MD6 withdrawn from SHA-3 competition

Brandon Enright bmenrigh at
Sat Jul 4 06:12:02 EDT 2009

On Thu, 2 Jul 2009 20:51:47 -0700 or thereabouts "Joseph Ashwood"
<ashwood at> wrote:

> Sent: Wednesday, July 01, 2009 4:05 PM
> Subject: MD6 withdrawn from SHA-3 competition
> > Also from Bruce Schneier, a report that MD6 was withdrawn from the
> > SHA-3 competition because of performance considerations.
> I find this disappointing. With the rate of destruction of primitives
> in any such competition I would've liked to see them let it stay
> until it is either broken or at least until the second round. A quick
> glance at the SHA-3 zoo and you won't see much left with no attacks.
> It would be different if it was yet another M-D, using AES as a
> foundation, blah, blah, blah, but MD6 is a truly unique and
> interesting design.
> I hope the report is wrong, and in keeping that hope alive, the MD6
> page has no statement about the withdrawal.
>                     Joe 

It wasn't entirely clear to me if it really was withdrawn.  Ron Rivest
posted on behalf of the MD6 team some thoughts on MD6 performance and
specifically suggested/requested that NIST ask for submitted algorithms
to be "provably resistant to differential attacks".

The logic was that MD6 is slow because the high number of rounds is
needed in their proof.  They won't tweak/submit a version that doesn't
meet this requirement of theirs and based on the current contest
requirements, they can't be competitive speed-wise without losing their
proof of resistance to differential attacks.  Unless the contest
changes to require such a proof, there is no point in moving MD6
