MD6 withdrawn from SHA-3 competition

Steven M. Bellovin smb at
Fri Jul 3 23:49:39 EDT 2009

On Thu, 2 Jul 2009 20:51:47 -0700
"Joseph Ashwood" <ashwood at> wrote:

> --------------------------------------------------
> Sent: Wednesday, July 01, 2009 4:05 PM
> Subject: MD6 withdrawn from SHA-3 competition
> > Also from Bruce Schneier, a report that MD6 was withdrawn from the
> > SHA-3 competition because of performance considerations.
> I find this disappointing. With the rate of destruction of primitives
> in any such competition I would've liked to see them let it stay
> until it is either broken or at least until the second round. A quick
> glance at the SHA-3 zoo and you won't see much left with no attacks.
> It would be different if it was yet another M-D, using AES as a
> foundation, blah, blah, blah, but MD6 is a truly unique and
> interesting design.
> I hope the report is wrong, and in keeping that hope alive, the MD6
> page has no statement about the withdrawl.

The report is quite correct.  Rivest sent a note to NIST's hash forum
mailing list (
announcing the withdrawal.  Since a password is necessary to access the
archives (anti-spam?), I don't want to post the whole note, but Rivest
said that they couldn't improve MD6's performance to meet NIST's
criteria (at least as fast as SHA-2); the designers of MD6 felt that
they could not manage that and still achieve provable resistance to
differential attacks, and they regard the latter as very important.
Here's the essential paragraph:

	Thus, while MD6 appears to be a robust and secure cryptographic
	hash algorithm, and has much merit for multi-core processors,
	our inability to provide a proof of security for a
	reduced-round (and possibly tweaked) version of MD6 against
	differential attacks suggests that MD6 is not ready for
	consideration for the next SHA-3 round.

		--Steve Bellovin,

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list