I’ve got two pieces about the state of the modern crypto wars! The current dialogue is about hash functions: SHA-2 versus SHA-3. They also talk about some other competing functions like BLAKE and KangarooTwelve, but in the interest of sanity I’m going to stick to SHA-2 and SHA-3. These are both NIST-published standards, and NIST standards are generally the bar used by... well, everyone.
Some context first, however: there are currently six versions of SHA-2, published in 2001:
- SHA-256: an algorithm A that breaks data down into 32-bit words and outputs a 256-bit hash signature (digest)
- SHA-224: SHA-256, but with the 256-bit output digest truncated to 224 bits
- SHA-512: an algorithm A that breaks data down into 64-bit words and outputs a 512-bit digest
- SHA-384: SHA-512, but with the 512-bit digest truncated to 384 bits
- SHA-512/256: an algorithm B that generates a 512-bit digest which is then truncated to 256 bits
- SHA-512/224: SHA-512/256, but with the 512-bit digest truncated to 224 bits
If the naming schemes seem like a confusing mess, well, yes, they are a confusing mess. SHA-2 is still considered secure for almost all purposes, but the list of theoretical and very limited practical attacks has been growing over the years, and so there’s an ongoing discussion of what comes after. Importantly, most attacks focus on the algorithm A variants (#1-4 above); #5 and #6 are still considered very secure, rather than merely mostly secure. There are circles in the crypto world that think large-scale SHA-2 attacks will never be practical, just to give you an idea of how concerned most people are about jumping to a new standard (they’re not, yet).
Enter SHA-3 (published in 2015): SHA-3 has a bunch of possible variants that I’m not going to go into, but the general takeaway is that SHA-3 is generally slower than SHA-2 but is also secure against the attacks that have been shown against some SHA-2 variants.
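To make the list above concrete, here is an added example (mine, not from the post or from either of the linked articles) that runs all six SHA-2 variants and the four fixed-length SHA-3 variants from Python’s standard `hashlib` over a constructed sample message and reports each one’s digest length and, for SHA-2, the word size its compression function uses. It also carries one caveat a practitioner should know: each truncated variant (SHA-224, SHA-384, SHA-512/224, SHA-512/256) starts from its own initial hash values, so its digest is not simply the leading bytes of the longer sibling’s digest, which the `is_plain_prefix` check demonstrates. Availability of `sha512_256` and `sha512_224` depends on the OpenSSL build behind `hashlib`, so those two are probed rather than assumed.

```python
import hashlib

# Constructed sample input for the demonstration (not taken from the post).
SAMPLE = b"The quick brown fox jumps over the lazy dog"

# hashlib names for the six SHA-2 variants, in the post's order.
SHA2 = ["sha256", "sha224", "sha512", "sha384", "sha512_256", "sha512_224"]
# The four fixed-length SHA-3 variants, for comparison.
SHA3 = ["sha3_256", "sha3_224", "sha3_512", "sha3_384"]


def available(name):
    """True if this Python/OpenSSL build offers the named hash."""
    try:
        hashlib.new(name)
        return True
    except ValueError:
        return False


def digest_bits(name, data=SAMPLE):
    """Digest (output) length in bits for the named hash."""
    return hashlib.new(name, data).digest_size * 8


def sha2_word_bits(name):
    """Word size of a SHA-2 variant's compression function.

    Every SHA-2 variant consumes 16-word message blocks, so the word size
    follows from hashlib's block_size: 64 bytes for the SHA-256 family
    (16 x 32-bit words), 128 bytes for the SHA-512 family (16 x 64-bit words).
    """
    return hashlib.new(name).block_size * 8 // 16


def hex_digest(name, data):
    """Hex digest of data under the named hash."""
    return hashlib.new(name, data).hexdigest()


def is_plain_prefix(short_name, long_name, data=SAMPLE):
    """Is the shorter variant's digest literally the leading bytes of the longer one's?

    For the truncated SHA-2 variants the answer is no: they run the same
    algorithm but from different initial hash values, so truncation is
    more than slicing the longer digest.
    """
    short = hashlib.new(short_name, data).digest()
    long_ = hashlib.new(long_name, data).digest()
    return long_.startswith(short)


def summary(data=SAMPLE):
    """(name, digest bits or None if unavailable, SHA-2 word bits or None) per variant."""
    rows = []
    for name in SHA2 + SHA3:
        if not available(name):
            rows.append((name, None, None))
            continue
        word = sha2_word_bits(name) if name in SHA2 else None
        rows.append((name, digest_bits(name, data), word))
    return rows


if __name__ == "__main__":
    for name, bits, word in summary():
        if bits is None:
            print(f"{name:12s} not available in this build")
        else:
            word_txt = f"{word}-bit words" if word else "sponge (no word size)"
            print(f"{name:12s} {bits:4d}-bit digest  {word_txt}")
    for short, long_ in [("sha224", "sha256"), ("sha384", "sha512"),
                         ("sha512_256", "sha512"), ("sha512_224", "sha512_256")]:
        if available(short) and available(long_):
            print(f"{short} is a plain prefix of {long_}: {is_plain_prefix(short, long_)}")
```

Running it prints the digest and word sizes from the post’s list and shows every prefix check coming out `False`; if you ever need a shorter hash of something you already hashed with SHA-512, you have to rehash with the truncated variant rather than slice the existing digest.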
Earlier this week, Adam Langley of Google wrote a blog post titled “Maybe Skip SHA-3”. He makes some good points, and this is the tl;dr of his argument:
David Wong, of Cryptographic Services, posted a rebuttal this morning titled “Maybe you shouldn’t skip SHA-3”, largely pointing out that Google, while clearly committed to a secure internet, has an institutional interest in speed, and explaining why that may not be the right trade-off for everyone else.
I only play a cryptographer on the internet, but I thought these were pretty good (albeit technical) reads. Private industry can shape public direction on cryptography in ways you might not expect. Most of my crypto knowledge comes from use, and what formal training I have came out of a pretty good math book I read in college.