Dear Johannes,
if ever there was a SHA-2 competition, it must have been held inside
NSA :-) But maybe you are confusing it with the SHA-3 competition. In any
case, when considering SHA-2 vs SHA-3 for usage in git, you may have a
look at arguments we give in the following blogpost:
https://keccak.team/2017/open_source_crypto.html
Kind regards,
Joan Daemen
On 29/09/17 15:17, Johannes Schindelin wrote:
Hi Gilles,
On Tue, 19 Sep 2017, Gilles Van Assche wrote:
On 19/09/17 00:16, Johannes Schindelin wrote:
SHA-256 got much more cryptanalysis than SHA3-256 […].
I do not think this is true.
Please read what I said again: SHA-256 got much more cryptanalysis
than SHA3-256.
Indeed. What I meant is that SHA3-256 got at least as much cryptanalysis
as SHA-256. :-)
Oh? I got the opposite impression... I got the impression that *everybody*
in the field banged on all the SHA-2 candidates because everybody was
worried that SHA-1 would be utterly broken soon, and I got the impression
that after this SHA-2 competition, people were less worried?
Besides, I would expect the difference in age (at *least* 7 years by
my humble arithmetic skills) to make a difference...
I never said that SHA3-256 got little cryptanalysis. Personally, I
think that SHA3-256 got a ton more cryptanalysis than SHA-1, and that
SHA-256 *still* got more cryptanalysis. But my opinion does not count,
really. However, the two experts I pestered with questions over
questions left me with that strong impression, and their opinion does
count.
OK, I respect your opinion and that of your two experts. Yet, the "much
more" part of your statement, in particular, is something that may
require a bit more explanations.
I would also like to point out the ubiquitousness of SHA-256. I have been
asked to provide SHA-256 checksums for the downloads of Git for Windows,
but not SHA3-256...
And this is a practically relevant thing: the more users of an algorithm
there are, the more high-quality implementations you can choose from. And
this becomes relevant, say, when you have to switch implementations due to
license changes (*cough, cough looking in OpenSSL's direction*). Or when
you have to support the biggest Git repository on this planet and have to
eke out 5-10% more performance using the latest hardware. All of a sudden,
your consideration cannot only be "security of the algorithm" any longer.
Having said that, I am *really* happy to have SHA3-256 as a valid fallback
option in case SHA-256 should be broken.
Ciao,
Johannes
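The two practical points raised in the exchange above, that an object-hash swap and a raw-throughput comparison are what a project like git actually has to deal with, can be made concrete. The following is an added example written for this page; it is not code from the thread, from git, or from the Keccak team. It assumes git's object-ID construction, hash("<type> <size>\0<content>"), which git keeps unchanged for its SHA-256 mode; SHA3-256 is included only for comparison, since git does not support it. All sample inputs are constructed inline, and the throughput figures depend on the Python build and on whether hashlib is backed by OpenSSL (the same implementation-choice question Johannes alludes to).

```python
"""Git-style object IDs and hash throughput for SHA-1, SHA-256 and SHA3-256.

Added example, not code from the mailing-list thread or from git. The
object-ID format hash("<type> <size>\0<content>") is git's; the SHA3-256
column is hypothetical, shown only to compare digest sizes and speed.
"""
import hashlib
import time

SUPPORTED = ("sha1", "sha256", "sha3_256")


def git_object_id(content: bytes, algo: str = "sha1", obj_type: str = "blob") -> str:
    """Hex object ID as git computes it: hash(header + content).

    The header is "<type> <size>\\0"; only the digest function changes
    between algorithms, which is what makes a fixed-width hash swap
    tractable at the object level.
    """
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported hash: {algo}")
    header = f"{obj_type} {len(content)}\0".encode()
    h = hashlib.new(algo)
    h.update(header)
    h.update(content)
    return h.hexdigest()


def throughput_mb_s(algo: str, size_bytes: int = 8 * 1024 * 1024, rounds: int = 3) -> float:
    """Rough single-core throughput of `algo` in MB/s over a constructed buffer.

    Best-of-N wall-clock timing; numbers reflect the backend hashlib was
    built against (OpenSSL or the bundled fallback), not the algorithm alone.
    """
    buf = bytes(range(256)) * (size_bytes // 256)  # constructed input
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.new(algo, buf).hexdigest()
        best = min(best, time.perf_counter() - t0)
    return (len(buf) / (1024 * 1024)) / best


if __name__ == "__main__":
    blob = b"hello\n"  # constructed sample blob content
    for algo in SUPPORTED:
        print(f"{algo:8} {git_object_id(blob, algo)}")
    for algo in SUPPORTED:
        print(f"{algo:8} {throughput_mb_s(algo):8.1f} MB/s")
```

Run it once with an OpenSSL-backed Python and once with a Python whose hashlib falls back to its bundled implementations and the SHA-256 column moves noticeably while the SHA3-256 column tends to move less, which is the implementation-availability argument in practice rather than a property of the algorithms.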