Re: MD6 withdrawn from SHA-3 competition

2009-07-07 Thread Chen Ke-Fei Lin
At 10:39 AM -0700 7/4/09, Hal Finney wrote:
But how many other hash function candidates would also be excluded if
such a stringent criterion were applied? Or turning it around, if NIST
demanded a proof of immunity to differential attacks as Rivest proposed,
how many candidates have offered such a proof, in variants fast enough
to beat SHA-2?

Several hash candidates have proofs against differential attacks but only
four with such proofs are faster than SHA-2 (Edon-R, Shabal, Cheetah and
Keccak).
But according to http://eprint.iacr.org/2008/511.pdf
Keccak and Cheetah in 32-bit mode are not actually faster than SHA-2.

C.K.F. Lin

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: MD6 withdrawn from SHA-3 competition

2009-07-07 Thread Josh Rubin
Paul Hoffman wrote:
 At 10:39 AM -0700 7/4/09, Hal Finney wrote:
   
 But how many other hash function candidates would also be excluded if
 such a stringent criterion were applied? Or turning it around, if NIST
 demanded a proof of immunity to differential attacks as Rivest proposed,
 how many candidates have offered such a proof, in variants fast enough
 to beat SHA-2?
 

 The more important question, and one that I hope gets dealt with, is
 what is a sufficient proof. We know what proofs are, but we don't have
 a precise definition. We know what a proof should look like, sort
 of. Ron and his crew have their own definition, and they can't make
 MD6 work within that definition. But that doesn't mean that NIST
 wouldn't have accepted the fast-enough MD6 with a proof from someone
 else. 

Mathematicians have a precise definition of what a proof is, thanks to
logicians like David Hilbert and Kurt Goedel. But people in all
disciplines have a terrible time formulating problems, and remembering
the conditions under which a statement was proved. They also quote
theorems incorrectly, and errors propagate through the less
well-reviewed parts of the literature.

--
Josh Rubin
jlru...@gmail.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com