Hi, concerning the question who needs SHA3, we do not agree that SHA3 should be skipped as a standard. As cryptographers we sincerely believe that the SHA3 design is superior to the one of SHA256 also due to the process it was created. We believe that an efficient implementation will trigger increased use of the standard and hope that its user base will grow quickly once the commands are simply there.
For the discussion, find here some additional arguments in favor of SHA3: - The construction of SHA3 differs considerably from the SHA2 constructions (which covers all variants). Cryptanalytic progress for SHA2 can destroy all variants at once, but will probably not affect SHA3. - SHA3's design principles are far better understood than the ones of SHA2. The invention of sponge functions is in our opinion one of the greatest inventions in hash-function design over the past few years. It is simple and brilliant, and the generic properties of the construction have appealing properties. - A possible migration away from SHA2 will be faster when including SHA3 in OpenBSD now if it should happen that major cryptanalytic advances attacking SHA2 pop up in the future. - The claim that we now "know" how to build secure hash functions in general seems problematic. To break a function, substantial cryptanalytic effort must be made. It is not clear how much of this effort was put in the presumably secure "newer" functions. - The argument that SHA3 is slow does at least not apply to the reference code we used: The current implementation of sha3-256 is indeed [slightly] faster on our machine than the one of sha256. Best regards, Daniel, Stefan and Alexander