[cryptography] [zfs] SHA-3 winner announced

Eugen Leitl eugen at leitl.org
Wed Oct 3 07:05:10 EDT 2012

----- Forwarded message from Sašo Kiselkov <skiselkov.ml at gmail.com> -----

From: Sašo Kiselkov <skiselkov.ml at gmail.com>
Date: Wed, 03 Oct 2012 08:22:26 +0200
To: "<zfs at lists.illumos.org>" <zfs at lists.illumos.org>
Subject: [zfs] SHA-3 winner announced
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929
Reply-To: zfs at lists.illumos.org

Hi All,

As many of you are probably aware, NIST has just announced the SHA-3
winner: Keccak. Wonderful, so now we can go ahead and implement it in
ZFS as the next-gen hash algo for dedup, right? Sadly, no. As I
predicted, NIST could, and it seems did, choose a candidate that fits
their criteria, not ours.

Keccak, you see, is slow. Mighty slow. It's comparable to and at times
even slower than the current SHA-2. See:

Of course, I already hear people object: "But, it'll become faster once
we get hardware implementations!"
Sadly, no. Here are a few reasons why the "HW FTW!" argument is invalid:

1) x86 currently lacks even an implementation of SHA-2, which is over
   a decade old, so I do not expect SHA-3 to come along any time soon.

2) The UltraSPARC T2 and higher are currently the only CPUs capable of
   running Illumos that also have the algo in hardware, and they got the
   capability 6 years after the release of the algorithm (and Illumos
   doesn't even support that, but that's another story). Even
   considering an optimistically fast design cycle, I don't expect
   SHA-3 to appear in SPARC before the T6 (considering the T5 is slated
   for release pretty soon, so feature additions to the silicon are
   currently highly unlikely), which is on track for release in
   2013/2014. My personal guess is that it's more likely to appear in
   the next release cycle after the T6, some time in 2014 or 2015.

3) Illumos runs on a wide variety of platforms, most of which will
   probably never get SHA-3 in hardware for the foreseeable future.

I know I'm going to get a lot of flak for saying so, but the hard
reality is that SHA-3 is over and that they've chosen an algorithm
that's essentially useless to ZFS. Sure it has a nice security margin,
much better than SHA-2, but we were already happy with the security
margin we had before, so what we wanted next is more speed, and sadly,
that's not something Keccak improves on.

In conclusion, I'd like to propose a course of action: mainline one (or
multiple) of the algorithms which I submitted patches for: Edon-R, BMW
or Skein. All of them have a security margin that's better than SHA-2
and much, much better performance.



----- End forwarded message -----
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
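The message above argues about hash throughput for ZFS dedup and mentions the dedup use case only in passing. The following is an added example, not code from the post, from ZFS or from illumos: a toy model of a dedup table keyed on a block digest, a micro-benchmark of the two hashes the message compares, and a demonstration of why a bytewise verify step matters when the hash is weak. Assumptions that are mine and not the page's: Python's hashlib `sha256` and `sha3_256` (OpenSSL's userland code, not any kernel implementation; Edon-R, BMW and Skein are not in hashlib), the 128 KiB record size as the ZFS default, the `dedup=on` / `dedup=verify` behaviour modelled as "trust the digest" versus "compare bytes on a digest hit", and the truncated-digest "weak hash" as a constructed stand-in for a hash whose collisions are cheap.

```python
"""Added example (not code from the post, from ZFS or from illumos): a toy
model of a content-hash dedup table like the one the message discusses,
plus a throughput micro-benchmark for the two hashes it compares.

Assumptions (mine, not the page's): hashlib sha256/sha3_256 are OpenSSL's
userland implementations, not kernel code; 128 KiB is the ZFS default
record size; the truncated-digest "weak hash" is a constructed stand-in
used only to show why a bytewise verify step matters.
"""
import hashlib
import os
import time

RECORD_SIZE = 128 * 1024  # ZFS default recordsize (assumption: default, not tuned)


def split_records(data, size=RECORD_SIZE):
    """Cut a byte string into fixed-size records (the last one may be short)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def hashlib_digest(algo):
    """Return a digest function backed by hashlib, e.g. 'sha256' or 'sha3_256'."""
    return lambda rec: hashlib.new(algo, rec).digest()


def truncated_digest(algo="sha256", nbytes=2):
    """Constructed weak hash: only the first `nbytes` of the digest are kept,
    so collisions are cheap.  Used solely to demonstrate the verify step."""
    return lambda rec: hashlib.new(algo, rec).digest()[:nbytes]


def dedup(records, digest_fn=hashlib_digest("sha256"), verify=False):
    """Simulate writing `records` through a dedup table keyed on digest_fn.

    Returns (unique_records_stored, bytes_deduplicated).  With verify=False a
    digest hit is trusted outright (modelling dedup=on); with verify=True the
    stored record is compared bytewise first (modelling dedup=verify), so a
    colliding-but-different record is stored rather than silently dropped.
    """
    table = {}  # digest -> first record stored under that digest
    unique = 0
    saved = 0
    for rec in records:
        d = digest_fn(rec)
        hit = table.get(d)
        if hit is None:
            table[d] = rec
            unique += 1
        elif verify and hit != rec:
            # Digest collision caught by the bytewise compare: the record
            # cannot share the existing block, so it is written out as new.
            unique += 1
        else:
            saved += len(rec)
    return unique, saved


def find_truncated_collision(digest_fn, width=64):
    """Deterministically search for two different `width`-byte records whose
    digest_fn outputs collide.  Only practical against a weak digest such as
    truncated_digest(); against a full 256-bit digest it would never return."""
    seen = {}
    i = 0
    while True:
        rec = i.to_bytes(8, "big") * (width // 8)
        d = digest_fn(rec)
        if d in seen:
            return seen[d], rec
        seen[d] = rec
        i += 1


def throughput_mib_s(algo, n_records=64):
    """MiB/s digested by hashlib `algo` over n_records random 128 KiB records.
    Measures OpenSSL's userland code on this machine, not any kernel path."""
    blob = os.urandom(RECORD_SIZE)  # constructed input
    digest_fn = hashlib_digest(algo)
    start = time.perf_counter()
    for _ in range(n_records):
        digest_fn(blob)
    elapsed = time.perf_counter() - start
    return (n_records * RECORD_SIZE / (1024 * 1024)) / elapsed


# Constructed sample: six records, three of them repeats (A, B, A, C, A, B).
_A, _B, _C = (bytes([k]) * RECORD_SIZE for k in (0x41, 0x42, 0x43))
SAMPLE_RECORDS = [_A, _B, _A, _C, _A, _B]


if __name__ == "__main__":
    for algo in ("sha256", "sha3_256"):
        unique, saved = dedup(SAMPLE_RECORDS, hashlib_digest(algo))
        print(f"{algo:9s} unique={unique} saved={saved // 1024} KiB "
              f"throughput={throughput_mib_s(algo):.0f} MiB/s")
    weak = truncated_digest()
    a, b = find_truncated_collision(weak)
    print("weak hash, dedup=on    :", dedup([a, b], weak))
    print("weak hash, dedup=verify:", dedup([a, b], weak, verify=True))
```

The throughput numbers depend on the machine, the Python build and the OpenSSL version behind hashlib, so they say nothing about a kernel implementation of either hash; what the example does show is that, whichever digest is chosen, `verify=False` trusts the digest completely, and with a hash whose collisions are cheap that silently drops a distinct block, while `verify=True` costs a bytewise compare on every hit and stores the colliding block instead.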
