Daniel Loebenberger:

> - The construction of SHA3 differs considerably from the SHA2
>   constructions
> - SHA3's design principles are far better understood than the ones of
>   SHA2.

I hear you, but you are missing the point.

> - A possible migration away from SHA2 will be
>   faster when including SHA3 in OpenBSD now if it should happen that major
>   cryptanalytic advances attacking SHA2 pop up in the future.

You are arguing for cryptographic algorithm agility. That is a concept the OpenBSD project has become increasingly critical of, because it adds complexity and code size for questionable gain.

SHA-2 is baked into numerous protocols. Off the top of my head:

* signify(1)
* all non-legacy SSH key exchange and authentication methods
* all non-legacy TLS cipher suites and certificates

For all of those, a switchover to SHA-3 would require defining new protocol variants and then deploying them throughout the ecosystem. Having a SHA-3 implementation in libc is a rather small part of the overall effort. And there is no practical algorithm agility until you get to the point where you already HAVE deployed the new protocol variants.

SHA-3 may be better, but so far SHA-2 is good enough. Algorithm agility is a questionable goal.

So let me repeat the question: What do you want to USE your SHA-3 implementation for?

--
Christian "naddy" Weisgerber na...@mips.inka.de