Re: RFC v3: Another proposed hash function transition plan

Hi,

On Thu, 14 Sep 2017, demerphq wrote:

> On 14 September 2017 at 17:23, Johannes Schindelin
> <Johannes.Schindelin@xxxxxx> wrote:
> >
> > SHA-256 has been hammered on a lot more than SHA3-256.
> 
> Last year that was even more true of SHA1 than it is true of SHA-256
> today.

I hope you are not deliberately trying to annoy me. I say that because you
seemed to be interested enough in cryptography to know that the known
attacks on SHA-256 *today* are unlikely to extend to Git's use case,
whereas the known attacks on SHA-1 *in 2005* were already raising doubts.

So while SHA-1 has been hammered on for longer than SHA-256, the latter
came out a lot less scathed than the former.

Besides, you are totally missing the point here that the choice is *not*
between SHA-1 and SHA-256, but between SHA-256 and SHA3-256.

After all, we would not consider any hash algorithm with known problems
(as far as Git's usage is concerned). The amount of scrutiny with which
the algorithm was investigated would only be a deciding factor among the
remaining choices, yes?

In any case, don't trust me on cryptography (just like I do not trust you
on that matter). Trust the cryptographers. I contacted some of my
colleagues who are responsible for crypto, and the two who seem to
disagree on pretty much everything agreed on this one thing: that SHA-256
would be a good choice for Git (and one of them suggested that it would be
much better than SHA3-256, because SHA-256 saw more cryptanalysis).

Ciao,
Johannes
