On Sun, Jul 25, 2021 at 11:23 AM Ulrich Mueller <u...@gentoo.org> wrote:
>
> We can reiterate when there are indications that SHA512 would be broken.
> (Then again, the same applies to BLAKE2B.)

Unless both are broken at the same time you'd also have the advantage
of not having to try to scramble to figure out whether anything was
compromised.  I get that typically hash functions are first broken in
a way that makes them very difficult to exploit, but that isn't some
sort of guarantee.  In the very unlikely event that somebody comes up
with a preimage attack against one of the functions, it would be even
more unlikely that an attack would be devised against both.

Sure, we're talking about low risks here, but we're also talking about
low cost and security.  When security is this cheap, why not have it?
I mean, if people didn't care about this stuff they wouldn't bother
migrating off of md5, and you'd have critical software like source
code control using broken hashes like sha1.

-- 
Rich
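
The dual-digest argument above, as an added example that is not part of the original message or of any project's code: a verifier that accepts a file only when both SHA512 and BLAKE2B match. The `DIST <name> <size> <ALGO> <hex> ...` line layout, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

# The two digests named in the thread, mapped to hashlib constructors.
ALGORITHMS = {"SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}

def make_entry(name, data, algos=("BLAKE2B", "SHA512")):
    """Build a 'DIST <name> <size> <ALGO> <hex> ...' line (assumed layout)."""
    pairs = [f"{a} {ALGORITHMS[a](data).hexdigest()}" for a in algos]
    return f"DIST {name} {len(data)} " + " ".join(pairs)

def parse_entry(line):
    """Return (name, size, {algo: hexdigest}); reject malformed lines."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 == 0 or fields[0] != "DIST":
        raise ValueError("malformed entry")
    algos = fields[3::2]
    if len(set(algos)) != len(algos):
        raise ValueError("duplicate algorithm")
    return fields[1], int(fields[2]), dict(zip(algos, fields[4::2]))

def verify(data, line, required=("BLAKE2B", "SHA512")):
    """Return the list of failed checks; an empty list means accepted."""
    _, size, digests = parse_entry(line)
    failures = []
    if len(data) != size:
        failures.append("size")
    # Every required digest must be present and match, so stripping one
    # from the entry cannot downgrade verification to a single function.
    for algo in required:
        expected = digests.get(algo)
        actual = ALGORITHMS[algo](data).hexdigest()
        if expected is None or actual != expected.lower():
            failures.append(algo)
    # Fail closed on digests this verifier does not know how to check.
    failures += [a for a in digests if a not in ALGORITHMS]
    return failures

# Constructed sample data, not taken from any real file.
GOOD = b"release tarball bytes"
EVIL = b"tampered tarball byte"  # same length, different content
ENTRY = make_entry("example-1.0.tar.gz", GOOD)

# Stand-in for a hypothetical SHA512 preimage: the SHA512 field matches
# EVIL, while the BLAKE2B field still describes GOOD.
n, s, d = parse_entry(ENTRY)
HALF_BROKEN = (f"DIST {n} {s} BLAKE2B {d['BLAKE2B']} "
               f"SHA512 {hashlib.sha512(EVIL).hexdigest()}")

if __name__ == "__main__":
    print(verify(GOOD, ENTRY), verify(EVIL, HALF_BROKEN))
```
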
