
Lifetimes of cryptographic hash functions - JoshTriplett
https://valerieaurora.org/hash.html
======
btrask
Zooko Wilcox privately showed some data at the Decentralized Web Summit
suggesting that if you extend these results with newer data, the apparent
pattern changes: up until around SHA-1, hash algorithms would eventually
break, but since SHA-256, we "figured out how to build them right" and now
they can be expected to last "forever."

I don't know if his conclusion is right, and unfortunately he hasn't published
it, but it at least seems plausible to me. A cryptographic hash function
shouldn't be a ticking time bomb if you have the right theoretical basis.

------
nabla9
> If you are using compare-by-hash to generate addresses for data that can be
> supplied by malicious users, you should have a plan to migrate to a new hash
> every few years. ...

I'm not a crypto expert, but it seems to me that the field is maturing and you
can expect a plateau where hash functions like sha-256 or sha3-256 will be
around for a long time. 256-bit key length is large enough to resist even
quantum computers if the algorithm is OK.

~~~
JoshTriplett
I don't think it makes sense to make assumptions about what the landscape will
look like years from now. (And note that SHA-256 already has a
strength-reduction published.)

Better to write your code _today_ to assume that you may need to swap out the
hash function later. Not _that_ hard; just treat it as opaque, and design your
protocols and storage formats to allow migrating to a new hash in the future.
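One way to make the hash swappable the way the comment above suggests, as an added example that is not part of the thread: every address carries the algorithm name (the "sha256:" prefix is an assumed format, not one the thread specifies), the store verifies legacy addresses but only mints new ones with the current algorithm, and a migration step re-addresses old content once its legacy address has been checked.

```python
# Added example (not from the thread): content addresses that name their hash
# algorithm, so a store can verify old SHA-1 addresses while writing new
# SHA-256 ones, and can retire SHA-1 later without changing the storage format.
import hashlib
import hmac

# Algorithms the store still understands. "legacy" may only be used to verify
# data addressed before the migration; "current" is used for all new data.
ALGORITHMS = {"sha1": "legacy", "sha256": "current"}
CURRENT = "sha256"


def address(data: bytes, algo: str = CURRENT) -> str:
    """Return a self-describing address such as 'sha256:2cf2...'."""
    if ALGORITHMS.get(algo) != "current":
        raise ValueError(f"refusing to create new addresses with {algo}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def parse(addr: str) -> tuple:
    """Split 'algo:hex' and reject algorithms the store does not know."""
    algo, sep, digest = addr.partition(":")
    if not sep or algo not in ALGORITHMS:
        raise ValueError(f"unknown or unsupported address format: {addr!r}")
    return algo, digest


def verify(addr: str, data: bytes) -> bool:
    """Check data against an address using whichever algorithm it names."""
    algo, digest = parse(addr)
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; digests are hex strings of equal length.
    return hmac.compare_digest(actual, digest)


def migrate(addr: str, data: bytes) -> str:
    """Re-address legacy content under the current algorithm after checking it."""
    if not verify(addr, data):
        raise ValueError("stored data does not match its legacy address")
    algo, _ = parse(addr)
    return addr if algo == CURRENT else address(data)
```

Retiring SHA-1 later means deleting its entry from ALGORITHMS once every stored object has been migrated; addresses and on-disk layout stay the same.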

