On Thu, 2013-08-08 at 22:21 +0200, Wouter Verhelst wrote:
> On 05-08-13 02:16, Ben Hutchings wrote:
> > On Sun, 2013-08-04 at 16:45 +0200, Wouter Verhelst wrote:
> >> On 03-08-13 13:45, Ondřej Surý wrote:
> >>> I think it's useless to upgrade to SHA512 (or SHA-3),
> >>
> >> It's never useless to upgrade to a stronger hash.
> >>
> >> The cost might outweigh the benefit, yes. But that's a different matter.
> >
> > What makes you think these are stronger?
>
> Simple mathematics.
>
> To me, a "strong hash" is a hash for which collisions are unlikely.
[...]
There is a big difference between *likelihood* of a random collision, and *difficulty* of deliberately constructing a collision. The latter case is not simple mathematics.

Still, if I understand correctly, current attacks on SHA-256 and SHA-512 only improve by a few orders of magnitude over a brute force search, which does make SHA-512 much stronger.

If I understand correctly, SHA-3 is a very different algorithm, but not necessarily stronger. It's probably worth designing into cryptographic hardware for the next few decades, but there's no need to start using it.

I think SHA-2 (with any of the specified hash lengths) is good enough for now - it's just not going to be the weak link in authenticating Debian packages.

Ben.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
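As an added illustration (not part of the thread), the two quantities Ben distinguishes, computed for SHA-256 and SHA-512 in Python: the birthday-bound likelihood that a set of random digests already contains a collision, versus the work an attacker needs to construct one, with the brute-force figure reduced by an assumed "few orders of magnitude" speedup. The 2^32-file archive and the three-orders-of-magnitude speedup are constructed inputs, not numbers from the thread.

```python
import math

# Digest sizes (bits) for the SHA-2 members discussed in the thread.
SHA2_BITS = {"sha256": 256, "sha512": 512}


def log2_collision_probability(n_items: int, digest_bits: int) -> float:
    """log2 of the probability that n_items independent, uniformly random
    digest_bits-bit digests contain at least one collision (the *likelihood*
    of a random collision).  Birthday bound P ~ n(n-1)/2^(b+1), accurate while
    P is small; the log form avoids float underflow for real digest sizes."""
    if n_items < 2:
        return -math.inf
    return math.log2(n_items) + math.log2(n_items - 1) - (digest_bits + 1)


def generic_attack_cost_bits(digest_bits: int, attack: str = "collision",
                             speedup_orders: float = 0.0) -> float:
    """log2 of the work to *construct* a collision (birthday search, 2^(b/2))
    or a preimage (brute force, 2^b), reduced by an attack that beats brute
    force by speedup_orders decimal orders of magnitude."""
    if attack == "collision":
        brute_force_bits = digest_bits / 2
    elif attack == "preimage":
        brute_force_bits = digest_bits
    else:
        raise ValueError("attack must be 'collision' or 'preimage'")
    # k decimal orders of magnitude = k * log2(10) bits of work saved.
    return brute_force_bits - speedup_orders * math.log2(10)


def compare_sha2(n_items: int, speedup_orders: float) -> dict:
    """Both quantities for SHA-256 and SHA-512, keyed by algorithm name."""
    return {
        name: {
            "log2_random_collision_prob": log2_collision_probability(n_items, bits),
            "collision_attack_bits": generic_attack_cost_bits(bits, "collision", speedup_orders),
            "preimage_attack_bits": generic_attack_cost_bits(bits, "preimage", speedup_orders),
        }
        for name, bits in SHA2_BITS.items()
    }


if __name__ == "__main__":
    # Constructed scenario: 2^32 distinct files in an archive, and an attack
    # that improves on brute force by 3 decimal orders of magnitude (~10 bits).
    for name, row in compare_sha2(2 ** 32, 3.0).items():
        print(name, {k: round(v, 1) for k, v in row.items()})
```

Even with the assumed speedup, constructing a SHA-256 collision stays near 2^118 work and a SHA-512 collision near 2^246, while the chance that 2^32 random SHA-256 digests collide by accident is around 2^-193.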