Hi,

Concerning the question of who needs SHA3, we do not agree that SHA3
should be skipped as a standard. As cryptographers we sincerely believe
that the SHA3 design is superior to the one of SHA256, also due to the
process by which it was created. We believe that an efficient
implementation will trigger increased use of the standard and hope that
its user base will grow quickly once the commands are simply there.

For the discussion, find here some additional arguments in favor of
SHA3:

- The construction of SHA3 differs considerably from the SHA2
constructions (which covers all variants). Cryptanalytic progress for
SHA2 can destroy all variants at once, but will probably not affect
SHA3.

- SHA3's design principles are far better understood than the ones of
SHA2. The invention of sponge functions is in our opinion one of the
greatest inventions in hash-function design over the past few years. It
is simple and brilliant, and the generic properties of the construction
have appealing properties.

- A possible migration away from SHA2 will be faster when including SHA3
in OpenBSD now if it should happen that major cryptanalytic advances
attacking SHA2 pop up in the future.

- The claim that we now "know" how to build secure hash functions in
general seems problematic. To break a function, substantial
cryptanalytic effort must be made. It is not clear how much of this
effort was put in the presumably secure "newer" functions.

- The argument that SHA3 is slow does at least not apply to the
reference code we used: The current implementation of sha3-256 is indeed
[slightly] faster on our machine than the one of sha256.

Best regards,
Daniel, Stefan and Alexander
