There are essentially no applications where SHA2 isn't good enough.
(You could contort yourself into an argument that "SHA2 isn't good enough for protocols where you need a keyed hash without HMAC", but 1) that isn't true given SHA2-384 and 2) there really are no such protocols).
The SHA1 break doesn't threaten SHA2. The two hashes are different in a significant way that breaks the SHA1 attack.
The SHA1 break doesn't threaten SHA2. The two hashes are different in a significant way that breaks the SHA1 attack.
Hmm, I think you might be overstating this a bit. While the SHA1 attack indeed does not break SHA2, the whole reason SHA3 exists at all is that SHA1 and SHA2 are similar enough in their structure that we were worried that the methods used in the SHA1 break could be extended to attack SHA2.
So far the answer seems to be no, but it was a serious concern for a while.
How am I overstating this? (I'm asking seriously, and also working on a piece about this). For what it's worth: I'm relaying something Marc Stevens said, and a superficial read of the Shattered paper: that the key weakness in SHA1, not shared by SHA2, is a linear message schedule that makes it possible to find the differential paths the attack relies on.
Is it a serious concern among cryptographers outside of NIST?
late edit
I removed the scare quotes around "differential paths" after skimming the first Stevens paper and the Chabaud-Joux paper and confirming they were using "differential" they way I understand the term. :)
Also, I'm more confident that the message schedule is pretty central to the attack, and I guess the whole line of research that led up to it?
I guess it's a matter of how strongly you interpret the word "significant". There's absolutely a difference between SHA1 and SHA2 which results in the attack not working; but I'd personally characterize it as a minor tweak which turned out after the fact to have larger than anticipated benefits. I'd say that the difference between SHA2 and SHA3 is 32x larger than the difference between SHA1 and SHA2.
Is it a serious concern among cryptographers outside of NIST?
Today? Not really, because we've had years of research showing us that SHA2 still seems to be safe. But when the major breaks of SHA1 were happening? Absolutely. In my "everything you need to know about crypto in 1 hour" talk I explicitly said "use SHA2 but be ready to move to SHA3 if needed because the attacks on SHA1 are scary and we're worried they could generalize to SHA2 as well".
I can certainly see why you'd say SHA3 is 32x more different than SHA2 than SHA2 is from SHA1! SHA2 is closely related to SHA1, and SHA3 isn't. Like, I get what SHA3 is. :)
As for your points about anticipated benefits of the SHA2 message schedule: isn't part of the point of SHA2 that it's more ARX-y? Which is basically what makes the Shattered line of attacks not viable?
I think we're in the same place in terms of recommendations! Except: I don't know that "the SHA1 attacks could generalize" is all that valid a concern? Regardless, the "why" of this is super interesting and I don't think anyone has broken it down super clearly (I'm not doing it by myself; I don't have the chops).
isn't part of the point of SHA2 that it's more ARX-y?
I don't know that the NSA has ever published the internal discussions which resulted in SHA2, but I always thought the primary design purpose of SHA2 was to produce larger hashes (and thus avoid the 2^80 birthday attack on SHA1).
Except: I don't know that "the SHA1 attacks could generalize" is all that valid a concern?
It's not, now. It was in 2005/2006. Remember there wasn't just one SHA1 attack; there was a whole series of them. (And I'm guessing the NSA was particularly concerned given that some of the attacks were discovered by Chinese researchers.)
I lost 30 minutes trying to track down the same thing (any kind of official rationale for SHA2, or even contemporaneous public comment for 180-2) and yeah, my understanding as well is that the high-level design goal was hashes that had parity with AES.
I don't think there's an urge to move to SHA-3, certainly I didn't mean to imply that, rather the opposite. I don't think there's much discussion about SHA-4 either, outside this particular comment thread :)
There are bitcoin asics that basically SHA-256 equiv of EFF DES cracker, though they are dSHA variant but I think it can be modified to run only half the rounds.
For what applications is it not good enough, and how/why do we believe that?