SHA-3 is KECCAK

Chris Cain clcain at uncg.edu
Fri Jan 17 08:44:08 PST 2014


Here, let me use an analogy. Note: this analogy comes from me, so 
it's not necessarily endorsed by any professional 
cryptographers... but it explains where my concerns are coming 
from.

Let's say that everyone has something very precious ... like a 
diamond. Let's imagine a multiverse. Each universe can 
"represent" an algorithm. One is for MD5, another is for SHA1 and 
so on. In each universe, there exists a planet that holds a vault 
that has your diamond. Some universes are similar to others (for 
instance, the SHA1 universe has some passing resemblance to the 
MD5 universe).

When you say "specialized hardware can be made to speed up the 
process", I think "I can visit ten planets in this universe 
looking for the vaults instead of just one at a time if I invest 
in a special ship". Can you see why this doesn't concern me in 
the slightest?

When you say "Moore's law", I think "every 18 months I can know 
which half of the remaining universe contains the diamonds". 
Again, can you see why this doesn't concern me?

The universe is _just too big_ for this stuff to matter. If you 
can't find the vaults containing the diamonds, then these things 
don't bother me, nor should they bother you.

For the MD5 universe, people have found a way of discovering the 
planet the diamonds are on very quickly (something like being 
able to find which millionth of the remaining universe contains 
the diamond each attempt ... a very fast solution). They've 
overcome the challenge of finding the diamonds (collision 
resistance) and now we wonder who is going to invent the 
blowtorch capable of opening the vaults up (preimage attack). All 
any cryptographer is saying is move the diamonds you care about 
into another universe before the MD5 blowtorch is invented. It 
may never get invented (we don't have any idea whether it's 
possible or if it is possible, when it might materialize) but 
moving it into another universe where the diamonds haven't even 
been found yet is simply safer. Ideally you don't want a universe 
that is too similar (such as MD5 and SHA1) because it might make 
the planet easier to be found. Also note that despite their 
similarities, no planets with diamonds have been found in the 
SHA1 universe. Yet still cryptographers are recommending moving 
on to SHA2 for new projects. Just food for thought.

Plus knowing which planet the diamond is on is dangerous enough 
since it can be used in certain circumstances to do some 
nefarious things (I already showed the example where someone can 
lie about a prediction for the future). It's only in special 
circumstances, but ignoring subtleties isn't recommended in 
cryptography since people almost always figure out a way to use 
things incorrectly.

To summarize, do not use MD5 intending it to be secure against 
attackers. Just don't. I'd also like to say that you really 
shouldn't suggest to anyone that it's a reasonable approach 
either. Obviously, I can't force you to, but do know that 
generally people (not just me) are going to argue against you on 
this, so you can save yourself a lot of trouble by just never 
mentioning MD5 as being acceptable again. At this point I think 
there's been enough discussion on the matter that exceptionally 
few will wander into this topic and be misled into accepting MD5 
for security purposes, so I'm going to retire from this 
discussion. If you use MD5 for its "security", just remember this 
for later: You were warned™. (Also, remember that people have 
been saying "Don't use MD5" since 1996, so when you do get bit by 
it, not only "You were warned" but "you are 20 years out of date, 
find a new job because you're fired" is also likely)
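The two points in the post above that a reader may want to see concretely are the gap between finding a collision (the "planet") and finding a preimage (the "blowtorch"), and why a collision alone is enough to "lie about a prediction for the future". The script below is an added example and is not code from the post or from the Digitalmars-d thread. Because producing real MD5 collisions is beyond a few lines of Python, it uses SHA-256 truncated to a small number of bits as a stand-in for a hash that is cheap to break; the commit-and-reveal flow, the "Team A wins"/"Team B wins" prefixes and the nonce layout are all constructed for this example. The attacker publishes one commitment, keeps two colliding documents, and later "proves" whichever prediction came true. Counting hash evaluations shows the collision costing on the order of 2^(n/2) work while a preimage of the same truncated hash costs on the order of 2^n.

```python
"""
Added example (not from the original post): a collision-based rigged
prediction, plus a count of the work a collision and a preimage take.

Uses SHA-256 truncated to `bits` bits as a toy, easily broken hash so the
attacks finish in seconds; nothing here attacks full SHA-256 or MD5.
"""
import hashlib
from typing import Dict, Tuple


def trunc_hash(data: bytes, bits: int) -> int:
    """Toy hash: the first `bits` bits of SHA-256. Weak by construction."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(prefix_a: bytes, prefix_b: bytes, bits: int) -> Tuple[bytes, bytes, int]:
    """Find two documents with different prefixes but equal truncated hash.

    A two-table birthday search: candidates for each prefix are generated in
    lockstep and each new hash is checked against the other prefix's table.
    Expected work is about 2**(bits/2) hashes, not 2**bits.
    Returns (doc_a, doc_b, hashes_computed).
    """
    table_a: Dict[int, bytes] = {}
    table_b: Dict[int, bytes] = {}
    hashes = 0
    nonce = 0
    while True:
        doc_a = prefix_a + b" nonce=" + str(nonce).encode()  # constructed layout
        h_a = trunc_hash(doc_a, bits)
        hashes += 1
        if h_a in table_b:
            return doc_a, table_b[h_a], hashes
        table_a[h_a] = doc_a

        doc_b = prefix_b + b" nonce=" + str(nonce).encode()
        h_b = trunc_hash(doc_b, bits)
        hashes += 1
        if h_b in table_a:  # also catches h_a == h_b in the same round
            return table_a[h_b], doc_b, hashes
        table_b[h_b] = doc_b
        nonce += 1


def find_preimage(target: int, bits: int) -> Tuple[bytes, int]:
    """Brute-force a document whose truncated hash equals `target`.

    This is the "blowtorch": expected work is about 2**(bits - 1) hashes.
    Returns (doc, hashes_computed).
    """
    nonce = 0
    while True:
        doc = b"forgery nonce=" + str(nonce).encode()
        nonce += 1
        if trunc_hash(doc, bits) == target:
            return doc, nonce


def commit(doc: bytes, bits: int) -> int:
    """Publish only the hash of a prediction now; reveal the text later."""
    return trunc_hash(doc, bits)


def verify(commitment: int, doc: bytes, bits: int) -> bool:
    """What the honest verifier does when the prediction is revealed."""
    return trunc_hash(doc, bits) == commitment


def rigged_prediction(bits: int = 32) -> Tuple[int, bytes, bytes, int]:
    """The 'predict the future' trick: one commitment, two colliding documents.

    Whichever team wins, the attacker reveals the matching document and the
    verifier's check passes. Returns (commitment, doc_a, doc_b, hashes).
    """
    doc_a, doc_b, work = find_collision(
        b"Prediction: Team A wins", b"Prediction: Team B wins", bits
    )
    return commit(doc_a, bits), doc_a, doc_b, work


if __name__ == "__main__":
    bits = 20
    commitment, doc_a, doc_b, coll_work = rigged_prediction(bits)
    print("commitment :", hex(commitment))
    print("reveal A   :", doc_a, verify(commitment, doc_a, bits))
    print("reveal B   :", doc_b, verify(commitment, doc_b, bits))
    print("collision work (hashes):", coll_work)

    forged, pre_work = find_preimage(commitment, bits)
    print("preimage   :", forged, verify(commitment, forged, bits))
    print("preimage work (hashes):", pre_work)
    print("preimage/collision work ratio: %.0fx" % (pre_work / coll_work))
```

Running the script at 20 bits shows both revealed documents verifying against the same commitment after a few thousand hashes, while the preimage takes on the order of half a million. Every extra bit of output doubles the preimage cost but only multiplies the collision cost by about the square root of two, which is the asymmetry the analogy in the post is describing.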

