On Thu, 2008-08-21 at 10:26 -0700, "Hal Finney" wrote:
> Ron Rivest presented his (along with a dozen other people's) new hash,
> MD6, yesterday at Crypto.

---8<---(snip)---8<---

> He also presented a number of cryptanalytic results. There is provable
> security against differential cryptanalysis, by virtue of the large number
> of rounds; also security against side channels. A SAT solver and another
> technique could only do something with about 11 rounds, versus the 100+
> rounds in the function. The tree structure is also shown to preserve
> strong properties of the compression function.
>
> Overall it seemed very impressive. The distinctive features are the tree
> structure, very wide input blocks, and the enormous number of rounds.
> The cryptanalysis results were favorable. However Adi Shamir stood up
> and expressed concern that his new Cube attack might apply. Rivest seemed
> confident that the degree of MD6 would be several thousand, which should
> be safe from Shamir's attack, but time will tell.

I came across this paper today while searching for more information:

http://groups.csail.mit.edu/cis/theses/crutchfield-masters-thesis.pdf

It's titled 'Security Proofs for the MD6 Hash Function Mode of Operation'
by Christopher Yale Crutchfield (certified by Ronald L. Rivest). I thought
it might be of interest to the followers of this thread.

--
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.