[Cryptography] let's kill md5sum!

Zooko Wilcox-OHearn zooko at leastauthority.com
Mon Jun 8 14:31:28 EDT 2015


On Mon, Jun 8, 2015 at 4:55 PM, Ryan Carboni <ryacko at gmail.com> wrote:
>
> "substantially faster"
> BLAKE2 has been optimized for modern architectures. Has Tiger?

The version of Tiger benchmarked on
http://bench.cr.yp.to/results-hash.html is Wei Dai's implementation
from Crypto++ (https://github.com/mmoss/cryptopp/blob/5a55f26b5e07e5effdbefe00df3a0588a11bfbf0/src/tiger.cpp).
It has optimized assembly and SSE2. I don't know for sure if there
could be further optimizations to Tiger, but I would be surprised if
anyone could squeeze better than 10% more speed out of it.


> And how much is substantial?

Look into http://bench.cr.yp.to/results-hash.html for full details,
but on some machines and some variants of BLAKE2, it is 2X as
efficient as Tiger.


> And when the security margin has been exhausted after two decades of
> cryptanalysis...

BLAKE (the immediate ancestor of BLAKE2) came out in 2008, and during
the SHA-3 competition BLAKE was probably subjected to more
cryptanalysis than Tiger has been in its entire 20-year life.

As you know, Keccak was the winner of the SHA-3 contest, and one
reason that it was the winner was that it was the target of extensive
cryptanalysis during the competition. But, in the opinion of NIST,
BLAKE was the target of even *more* cryptanalysis than Keccak:

“Keccak received a significant amount of cryptanalysis, although not
quite the depth of analysis applied to BLAKE.”—NIST's Third-Round
Report of the SHA-3 Cryptographic Hash Algorithm Competition

(If you're interested in my story about how in the SHA-3 contest,
BLAKE got higher marks from NIST than Keccak got, see my slides from
ACNS 2013 — https://blake2.net/acns/slides.html — and my blog post —
https://leastauthority.com/blog/BLAKE2-harder-better-faster-stronger-than-MD5.html
.)

Subsequent cryptanalysis of BLAKE2 is consistent with the belief that
BLAKE2 succeeded in its goal of optimizing performance without
substantially reducing the security margin: https://blake2.net/#cr .

And, of course, the core of BLAKE and BLAKE2 is based on ChaCha,
which has been extensively cryptanalyzed both by itself and in the
form of its immediate ancestor Salsa20 in the eStream competition
(http://en.wikipedia.org/wiki/Salsa20), and which is now being
standardized for TLS
(http://en.wikipedia.org/wiki/Salsa20#ChaCha20_adoption).

The bottom line is that BLAKE2, BLAKE, ChaCha, and Salsa20 have been
quite extensively studied, and they all exhibit a very large security
margin. No cryptanalysis has come anywhere close to breaking more than
a few rounds of any of them.


Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
https://LeastAuthority.com — Freedom matters.
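As an added example that is not part of Zooko's message or any project's code: a minimal md5sum-compatible checksum writer and verifier built on Python's hashlib.blake2b, the kind of drop-in replacement the subject line calls for. The file names and the B2SUMS checksum file are constructed for the demo.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream files in 1 MiB pieces so large inputs are never fully loaded
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")  # md5sum/b2sum line: "<hex>  <name>"

def blake2b_file(path, digest_size=64):
    """BLAKE2b hex digest of a file, streamed chunk by chunk."""
    h = hashlib.blake2b(digest_size=digest_size)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def write_checksums(paths, out_path, digest_size=64):
    """Write one 'hexdigest  filename' line per file, the format `md5sum -c` reads."""
    with open(out_path, "w") as out:
        for p in paths:
            out.write(f"{blake2b_file(p, digest_size)}  {p}\n")

def verify_checksums(sum_path):
    """Map filename -> True (match), False (mismatch) or None (unreadable/bad length)."""
    results = {}
    with open(sum_path) as f:
        for line in f:
            m = LINE_RE.match(line.rstrip("\n"))
            if not m:
                continue  # blank or comment lines are ignored, as md5sum does
            expected, name = m.group(1).lower(), m.group(2)
            try:  # the hex length encodes the BLAKE2b output size (1..64 bytes)
                actual = blake2b_file(name, digest_size=len(expected) // 2)
            except (OSError, ValueError):  # unreadable file or impossible digest size
                results[name] = None
                continue
            results[name] = hmac.compare_digest(actual, expected)  # constant-time compare
    return results

def demo():
    """Constructed run in a temp dir: checksum two files, verify, tamper one, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        a, b, sums = (Path(d) / n for n in ("a.bin", "b.bin", "B2SUMS"))
        a.write_bytes(b"\x5a" * (3 * CHUNK + 17))  # spans several read chunks
        b.write_bytes(b"hello\n")
        write_checksums([a, b], sums)
        clean = verify_checksums(sums)
        b.write_bytes(b.read_bytes() + b"tampered")  # modify one file afterwards
        return all(clean.values()), verify_checksums(sums)
```

The checksum file it writes is read by `b2sum -c` unchanged, so existing md5sum-based verification scripts need only the tool name swapped.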

