by woodruffw 1127 days ago
SHA-2 uses a Merkle-Damgard construction like SHA-1 does, but is not widely believed to be vulnerable to the same attacks. SHA-3 was developed and standardized in part to mitigate future breaks in SHA-2, but those breaks have (so far) not materialized[1].

TL;DR: If all you need is a fast cryptographic digest, SHA-2 is still the gold standard. If you care about length-extension attacks, SHA-3's construction prevents them. If you're hashing passwords, you should use a KDF instead.

[1]: https://www.imperialviolet.org/2017/05/31/skipsha3.html


> SHA-2 is still the gold standard

Truncated SHA-2, e.g. SHA-512/256, has some resistance against length extension attacks[1] while non-truncated has none, so wouldn't that be the gold standard?

edit: Thinking a bit more, I guess there are a lot of interesting cases which are not prone to length extension attacks where the full SHA-512 would be better.

[1]: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functi...

I was referring to the full family! SHA-512/256 is indeed a good choice, and should be (nearly) identical in terms of performance characteristics.
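The TL;DR above and the SHA-512/256 exchange sort hash functions by job; the Python below, added here and not taken from the thread, shows the matching defensive choices: an unkeyed digest (SHA-512/256 where OpenSSL provides it, otherwise SHA-256), HMAC-SHA256 rather than sha256(secret + data) for a keyed tag, and PBKDF2 for passwords. Function names, sample keys and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example; the function names and parameters are assumptions, not the thread's.


def integrity_digest(data: bytes, truncated: bool = True) -> str:
    """Unkeyed digest. SHA-512/256 (if OpenSSL provides it) exposes only 256 of the
    512 internal state bits, which is why the thread calls it length-extension
    resistant; plain SHA-256 exposes its whole state in the digest."""
    if truncated and "sha512_256" in hashlib.algorithms_available:
        return hashlib.new("sha512_256", data).hexdigest()
    return hashlib.sha256(data).hexdigest()


def keyed_tag(secret: bytes, data: bytes) -> str:
    """HMAC-SHA256 instead of sha256(secret + data): the nested construction hides
    the internal state, so a tag for `data` cannot be extended to a tag for
    `data + padding + suffix` without knowing the secret."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def verify_tag(secret: bytes, data: bytes, tag: str) -> bool:
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(keyed_tag(secret, data), tag)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Passwords get a salted, iterated KDF rather than a bare digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return salt, dk


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = 600_000) -> bool:
    return hmac.compare_digest(hash_password(password, salt, iterations)[1], stored)
```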
Looked at a 6 byte hash today. Modifying the hash or the data attached to it made the API respond with an error saying untrusted input. The data is an encrypted blob and the hash protects it from being tampered with.

My guess is that it’s a truncated md5(secret + data) or hmac. Either way, with a sufficiently long secret, I won’t be able to guess it (offline), and because of the truncation, length extensions are also out of the question.

With only 48 bits of entropy, I can’t shake the feeling that there are practical attacks I have not considered.