[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5

Jerry Leichter leichter at lrw.com
Mon Mar 24 19:20:35 EDT 2014


On Mar 24, 2014, at 2:35 PM, Zooko Wilcox-OHearn <zooko at leastauthority.com> wrote:
>>>> […] SHA-2 was published in 2001 but was under suspicion by 2012 or so - 13 years.  Based on this history, it would be prudent to assume a maximum practical lifetime for a cryptographic hash function to be around 15 years.
> 
> I'm compiling a history of such things, and I have SHA-2 as published
> in 2002 in FIPS 180-2 ¹. Is there an earlier publication of SHA-2 that
> I could reference? Thanks.
I pulled the data from Wikipedia, the reference of choice of all lazy writers.  :-)  It refers to the draft of FIPS 180-2 as being published in 2001, but gives no further details.

SHA-2 is actually patented (http://worldwide.espacenet.com/publicationDetails/originalDocument;jsessionid=8D508BF78F94ED53220DEB5170302D72.espacenet_levelx_prod_3?CC=US&NR=2002122554A1&KC=A1&FT=D&ND=&date=20020905&DB=&locale=en_EP).  The application for the patent was filed on March 5, 2001.

> And by the way, I'd name Tiger as the champion hash function:
> published in 1996 ², deployed in the real world ³, widely studied ⁴,
> and we still don't know of any way to break it. On top of all that it
> is almost twice as efficient (in software on 64-bit CPUs) as some
> others such as SHA-2 or RIPEMD-160, which makes its longevity all the
> more noteworthy. (Because there is a trade-off between CPU efficiency
> and safety in hash functions.)
> 
> RIPEMD-160 is another candidate for champion: also published in 1996
> ⁵, widely studied ⁶ , used in practice, and no known weaknesses —
> except that its output size is a little too short for the 21st
> century. If only it had been RIPEMD-192 instead of RIPEMD-160 then it
> would look at least as good as Tiger looks today.
One of the things we in computer science in general have been very bad at is understanding, or even keeping track of, our own history.

While it's hardly ideal, the best way we have to estimate the longevity of our artifacts is to look at the history of related artifacts.  CS tends to view every new advance as ab initio - all that old crud is now obsolete and not worth thinking about.  I was quite shocked at myself for never having thought about how long cryptosystems past had actually survived in the real world.  I probably could not have given a reasonable quick estimate for any of these.

Of course, the push for "standards" - and particularly the push for *one* standard algorithm of each class - tends to push those that didn't make it to the top out of the picture.  That makes it even harder to learn from the mistakes - and successes - of the past.

I'd love to see your history published.  It will be a valuable reference.

                                                        -- Jerry
