Hi Brian, On Fri, 20 Jul 2018, brian m. carlson wrote: > On Mon, Jun 11, 2018 at 12:29:42PM -0700, Jonathan Nieder wrote: > > My understanding of the discussion so far: > > > > Keccak team encourages us[1] to consider a variant like K12 instead of > > SHA3. > > > > AGL explains[2] that the algorithms considered all seem like > > reasonable choices and we should decide using factors like > > implementation ease and performance. > > > > If we choose a Keccak-based function, AGL also[3] encourages using a > > variant like K12 instead of SHA3. > > > > Dscho strongly prefers[4] SHA-256, because of > > - wide implementation availability, including in future hardware > > - has been widely analyzed > > - is fast > > > > Yves Orton and Linus Torvalds prefer[5] SHA3 over SHA2 because of how > > it is constructed. > > I know this discussion has sort of petered out, but I'd like to see if > we can revive it. I'm writing index v3 and having a decision would help > me write tests for it. > > To summarize the discussion that's been had in addition to the above, > Ævar has also stated a preference for SHA-256 and I would prefer BLAKE2b > over SHA-256 over SHA3-256, although any of them would be fine. > > Are there other contributors who have a strong opinion? Are there > things I can do to help us coalesce around an option? Do you really want to value contributors' opinion more than cryptographers'? I mean, that's exactly what got us into this hard-coded SHA-1 mess in the first place. And to set the record straight: I do not have a strong preference of the hash algorithm. But cryprographers I have the incredible luck to have access to, by virtue of being a colleague, did mention their preference. I see no good reason to just blow their advice into the wind. Ciao, Dscho