sha-512 vs sha-3?

Question

Does the new SHA-3 Keccak hashing algorithm offer any benefits from SHA-512?

"Even worse, none of the SHA-3 candidates is significantly better. When SHA-3 is announced, I'm going to recommend that, unless the improvements are critical to their application, people stick with the tried and true SHA-512. At least for a while."

Source: http://www.theregister.co.uk/2012/09/25/sha_3_hash_contest/

with an emphasis on "probably" - no one actually knows which one is harder to break... — user16986, Feb 09 '13 at 21:19
@nealmcb's answer on the linked question details the reasons for Keccak very well. — Rory Alsop, Feb 09 '13 at 21:53
The duplicate question is not a duplicate. Perhaps the answer there is useful, but I don't think closure is appropriate unless it's the same _question_. — Duncan Jones, Feb 27 '19 at 09:14

score 4 · Answer 1 · answered Feb 09 '13 at 21:42

Since SHA-512 has stood the test of time, the argument Schneier is making is essentially:

There is nothing wrong with SHA-512, it has not proven insecure (even though it looked like it may be 7 years ago)
All the new systems proposed as SHA-3 are at best only very slightly smaller or faster than SHA-512, and that speed up doesn't justify the risk of pushing out something new and relatively untested (wrt a decade or so of SHA-512)

New systems are a pretty big deal, since they often have implications for the next round of hardware, recommendations that inform audits and compliance testing, etc. - so there needs to be a pretty high bar to clear between major versions of a major standard.

sha-512 vs sha-3?

1 Answers1