I'm also not clear on what the chart claims is going on with RIPEMD-160.
This would be if one cares about how violently you fall if SHA-2 is broken more, but I think you should care.
Another way to look at it is, not needing HMAC is a feature of SHA-3.
In any case: SHA-2 --- in any of its variants --- remains strong. JP Aumasson, one of the Blake2 designers, is fond of saying that SHA-2 will probably never be broken algorithmically.
[1]: Assuming you're running on a 64-bit platform...
You can concatenate hash functions, so you get at least the best security from both. But the question is: Why would you want to do any such thing? Just choose one of them. Both are safe.
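Concatenating two hashes as the comment above describes, written here as an added Python example (not code from any commenter): SHA-256 and BLAKE2b-256 run side by side over the same input in one pass, and a verifier accepts only when both halves match. The function names and the 64-byte digest layout are this example's own choices, not a standard construction.

```python
import hashlib
import hmac

# Layout (this example's own convention): digest = SHA-256(m) || BLAKE2b-256(m).
# A collision or second pre-image for the combined digest must hold for BOTH
# functions at once, so the pair is at least as strong as the stronger one.
SHA256_LEN = 32
BLAKE2B_LEN = 32  # BLAKE2b truncated to 256 bits via digest_size
COMBINED_LEN = SHA256_LEN + BLAKE2B_LEN


def combined_digest(data, chunk_size=1 << 16):
    """Feed `data` to both hashes in chunks (single pass over large inputs)
    and return the concatenated 64-byte digest."""
    h_sha = hashlib.sha256()
    h_blake = hashlib.blake2b(digest_size=BLAKE2B_LEN)
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        h_sha.update(block)
        h_blake.update(block)
    return h_sha.digest() + h_blake.digest()


def split_digest(digest):
    """Split a combined digest into its (sha256, blake2b) halves;
    reject anything of the wrong length instead of silently truncating."""
    if len(digest) != COMBINED_LEN:
        raise ValueError("combined digest must be %d bytes" % COMBINED_LEN)
    return digest[:SHA256_LEN], digest[SHA256_LEN:]


def verify(data, expected):
    """True only if both halves match; the comparison is constant-time so a
    verifier does not leak how many leading bytes agreed."""
    if len(expected) != COMBINED_LEN:
        return False
    return hmac.compare_digest(combined_digest(data), expected)


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    sample = b"constructed sample message"
    tag = combined_digest(sample)
    print(tag.hex(), verify(sample, tag))
```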
I almost wish SHA-3 had been a dual pick between a fast software hash and a fast hardware hash. As it stands, Keccak being so slow in software is majorly limiting IMO. The more interesting aspect of SHA-3 is the sponge, so you can really turn Keccak into an entire swiss-army knife of crypto tools, if you know what you're doing.
But as it stands, if I have to pick a modern hash, I almost always pick BLAKE2 instead of SHA-3, primarily because I rarely need the sponge design and also because it's dramatically faster in software. Stuff like this is really important on my Cortex-M4...
> Explain why a simple collision attack is still useless, it's really the second pre-image attack that counts
Why is this the "non-expert reaction?" It's correct, right?
And why go to the trouble of making a timeline with "Broken" and "Collision found" without a "Second pre-image found"?
I'm genuinely puzzled (and have asked it here on HN before [1]), but I unfortunately suspect that an honest answer lies somewhere along these lines: "Second pre-images are a hell of a lot more difficult to find than collisions, so if we waited around for a second pre-image to be found we'd never get to dance around like headless chickens and talk about really scary shit (which typically requires a second pre-image) as 'now practical'. That would make the whole field a lot less sexy, and cut into our 'expert' consulting fees..."
1. https://news.ycombinator.com/item?id=13729492
EDIT: I'm of course not advocating staying with SHA-1. There's absolutely no good reason to. Even years ago when I was last involved in choosing a cryptographic hash function (even truncated) SHA-256 was obviously a much better choice.
People who understand things well enough will know what first collision means, so can moderate their response.
Others who are less familiar with the ridiculous levels of subtlety around this sort of thing are better off being given the simple message that sha1 is now legacy in all cases. Helps to avoid mistakes.
I'm more surprised though at the resentful attitude towards the actual truth (in the non-alternative sense): collisions are useless in many cases and the necessary second pre-image is much more difficult to find.
At least in a forum like HN I'd expect intellectual honesty to prevail.
EDIT: Removed the incorrect example out of pure shame! :P
https://z.cash/technology/history-of-hash-function-attacks.h...
Specifically the section 'When collision attacks do matter' and the referenced write-up at
But isn't the real lesson here that X.509 is flawed?
Also, as the linked article says:
> The bottom line is that no widely-studied hash function has ever succumbed to a (second-)pre-image attack except for one.
And there are signatures that are provably resistant to collisions, shouldn't we move to such signatures?
Isn't it rather obvious that no third party can attack this system even if they can create an SHA-256 collision?
Sure, you can dream up some weird scenario where someone could set up two servers with different RSA public keys that would hash to the same value, so that the client could be fooled into connecting to one when it thought it was connected to the other. But to me it seems quite obvious that that's outside the threat model / irrelevant.
Sure, there is broken, and then even-more broken, but SHA-1 is already, for most practical purposes, useless.
There's no excuse for staying with SHA1 at this point.
[3] Google spent 6500 CPU years and 110 GPU years to convince everyone we need to stop using SHA-1 for security critical applications
I still see things that use 2-digit years, twenty years after the last millennium bug should have been fixed.