I can certainly see why you'd say SHA3 is 32x more different from SHA2 than SHA2 is from SHA1! SHA2 is closely related to SHA1, and SHA3 isn't. Like, I get what SHA3 is. :)

As for your points about anticipated benefits of the SHA2 message schedule: isn't part of the point of SHA2 that it's more ARX-y? Which is basically what makes the Shattered line of attacks not viable?

I think we're in the same place in terms of recommendations! Except: I don't know that "the SHA1 attacks could generalize" is all that valid a concern? Regardless, the "why" of this is super interesting and I don't think anyone has broken it down super clearly (I'm not doing it by myself; I don't have the chops).
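The message-schedule question raised above is concrete enough to show in code. The following is an added example, not code from anyone in this thread: it implements the SHA-1 and SHA-256 message expansions as specified in FIPS 180-4 and tests a single structural property, whether expanding `a XOR b` gives the same words as expanding `a` and `b` separately and XORing. SHA-1's expansion uses only XOR and a rotation, so it is linear over GF(2) for every pair of blocks; SHA-256's mixes modular addition with rotations and plain shifts (the "ARX" ingredients), and one constructed pair of blocks is enough to show the linearity breaking. The two input blocks and the helper names are constructed for this example.

```python
# Added example (not from the thread): SHA-1 vs SHA-256 message schedules,
# both taken from FIPS 180-4. Input blocks below are constructed for the test.
MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x, n):
    """32-bit rotate right."""
    return ((x >> n) | (x << (32 - n))) & MASK32


def sha1_schedule(block):
    """Expand 16 message words to 80 (FIPS 180-4, sec. 6.1.2).
    W[t] = ROTL1(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]): XOR and rotation only,
    so the whole expansion is linear over GF(2)."""
    w = list(block)
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def sha256_schedule(block):
    """Expand 16 message words to 64 (FIPS 180-4, sec. 6.2.2).
    W[t] = s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16]  (mod 2^32)
    with s0 = ROTR7 ^ ROTR18 ^ SHR3 and s1 = ROTR17 ^ ROTR19 ^ SHR10.
    The additions carry across bit positions and SHR discards bits, so the
    expansion is not GF(2)-linear."""
    w = list(block)
    for t in range(16, 64):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((s1 + w[t - 7] + s0 + w[t - 16]) & MASK32)
    return w


def xor_words(a, b):
    """Word-wise XOR of two equal-length word lists."""
    return [x ^ y for x, y in zip(a, b)]


def schedule_is_xor_linear_on(schedule, a, b):
    """True iff schedule(a ^ b) == schedule(a) ^ schedule(b) word for word.
    A GF(2)-linear expansion satisfies this for every pair; one failing pair
    proves an expansion is not linear."""
    return schedule(xor_words(a, b)) == xor_words(schedule(a), schedule(b))


def first_nonlinear_word(schedule, a, b):
    """Index of the first expanded word where linearity breaks, or None."""
    lhs = schedule(xor_words(a, b))
    rhs = xor_words(schedule(a), schedule(b))
    for t, (x, y) in enumerate(zip(lhs, rhs)):
        if x != y:
            return t
    return None


# Constructed 16-word blocks: BLOCK_A sets W[0] and W[9] to 1, BLOCK_B only W[0].
# For SHA-256, W[16] = s1(W[14]) + W[9] + s0(W[1]) + W[0], so the pair gives
# W[16](A) = 2, W[16](B) = 1, but W[16](A ^ B) = 1 != 2 ^ 1.
BLOCK_A = [1] + [0] * 8 + [1] + [0] * 6
BLOCK_B = [1] + [0] * 15

if __name__ == "__main__":
    print("SHA-1 schedule XOR-linear on pair:",
          schedule_is_xor_linear_on(sha1_schedule, BLOCK_A, BLOCK_B))
    print("SHA-256 schedule XOR-linear on pair:",
          schedule_is_xor_linear_on(sha256_schedule, BLOCK_A, BLOCK_B))
    print("first SHA-256 word where linearity breaks:",
          first_nonlinear_word(sha256_schedule, BLOCK_A, BLOCK_B))
```

The linearity check is only a lens on the schedule's structure, not a security proof either way; it just makes visible the ingredient (carry-propagating addition next to rotation and shift) that the comment above is pointing at when it calls SHA2 "more ARX-y".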




isn't part of the point of SHA2 that it's more ARX-y?

I don't know that the NSA has ever published the internal discussions which resulted in SHA2, but I always thought the primary design purpose of SHA2 was to produce larger hashes (and thus avoid the 2^80 birthday attack on SHA1).

Except: I don't know that "the SHA1 attacks could generalize" is all that valid a concern?

It's not, now. It was in 2005/2006. Remember there wasn't just one SHA1 attack; there was a whole series of them. (And I'm guessing the NSA was particularly concerned given that some of the attacks were discovered by Chinese researchers.)


I lost 30 minutes trying to track down the same thing (any kind of official rationale for SHA2, or even contemporaneous public comment for 180-2) and yeah, my understanding as well is that the high-level design goal was hashes that had parity with AES.



