oresmus
commented
7 years ago NIST says (in their current policy, dated August 5, 2015): use at least SHA-256 (in the SHA-2 family); there is no need to transition applications from SHA-2 to SHA-3.
But Bruce Schneier seems to say: use something in the SHA-3 family.
Note that the goal of "demonstrating the idea of OPSN" would not actually require perfect security, so we could even get away with using SHA-1 in an initial demo implementation. But it would "look bad", and speed is not a big issue, and I'm pretty sure we can find code for all of them, so we might as well at least do what NIST suggests. Conversely there is no big reason to do something harder than they suggest. So my tentative conclusion is to use SHA-256.
(Remember that OPSN, once fully implemented, won't force the use of any single hash by everyone... though an initial demo implementation probably will, in the sense of what it's compatible with.)
Which cryptographic hash function should the initial implementation of OPSN be based on? (I just mean for the "universal data references", i.e. links based on hashes of immutable data. (These are called "Merkle links" in IPFS.) This is an independent question from what hashes are used in any authentication or encryption that might also occur.)
Let's assume this hash needs collision resistance (not merely second-preimage resistance).