The MD6 hash function (rough notes)

Dustin D. Trammell dtrammell at bpointsys.com
Fri Aug 22 11:16:59 EDT 2008


On Thu, 2008-08-21 at 10:26 -0700, "Hal Finney" wrote:
> Ron Rivest presented his (along with a dozen other people's) new hash,
> MD6, yesterday at Crypto.

---8<---(snip)---8<---

> He also presented a number of cryptanalytic results. There is provable
> security against differential cryptanalysis, by virtue of the large number
> of rounds; also security against side channels. A SAT solver and another
> technique could only do something with about 11 rounds, versus the 100+
> rounds in the function. The tree structure is also shown to preserve
> strong properties of the compression function.
> 
> Overall it seemed very impressive. The distinctive features are the tree
> structure, very wide input blocks, and the enormous number of rounds.
> The cryptanalysis results were favorable. However Adi Shamir stood up
> and expressed concern that his new Cube attack might apply. Rivest seemed
> confident that the degree of MD6 would be several thousand, which should
> be safe from Shamir's attack, but time will tell.

I came across this paper today while searching for more information:

http://groups.csail.mit.edu/cis/theses/crutchfield-masters-thesis.pdf

It's titled 'Security Proofs for the MD6 Hash Function Mode of
Operation' by Christopher Yale Crutchfield (certified by Ronald L.
Rivest).  I thought it might be of interest to the followers of this
thread.

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.