Paul Hoffman wrote: > At 10:39 AM -0700 7/4/09, Hal Finney wrote: > >> But how many other hash function candidates would also be excluded if >> such a stringent criterion were applied? Or turning it around, if NIST >> demanded a proof of immunity to differential attacks as Rivest proposed, >> how many candidates have offered such a proof, in variants fast enough >> to beat SHA-2? >> > > The more important question, and one that I hope gets dealt with, is > what is a sufficient proof. We know what proofs are, but we don't have > a precise definition. We know what a proof should look like, sort > of. Ron and his crew have their own definition, and they can't make > MD6 work within that definition. But that doesn't mean that NIST > wouldn't have accepted the fast-enough MD6 with a proof from someone > else.

Mathematicians have a precise definition of what a proof is, thanks to logicians like David Hilbert and Kurt Goedel. But people in all disciplines have a terrible time formulating problems, and remembering the conditions under which a statement was proved. They also quote theorems incorrectly, and errors propagate through the less well-reviewed parts of the literature. -- Josh Rubin jlru...@gmail.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com