Comment by dspillett 10 months ago

> why does SHA-256 even exist when SHA-512/256 is what we should all use?

SHA-512 is more computationally costly so running that and truncating the result is slower than just running SHA-256. Where performance is key¹ and you have other protection in your protocol that mitigates extension issues, that could be a significant benefit.

IIRC SHA512 uses 64-bit values throughout rather than the 32-bit values used in SHA256, so it might actually be faster in software on modern 64-bit architectures, nullifying the above consideration on such platforms, but back when the SHA2 family was formally specified, 64-bit processing was far, far less common. Also, if you have acceleration for SHA256 in hardware but not for SHA512, that flips things back. Hardware support for SHA256 will be cheaper in silicon than SHA512.

----

[1] very low CPU power systems, or hashing en masse on now powerful arrangements

NovemberWhiskey 10 months ago

>SHA-512 is more computationally costly

In fact, as you suggested later, SHA-512 is actually much less computationally expensive on 64-bit machines - it has 25% more rounds, but you can do twice the number of bytes per round.

All other things being equal (which they seldom are), you will often see a significant speed improvement with SHA-512 vs. SHA-256 on larger payloads.

Of course, I immediately tried to test this with "openssl speed" on my M1 Mac and SHA-512 is 70% slower, so I guess there's some architectural optimization there.

  • jaeckel 10 months ago

    The answer is: dedicated CPU instructions for SHA256 vs. software implementation of SHA512. For amd64 there's SHA-NI, for Arm there's the crypto extensions, but both only provide SHA256 (at least when I last looked at their specs).

  • mtndew4brkfst 10 months ago

    Can the algorithm benefit from SIMD/AVX512? Not helpful for ARM Macs, I have one too, but might be a contributing factor to lower adoption since those instructions aren't as widespread. First consumer chips in ~2017 and first AMD chips in ~2022.

    • formerly_proven 10 months ago

      The 32 bit variants are accelerated via SHA-NI on most CPUs, which inverts the performance ranking again, making SHA-256 the fastest common cryptographic hash by far.

    • NovemberWhiskey 10 months ago

      I did a quick check on a 2016-era Xeon E5 v4 (AVX2), and sha512 is much faster per openssl speed.
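The thread compares SHA-256, SHA-512 and "SHA-512 truncated" on speed and on length-extension resistance. The following is an added example, not code posted by any commenter: it times the three hashlib algorithms on a constructed payload so you can reproduce the `openssl speed` comparison on your own CPU, and it checks that FIPS 180-4 SHA-512/256 (distinct initial hash values) is not the same digest as SHA-512 cut to 32 bytes. The payload size and repeat count are arbitrary choices; `sha512_256` support depends on the OpenSSL that hashlib was built against.

```python
import hashlib
import time
from typing import Dict, Optional

# Constructed sample payload (not from the thread): 8 MiB of repeating bytes.
PAYLOAD = bytes(range(256)) * (8 * 1024 * 1024 // 256)


def sha512_truncated(data: bytes) -> bytes:
    """SHA-512 with the output cut to 32 bytes, as described in the first comment.
    This still leaks nothing useful for extension because the internal state is
    64 bytes and only half of it is exposed, but it is NOT SHA-512/256."""
    return hashlib.sha512(data).digest()[:32]


def sha512_256(data: bytes) -> Optional[bytes]:
    """FIPS 180-4 SHA-512/256: same compression function as SHA-512 but its own
    initial hash values, so the digest differs from a plain truncation.
    Returns None when the linked OpenSSL does not offer it."""
    try:
        return hashlib.new("sha512_256", data).digest()
    except ValueError:  # "unsupported hash type"
        return None


def throughput_mib_s(name: str, data: bytes, repeats: int = 5) -> float:
    """Best-of-N throughput in MiB/s for one hashlib algorithm over data."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        hashlib.new(name, data).digest()
        best = min(best, time.perf_counter() - t0)
    return len(data) / best / (1024 * 1024)


def compare(data: bytes = PAYLOAD) -> Dict[str, float]:
    """Throughput of the algorithms discussed in the thread on this machine.
    Whether sha256 or sha512 wins depends on SHA-NI / Arm crypto extensions."""
    names = ["sha256", "sha512"]
    if sha512_256(b"") is not None:
        names.append("sha512_256")
    return {name: throughput_mib_s(name, data) for name in names}


if __name__ == "__main__":
    for name, mib_s in compare().items():
        print(f"{name:11s} {mib_s:8.1f} MiB/s")
    print("sha512[:32] == sha512_256 ?", sha512_truncated(b"abc") == sha512_256(b"abc"))
```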