Curt Sampson
Sep 1, 2018 · 1 min read

It’s not clear to me that SHA-3 is as resistant to quantum attacks as SHA-2, as you seem to imply in the article. As summarized in Wikipedia:

It has been shown that the Merkle–Damgård construction, as used by SHA-2, is collapsing and, by consequence, quantum collision-resistant,[38] but for the sponge construction used by SHA-3, the authors provide proofs only for the case that the block function f is not efficiently invertible; Keccak-f[1600], however, is efficiently invertible, and so their proof does not apply.