On Fri, Oct 20, 2017 at 11:23 AM, Ulrich Mueller <u...@gentoo.org> wrote:
> >>>>> On Fri, 20 Oct 2017, Dirkjan Ochtman wrote: > > > As Hanno was saying, we'll have decades of warning before a break > > becomes practical, so I don't think this is a real concern. > > How can we be sure of that? I guess the same reasoning was applied > when MD5 and SHA1 hashes were used. > Yeah, and it actually did happen that way. Typically before preimage attacks (which are what we really care about here, as far as I understand it) happen there are several other types of attacks that will happen first, and that will provide advance warning about the level of security provided by SHA2. Cheers, Dirkjan