Hi Gilles,

On Tue, 19 Sep 2017, Gilles Van Assche wrote:

> On 19/09/17 00:16, Johannes Schindelin wrote:
> >>> SHA-256 got much more cryptanalysis than SHA3-256 […].
> >>
> >> I do not think this is true.
> >
> > Please read what I said again: SHA-256 got much more cryptanalysis
> > than SHA3-256.
>
> Indeed. What I meant is that SHA3-256 got at least as much cryptanalysis
> as SHA-256. :-)

Oh? I got the opposite impression... I got the impression that
*everybody* in the field banged on all the SHA-2 candidates because
everybody was worried that SHA-1 would be utterly broken soon, and I got
the impression that after this SHA-2 competition, people were less
worried?

Besides, I would expect the difference in age (at *least* 7 years by my
humble arithmetic skills) to make a difference...

> > I never said that SHA3-256 got little cryptanalysis. Personally, I
> > think that SHA3-256 got a ton more cryptanalysis than SHA-1, and that
> > SHA-256 *still* got more cryptanalysis. But my opinion does not count,
> > really. However, the two experts I pestered with questions over
> > questions left me with that strong impression, and their opinion does
> > count.
>
> OK, I respect your opinion and that of your two experts. Yet, the "much
> more" part of your statement, in particular, is something that may
> require a bit more explanations.

I would also like to point out the ubiquitousness of SHA-256. I have been
asked to provide SHA-256 checksums for the downloads of Git for Windows,
but not SHA3-256...

And this is a practically-relevant thing: the more users of an algorithm
there are, the more high-quality implementations you can choose from. And
this becomes relevant, say, when you have to switch implementations due to
license changes (*cough, cough looking in OpenSSL's direction*). Or when
you have to support the biggest Git repository on this planet and have to
eke out 5-10% more performance using the latest hardware. All of a sudden,
your consideration cannot only be "security of the algorithm" any longer.

Having said that, I am *really* happy to have SHA3-256 as a valid fallback
option in case SHA-256 should be broken.

Ciao,
Johannes