Date: Fri, 16 Dec 2016 12:57:44 -0800 From: Tom Herbert <tom@...bertland.com> To: George Spelvin <linux@...encehorizons.net> Cc: "Jason A. Donenfeld" <Jason@...c4.com>, Andi Kleen <ak@...ux.intel.com>, "David S. Miller" <davem@...emloft.net>, David Laight <David.Laight@...lab.com>, "Daniel J . Bernstein" <djb@...yp.to>, Eric Biggers <ebiggers3@...il.com>, Hannes Frederic Sowa <hannes@...essinduktion.org>, Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>, kernel-hardening@...ts.openwall.com, Linux Crypto Mailing List <linux-crypto@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, Andy Lutomirski <luto@...capital.net>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Linus Torvalds <torvalds@...ux-foundation.org>, "Theodore Ts'o" <tytso@....edu>, vegard.nossum@...il.com Subject: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF On Fri, Dec 16, 2016 at 12:41 PM, George Spelvin <linux@...encehorizons.net> wrote: > Tom Herbert wrote: >> Tested this. Distribution and avalanche effect are still good. Speed >> wise I see about a 33% improvement over siphash (20 nsecs/op versus 32 >> nsecs). That's about 3x of jhash speed (7 nsecs). So that might closer >> to a more palatable replacement for jhash. Do we lose any security >> advantages with halfsiphash? > > What are you testing on? And what input size? And does "33% improvement" > mean 4/3 the rate and 3/4 the time? Or 2/3 the time and 3/2 the rate? > Sorry, that is over an IPv4 tuple. Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz. Recoded the function I was using to look like more like 64 bit version and yes it is indeed slower. > These are very odd results. On a 64-bit machine, SipHash should be the > same speed per round, and faster because it hashes more data per round. > (Unless you're hitting some unexpected cache/decode effect due to REX > prefixes.) > > On a 32-bit machine (other than ARM, where your results might make sense, > or maybe if you're hashing large amounts of data), the difference should > be larger. > > And yes, there is a *significant* security loss. SipHash is 128 bits > ("don't worry about it"). hsiphash is 64 bits, which is known breakable > ("worry about it"), so we have to do a careful analysis of the cost of > a successful attack. > > As mentioned in the e-mails that just flew by, hsiphash is intended > *only* for 32-bit machines which bog down on full SipHash. On all 64-bit > machines, it will be implemented as an alias for SipHash and the security > concerns will Just Go Away. > > The place where hsiphash is expected to make a big difference is 32-bit > x86. If you only see 33% difference with "gcc -m32", I'm going to be > very confused.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.