Myth: MD5 is faster than SHA-1 - Journal of Omnifarious
Nov. 5th, 2008
11:36 am - Myth: MD5 is faster than SHA-1
MD5 is broken. It no longer satisfies one of the basic properties of a hash function. It is possible to find two values that have the same hash relatively simply and quickly. People say that this is a fairly trivial weakness and that there are many things MD5 can still be used for. They are wrong. It is very hard to accurately analyze exactly where and when the lack of that particular property can bite you. But still people persist in saying MD5 is fine, and we should continue to use it because it's faster. But the idea that it's faster is a myth.
OK, so it's not a total myth. On paper MD5 should be faster than SHA-1. It's simpler and requires fewer operations to computer. But in practice it often isn't faster.
Where I work we tested MD5 and SHA-1 from OpenSSL on several different platforms. SHA-1 was actually faster on most of them. OpenSSL has assembly optimized versions of both algorithms for many platforms. But the assembly optimized versions of SHA-1 were consistently faster.
I do not know exactly why this is. But I do have a guess. My guess is that everybody who actually knows enough to do significant work on cryptography algorithm implementations knows that MD5 is broken and should no longer be used for anything, no matter what excuse. And so they don't spend much time trying to tweak the assembly optimized versions of MD5 and instead concentrate their efforts on the much stronger (but still slightly broken) SHA-1. So those versions end up faster.
So please people, stop using MD5. And replace it everywhere it's used. It's broken, and pretending you can do the analysis to know that its brokenness isn't going to affect you is foolish arrogance. There is no excuse but inertia. The "but it's faster" excuse no longer flies.
![[mood icon]](https://www.livejournal.com/img/mood/growf/pengies/determined.gif)
You know, you'd think so wouldn't you? But I keep hearing the stupidest arguments in favor of MD5 in various situations.
Sorry but I don't agree. MD5 vs SHA speed comparisons
Using Ruby's Digest::MD5.hexdigest is faster than Digest::SHA1.hexdigest
Crypto algorithm benchmarking also says MD5 is faster - http://www.cryptopp.com/benchmarks.html
Re: Sorry but I don't agree. MD5 vs SHA speed comparisons
For an optimal implementation you are correct. But in the OpenSSL library, which is pretty widely used, SHA1 has received a great deal more optimization effort than MD5 and is faster on many platforms.
Anyway, SHA-1 is looking kind of shaky these days too; the goverment is holding a competition to come up with a replacement (much like the one that produced AES from Rijndael back in '99).
Competition
I knew about that. :-)
I'm not so sure about SHA-1 vs. MD5 implementation. You might be right. But I checked the changelog for OpenSSL and the SHA-1 stuff generally had a much more recent modification date than the MD5 stuff. So I took that as partial support for my hypothesis.
Edited at 2008-11-07 09:32 am (UTC)