On Thu, 2008-08-21 at 10:26 -0700, "Hal Finney" wrote:
> Ron Rivest presented his (along with a dozen other people's) new hash,
> MD6, yesterday at Crypto.


> He also presented a number of cryptanalytic results. There is provable
> security against differential cryptanalysis, by virtue of the large number
> of rounds; also security against side channels. A SAT solver and another
> technique could only do something with about 11 rounds, versus the 100+
> rounds in the function. The tree structure is also shown to preserve
> strong properties of the compression function.
> Overall it seemed very impressive. The distinctive features are the tree
> structure, very wide input blocks, and the enormous number of rounds.
> The cryptanalysis results were favorable. However Adi Shamir stood up
> and expressed concern that his new Cube attack might apply. Rivest seemed
> confident that the degree of MD6 would be several thousand, which should
> be safe from Shamir's attack, but time will tell.

I came across this paper today while searching for more information:


It's titled 'Security Proofs for the MD6 Hash Function Mode of
Operation' by Christopher Yale Crutchfield (certified by Ronald L.
Rivest).  I thought it might be of interest to the followers of this

Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to