SHA-3 is the latest version of the Secure Hash Algorithm, so most of us would assume that it’s the most secure. But that’s not necessarily the case.
That’s because SHA-2 has been deployed in the field and studied intensively for more than 20 years. SHA-3 is just 7 years old, isn’t implemented as widely, and hasn’t been put through the same relentless barrage of testing.
Both SHA-2 and SHA-3 are families of algorithms, and there is a lot of nuance to them that goes far beyond what we can discuss in a quick email. However, both families have proven resilient so far, and there aren’t any signs that either algorithm will be broken in the near future.
Why Isn’t SHA-3 More Secure?
When NIST began the competition to find and standardize the SHA-3 algorithm, it was looking for a drop-in replacement that could make its hashing toolkit more robust.
One of the main advantages of the Keccak algorithm that became SHA-3 was that it was completely different from all of the major hash algorithms that had come before it. To get technical, the SHA-2 family, SHA-1, MD5, RIPEMD and others are built on the Merkle-Damgård construction. SHA-3 is based on the sponge construction, which is very different internally.
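To make that structural difference concrete, here is an added example (not code from the original email, and not the real SHA-2 or SHA-3): a toy Merkle-Damgård hash and a toy sponge hash built on the same SHA-256-based primitive. The 16-byte block and 32-byte state are assumed toy parameters, so the only thing that differs between the two is how message blocks and internal state are combined.

```python
import hashlib
import struct

BLOCK, STATE = 16, 32  # bytes absorbed per step, bytes of internal state (toy sizes)

def _pad_md(msg):
    # Merkle-Damgard padding: 0x80, zeros, then the 8-byte big-endian bit length
    zeros = b"\x00" * ((-len(msg) - 9) % BLOCK)
    return msg + b"\x80" + zeros + struct.pack(">Q", len(msg) * 8)

def _pad_sponge(msg):
    # Keccak-style pad10*1: a 1 bit, zeros, and a final 1 bit (no length field)
    if (len(msg) + 1) % BLOCK == 0:
        return msg + b"\x81"
    return msg + b"\x80" + b"\x00" * ((-len(msg) - 2) % BLOCK) + b"\x01"

def _permute(state):
    # Toy permutation: 4-round Feistel with a SHA-256 round function (a bijection)
    left, right = state[:16], state[16:]
    for rnd in range(4):
        f = hashlib.sha256(bytes([rnd]) + right).digest()[:16]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def md_chain(msg):
    # Merkle-Damgard: each step feeds the previous chaining value plus one block
    # into a compression function; returns every chaining value, zero IV first
    chain = [bytes(STATE)]
    padded = _pad_md(msg)
    for i in range(0, len(padded), BLOCK):
        chain.append(hashlib.sha256(chain[-1] + padded[i:i + BLOCK]).digest())
    return chain

def toy_md(msg):
    # Merkle-Damgard digest: the whole final chaining value is the output
    return md_chain(msg)[-1]

def sponge_absorb(msg):
    # Absorb: XOR each block into the 16-byte rate, then permute the full state;
    # the other 16 bytes (the capacity) are never XORed with message data
    state = bytes(STATE)
    padded = _pad_sponge(msg)
    for i in range(0, len(padded), BLOCK):
        rate = bytes(a ^ b for a, b in zip(state[:BLOCK], padded[i:i + BLOCK]))
        state = _permute(rate + state[BLOCK:])
    return state

def toy_sponge(msg):
    # Squeeze: output the rate, permute, output the rate again; capacity never leaves
    state = sponge_absorb(msg)
    return state[:BLOCK] + _permute(state)[:BLOCK]
```

Note how the Merkle-Damgård digest is the entire final state, while the sponge digest is assembled only from the rate half and the capacity half stays internal.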
One of the major benefits of having two completely different hash functions is that it’s unlikely that we will discover a serious attack that affects both SHA-2 and SHA-3. This means that if we do discover a serious threat to one of the algorithms, we should still be able to securely rely on the other.
We aren’t sure whether SHA-2 or SHA-3 will be the first one to be broken, but at least we have a spare. Given that it took almost a decade to standardize SHA-3, it’s important for us to have a backup that will give us time to develop a new secure hashing standard.
The final rundown: There aren’t major security reasons to switch from SHA-2 to SHA-3, but having SHA-3 kicking around is incredibly important for our long-term defense.