Fredrik Thulin fredrik@thulin.net writes:
On Tue, 2012-11-27 at 14:06 +0100, Niels Möller wrote:
Cool. Why SHA512 rather than SHA256, is using it specified somewhere?
I wanted maximum speed on 64-bit CPUs without settling for SHA-1, but I won't claim this was a particularly well illuminated decision.
Makes some sense. But on the other hand, the point of pbkdf2 is to be slow (for the attacker), so selecting a faster hash function just means that you need to use a larger iteration count...
It would remove the hack of passing a 1k buffer as sha512ctx (https://github.com/fredrikt/python-ndnkdf/blob/master/ndnkdf/ndnkdf.py#L76).
The right way would be to use some configure test to get the size of that struct, I guess. (pyconfigure-0.1 was released yesterday, btw. See http://www.gnu.org/software/pyconfigure/. I haven't done any python modules since ancient versions of the gmp module, but I imagine pyconfigure could be useful if you need configure tests for your python module).
I did implement a test case that compares the output of Nettle with that of python-pbkdf2 for a number of (key, salt, iterations) though.
For lack of more authoritative test vectors, adding a couple of test vectors generated by python-pbkdf2 to the nettle testsuite would be nice.
Haven't measured. Optimizing a SHA512 implementation is really above my head, but I've heard talks about using AMD XOP instruction set to optimize SHA512 on other mailing lists...
That's a project for another day. It's some time since I wrote the C implementation, and I can't guess if a clever assembly implementation would gain a 10% or a 100% speedup compared to what gcc generates.
$ git clone https://github.com/dlitz/python-pbkdf2
$ git clone https://github.com/fredrikt/python-ndnkdf
$ cd python-ndnkdf/examples
$ PYTHONPATH=../../python-pbkdf2 ./pbkdf2-plot
Ok. With
$ NDNKDF_PATH=~/build/nettle-shared/.lib PYTHONPATH=../../python-pbkdf2:.. ./pbkdf2-plot
I get
PBKDF2-HMAC-SHA512 benchmark result :
N= 16 -> Python == 2 ms, Nettle == 0 ms
N= 32 -> Python == 6 ms, Nettle == 0 ms
N= 64 -> Python == 8 ms, Nettle == 0 ms
N= 128 -> Python == 16 ms, Nettle == 0 ms
N= 256 -> Python == 30 ms, Nettle == 1 ms
N= 512 -> Python == 57 ms, Nettle == 2 ms
N= 1024 -> Python == 114 ms, Nettle == 3 ms
N= 2048 -> Python == 229 ms, Nettle == 7 ms
N= 4096 -> Python == 453 ms, Nettle == 15 ms
N= 8192 -> Python == 909 ms, Nettle == 30 ms
N= 16384 -> Python == 1834 ms, Nettle == 59 ms
The machine has an "AMD E-350" processor, 1.6 GHz dual core (but I guess the number of cores doesn't matter here). GMP's configure refers to the cpu as "bobcat", which if I understand these things correctly is AMD's current low-end.
Regards,
/Niels
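
Added example, not part of the original message and not code from Nettle, python-pbkdf2 or python-ndnkdf: the kind of cross-implementation check discussed in the thread, comparing a from-scratch PBKDF2-HMAC-SHA512 against an independent implementation for several (key, salt, iterations) tuples. Here the independent side is assumed to be Python's `hashlib.pbkdf2_hmac`, and the inputs in `CASES` are constructed for the example.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha512
HLEN = HASH().digest_size  # 64 bytes of output per PBKDF2 block


def pbkdf2_reference(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA512, written out block by block."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    keyed = hmac.new(password, digestmod=HASH)  # run the HMAC key setup once

    def prf(msg: bytes) -> bytes:
        h = keyed.copy()
        h.update(msg)
        return h.digest()

    out = b""
    for block in range(1, -(-dklen // HLEN) + 1):
        u = prf(salt + struct.pack(">I", block))  # U_1 = PRF(P, S || INT(i))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):           # U_j = PRF(P, U_{j-1})
            u = prf(u)
            t ^= int.from_bytes(u, "big")         # T_i = U_1 ^ U_2 ^ ... ^ U_c
        out += t.to_bytes(HLEN, "big")
    return out[:dklen]


# Constructed inputs: (password, salt, iterations, dklen)
CASES = [
    (b"password", b"salt", 1, 64),
    (b"password", b"salt", 2, 20),          # truncated single block
    (b"password", b"salt", 4096, 64),
    (b"pass\x00word", b"sa\x00lt", 64, 100),  # embedded NULs, two blocks
    (b"k" * 200, b"NaCl" * 8, 128, 130),    # key longer than the HMAC block size
]


def cross_check(cases=CASES):
    """Return the cases on which the two implementations disagree."""
    mismatches = []
    for password, salt, iterations, dklen in cases:
        ours = pbkdf2_reference(password, salt, iterations, dklen)
        theirs = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen)
        if not hmac.compare_digest(ours, theirs):
            mismatches.append((password, salt, iterations, dklen))
    return mismatches
```

An empty list from `cross_check()` means both implementations agree on every tuple; agreement between two implementations is weaker evidence than a published test vector, which is the gap the message points out.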