On Tue, Apr 13, 2021 at 09:58:56PM +0300, Sergey Matveev wrote:
> *** Markus Wichmann [2021-04-13 20:17]:
> >Y'know, while we're bikeshedding, why not just use SHA-3?
>
> Answer is: https://www.imperialviolet.org/2017/05/31/skipsha3.html

I don't care about the speed of a hash function. Speed of a hash function matters only in two cases: Doing lots of hashing (e.g. password cracking or bitcoin mining), or hashing large files. I don't hash large files often enough for speed to matter, I think bitcoin mining is pollution, and in case of password cracking, having a slower hash function is an advantage for me, as I would be on the side of the defenders.

> and answer for that:
> https://cryptologie.net/article/400/maybe-you-shouldnt-skip-sha-3/
> SHA3 is good, but "offers no compelling advantage over SHA2 and brings
> many costs". SHA2 is not so bad.

I am not a cryptographer. From what I understand about SHA-3, it offers a better HMAC function (the whole padding thing is not needed anymore, since hash extension attacks are not possible). I am dependent on the advice of cryptographers for the selection of hashing algorithms.

Cryptographers had a big old competition over the "best" hashing algorithm (and I realize that multidimensional optimization is, in general, impossible), and in 2012, Keccak (in a 64-bit variant) won. Now of course, since then, nine years have passed, and newer developments have not seen such a competition. But I lack the skills to evaluate any of the other possibilities for anything except speed, which is the one thing I don't care about.

So until SHA-4 comes along, or another comparable competition, I will stick to SHA-3. And I will continue to advocate for its use exclusively over SHA-2 to keep the zoo of hash functions small. SHA-3 should be used for its HMAC property alone, and it is adequate for all other tasks, so there is also no reason to keep SHA-2 around.

Ciao,
Markus