Hi Gilles,

On Mon, 18 Sep 2017, Gilles Van Assche wrote:

> > SHA-256 got much more cryptanalysis than SHA3-256 […].
> 
> I do not think this is true.

Please read what I said again: SHA-256 got much more cryptanalysis than
SHA3-256.

I never said that SHA3-256 got little cryptanalysis. Personally, I think
that SHA3-256 got a ton more cryptanalysis than SHA-1, and that SHA-256
*still* got more cryptanalysis. But my opinion does not count, really.
However, the two experts I pestered with questions over questions left me
with that strong impression, and their opinion does count.

> Keccak/SHA-3 actually got (and is still getting) a lot of cryptanalysis,
> with papers published at renowned crypto conferences [1].
> 
> Keccak/SHA-3 is recognized to have a significant safety margin. E.g.,
> one can cut the number of rounds in half (as in Keyak or KangarooTwelve)
> and still get a very strong function. I don't think we could say the
> same for SHA-256 or SHA-512…

Again, I do not want to criticize SHA3/Keccak. Personally, I have a lot of
respect for Keccak.

I also have a lot of respect for everybody who scrutinized the SHA2 family
of algorithms.

I also respect the fact that there are more implementations of SHA-256,
and thanks to everybody seeming to demand SHA-256 checksums instead of
SHA-1 or MD5 for downloads, bugs in those implementations are probably
discovered relatively quickly, and I also cannot ignore the prospect of
hardware support for SHA-256.

In any case, having SHA3 as a fallback in case SHA-256 gets broken seems
like a very good safety net to me.

Ciao,
Johannes
