ietf-openpgp

Re: [openpgp] New fingerprint: which hash algo

2015-10-12 07:46:22
Hello,

Now that SHA1 is on the brink of being broken, I believe that all
Merkle–Damgård hashes should be avoided in new designs. Keccak (SHA-3)
is just better in so many ways.

Daniel

On 2015-10-09 00:48, ianG wrote:
On 6/10/2015 10:03 am, Simon Josefsson wrote:
On 30 September 2015 at 01:18, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Mon, 21 Sep 2015 11:13, simon(_at_)josefsson(_dot_)org said:

Regarding which hash to use, SHA-256 is probably the simplest
choice from a practicality and consensus point of view.  Are
there any strong reasons to favor something else?

I have a small preference to see the fingerprint algorithm match what
we believe the most popular signature (hash) algorithm will be. I've
been working with a number of embedded folks and code size can often
be a big concern. More Algorithms, More Code.

My perception is that the most popular signature hash algorithms right
now are SHA-256 and SHA-512.

Err... A few minor quibbles here about the notions of cryptographic
democracy:


1.  Popularity?  Why is that interesting?  Surely we can do a bit better
than democracy or fashion or votes on cat pictures?

Engineering or planning, anyone?

2.  The reason SHA-256 is the most popular these days is that, in the
wake of the 2004 Shandong hashquake, we've made a stunning amount of
progress in upgrading.  We've almost decided against SHA1 in
certificates.  We're almost serious about it.  And now that freestart
collisions are chewing it down to its last 4 bits, we might actually ...
do it.

(Which is to say, popularity got us to a situation where *11* years
after the shots were fired, and 15 years after the new version was
delivered, we're still using lots and lots of SHA1.  We want to improve
that with 15 year old tech?)

3.  It's certainly a stunning indictment of algorithmic agility that
SHA1 is still an issue, which is another process by which popularity
makes its objective mark.


While SHA-256 and SHA-512 have somewhat
different characteristics on different platforms, I believe we are
approaching the limit of where a lot of additional comparisons are
worth the time and effort compared to just picking one of them.  I'm fine
with SHA-256 for the reasons that Werner presented.  Does someone
else want to promote another option?  Can we get closure on this?

/Simon

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp