Hi Johannes, > SHA-256 got much more cryptanalysis than SHA3-256 […].
I do not think this is true. Keccak/SHA-3 actually got (and is still getting) a lot of cryptanalysis, with papers published at renowned crypto conferences [1]. Keccak/SHA-3 is recognized to have a significant safety margin. E.g., one can cut the number of rounds in half (as in Keyak or KangarooTwelve) and still get a very strong function. I don't think we could say the same for SHA-256 or SHA-512… Kind regards, Gilles, for the Keccak team [1] https://keccak.team/third_party.html
