SHA-256 vs SHA512/256

[Manlio Perillo]

For a project I need to identify a file by the hash of its contents, as it is done in git.

I was planning to use SHA-256, however after a quick search I found that SHA512/256 is faster when implemented on a 64bit processor.

I confirmed this by running the benchmarks in go 1.6.

The performance gain is about 1.6.  I have not checked the performance lost on a 32bit processor.

It seems that SHA-512/256 is the best choice, since it is faster on modern hardware, and it should have at least the same security properties compared to SHA-256.

Any contraindications?

Thanks  Manlio

[Matt Silverlock]

SHA-512/256 is great on 64-bit and avoids length extension attacks (by nature of being truncated). 

[Dave Cheney]

Be aware that there is no assembly implementation of sha512 for anything outside amd64, the other platforms use a generic pure go implementation.

lucky(~/go/src/crypto/sha512) % env GOARCH=386 go test -bench=. -run=XXX 

BenchmarkHash8Bytes-4     300000              3679 ns/op           2.17 MB/s

BenchmarkHash1K-4          50000             29850 ns/op          34.30 MB/s

BenchmarkHash8K-4          10000            214474 ns/op          38.20 MB/s

PASS

ok      crypto/sha512   5.116s

lucky(~/go/src/crypto/sha512) % go test -bench=. -run=XXX 

BenchmarkHash8Bytes-4    2000000               723 ns/op          11.06 MB/s

BenchmarkHash1K-4         300000              5100 ns/op         200.75 MB/s

BenchmarkHash8K-4          50000             35552 ns/op         230.42 MB/s

PASS

ok      crypto/sha512   5.991s

[joh...@gmail.com]

Tried SHA3?

[Manlio Perillo]

Il giorno domenica 13 marzo 2016 01:40:30 UTC+1, Dave Cheney ha scritto:

Be aware that there is no assembly implementation of sha512 for anything outside amd64, the other platforms use a generic pure go implementation.

Thanks.  SHA256 do have assembly support for 386.

Some shared hosting servers may have 386 arch for compatibility reason.

Can I assume that there is no plan for assembly support for SHA512?

Manlio

[Manlio Perillo]

No.

* The wikipedia page has no info about performances:

   https://en.wikipedia.org/wiki/SHA-3

* it is not part of the standard library (well, not really a problem)

* the benchmarks of golang.org/x/crypto/sha3 are not compatible(?) with the ones in crypto/sha512,

  so I can't compare the performances. It seems however that it is only 1.3 slower, without assembly support.

This is the output of the benchmarks:

BenchmarkPermutationFunction-4 3000000       535 ns/op 373.78 MB/s

BenchmarkSha3_512_MTU-4        200000     11074 ns/op 121.90 MB/s

BenchmarkSha3_384_MTU-4        200000      7970 ns/op 169.38 MB/s

BenchmarkSha3_256_MTU-4        200000      6328 ns/op 213.31 MB/s

BenchmarkSha3_224_MTU-4        200000      6034 ns/op 223.72 MB/s

BenchmarkShake128_MTU-4        300000      5103 ns/op 264.53 MB/s

BenchmarkShake256_MTU-4        300000      5518 ns/op 244.63 MB/s

BenchmarkShake256_16x-4         20000     80665 ns/op 203.11 MB/s

BenchmarkShake256_1MiB-4           300   4234132 ns/op 247.65 MB/s

BenchmarkSha3_512_1MiB-4           200   7943524 ns/op 132.00 MB/s

What is the reason why the benchmarks of x/crypto use a different metric compared to standard crypto?

Manlio

[Manlio Perillo]

Il giorno domenica 13 marzo 2016 17:10:51 UTC+1, Manlio Perillo ha scritto:

No.

* The wikipedia page has no info about performances:

   https://en.wikipedia.org/wiki/SHA-3

* it is not part of the standard library (well, not really a problem)

* the benchmarks of golang.org/x/crypto/sha3 are not compatible(?) with the ones in crypto/sha512,

  so I can't compare the performances. It seems however that it is only 1.3 slower, without assembly support.

SHA3/256 is a bit faster (1.1x) than SHA256 on amd64, but it is a *lot*  slower (3x) on 386.

Manlio

[Dave Cheney]

If you are able to contribute a 386 implementation that would be most appreciated. 386 may be dead on the server, but is still alive and well on the desktop, tablet and all of intel's iot efforts.