[cryptography] Fwd: NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition

CodesInChaos codesinchaos at gmail.com
Wed Oct 3 06:17:52 EDT 2012


I for one am not happy with the choice. It's slower in software than
blake or skein, and on ARM it's even slower than SHA-2.

I'm not convinced that using a construction that's significantly
different from MD gains us much. The constructions are often provably
secure, so we only need to care about the quality of the compression
function. To my amateur eyes, keccak doesn't look stronger than blake
or skein.

I also think the "it's different" argument is overplayed. SHA-3 should
stand for itself. Many applications will choose one hash-function, and
not hash their data with both SHA-2 and SHA-3. They get broken if that
one hash is broken, and SHA-2 and SHA-3 being different doesn't really
help them much. I think it's nice to have different constructions on
stand-by, but would have chosen the one that seems best on its own,
disregarding how similar it is to SHA-2.



More information about the cryptography mailing list