[142624] in cryptography@c2.net mail archive
RE: MD5 considered harmful today, SHA-1 considered harmful
daemon@ATHENA.MIT.EDU (Paul Hoffman)
Sun Jan 18 08:47:11 2009
In-Reply-To: <7DF2365FF07C0E4E89419D65CCC93C9E014AEA3B3377@EXCHANGE11.campus.tue.nl>
Date: Sat, 17 Jan 2009 12:03:57 -0800
To: <cryptography@metzdowd.com>
From: Paul Hoffman <paul.hoffman@vpnc.org>
At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
>When in 2012 the winner of the
>NIST SHA-3 competition will be known, and everybody will start
>using it (so that according to Peter's estimates, by 2018 half
>of the implementations actually uses it), do we then have enough
>redundancy?
No offense, Benne, but are you serious? Why would "everybody" even consider it? Given what we know about the design of SHA-2 (too little), how would we know whether SHA-3 is any better than SHA-2 for applications such as digital certificates?
In specific, if most systems have implemented the whole SHA-2 family by the time SHA-3 is settled, and then there is a problem found in SHA-2/256, I would argue that it is probably much more prudent to change to SHA-2/384 than to SHA-3/256. SHA-2/384 will most likely be much than to SHA-3/256, but it will have had significantly more study.
It all depends on who you trust and why.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List