Paul Hoffman wrote:
At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
When in 2012 the winner of the
NIST SHA-3 competition will be known, and everybody will start
using it (so that according to Peter's estimates, by 2018 half
of the implementations actually use it), do we then have enough
redundancy?

No offense, Benne, but are you serious? Why would "everybody" even consider it?
Given what we know about the design of SHA-2 (too little), how would we know whether SHA-3
is any better than SHA-2 for applications such as digital certificates?

In specific, if most systems have implemented the whole SHA-2 family by the 
time SHA-3 is settled, and then there is a problem found in SHA-2/256, I would 
argue that it is probably much more prudent to change to SHA-2/384 than to 
SHA-3/256. SHA-2/384 will most likely be much than to SHA-3/256, but it will 
have had significantly more study.

Can you state the assumptions for why you think that moving to SHA384 would be safe if SHA256 was considered vulnerable in some way, please?

SHA256, 384 and 512 are a suite all built on the same basic algorithm construction. Depending on how SHA256 fell, the whole suite could be vulnerable irrespective of the digest length, or maybe it won't be.

Until we know how the SHA3 digest is actually constructed the same could even be true of that.

I don't think it depends at all on who you trust but on what algorithms are available in the protocols you need to use to run your business or use the apps important to you for some other reason. It also very much depends on why the app uses the crypto algorithm in question, and in the case of digest/hash algorithms whether they are keyed (HMAC) or not.

--
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
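Added example, not part of the thread above: Darren's point that SHA-256/384/512 (and SHA-224) are one construction rather than independent designs can be shown concretely by implementing them as a single parameterised Merkle-Damgard core. The only per-member inputs are word size, round count, rotation amounts, which primes seed the IV, and how much of the state is emitted; round constants and IVs are derived from cube and square roots of primes as FIPS 180-4 specifies rather than hard-coded. A small RFC 2104 HMAC on top shows the keyed wrapper is digest-agnostic, which is the other distinction he raises. Everything is checked against Python's hashlib; no identifiers here come from the thread.

```python
"""One parameterised Merkle-Damgard core yielding SHA-224/256/384/512.
Differences between members are confined to FAMILY and _ROT below;
the compression loop, padding and constant derivation are shared."""
import hashlib
import hmac
import math


def _primes(n):
    """First n primes (trial division is fine for n <= 80)."""
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    """floor(cbrt(n)) for a non-negative int, Newton iteration from above."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def _frac_root(n, root, bits, skip=0):
    """`bits` bits of the fractional part of sqrt(n) or cbrt(n), after
    skipping `skip` fractional bits (SHA-224's IV takes the second 32)."""
    total = bits + skip
    r = math.isqrt(n << (2 * total)) if root == 2 else _icbrt(n << (3 * total))
    return r & ((1 << bits) - 1)


# name: (word bits, rounds, index of first IV prime, IV bits skipped, digest bytes)
FAMILY = {
    "sha256": (32, 64, 0, 0, 32),
    "sha224": (32, 64, 8, 32, 28),
    "sha512": (64, 80, 0, 0, 64),
    "sha384": (64, 80, 8, 0, 48),
}
# per word size: Sigma0, Sigma1 (three rotations), sigma0, sigma1 (rotr, rotr, shr)
_ROT = {
    32: ((2, 13, 22), (6, 11, 25), (7, 18, 3), (17, 19, 10)),
    64: ((28, 34, 39), (14, 18, 41), (1, 8, 7), (19, 61, 6)),
}


def sha2(data, name):
    """Digest of `data` for any FAMILY member, computed by one code path."""
    w, rounds, iv_start, iv_skip, out_len = FAMILY[name]
    mask, wb = (1 << w) - 1, w // 8
    big0, big1, sm0, sm1 = _ROT[w]
    rotr = lambda x, n: ((x >> n) | (x << (w - n))) & mask
    primes = _primes(rounds)
    K = [_frac_root(p, 3, w) for p in primes]                  # cube roots
    H = [_frac_root(p, 2, w, iv_skip) for p in primes[iv_start:iv_start + 8]]
    block = 16 * wb
    msg = bytes(data) + b"\x80"                                 # MD padding
    msg += b"\x00" * ((-len(msg) - 2 * wb) % block)
    msg += (8 * len(data)).to_bytes(2 * wb, "big")              # 2-word bit length
    for off in range(0, len(msg), block):
        W = [int.from_bytes(msg[off + i * wb:off + (i + 1) * wb], "big") for i in range(16)]
        for t in range(16, rounds):                             # message schedule
            s0 = rotr(W[t - 15], sm0[0]) ^ rotr(W[t - 15], sm0[1]) ^ (W[t - 15] >> sm0[2])
            s1 = rotr(W[t - 2], sm1[0]) ^ rotr(W[t - 2], sm1[1]) ^ (W[t - 2] >> sm1[2])
            W.append((W[t - 16] + s0 + W[t - 7] + s1) & mask)
        a, b, c, d, e, f, g, h = H
        for t in range(rounds):                                 # compression
            t1 = (h + (rotr(e, big1[0]) ^ rotr(e, big1[1]) ^ rotr(e, big1[2]))
                  + ((e & f) ^ (~e & g)) + K[t] + W[t]) & mask
            t2 = ((rotr(a, big0[0]) ^ rotr(a, big0[1]) ^ rotr(a, big0[2]))
                  + ((a & b) ^ (a & c) ^ (b & c))) & mask
            h, g, f, e, d, c, b, a = g, f, e, (d + t1) & mask, c, b, a, (t1 + t2) & mask
        H = [(x + y) & mask for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(x.to_bytes(wb, "big") for x in H)[:out_len]  # truncate for 224/384


def hmac_sha2(key, data, name):
    """RFC 2104 HMAC over any member: the keyed wrapper never looks inside
    the hash, so it is the same code whichever digest is plugged in."""
    block = 16 * FAMILY[name][0] // 8
    if len(key) > block:
        key = sha2(key, name)
    key = key.ljust(block, b"\x00")
    inner = sha2(bytes(k ^ 0x36 for k in key) + data, name)
    return sha2(bytes(k ^ 0x5C for k in key) + inner, name)


def matches_hashlib(data, key=b"constructed-test-key"):
    """True when every member and its HMAC agree with hashlib/hmac."""
    return all(
        sha2(data, n) == hashlib.new(n, data).digest()
        and hmac_sha2(key, data, n) == hmac.new(key, data, n).digest()
        for n in FAMILY
    )
```

Note what the table makes visible: SHA-224 is SHA-256 with a different IV and 28 bytes of output, and SHA-384 is SHA-512 with a different IV and 48 bytes of output; SHA-512 differs from SHA-256 only in word width, round count and rotation amounts. A structural break in one member would therefore need to be assessed against the shared core before any sibling is treated as a safe fallback, whereas the HMAC wrapper above is unaffected by which member it is given.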
