On Sat, 2009-07-04 at 10:39 -0700, Hal Finney wrote:
> Rivest:
> > Thus, while MD6 appears to be a robust and secure cryptographic
> > hash algorithm, and has much merit for multi-core processors,
> > our inability to provide a proof of security for a
> > reduced-round (and possibly tweaked) version of MD6 against
> > differential attacks suggests that MD6 is not ready for
> > consideration for the next SHA-3 round.
>
> But how many other hash function candidates would also be excluded if
> such a stringent criterion were applied? Or turning it around, if NIST
> demanded a proof of immunity to differential attacks as Rivest proposed,
> how many candidates have offered such a proof, in variants fast enough
> to beat SHA-2?
I think resistance to attacks (note absence of any restrictive
adjective such as differential) is a very important property
(indeed, one of the basic defining criteria) to demonstrate
in a hash algorithm. If someone can demonstrate an attack,
differential or otherwise, or show reason to believe that such
an attack may exist, then that should be sufficient grounds
to eliminate a vulnerable candidate from any standardization
competition.
In other words, the fact that MD6 can demonstrate resistance to
a class of attacks, if other candidates cannot, should stand in
its favor regardless of whether the competition administrators
say anything about proving resistance to any particular *kind*
of attacks. If that does not stand in its favor then the
competition is exposed as no more than a misguided effort to
standardize on one of the many Wrong Solutions.
Bear
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com