
SHA-3 shows secure hash functions are possible. But can we build fast ones? - vgnet
https://plus.google.com/108313527900507320366/posts/4ZPRdvpzBTJ
======
gte910h
Don't you want hash functions to be slow to prolong their lifespan?

~~~
jacques_chester
You've misunderstood the two key requirements of a hashing function.

The first is to be _secure_. It should produce irreversible, unpredictable
changes to at least half of the bits in the output string if one bit of input
is changed.

The second is to be _fast_. Hash functions are typically used to produce
_authentication_ of various pieces of original data. Each such unit of data
might be small; hashes should not add an unacceptable overhead to
communications, for example.

By contrast, key-derivation functions _should_ be slow, because they have a
different threat profile. Using a hash function for key-derivation purposes is
a mistake.
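
An added example (not from the thread or any of its participants) that demonstrates the two properties the comment above distinguishes: first, the avalanche behaviour of a fast hash, measured by flipping every single input bit of a constructed message and counting how many SHA3-256 digest bits change; second, the work gap between one hash call and a key-derivation function under a dictionary attack, using PBKDF2-HMAC-SHA256 written out in pure Python (checked against `hashlib.pbkdf2_hmac`) so the iteration chain that makes it slow is visible. The sample message, salt and word list are constructed for the demonstration; the PRF call counter is an instrumentation device, not part of any real KDF API.

```python
import hashlib
import hmac

# Constructed sample inputs for this demonstration (not taken from the thread).
SAMPLE_MSG = b"The quick brown fox jumps over the lazy dog"
SALT = b"constructed-salt"  # 16 bytes; real code draws this from os.urandom(16)
WORDLIST = [b"letmein", b"password", b"hunter2", b"correct horse", b"s3cret"]


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(msg: bytes, bit: int, algo: str = "sha3_256") -> int:
    """Flip one input bit (LSB-first numbering) and count changed digest bits."""
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    before = hashlib.new(algo, msg).digest()
    after = hashlib.new(algo, bytes(flipped)).digest()
    return hamming_distance(before, after)


def mean_avalanche(msg: bytes, algo: str = "sha3_256") -> float:
    """Average number of changed digest bits over every single-bit flip of msg.

    For a sound hash this sits near half the digest length (128 of 256 for
    SHA3-256); the per-flip count scatters around that mean like a fair coin.
    """
    n_bits = len(msg) * 8
    return sum(avalanche_bits(msg, i, algo) for i in range(n_bits)) / n_bits


# --- fast hash vs. slow key-derivation function ---------------------------

HMAC_CALLS = {"n": 0}  # instrumentation only: counts underlying PRF invocations


def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 with a call counter so the attacker's work is measurable."""
    HMAC_CALLS["n"] += 1
    return hmac.new(key, data, hashlib.sha256).digest()


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, first 32-byte block only (RFC 8018, c = iterations).

    U_1 = PRF(P, S || INT(1)), U_j = PRF(P, U_{j-1}), T_1 = U_1 xor ... xor U_c.
    The chain of `iterations` dependent PRF calls is exactly what makes it slow.
    """
    u = _prf(password, salt + (1).to_bytes(4, "big"))
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = _prf(password, u)
        t = bytearray(x ^ y for x, y in zip(t, u))
    return bytes(t)


def single_hash(password: bytes, salt: bytes, iterations: int = 1) -> bytes:
    """One fast PRF call: the cost of using a plain hash as a 'KDF' (the mistake
    the comment warns about). `iterations` is ignored; it only matches the
    signature of pbkdf2_sha256 so both can be handed to dictionary_attack."""
    return _prf(salt, password)


def dictionary_attack(derive, target: bytes, salt: bytes, iterations: int):
    """Try each word in WORDLIST; return (recovered password or None, PRF calls)."""
    HMAC_CALLS["n"] = 0
    for candidate in WORDLIST:
        if hmac.compare_digest(derive(candidate, salt, iterations), target):
            return candidate, HMAC_CALLS["n"]
    return None, HMAC_CALLS["n"]


if __name__ == "__main__":
    print("mean SHA3-256 bits changed per input bit flip:",
          round(mean_avalanche(SAMPLE_MSG), 2))
    for name, derive in (("single hash", single_hash), ("PBKDF2", pbkdf2_sha256)):
        target = derive(b"hunter2", SALT, 1000)
        found, work = dictionary_attack(derive, target, SALT, 1000)
        print(f"{name}: recovered {found!r} after {work} PRF calls")
```

The avalanche figure is what "at least half of the bits" looks like in practice: the mean over all flips lands close to 128, while individual flips scatter around it. The attack run shows the other half of the argument: the same five-word dictionary costs three PRF calls against the plain hash and three thousand against PBKDF2 with c = 1000, because each guess must repeat the whole chain. Multiplying the guessing cost by c is worth roughly log2(c) extra bits of security against brute force, which is why that slowness is wanted in a KDF and unwanted in a hash that authenticates every packet.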

~~~
saurik
The problem I have with this simplification is that if I can brute force your
hash (which is a feasible attack vector as computers get faster: people even
sit around brute forcing MD5 nowadays, thanks to some mathematical attacks
that reduce some of its strength), then I can spoof your "authentication". If
you have two 128-bit hash algorithms, and one is fundamentally twice as slow
as the other, it is effectively a 129-bit hash in comparison.

~~~
jacques_chester
You don't see hashes with, say, thousands of rounds because it's just too
slow.

Hash algorithms always exist in tension between security and speed, because
authentication is their purpose, not secrecy.

