Re: [VOTE] Timing attack safe string comparison function

Date: Mon, 10 Feb 2014 01:58:00 +0000
Subject: Re: [VOTE] Timing attack safe string comparison function
On Mon, Feb 10, 2014 at 10:15 AM, Yasuo Ohgaki <[email protected]> wrote:

> I took a benchmark. str_compare() is not timing safe. It's there for
> reference.
>
> str_siphash_compare  Elapsed: 1.389824   Iterations: 1000000 DataSize: 8
> str_xxhash32_compare Elapsed: 1.241737   Iterations: 1000000 DataSize: 8
> str_md5_compare      Elapsed: 3.029127   Iterations: 1000000 DataSize: 8
> str_byte_compare     Elapsed: 1.236183   Iterations: 1000000 DataSize: 8
> str_byte_compare2    Elapsed: 1.269901   Iterations: 1000000 DataSize: 8
> str_word_compare     Elapsed: 1.273266   Iterations: 1000000 DataSize: 8
> str_compare          Elapsed: 1.181425   Iterations: 1000000 DataSize: 8
>
> str_byte_compare() is the winner for small data.
> I'm a little surprised that str_xxhash32_compare() is the second.
> str_word_compare() is marginally slower.
>
> str_siphash_compare  Elapsed: 2.341025   Iterations: 1000000 DataSize: 128
> str_xxhash32_compare Elapsed: 1.560131   Iterations: 1000000 DataSize: 128
> str_md5_compare      Elapsed: 6.055007   Iterations: 1000000 DataSize: 128
> str_byte_compare     Elapsed: 1.799050   Iterations: 1000000 DataSize: 128
> str_byte_compare2    Elapsed: 2.163229   Iterations: 1000000 DataSize: 128
> str_word_compare     Elapsed: 1.337508   Iterations: 1000000 DataSize: 128
> str_compare          Elapsed: 1.194582   Iterations: 1000000 DataSize: 128
>
> str_word_compare() is the winner for relatively large data.
>
> It seems str_word_compare() is the way to go.
>

https://gist.github.com/yohgaki/ede544f290c6cf9fa90d

This is the benchmark script.

Regards,

--
Yasuo Ohgaki
[email protected]
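
An added example, not taken from this message or the linked gist: a byte-wise and a word-wise comparison in C that both accumulate XOR differences over the full length instead of returning at the first mismatch, the usual way a comparison avoids leaking the mismatch position through timing. The names `ct_byte_equal` and `ct_word_equal` are hypothetical and are not the implementations benchmarked above; both assume the two buffers have the same length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-wise: OR together the XOR of every byte pair; the loop always runs
 * len iterations. Returns 1 if equal, 0 otherwise. (Hypothetical name.) */
int ct_byte_equal(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned int diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned int)(pa[i] ^ pb[i]);
    return 1 & ((diff - 1) >> 8);   /* branch-free: 1 only when diff == 0 */
}

/* Word-wise: same accumulation, 8 bytes per step, then a byte-wise tail.
 * memcpy keeps the loads alignment-safe. (Hypothetical name.) */
int ct_word_equal(const void *a, const void *b, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    uint64_t acc = 0;
    size_t i = 0;
    for (; i + sizeof(uint64_t) <= len; i += sizeof(uint64_t)) {
        uint64_t wa, wb;
        memcpy(&wa, pa + i, sizeof wa);
        memcpy(&wb, pb + i, sizeof wb);
        acc |= wa ^ wb;
    }
    for (; i < len; i++)
        acc |= (uint64_t)(pa[i] ^ pb[i]);
    acc |= acc >> 32;               /* fold all 8 bytes into the low byte */
    acc |= acc >> 16;
    acc |= acc >> 8;
    unsigned int diff = (unsigned int)(acc & 0xff);
    return 1 & ((diff - 1) >> 8);
}

int main(void)
{
    /* Constructed sample tokens, differing only in the last character. */
    const char *known = "3f9a1c07d2e4b865", *guess = "3f9a1c07d2e4b866";
    printf("byte: %d word: %d\n", ct_byte_equal(known, guess, 16),
           ct_word_equal(known, guess, 16));
    return 0;
}
```

An optimizing compiler can still rewrite loops like these, so the generated assembly for the target build is worth inspecting.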

