[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MD5 vs. SHA-1, Performance & Pedigree

        For those interested in the pedigree of SHA1, you should
know that Professor Rivest, the inventor of MD5, was also involved 
with the review/creation of SHA1.  There are academic papers 
available that compare the two hash functions and make it clear that 
they have very similar design principles.  SHA1 uses five rounds of 
an MD5 like round function to produce five 32 bit blocks, whereas 
MD5 uses four rounds to produce four 32 bit blocks.
The new feature of SHA1 is an expansion step before the five 
rounds.  It is a simple linear feedback shift register expansion 
that mixes all the bits of the input block.  The difference 
between SHA0 and SHA1 is a change in the LSFR to ensure that each 
bit position in the expansion depends on each position of the 
        For those who worry about weaknesses in MD5 please note 
that IPSec uses the HMAC transform not raw MD5.  For those who 
think 128 bits is too small, then SHA1's 160 is a nice step up.
        For those who care about performance here are the numbers
from the BSAFE 3.0 crypto toolkit on various platforms.  The tests 
are run on very large input blocks.  The speeds are in megabytes 
per second.

                Digest Performance in MegaBytes per Second

          Pentium P5     Power Mac    SPARC 4     DEC Alpha
            90 MHz        80 MHz      110 MHz      200 MHz

MD5         13.1          3.1         5.1          8.5

SHA1         2.5          1.2         2.0          3.3

        The number for the pentium is particularly high because
extensive work was done to optimize the algorithm for the
dual integer pipeline of the pentium.  The rest are compiled
from C code with speed optimization turned on.

                --Bob Baldwin
                  RSA Data Security Inc.