[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Mar 23 22:15:09 EDT 2014


Bill Frantz <frantz at pwpconsult.com> writes:

>I am of the opinion that crypto algorithms (and most other software) are like
>wine, best aged a bit. It takes a while for the community to beat on an
>algorithm before one can have any degree of trust in it. (I originally wrote
>"faith" instead of "trust" and perhaps faith is the right word.) After a
>while, the issues are better known. The really good news is that the analysis
>techniques continue to be refined and people know about more things to
>examine. (But I still expect that algorithms will continue to fall to new
>insights.)
>
>Consider for example DES. It has been closely studied since its publication
>in 1977, over 35 years ago. Yes it has problems: weak keys, 56 bit key
>length, slow in software, etc., but they are known problems with known fixes,
>such as 3DES. I really don't expect new surprises with DES, but see above
>about new insights.

+1.  I generally won't use a new algorithm until it passes the five-year test,
meaning it's been five years since its introduction without any flaws found.
Remember how, after Rijndael was chosen as the AES winner and everyone was
falling over themselves in their rush to make everything use the shiny new
algorithm, there were a series of papers published on various algebraic
aspects of AES that looked like they could lead to a break if the analysis was
moved forward another step or two.  That step was never found, but it would
have been a major catastrophe if it had, while anyone who stuck with 3DES for
a while longer would have been perfectly safe.

>In the area of hashes, I feel less confidence. I'm not convinced that the
>analysis techniques are as mature, and I'm not sure we even have a good
>handle on the right questions to ask.

The SHA-3 competition has actually led to a somewhat odd situation in which,
due to the new analysis techniques introduced for that, we now know that SHA-2
is actually quite strong (not to mention faster, and already widely deployed).
This is limiting the rush to SHA-3 in a manner that wasn't present for AES.

Peter.


