On Thu, 2 Jul 2009 20:51:47 -0700 "Joseph Ashwood" <ashw...@msn.com> wrote:
> Sent: Wednesday, July 01, 2009 4:05 PM
> Subject: MD6 withdrawn from SHA-3 competition
>
> > Also from Bruce Schneier, a report that MD6 was withdrawn from the
> > SHA-3 competition because of performance considerations.
>
> I find this disappointing. With the rate of destruction of primitives
> in any such competition I would've liked to see them let it stay
> until it is either broken or at least until the second round. A quick
> glance at the SHA-3 zoo and you won't see much left with no attacks.
> It would be different if it was yet another M-D, using AES as a
> foundation, blah, blah, blah, but MD6 is a truly unique and
> interesting design.
>
> I hope the report is wrong, and in keeping that hope alive, the MD6
> page has no statement about the withdrawal.

The report is quite correct. Rivest sent a note to NIST's hash forum mailing list (http://csrc.nist.gov/groups/ST/hash/email_list.html) announcing the withdrawal. Since a password is necessary to access the archives (anti-spam?), I don't want to post the whole note, but Rivest said that they couldn't improve MD6's performance to meet NIST's criteria (at least as fast as SHA-2); the designers of MD6 felt that they could not manage that and still achieve provable resistance to differential attacks, and they regard the latter as very important. Here's the essential paragraph:

   Thus, while MD6 appears to be a robust and secure cryptographic
   hash algorithm, and has much merit for multi-core processors,
   our inability to provide a proof of security for a reduced-round
   (and possibly tweaked) version of MD6 against differential attacks
   suggests that MD6 is not ready for consideration for the next
   SHA-3 round.

--Steve Bellovin, http://www.cs.columbia.edu/~smb