Hi Linus, On Wed, 13 Sep 2017, Linus Torvalds wrote: > On Wed, Sep 13, 2017 at 6:43 AM, demerphq <demerphq@xxxxxxxxx> wrote: > > > > SHA3 however uses a completely different design where it mixes a 1088 > > bit block into a 1600 bit state, for a leverage of 2:3, and the excess > > is *preserved between each block*. > > Yes. And considering that the SHA1 attack was actually predicated on > the fact that each block was independent (no extra state between), I > do think SHA3 is a better model. > > So I'd rather see SHA3-256 than SHA256. SHA-256 got much more cryptanalysis than SHA3-256, and apart from the length-extension problem that does not affect Git's usage, there are no known weaknesses so far. It would seem that the experts I talked to were much more concerned about that amount of attention than the particulars of the algorithm. My impression was that the new features of SHA3 were less studied than the well-known features of SHA2, and that the new-ness of SHA3 is not necessarily a good thing. You will have to deal with the fact that I trust the crypto experts' opinion on this a lot more than your opinion. Sure, you learned from the fact that you had been warned about SHA-1 already seeing theoretical attacks in 2005 and still choosing to hard-wire it into Git. And yet, you are still no more of a cryptography expert than I am. Ciao, Dscho
