Hi, Gilles Van Assche wrote: > Hi Johannes, >> SHA-256 got much more cryptanalysis than SHA3-256 […]. > > I do not think this is true. Keccak/SHA-3 actually got (and is still > getting) a lot of cryptanalysis, with papers published at renowned > crypto conferences [1]. > > Keccak/SHA-3 is recognized to have a significant safety margin. E.g., > one can cut the number of rounds in half (as in Keyak or KangarooTwelve) > and still get a very strong function. I don't think we could say the > same for SHA-256 or SHA-512… I just wanted to thank you for paying attention to this conversation and weighing in. Most of the regulars in the git project are not crypto experts. This kind of extra information (and e.g. [2]) is very useful to us. Thanks, Jonathan > Kind regards, > Gilles, for the Keccak team > > [1] https://keccak.team/third_party.html [2] https://public-inbox.org/git/91a34c5b-7844-3db2-cf29-411df5bcf886@xxxxxxxxxxx/