On Fri, Apr 13, 2012 at 9:50 AM, Marsh Ray <ma...@extendedsubset.com> wrote:
>
> But now SHA-2 takes a 50% performance hit on messages of 55 bytes and shorter.

Good point.

> So something like IPsec AH would see around a 66% loss in performance if its
> bottleneck were actually the authentication (estimating from a handy packet
> capture).

Is that actually its bottleneck? According to ¹ sha-256 for short messages (64 bytes) costs about 150 cycles per byte on ARM, around 50 cpb on x86_64. So if the HASH_d approach doubles the cost, that's ~16000 cycles per packet instead of ~8000 on ARM, ~5000 cycles per packet instead of ~2500 on x86_64. How many packets per second do your traces call for?

But anyway, yes, I wouldn't hesitate to use any old length-extension-vulnerable hash function like SHA-256 in HMAC!

If you're talking about using a different hash function in your HMAC in your IPsec AH, what about using a different MAC entirely, like say Poly1305-AES? :-)

Regards,

Zooko

¹ http://bench.cr.yp.to/results-hash.html

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
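The "50% hit on 55 bytes and shorter" in the thread comes from counting SHA-256 compression-function calls: a message of up to 55 bytes fits one 64-byte block with its padding, and HASH_d (SHA-256 of SHA-256) always spends one extra block on the 32-byte inner digest. The following cost model is an added example, not code from the thread; it counts blocks for plain SHA-256, HASH_d and HMAC-SHA-256 (without cached key states, an assumption) and checks the HASH_d construction against hashlib.

```python
"""Compression-block cost model for SHA-256, HASH_d (SHA-256d) and HMAC-SHA-256.

Constructed example: counts 64-byte compression calls per construction for a
message of a given length, which is what drives the short-message overhead
discussed in the thread. Absolute cycle counts are platform specific and are
not modelled here.
"""
import hashlib

BLOCK = hashlib.sha256().block_size    # 64 bytes per compression call
DIGEST = hashlib.sha256().digest_size  # 32-byte output
MD_PAD_MIN = 9  # mandatory 0x80 byte plus 8-byte length field


def sha256_blocks(msg_len: int) -> int:
    """Compression calls SHA-256 makes for msg_len bytes.
    Up to 55 bytes plus the 9 padding bytes fit a single block; 56 bytes spill
    into a second one."""
    return (msg_len + MD_PAD_MIN + BLOCK - 1) // BLOCK


def sha256d_blocks(msg_len: int) -> int:
    """HASH_d = SHA-256(SHA-256(m)). The outer call hashes a fixed 32-byte
    digest, so it always adds exactly one block on top of the inner hash."""
    return sha256_blocks(msg_len) + sha256_blocks(DIGEST)


def hmac_sha256_blocks(msg_len: int) -> int:
    """HMAC-SHA-256 with a key of at most one block and no precomputed key
    states (assumption): inner hash over K^ipad || m, outer hash over
    K^opad || inner_digest."""
    return sha256_blocks(BLOCK + msg_len) + sha256_blocks(BLOCK + DIGEST)


def sha256d(msg: bytes) -> bytes:
    """The HASH_d construction itself, so the model can be checked against it."""
    return hashlib.sha256(hashlib.sha256(msg).digest()).digest()


def relative_cost(msg_len: int) -> dict:
    """Cost of each construction relative to plain SHA-256 at this length."""
    base = sha256_blocks(msg_len)
    return {
        "sha256": 1.0,
        "sha256d": sha256d_blocks(msg_len) / base,
        "hmac_sha256": hmac_sha256_blocks(msg_len) / base,
    }


if __name__ == "__main__":
    for n in (20, 55, 56, 119, 1500):  # constructed sample message lengths
        print(f"{n:5d} bytes: {relative_cost(n)}")
```

For a 55-byte payload HASH_d costs 2 blocks against 1, i.e. the doubling the thread estimates, while at a 1500-byte packet the extra block is only about 4%.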