[zokier]

> It's easy to find sound recommendations for which algorithms are well-studied and essentially safe; it's less easy to find guides that compare and contrast algorithms along nuanced axes like computational cost, interoperability, security margin or adaptability.

I might be hugely mistaken, but isn't the current situation that almost all of the "essentially safe" hash functions are good enough for almost all uses? I understand that the amount of choice can lead to analysis paralysis, but sensible solution generally is just pick one (possibly the one that has a reasonable implementation most readily available) and move on. Sure, the almost randomly picked algorithm might not ideal on all possible metrics, but perfect is the enemy of good.

[dsacco]

Yes, this is precisely my point. "Safe" is a binary property in cryptography. But developers don't have much to go on, so even if they follow best practices they often interpret differentiating metrics as variances in "safety", when in actuality those things are only relevant for computational cost, implementation difficulty, adaptability and interoperability.

In general if you provide people with a list of possibilities and say, "Yeah, any of these is fine", they're not going to literally choose one at random. They're going to search a bit and read about differences between the algorithms, and unless they spend a lot of time reading about the respective properties of each algorithm they might eventually say something like, "Argon2 is safer than bcrypt."

"Safer" is a misnomer. There are meaningful reasons to choose one algorithm over another, but these generally boil down to performance impact, implementation time and how easy it is to shoot yourself in the foot with implementation.

This matters because people seek understanding, and if you don't provide a satisfiable amount they might draw erroneous conclusions that have a meaningful non-security impact. For example, you most likely don't need to be using AES256. People like to, because 256 > 128. But seriously - you probably don't need to. The impulse to just use the bigger number leads to decision making based on signaling more than real security, and has a meaningful reduction in things like usability and performance.

To rephrase my point here - "safe" is safe enough, and there should probably be better education on the peripheral implementation metrics for cryptographic algorithms, because you're far more likely to run up your AWS bill or inadvertently screw up your security by e.g. choosing a complex cryptographic algorithm with a huge security margin versus a simple one with a "good enough" security margin. If we're not able to provide more education about what to actually look for when discriminating between algorithms, then we need to find a way to decouple certain metrics from the perception of "safety", like key size.

For a real world example of this, look at the advertising with things like "bank-grade" or "military-grade" security which are heavily associated with phrases like "128-bit" or "256-bit." Sometimes a developer will see that AES128 is used and think to themselves, "I'll use 256 and be even safer!", all the while the public is slowly taught to associate safety with ever larger bit sizes. Then when a legitimately superior ECC algorithm comes out that uses 224 bit keys, people cling to RSA because they can use a 2048 bit key size and 2048 > 224.

[zokier]

When I said good enough, I meant good enough on all aspects, including non-safety related. I mean it is somewhat difficult to imagine that someones project would fail because they picked the "wrong" hash function or encryption algorithm from the "essentially safe" ones.