IETF-SSH archive


Re: SHA-2 based HMAC algorithm...



"denis bider (Bitvise)" <ietf-ssh2%denisbider.com@localhost> writes:

> On the other hand, if someone is going to choose HMAC-SHA2-512, they are 
> likely choosing it for the bigger numbers over HMAC-SHA2-256.

Not necessarily. On 64-bit hardware, sha512 can be faster than sha256
(in my implementation, I get 18 cycles/byte for sha256, and 12
cycles/byte for sha512, benchmarked on an intel core2. And 8
cycles/byte for sha1).

I was a bit surprised when I first noticed this. Without any deep
analysis, I think it simply works like this: the compression function
takes more time for sha512 than sha256 (30% slower in my benchmarks),
but then it processes twice as many input bytes.

> I'm not seeing how the larger key size hurts.

I guess it's no big problem, just a few more bytes to generate from the
"raw" session key. I was asking for a motivation, since I thought you
might have had some reason, besides the annoying incompatibility, to
complain on the existing implementations using 16 byte or 20 byte hmac
keys (for hmac-sha256@ssh.com). To me it would make some sense to stick
to a 20 byte (160 bit) key for all hmac-sha2 variants.

But if there's no more compelling motivation than "that's what other
protocols are doing", I guess I will have to be satisfied with that.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
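
The "few more bytes to generate from the raw session key" discussed in the message above, as an added example that is not part of the original post: the RFC 4253 section 7.2 key-expansion loop, counting hash calls for a 20-byte integrity key versus 32- and 64-byte keys. The K, H and session_id values are constructed, the 32/64-byte key lengths are an assumption (digest-sized keys), and the function names are this example's own.

```python
import hashlib
import struct


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n == 0:
        return struct.pack(">I", 0)
    # One extra leading zero byte appears when the top bit would otherwise be set.
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def derive_key(hash_name: str, K: int, H: bytes, letter: bytes,
               session_id: bytes, length: int):
    """RFC 4253 section 7.2: K1 = HASH(K || H || letter || session_id),
    Kn = HASH(K || H || K1 || ... || K(n-1)); key = first `length` bytes.
    Returns (key, number_of_hash_calls)."""
    k = mpint(K)
    out = hashlib.new(hash_name, k + H + letter + session_id).digest()
    calls = 1
    while len(out) < length:
        out += hashlib.new(hash_name, k + H + out).digest()
        calls += 1
    return out[:length], calls


# Constructed sample values (not from a real key exchange).
K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
H_SHA1 = hashlib.sha1(b"constructed exchange hash").digest()
H_SHA256 = hashlib.sha256(b"constructed exchange hash").digest()


def hash_calls(kex_hash: str, H: bytes, key_len: int) -> int:
    """Hash invocations needed for the client-to-server integrity key ("E").
    On the first key exchange the session_id equals H."""
    return derive_key(kex_hash, K, H, b"E", H, key_len)[1]


if __name__ == "__main__":
    for kex_hash, H in (("sha1", H_SHA1), ("sha256", H_SHA256)):
        for key_len in (20, 32, 64):
            print(kex_hash, key_len, hash_calls(kex_hash, H, key_len))
```

With a SHA-1 key exchange hash the 20-byte key comes from a single hash output, while the longer keys are built by the extension loop; the shorter key is always a prefix of the longer one.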


