On Sat, 2009-07-04 at 10:39 -0700, "Hal Finney" wrote:
> Rivest:
> > Thus, while MD6 appears to be a robust and secure cryptographic
> > hash algorithm, and has much merit for multi-core processors,
> > our inability to provide a proof of security for a
> > reduced-round (and possibly tweaked) version of MD6 against
> > differential attacks suggests that MD6 is not ready for
> > consideration for the next SHA-3 round.
>
> But how many other hash function candidates would also be excluded if
> such a stringent criterion were applied? Or turning it around, if NIST
> demanded a proof of immunity to differential attacks as Rivest proposed,
> how many candidates have offered such a proof, in variants fast enough
> to beat SHA-2?
I think "resistance to attacks" (note absence of any restrictive
adjective such as "differential") is a very important property
(indeed, one of the basic defining criteria) to demonstrate
in a hash algorithm. If someone can demonstrate an attack,
differential or otherwise, or show reason to believe that such
an attack may exist, then that should be sufficient grounds
to eliminate a vulnerable candidate from any standardization
competition.
In other words, the fact that MD6 can demonstrate resistance to
a class of attacks, if other candidates cannot, should stand in
its favor regardless of whether the competition administrators
say anything about proving resistance to any particular *kind*
of attacks. If that does not stand in its favor then the
competition is exposed as no more than a misguided effort to
standardize on one of the many Wrong Solutions.
Bear
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
