to/mac.html

---------------------------------------------------------------------
The Cryptography Mailing List
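
Added example, not part of the original message: a minimal Python sketch of the Carter-Wegman construction the post refers to, showing the Poly1305 polynomial evaluation over 2^130 - 5. Assumptions: the function names are mine, the per-message pad `s` is passed in directly as in RFC 8439 (in Poly1305-AES it would be the AES encryption of a nonce, which the standard library cannot compute), and the key, message and tag are the RFC 8439 section 2.5.2 test vector.

```python
import hmac

P = (1 << 130) - 5                             # the prime 2^130 - 5
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff   # bits of r that must be zero

# Test vector from RFC 8439, section 2.5.2.
KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"   # r, the polynomial evaluation point
    "0103808afb0db2fd4abff6af4149f51b"   # s, the one-time pad added at the end
)
MSG = b"Cryptographic Forum Research Group"


def poly1305(key: bytes, msg: bytes) -> bytes:
    """Return the 16-byte tag for msg under key = r || s (16 bytes each).

    Assumption: s is given directly. Poly1305-AES derives it as
    AES_k(nonce), so s changes with every message while r stays fixed.
    """
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each chunk gets a 0x01 byte appended, so a short final chunk and
        # chunks ending in zero bytes map to distinct integers.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        # Horner's rule: evaluate the message polynomial at r modulo P.
        acc = (acc + n) * r % P
    # Adding s hides the polynomial value; only the low 128 bits are kept.
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(poly1305(key, msg), tag)


if __name__ == "__main__":
    tag = poly1305(KEY, MSG)
    print(tag.hex())
    print(verify(KEY, MSG, tag), verify(KEY, MSG + b"!", tag))
```

The security argument depends on `s` never repeating under the same `r`, which in Poly1305-AES means a nonce must never be reused with the same key.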