Hi all, Sorry for late commentary... On Thu, Sep 14, 2017 at 08:45:35PM +0200, Johannes Schindelin wrote: > On Wed, 13 Sep 2017, Linus Torvalds wrote: > > On Wed, Sep 13, 2017 at 6:43 AM, demerphq <demerphq@xxxxxxxxx> wrote: > > > SHA3 however uses a completely different design where it mixes a 1088 > > > bit block into a 1600 bit state, for a leverage of 2:3, and the excess > > > is *preserved between each block*. > > > > Yes. And considering that the SHA1 attack was actually predicated on > > the fact that each block was independent (no extra state between), I > > do think SHA3 is a better model. > > > > So I'd rather see SHA3-256 than SHA256. Well, for what it's worth, we need to be aware that SHA3 is *different*. In crypto, "different" = "bugs haven't been found yet". :-P And SHA2 is *known*. So we have a pretty good handle on how it'll weaken over time. > SHA-256 got much more cryptanalysis than SHA3-256, and apart from the > length-extension problem that does not affect Git's usage, there are no > known weaknesses so far. While I think that statement is true on it's face (particularly when including post-competition analysis), I don't think it's sufficient justification to chose one over the other. > It would seem that the experts I talked to were much more concerned about > that amount of attention than the particulars of the algorithm. My > impression was that the new features of SHA3 were less studied than the > well-known features of SHA2, and that the new-ness of SHA3 is not > necessarily a good thing. The only thing I really object to here is the abstract "experts". We're talking about cryptography and integrity here. It's no longer sufficient to cite anonymous experts. Either they can put their thoughts, opinions and analysis on record here, or it shouldn't be considered. Sorry. Other than their anonymity, though, I do agree with your experts assessments. However, whether we chose SHA2 or SHA3 doesn't matter. Moving away from SHA1 does. Once the object_id code is in place to facilitate that transition, the problem is solved from git's perspective. If SHA3 is chosen as the successor, it's going to get a *lot* more adoption, and thus, a lot more analysis. If cracks start to show, the hard work of making git flexible is already done. We can migrate to SHA4/5/whatever in an orderly fashion with far less effort than the transition away from SHA1. For my use cases, as a user of git, I have a plan to maintain provable integrity of existing objects stored in git under sha1 while migrating away from sha1. The same plan works for migrating away from SHA2 or SHA3 when the time comes. thx, Jason.