Re: MD6 withdrawn from SHA-3 competition

2009-07-05 Thread Paul Hoffman
At 11:49 PM -0400 7/3/09, Steven M. Bellovin wrote:
Here's the essential paragraph:

   Thus, while MD6 appears to be a robust and secure cryptographic
   hash algorithm, and has much merit for multi-core processors,
   our inability to provide a proof of security for a
   reduced-round (and possibly tweaked) version of MD6 against
   differential attacks suggests that MD6 is not ready for
   consideration for the next SHA-3 round.

At 10:12 AM + 7/4/09, Brandon Enright wrote:
It wasn't entirely clear to me if it really was withdrawn.  Ron Rivest
posted on behalf of the MD6 team some thoughts on MD6 performance and
specifically suggested/requested that NIST ask for submitted algorithms
to be provably resistant to differential attacks.

I agree more with Brandon than with Steve, but who knows. I read Ron's message 
as a challenge to NIST about whether or not NIST would really rely on the 
proofs. It was clear they didn't want to withdraw MD6, but that they felt like 
they had to because of the speed requirement.




--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: MD6 withdrawn from SHA-3 competition

2009-07-05 Thread Hal Finney
Rivest:
   Thus, while MD6 appears to be a robust and secure cryptographic
   hash algorithm, and has much merit for multi-core processors,
   our inability to provide a proof of security for a
   reduced-round (and possibly tweaked) version of MD6 against
   differential attacks suggests that MD6 is not ready for
   consideration for the next SHA-3 round.

But how many other hash function candidates would also be excluded if
such a stringent criterion were applied? Or turning it around, if NIST
demanded a proof of immunity to differential attacks as Rivest proposed,
how many candidates have offered such a proof, in variants fast enough
to beat SHA-2?

Hal Finney

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com