Re: [PATCH] sha256: add support for Nettle

["brian m. carlson" <sandals@crustytoothpaste.net>]

[-- Attachment #1: Type: text/plain, Size: 2375 bytes --]

On 2022-07-06 at 09:23:18, Jeff King wrote:
> On Wed, Jul 06, 2022 at 10:45:06AM +0200, Ævar Arnfjörð Bjarmason wrote:
> 
> > Would it be viable / at all sane to embed the part of the library we
> > need in our sources, similar to what we do for sha1dc? Or perhaps it's
> > not worth it at all...
> 
> I doubt it's worth it. It's a big library with tons of algorithms, most
> of which we won't need. And the implementation has lots of asm and
> platform-specific knobs. I wouldn't want to try extracting any of that
> from their autoconf file, nor putting (more) autoconf inside our
> repository.

Yeah, it requires doing a CPUID check on different platforms to
determine which CPU to use at runtime.  Depending on platform, CPUID
isn't always available, and sometimes you end up needing to use a
different method, which we wouldn't want to port here.

If we just want a basic option, we have that in the block SHA-256
algorithm, which is probably no better or worse than Nettle's
implementation.

> For sha1dc, I think including a vendored copy was important for us
> making it the default, and we wanted to do that for the security
> implications. A 12% speedup is OK to leave on the able for the default
> build, and people can easily link against the system libnettle if they
> care enough. And other linkable implementations are in the same boat;
> openssl is even faster than libnettle on my machine.

Right.  I'm not surprised that OpenSSL is faster here, and that's
expected, since OpenSSL tends to outperform other libraries.  Even with
SHA-NI extensions, it's slightly faster still (1.415 s vs. 1.529 s for a
2 GB file), but I'm sure with a small amount of tuning Nettle could
catch up, because it's essentially the same instructions.

For block SHA-256, the time taken for the same file is 7.296 seconds, so
the performance improvement is substantial if you have the extensions
(and maybe even if you don't since both Nettle and OpenSSL have SIMD
implementations as well). That's why I wanted to send this patch: I'd
like to see if Debian can link against libnettle in the future,
especially since it's already in at least some binaries due to GnuTLS.

For SHA-1 DC, we definitely want it to be the default for security, so
vendoring a copy matters.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]