>       Thus, while MD6 appears to be a robust and secure cryptographic
>       hash algorithm, and has much merit for multi-core processors,
>       our inability to provide a proof of security for a
>       reduced-round (and possibly tweaked) version of MD6 against
>       differential attacks suggests that MD6 is not ready for
>       consideration for the next SHA-3 round.

But how many other hash function candidates would also be excluded if
such a stringent criterion were applied? Or turning it around, if NIST
demanded a proof of immunity to differential attacks as Rivest proposed,
how many candidates have offered such a proof, in variants fast enough
to beat SHA-2?

Hal Finney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
