
1- Why does SHA2 have SHA224, SHA256, SHA384 and SHA512 variants?

2- Can we say SHA512 is more secure than SHA256?

3- Symmetric ciphers use at most a 2^256 security level, and I saw people on the internet saying how impossible it is to reach that, so why does SHA2 have a SHA512 variant? Do we need a 2^512 security level? Isn't it overkill?

4- Is SHA512 meant for the post-quantum world? If it's meant for the post-quantum world, why is it not popular? AES256 is already in use by encrypted messengers, password managers, etc., but I've seen their security whitepapers, and when it comes to SHA2 most of them use SHA256 instead of SHA512.

5- So if we don't need 512-bit security, why do all the state-of-the-art hash algorithms (e.g. BLAKE2, Skein, Grøstl, JH, Keccak) have 512-bit variants?

6- Let's say there's a key derivation function that uses Skein-256 as the underlying hash function. Would it still be secure in a post-quantum world, or would it be better to use Skein-512? To ask it another way, why did Argon2 settle on using BLAKE2b-512 instead of BLAKE2s-256?

1 Answer

  1. The main reasons for that are efficiency (fewer bits generally need less computational power) and security (more bits generally imply higher security). A third reason regarding the real world is: systems are built for a specific bit length, which implies that variations may be needed. This is the general statement. For a more detailed explanation regarding SHA see this and this post.

  2. In general, SHA-512 is considered more secure than SHA-256 in the context of cryptographic hash functions. The primary reason for this is the difference in their output sizes and the resistance to collision attacks. But security is not the only relevant aspect; the technical side (specifically interesting for use cases) is also different. SHA256 works with 32-bit, SHA512 with 64-bit blocks. Depending on the hardware and the use case, this can also influence the efficiency. See this for more details on efficiency, this for security and this for a use case.

  3. Empirically gained practical experience leaves some room for discussion, which is not necessarily scientifically based. The problem is that it is difficult to make precise statements for practice. Every system, every use case, etc. is different. My rule of thumb is that 128 bits (for a symmetric scheme, and 256-bit hash functions) can be considered secure for personal use. But 256 or even 512 may be relevant for other use cases, e.g. military use. But regarding my rule of thumb you could call 512-bit security overkill for personal use.

  4. The problem with hash functions and symmetric cryptography in the post-quantum domain is Grover's algorithm. Simplified, it delivers an attack that lowers the bit security by a logarithmic factor. Therefore, symmetric cryptography is not affected so much, since the key length can simply be doubled. For hash functions there is an algorithm from Brassard, which breaks the whole thing even more efficiently. I.e. a 256-bit hash function is not PQ secure to the same extent as a 256-bit symmetric encryption. Instead of the 2nd root, the 3rd root applies. I.e. the number of bits must be chosen even higher, which is why one can say that SHA512 is rather for PQ (but not only, also because of the other design decisions already mentioned). For more see this.

  5. There is a saying: Better to have and not need than to need and not have.

  6. As mentioned above: It depends.

Titanlord
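As an added illustration of points 1, 2 and 4 of the answer (example code written for this page, not part of the question or the answer), the following Python script reads the SHA-2 family parameters out of `hashlib`, checks whether the 224- and 384-bit variants are mere prefixes of the 256- and 512-bit digests (they are not: same compression function, different initial values, then truncation), and tabulates the generic attack costs an ideal n-bit digest offers classically and against Grover's and the Brassard-Hoyer-Tapp algorithm. The sample message and the helper names (`sha2_parameters`, `is_plain_truncation`, `generic_attack_bits`) are constructed for the example.

```python
import hashlib
from fractions import Fraction

# Constructed sample message for the example (not from the original page).
MESSAGE = b"The quick brown fox jumps over the lazy dog"

# The four SHA-2 variants from the question, paired by internal structure:
# SHA-224/SHA-256 share the 32-bit-word compression function and 64-byte blocks,
# SHA-384/SHA-512 share the 64-bit-word compression function and 128-byte blocks.
SHA2_VARIANTS = ("sha224", "sha256", "sha384", "sha512")


def sha2_parameters(name):
    """Return (digest bits, block bytes, word bits) for a hashlib SHA-2 name.

    hashlib does not expose the word size directly; it is derived from the
    block size, because every SHA-2 block holds exactly 16 message words
    (16 * 4 bytes = 64, 16 * 8 bytes = 128).
    """
    h = hashlib.new(name)
    return h.digest_size * 8, h.block_size, (h.block_size // 16) * 8


def is_plain_truncation(short_name, long_name, message=MESSAGE):
    """True if the shorter digest is simply a prefix of the longer one.

    For SHA-224 vs SHA-256 and SHA-384 vs SHA-512 this is False: the shorter
    variants use different initial hash values before truncating the output,
    so they are distinct functions, not a cut of the longer digest.
    """
    short = hashlib.new(short_name, message).digest()
    long_ = hashlib.new(long_name, message).digest()
    return long_.startswith(short)


def generic_attack_bits(digest_bits):
    """Cost (as an exponent of 2) of the best generic attacks on an ideal n-bit hash.

    Classical: preimage 2^n, collision 2^(n/2) (birthday bound).
    Quantum:   preimage 2^(n/2) (Grover), collision 2^(n/3)
               (Brassard-Hoyer-Tapp, assuming cheap quantum-accessible memory).
    Exact Fractions are returned so that 256/3 is not silently rounded.
    """
    n = Fraction(digest_bits)
    return {
        "preimage_classical": n,
        "collision_classical": n / 2,
        "preimage_quantum": n / 2,
        "collision_quantum": n / 3,
    }


if __name__ == "__main__":
    for name in SHA2_VARIANTS:
        bits, block, word = sha2_parameters(name)
        print(f"{name:7s} digest={bits:3d} bits  block={block:3d} bytes  word={word:2d} bits")
    print("sha224 is a prefix of sha256:", is_plain_truncation("sha224", "sha256"))
    print("sha384 is a prefix of sha512:", is_plain_truncation("sha384", "sha512"))
    for bits in (256, 512):
        costs = generic_attack_bits(bits)
        print(f"{bits}-bit digest:", {k: f"2^{float(v):.1f}" for k, v in costs.items()})
```

The last loop is the point of the exercise: a 256-bit digest keeps 128 bits of preimage resistance under Grover but only about 85 bits of collision resistance under Brassard-Hoyer-Tapp, while a 512-bit digest keeps 256 and about 170 bits respectively, which is the usual argument for the 512-bit variants once a quantum adversary is in the threat model.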