On Fri, Jun 16, 2017 at 12:41 AM, brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> wrote: > On Thu, Jun 15, 2017 at 02:59:57PM -0700, Adam Langley wrote: >> (I was asked to comment a few points in public by Jonathan.) >> >> I think this group can safely assume that SHA-256, SHA-512, BLAKE2, >> K12, etc are all secure to the extent that I don't believe that making >> comparisons between them on that axis is meaningful. Thus I think the >> question is primarily concerned with performance and implementation >> availability. >> >> I think any of the above would be reasonable choices. I don't believe >> that length-extension is a concern here. >> >> SHA-512/256 will be faster than SHA-256 on 64-bit systems in software. >> The graph at https://blake2.net/ suggests a 50% speedup on Skylake. On >> my Ivy Bridge system, it's about 20%. >> >> (SHA-512/256 does not enjoy the same availability in common libraries however.) >> >> Both Intel and ARM have SHA-256 instructions defined. I've not seen >> good benchmarks of them yet, but they will make SHA-256 faster than >> SHA-512 when available. However, it's very possible that something >> like BLAKE2bp will still be faster. Of course, BLAKE2bp does not enjoy >> the ubiquity of SHA-256, but nor do you have to wait years for the CPU >> population to advance for high performance. > > SHA-256 acceleration exists for some existing Intel platforms already. > However, they're not practically present on anything but servers at the > moment, and so I don't think the acceleration of SHA-256 is a > something we should consider. Whatever next-gen hash Git ends up with is going to be in use for decades, so what hardware acceleration exists in consumer products right now is practically irrelevant, but what acceleration is likely to exist for the lifetime of the hash existing *is* relevant. So I don't follow the argument that we shouldn't weigh future HW acceleration highly just because you can't easily buy a laptop today with these features. Aside from that I think you've got this backwards, it's AMD that's adding SHA acceleration to their high-end Ryzen chips[1] but Intel is starting at the lower end this year with Goldmont which'll be in lower-end consumer devices[2]. If you read the github issue I linked to upthread[3] you can see that the cryptopp devs already tested their SHA accelerated code on a consumer Celeron[4] recently. I don't think Intel has announced the SHA extensions for future Xeon releases, but it seems given that they're going to have it there as well. Have there every been x86 extensions that aren't eventually portable across the entire line, or that they've ended up removing from x86 once introduced? In any case, I think by the time we're ready to follow-up the current hash refactoring efforts with actually changing the hash implementation many of us are likely to have laptops with these extensions, making this easy to test. 1. https://en.wikipedia.org/wiki/Intel_SHA_extensions 2. https://en.wikipedia.org/wiki/Goldmont 3. https://github.com/weidai11/cryptopp/issues/139#issuecomment-264283385 4. https://ark.intel.com/products/95594/Intel-Celeron-Processor-J3455-2M-Cache-up-to-2_3-GHz