On Mon, 21 Sep 2015 11:13, simon(_at_)josefsson(_dot_)org said:
Regarding which hash to use, SHA-256 is probably the simplest choice
From a practicallity and consensus point of view. Are there any strong
reasons to favor something else?
I see also several reasons to favor SHA-256:
- SHA-2 has shown no weaknesses during the SHA-3 competition.
- SHA-256 is the commonly used hash algorithm for OpenPGP messages and
keys and thus available in all code bases.
- Although not an issue for fingerprints, SHA-3 is slower than SHA-2.
- On embedded systems SHA-512 has a substantially performance penalty
over SHA-256.
Given that modern ECC requires a larger than 256 bit hash, I am not sure
whether the next point is valid:
- If we would go for a newer hash algorithm, all implementations would
need to support SHA-256 (and SHA-1) anyway to support existing keys
and allow verification of existing signatures. Also decryption of
symmetrically encrypted messages may require SHA-256 for the S2K.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp