On Sat, 2009-07-04 at 10:39 -0700, "Hal Finney" wrote:
> Rivest:
> > Thus, while MD6 appears to be a robust and secure cryptographic
> > hash algorithm, and has much merit for multi-core processors,
> > our inability to provide a proof of security for a
> > reduced-round (and possibly tweaked) version of MD6 against
> > differential attacks suggests that MD6 is not ready for
> > consideration for the next SHA-3 round.
>
> But how many other hash function candidates would also be excluded if
> such a stringent criterion were applied? Or turning it around, if NIST
> demanded a proof of immunity to differential attacks as Rivest proposed,
> how many candidates have offered such a proof, in variants fast enough
> to beat SHA-2?
I think "resistance to attacks" (note absence of any restrictive adjective such as "differential") is a very important property (indeed, one of the basic defining criteria) to demonstrate in a hash algorithm. If someone can demonstrate an attack, differential or otherwise, or show reason to believe that such an attack may exist, then that should be sufficient grounds to eliminate a vulnerable candidate from any standardization competition.

In other words, the fact that MD6 can demonstrate resistance to a class of attacks, if other candidates cannot, should stand in its favor regardless of whether the competition administrators say anything about proving resistance to any particular *kind* of attacks. If that does not stand in its favor then the competition is exposed as no more than a misguided effort to standardize on one of the many Wrong Solutions.

Bear

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com