Rivest:

> Thus, while MD6 appears to be a robust and secure cryptographic
> hash algorithm, and has much merit for multi-core processors,
> our inability to provide a proof of security for a
> reduced-round (and possibly tweaked) version of MD6 against
> differential attacks suggests that MD6 is not ready for
> consideration for the next SHA-3 round.
But how many other hash function candidates would also be excluded if such a stringent criterion were applied? Or, turning it around, if NIST demanded a proof of immunity to differential attacks as Rivest proposed, how many candidates have offered such a proof, in variants fast enough to beat SHA-2?

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
