how fast are hash functions d j bernstein university of
play

How fast are hash functions? D. J. Bernstein University of Illinois - PDF document

Apr 30, 2023 •467 likes •1.14k views

How fast are hash functions? D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 in cooperation with IST2002507932 ECRYPT Depends on the volume of data being hashed. For small data volumes can often see big costs for

  1. How fast are hash functions? D. J. Bernstein University of Illinois at Chicago NSF ITR–0716498 in cooperation with IST–2002–507932 ECRYPT

  2. Depends on the volume of data being hashed. For small data volumes can often see big costs for finalization, block padding, etc. Depends on the CPU. e.g. hashing 1000 bytes with OpenSSL SHA–512: 118366 cycles on a Pentium 3, 16822 cycles on an Athlon 64.

  3. Depends on the hash function. What is the fastest function (given a CPU and data volume)?

  4. Depends on the hash function. What is the fastest function (given a CPU and data volume)? “Surely a broken function.”

  5. Depends on the hash function. What is the fastest function (given a CPU and data volume)? “Surely a broken function.” What is the fastest function that hasn’t been broken?

  6. Depends on the hash function. What is the fastest function (given a CPU and data volume)? “Surely a broken function.” What is the fastest function that hasn’t been broken? What is the fastest function for which half the rounds haven’t been broken?

  7. Experience shows that slower functions attract much less interest. The fastest functions are the most tempting cryptanalytic targets. If they survive scrutiny then they are favored by users. e.g.: AES selected Rijndael; eSTREAM SW selected HC-128, Rabbit, Salsa20/12, Sosemanuk.

  8. Does hash speed really matter? Usually it doesn’t! Most computers aren’t flooded with cryptographic operations. Can afford many more rounds. Some computers are flooded, but is hashing the real issue?

  9. Does hash speed really matter? Usually it doesn’t! Most computers aren’t flooded with cryptographic operations. Can afford many more rounds. Some computers are flooded, but is hashing the real issue? “Yes: I’m using HMAC-MD5 on every packet, including denial-of-service forgeries. I can’t afford HMAC-SHA-256!” That’s an obsolete application. We have faster non-hash MACs that inspire more confidence.

  10. Better example: “This computer is busy verifying public-key signatures.” My favorite example: Internet DNS security (currently nonexistent) would need DNS caches to verify signatures on every packet. These caches are centralized, hard to split, and often very heavily loaded. Hashing, even for short packets, can easily dominate the time for signature verification!

  11. Measuring what users will see Look back at 1999.03 Bassham “NIST’s Efficiency Testing for Round1 AES Candidates.” Remember CRYPTON? Fastest cipher in NIST’s tables! Fastest cipher in NIST’s graphs! 720 cycles key setup. 669 cycles encrypt. NIST’s numbers for Rijndael: 6787 cycles key setup. 809 cycles encrypt.

  12. Quite different figures in 1999 Schneier–Kelsey–Whiting– Wagner–Hall–Ferguson “AES performance comparisons.” Faster CRYPTON encryption: 955 cycles key setup. 345 cycles encrypt. But much faster Rijndael: 850 cycles key setup. 291 cycles encrypt.

  13. Users who care about speed will use the faster Rijndael software, not the painfully slow software that NIST tested. So the painfully slow software was discarded, and NIST’s tests were disregarded. 1999.10 NIST: “CRYPTON is : : : slower than either Rijndael or Twofish on most platforms.”

  14. 1999 Schneier–Kelsey–Whiting– Wagner–Hall–Ferguson: “Performance is only important in assembly language. : : : Any application which has speed as a requirement will code the encryption algorithm in assembly. : : : Optimized assembly implementations of AES will be available on the Internet. If performance is critical, it will be in assembly.”

  15. I still see some speed papers saying that a “fair comparison” of algorithms means a comparison of speeds of novice student implementations in Java. That’s “fair”? No. It’s idiotic. Or dishonest: “We couldn’t compete, so we rewrote the competition to slow it down.” Benchmarks, just like users, should focus on the fastest implementations available. Designers with slow software should try to speed it up.

  16. The importance of automation During the AES competition, Biham and Knudsen proposed a 2 ˆ security margin. NIST decided on (1 + › ) ˆ . But NIST refused to consider reduced-round Serpent etc. “Changing the number of rounds would impact the large amount of performance analysis from Rounds 1 and 2. All performance data for the modified algorithm would need to be either estimated or performed again.”

  17. 2004: eSTREAM called for stream-cipher submissions implementing a particular API. Received > 30 submissions from 97 cryptographers. De Canni` ere published software to time the submissions. Software has been run on dozens of different CPUs. Designers have seen results, provided faster implementations of the submissions. Timings were easily updated.

  18. 2006, joint work with Lange: eBATS (ECRYPT Benchmarking of Asymmetric Systems). DH; signatures; encryption. New benchmarking software: much more data collected, improved portability, etc. As in eSTREAM benchmarking, anyone can submit new software or improve existing software. > 20 submissions so far, providing > 100 pub-key systems. All submissions are then measured on many computers.

  19. Today’s announcement: eBASH (ECRYPT Benchmarking of All Submitted Hashes). Anyone can submit a new hash function or a new implementation of an old function. We’ll measure all the software on many CPUs. Benchmarking software has been further improved: e.g., automatic ABI stratification, separating 32-bit compilers from 64-bit compilers on amd64 etc. Suggestions? Talk to us!

  20. What eBASH does Currently we’re measuring time to hash 0 bytes, time to hash 1 byte, time to hash 2 bytes, : : : time to hash 8192 bytes. Aligned input and output. Typical for speed-oriented applications but maybe we should also measure unaligned. Currently 1 core, 1 thread. No hint of speedups from massively parallel computation of, e.g., tree-structured hashes.

  21. Measurement machines run Linux, BSD, Solaris, etc. on a wide variety of CPUs. Largest machine contributor: NMI Build and Test Laboratory at the University of Wisconsin. We’re experimenting with ARMs but haven’t included any yet. Currently no 8-bit CPUs. No FPGAs. No ASICs. Will hardware benchmarking be stuck forever in the dark ages?

  22. For each hash function, currently trying 796 combinations of C compilers + compiler options. Measurements of the function use the compiler + option that hashes 1536 bytes most efficiently. “Have to write in C?” No; can use C++ or asm. Need other options? Tell us!

  23. eBASH API examples The eBASH software has two files that measure the OpenSSL SHA512 software. hash/sha512/openssl/hash.c : #include <openssl/sha.h> void crypto_hash_sha512_openssl( unsigned char *out, const unsigned char *in, unsigned long long inlen) { SHA512(in,inlen,out); }

  24. hash/sha512/openssl/hash.h : #include <openssl/opensslv.h> #define CRYPTO_hash_\ sha512_openssl_VERSION \ OPENSSL_VERSION_TEXT #define CRYPTO_hash_\ sha512_openssl_BYTES \ 64 Version is optional; copied to database of timings.

  25. Integrating Whirlpool: hash/whirlpool/ref has two files copied from Whirlpool reference code; hash.h defining BYTES as 64; and an easy 19-line hash.c built from the lower-level functions in the reference code. hash/whirlpool/checksum (also optional) contains an expected hash output. Any compiled code that fails to produce this output is left out of the measurements.

  26. Examples of easy graphs to draw WARNING : These graphs currently include only a few hash-function implementations. If you have a faster implementation, sorry—it isn’t in these graphs. Advertise it by submitting it to eBASH! We’ll easily update benchmarks, graphs, etc.

  27. MD5 cycles on orpheus , x86 architecture, Pentium 3 672: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  28. MD5 cycles on fireball , x86 arch, Pentium 4 f12: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  29. MD5 cycles on nmi-0056 , x86 arch, Xeon f41: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  30. MD5 cycles on thoth , x86 arch, Athlon: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  31. MD5 cycles on katana , x86 arch, Core 2 Duo: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  32. MD5 cycles on nmi-0104 , x86 arch, Pentium D f64: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  33. MD5 cycles on nmi-0020 , ia64 arch, Itanium II: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  34. MD5 cycles on gggg , ppc32 arch, PowerPC G4 7410: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  35. MD5 cycles on nmi-0056 , amd64 arch, Xeon f41: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  36. MD5 cycles on katana , amd64 arch, Core 2 Duo: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  37. MD5 cycles on nmi-0104 , amd64 arch, Pentium D f64: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  38. MD5 cycles on mace , amd64 arch, Athlon 64 X2: 6000 5000 4000 3000 2000 1000 0 0 200 400 600 800 1000

  39. MD5 cycles/byte on orpheus , x86 architecture, Pentium 3 672: 100 10 1 10 0 10 1 10 2 10 3 10 4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Short-output universal hash functions &amp; their use in fast and secure data authentication

Short-output universal hash functions &amp; their use in fast and secure data authentication

Short-output universal hash functions &amp; their use in fast and secure data authentication Long Nguyen and Bill Roscoe Oxford University Department of Computer Science -almost universal hash functions (UHF) Definition : given R is the set

515 views • 22 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and Nicolas Sendrier Part I General Facts about Hash Functions The Merkle-Damg ard construction D Padding + length n n n o o o i i i s s

393 views • 25 slides
Improved Fast Syndrome Based Cryptographic Hash Functions Matthieu Finiasz , Philippe Gaborit,

Improved Fast Syndrome Based Cryptographic Hash Functions Matthieu Finiasz , Philippe Gaborit,

ECRYPT Hash Workshop 2007 Improved Fast Syndrome Based Cryptographic Hash Functions Matthieu Finiasz , Philippe Gaborit, and Nicolas Sendrier The Original FSB Hash Function [Augot, Finiasz, Sendrier - Mycrypt 05] Based on the Merkle-Damg

303 views • 19 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

CSS441 Hash Functions Hash Functions Authentication Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

1.04k views • 24 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.68k views • 129 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers,

On the design of When we design message-authentication codes hash functions, stream ciphers, and other secret-key primitives, D. J. Bernstein should we use University of Illinois at Chicago integer multiplication? AES uses 32 32 32

1.76k views • 149 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding Cryptography by Paar &amp; Pelzl. &amp; Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 9899. Signature

255 views • 10 slides
Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations Multivariate quadratic equations Olivier Billet, Thomas Peyrin, and Matt Robshaw Hash functions and multivariate quadratic equations Orange Labs

299 views • 3 slides
Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions Main syntactic feature: Variable input length to fixed length output Hash Functions Main syntactic feature: Variable input length to fixed length

1.76k views • 147 slides
This Talk. Sources of Topics ACP Journal Club Advances in Primary Care: Residency

This Talk. Sources of Topics ACP Journal Club Advances in Primary Care: Residency

8/8/2018 This Talk. Sources of Topics ACP Journal Club Advances in Primary Care: Residency Journal Clubs Recent Important Papers Faculty Suggestion Douglas C. Bauer, MD Guiding Principles Departments of Medicine and

249 views • 13 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
LAW, LAND RIGHTS, AND REVENUE Prof. Susan Whiting Political Science University of Washington 2

LAW, LAND RIGHTS, AND REVENUE Prof. Susan Whiting Political Science University of Washington 2

1 LAW, LAND RIGHTS, AND REVENUE Prof. Susan Whiting Political Science University of Washington 2 Law, Land Rights, and Revenue 1. Generation and extraction of revenue from land 2. Role of law and legal institutions Documents Case

654 views • 31 slides
Welcome! Check your audio connection to be sure your speakers are on and the volume is up.

Welcome! Check your audio connection to be sure your speakers are on and the volume is up.

Welcome! Check your audio connection to be sure your speakers are on and the volume is up. Archive recording, presentation slides, resources, and CEU form are available at: www.schoolnutrition.org/webinars @SchoolLunch

588 views • 23 slides
Stability Problems for Black Holes Gustav Holzegel Imperial College, London March 26th, 2014

Stability Problems for Black Holes Gustav Holzegel Imperial College, London March 26th, 2014

Stability Problems for Black Holes Gustav Holzegel Imperial College, London March 26th, 2014 Frontiers in Dynamical Gravity Cambridge 1 Two Problems Problem 1: Prove linear and non-linear stability of Schwarzschild and Kerr. Problem 2:

392 views • 16 slides
SHPE Sacramento State SHPE California State University, Sacramento AGENDA Announcements

SHPE Sacramento State SHPE California State University, Sacramento AGENDA Announcements

General Meeting SHPE Sacramento State SHPE California State University, Sacramento AGENDA Announcements Whiting Turner Changing Lives; Empowering Communities; Impacting the World 2 2 Changing Lives; Empowering Communities;

346 views • 7 slides
Welcome! The 82 nd CHHSM Annual Gathering! 2020 CHHSM 82nd Annual Gathering: Justice and Grace

Welcome! The 82 nd CHHSM Annual Gathering! 2020 CHHSM 82nd Annual Gathering: Justice and Grace

Welcome! The 82 nd CHHSM Annual Gathering! 2020 CHHSM 82nd Annual Gathering: Justice and Grace Together Thank You to the Annual Gathering Task Force! Alice Graham Lisa Key Beth Long-Higgins Mary Whiting Cindy Bumb

681 views • 29 slides

More recommend