   The SHA-3 standard was released by NIST in August of this year. I'm
   wondering if anyone has done the math on how long until we should no
   longer consider it pretty secure enough-ish.
   For comparison, here's the 2012 maths for SHA-1:
   [1]https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

     On a NIST-sponsored hash function [2]mailing list, Jesse Walker
     (from Intel; also a member of the [3]Skeinteam) did some
     back-of-the-envelope calculations to estimate how long it will be
     before we see a practical collision attack against SHA-1. I'm
     reprinting his analysis here, so it reaches a broader audience.
     According to [4]E-BASH, the cost of one block of a SHA-1 operation
     on already deployed commodity microprocessors is about 2^14 cycles.
     If [5]Stevens' attack of 2^60 SHA-1 operations serves as the
     baseline, then finding a collision costs about 2^14 * 2^60 ~
     2^74cycles.
     A core today provides about 2^31 cycles/sec; the state of the art is
     8 = 2^3 cores per processor for a total of 2^3 * 2^31 =
     2^34 cycles/sec. A server typically has 4 processors, increasing the
     total to 2^2 * 2^34 = 2^36 cycles/sec. Since there are about
     2^25 sec/year, this means one server delivers about 2^25 * 2^36 =
     2^61 cycles per year, which we can call a "server year."
     There is ample evidence that Moore's law will continue through the
     mid 2020s. Hence the number of doublings in processor power we can
     expect between now and 2021 is:
     3/1.5 = 2 times by 2015 (3 = 2015 - 2012)
     6/1.5 = 4 times by 2018 (6 = 2018 - 2012)
     9/1.5 = 6 times by 2021 (9 = 2021 - 2012)
     So a commodity server year should be about:
     2^61 cycles/year in 2012
     2^2 * 2^61 = 2^63 cycles/year by 2015
     2^4 * 2^61 = 2^65 cycles/year by 2018
     2^6 * 2^61 = 2^67 cycles/year by 2021
     Therefore, on commodity hardware, Stevens' attack should cost
     approximately:
     2^74 / 2^61 = 2^13 server years in 2012
     2^74 / 2^63 = 2^11 server years by 2015
     2^74 / 2^65 = 2^9 server years by 2018
     2^74 / 2^67 = 2^7 server years by 2021
     Today Amazon rents compute time on commodity servers for about $0.04
     / hour ~ $350 /year. Assume compute rental fees remain fixed while
     server capacity keeps pace with Moore's law. Then, since log[2](350)
     ~ 8.4 the cost of the attack will be approximately:
     2^13 * 2^8.4 = 2^21.4 ~ $2.77M in 2012
     2^11 * 2^8.4 = 2^19.4 ~ $700K by 2015
     2^9 * 2^8.4 = 2^17.4 ~ $173K by 2018
     2^7 * 2^8.4 = 2^15.4 ~ $43K by 2021
     A collision attack is therefore well within the range of what an
     organized crime syndicate can practically budget by 2018, and a
     university research project by 2021.
     Since this argument only takes into account commodity hardware and
     not instruction set improvements (e.g., ARM 8 specifies a SHA-1
     instruction), other commodity computing devices with even greater
     processing power (e.g., GPUs), and custom hardware, the need to
     transition from SHA-1 for collision resistance functions is probably
     more urgent than this back-of-the-envelope analysis suggests.
     Any increase in the number of cores per CPU, or the number of CPUs
     per server, also affects these calculations. Also, any improvements
     in cryptanalysis will further reduce the complexity of this attack.
     The point is that we in the community need to start the migration
     away from SHA-1 and to SHA-2/SHA-3 now.

References

   1. https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
   2. http://csrc.nist.gov/groups/ST/hash/email_list.html
   3. http://www.schneier.com/skein.html
   4. http://bench.cr.yp.to/ebash.html
   5. http://2012.sharcs.org/slides/stevens.pdf