A collection of crypto performance measurements

It’s happened many times in my career, including as recently as late 2016: I encounter a fairly new codebase that is actively using MD5 for some purpose. When I ask about the choice of MD5, I hear a well-meaning software engineer say:

We chose MD5 for data integrity because it’s the fastest.

Not only is MD5 insecure for such security uses, but even the legacy notion that it’s the fastest hashing algorithm is suspect: the latest CPUs include instruction-set features which, combined with newer 64-bit algorithm designs, challenge much of what we once knew about crypto performance on particular systems.

In fact, it’s become hard to say intuitively what the optimal choice is for a given system. Crypto performance has varying characteristics and tradeoffs depending upon whether we are talking about a 64-bit x86 Xeon server, a 32-bit ARM mobile device, or an 8-bit microcontroller. On some systems, SHA-512 can outperform MD5 and SHA-1; on other systems, that’s not the case.
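To get a quick feel for this on your own hardware, a few lines of Python against the standard library’s hashlib are enough for a rough comparison. This is just an illustrative sketch of the kind of measurement I mean, not the actual harness behind the data below:

```python
# Rough, illustrative throughput check (an ad-hoc sketch, not the harness
# behind the published measurements): hash a fixed buffer many times with
# each algorithm and report MiB/s on the current machine.
import hashlib
import time

BUF = b"\x00" * (1024 * 1024)  # 1 MiB of input per update
ITERATIONS = 256               # ~256 MiB hashed per algorithm

for name in ("md5", "sha1", "sha256", "sha512"):
    h = hashlib.new(name)
    start = time.perf_counter()
    for _ in range(ITERATIONS):
        h.update(BUF)
    elapsed = time.perf_counter() - start
    print("{:>8}: {:8.1f} MiB/s".format(name, ITERATIONS / elapsed))
```

For a similar quick read using OpenSSL’s optimized implementations, `openssl speed md5 sha1 sha256 sha512` works too. The collection described below relies on library-level benchmarks like that rather than one-off scripts.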

So how do we know what those tradeoffs are? If we have to pick a single target algorithm to support a diverse ecosystem of device types (think: a service used by desktops + mobile + IoT), what’s the right balanced choice that gives us the best available security with reasonable performance on even the meekest device in the ecosystem?

I often need to make these types of cryptographic engineering choices and tradeoffs. And while it’s easy to shortcut and go with the typical socialized understanding (“MD5 is fastest”, “ECC is best for constrained devices”, etc.), I like to have data/evidence to support or disqualify choices for my particular applied context. Thus I wind up performing, collecting, and consulting lots of different cryptographic measurements (benchmarks) on lots of different platforms, to understand in-the-field operation and make the best choice for the situation at hand.

Since the results are highly useful, contain some surprises, and are overall eye-opening, I thought I would share them. You can find my ongoing stash of cryptographic measurement data on GitHub.

The goals of this collection of data are to:

  • Show how the latest optimized algorithms perform on modern hardware systems with advantageous CPU instructions/feature sets
  • Challenge the “legacy status quo” regarding strong algorithms being slower than weaker algorithms
  • Make informed choices on the best-fit algorithm for applications running exclusively on a specific platform vs. a balanced choice for a mixed cross-platform ecosystem
  • Provide measurable comparisons to illustrate the additional cost (if any!) of choosing stronger cryptographic implementations for products (like IoT devices) looking to maintain a survivable, strong security posture for many (5–10) years

I should mention the intent is not to compare different cryptographic library implementations of the same algorithm, since over time the main/popular libraries tend to converge on the best known implementation. I’m also avoiding narrow-purpose benchmark tools like SUPERCOP, preferring instead measurements taken from the practical cryptographic libraries/implementations that real-world applications would typically use.

Hopefully, with the right data (this data!), software and device producers will make better-informed choices toward stronger, future-proof security. We need to stop using decade-old crypto in stuff that must last the next decade; instead, we should consider the incremental cost of pushing our choices as far forward on the security spectrum as possible.

December 28, 2016 Tags: crypto