At 11:49 PM -0400 7/3/09, Steven M. Bellovin wrote:
Here's the essential paragraph:
Thus, while MD6 appears to be a robust and secure cryptographic
hash algorithm, and has much merit for multi-core processors,
our inability to provide a proof of security for a
reduced-round (and possibly tweaked) version of MD6 against
differential attacks suggests that MD6 is not ready for
consideration for the next SHA-3 round.
At 10:12 AM + 7/4/09, Brandon Enright wrote:
It wasn't entirely clear to me if it really was withdrawn. Ron Rivest
posted on behalf of the MD6 team some thoughts on MD6 performance and
specifically suggested/requested that NIST ask for submitted algorithms
to be provably resistant to differential attacks.
I agree more with Brandon than with Steve, but who knows. I read Ron's message
as a challenge to NIST about whether or not NIST would really rely on the
proofs. It was clear they didn't want to withdraw MD6, but that they felt like
they had to because of the speed requirement.
--Paul Hoffman, Director
The Cryptography Mailing List