[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5

ianG iang at iang.org
Mon Mar 24 09:59:41 EDT 2014

On 23/03/2014 21:36 pm, Jerry Leichter wrote:

(good points snipped)

> MD5 was published in 1992 and was considered broken by 2004 - 12 years.  SHA-1 was published in 1995 but by 2005 - 10 years later - was considered to be weak.  An almost-practical attack was published in 2011.  SHA-2 was published in 2001 but was under suspicion by 2012 or so - 13 years.  Based on this history, it would be prudent to assume a maximum practical lifetime for a cryptographic hash function to be around 15 years.

Ahem - SHA0 was also in there, and lasted about a month?  Brings the
batting average down a bit.


> These numbers are actually quite shockingly low when you think about them.  There is certainly a degree of "infant mortality" in new cryptographic algorithms - you certainly want them to "bake in" for, say, 3 years of public visibility before you rely on them.  That leaves a practical lifetime for block ciphers of about 22 years, for hash functions of about 12 years.  That's long relative to laptop or server CPU lifetimes, but quite short relative to protocol lifetimes - and very uncomfortable relative to embedded CPU lifetimes.

Also, rather short in terms of PKI times, where root keys are desired
out to 30 years.

Signature times for (hopeful) digital signing protocols look out to 30
years, as do evidentiary things I've heard about.  However, signature
schemes can be bolstered by storage/archiving, so the archive becomes
the diviner of disputes.  This is why CAs archive all their certs...

Another consideration is that protocols typically do not rely nearly as
much on their hashes as other components.  Especially if you avoid
collision effects.

