SHA256 is a full NIST standard.
Its just suspect because it is based on the SHA1/Md5 technology amd
likely to be replaced
Yep, in particular, it's the use of invertible combining functions that have
group structure in the inner loop. The entire family has this in common.
But such weaknesses cut both ways. The properties of this inner loop are well
understood. If, say, we replace the existing operation with a quasigroup
operation (as Gligloroski et al have proposed), we eliminate the existing
attacks but are we sure we haven't introduced a new one in the process?
This is even more of a problem for entirely different designs. Are we sure that
Whirlpool, or Tiger, or FORK-256, or any of the numerous other hashes that have
been proposed won't fall to some entirely new attack? The answer, of course, is
that we don't know until people have analyzed the designs extensively. But if
the past is any indication, most of them will be found to have exploitable
flaws sooner rather than later.
SHA-256 is quite simply the hash people have the most confidence in for now.
Hopefully some day a practical hash function with provable collision resistance
will emerge. (Such functions exist but currently they are too slow to use.)
NOTE WELL: This list operates according to