[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5

Bear bear at sonic.net
Sun Mar 23 15:40:21 EDT 2014


On Sun, 2014-03-23 at 06:16 +0000, dj at deadhat.com wrote:

> 
> Count me as one of the engineers who have to pick a hash function to
> implement. I have that problem right now.
> 
> #1. I do not care about speed because I implement my stuff in hardware and
> regardless of the efficiency of the algorithm I can throw the necessary
> number of gates at the problem to make it run at whatever speed is
> required.
> 
> #2. I do care about security. Shipping insecure crypto is not an option.
> 
> #3. I do care about being able to publicly and honestly justify the
> reasons for whatever selection is made.

Right now there are very few things that come with a very good reason 
to trust them.  

After NSA/Snowden revelations about how standards bodies are targeted
for interference and caused to fail, one can no longer point at a 
standards body and cite it as a reason to trust.

That leaves you with two options: first, there is the opinion of working
professionals, and that still comes down to "why trust this professional
over that one?"  Second, there is mathematical proof.

The problem with mathematical proofs, at least so far, is that to
the extent we can cite meaningful mathematical proofs, we usually
can cite them only about a few primitives whose performance is abysmal.

If you truly don't care about speed, there are solutions such as 
Blum-Blum-Shub for stream ciphers, which have a profound proof backing
them up in terms of security.  But even in hardware, I think you have to
care more than that. 

Still, the future may be different.  It may turn out that nothing 
we know about now *except* that unwieldy, finicky set of provably-hard 
functions is actually truly hard.

Bear
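As an added illustration (not part of the thread) of the Blum-Blum-Shub generator Bear holds up as the provably-backed but slow option: each output bit costs one modular squaring of a factoring-hard modulus. The primes 11 and 23 and the seed 3 are toy values assumed for the demo; a real instance needs a modulus as large as an RSA key.

```python
from math import gcd


def is_blum_prime(p: int) -> bool:
    """A Blum prime is a prime congruent to 3 mod 4 (trial division; toy sizes only)."""
    if p < 2 or p % 4 != 3:
        return False
    return all(p % d for d in range(2, int(p ** 0.5) + 1))


def bbs_bits(p: int, q: int, seed: int, nbits: int) -> list:
    """Blum-Blum-Shub: x_{i+1} = x_i^2 mod N, emitting the parity of each state.

    p and q must be distinct Blum primes and seed must be coprime to N = p*q.
    The security argument reduces predicting these bits to factoring N, which is
    exactly why N must be huge and why the throughput is so poor: one big
    modular squaring buys a single keystream bit.
    """
    if not (is_blum_prime(p) and is_blum_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    n = p * q
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to N")
    x = (seed * seed) % n          # x_0
    out = []
    for _ in range(nbits):
        x = (x * x) % n            # one modular squaring per output bit
        out.append(x & 1)          # least significant bit is the hard-core bit
    return out


def bbs_keystream_xor(p: int, q: int, seed: int, data: bytes) -> bytes:
    """Use BBS as a stream cipher: XOR data with the generated keystream.

    Applying the same (p, q, seed) twice round-trips the data.
    """
    bits = bbs_bits(p, q, seed, 8 * len(data))
    keystream = bytes(
        int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, len(bits), 8)
    )
    return bytes(a ^ k for a, k in zip(data, keystream))


if __name__ == "__main__":
    # Toy parameters (assumed for the demo): N = 11 * 23 = 253, seed 3.
    print(bbs_bits(11, 23, 3, 6))   # [1, 0, 0, 1, 0, 1]
    msg = b"provably slow"
    ct = bbs_keystream_xor(11, 23, 3, msg)
    print(bbs_keystream_xor(11, 23, 3, ct) == msg)
```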
