MD6 withdrawn from SHA-3 competition

Paul Hoffman paul.hoffman at
Sat Jul 4 14:59:01 EDT 2009

At 11:49 PM -0400 7/3/09, Steven M. Bellovin wrote:
>Here's the essential paragraph:
>	Thus, while MD6 appears to be a robust and secure cryptographic
>	hash algorithm, and has much merit for multi-core processors,
>	our inability to provide a proof of security for a
>	reduced-round (and possibly tweaked) version of MD6 against
>	differential attacks suggests that MD6 is not ready for
>	consideration for the next SHA-3 round.

At 10:12 AM +0000 7/4/09, Brandon Enright wrote:
>It wasn't entirely clear to me if it really was withdrawn.  Ron Rivest
>posted on behalf of the MD6 team some thoughts on MD6 performance and
>specifically suggested/requested that NIST ask for submitted algorithms
>to be "provably resistant to differential attacks".

I agree more with Brandon than with Steve, but who knows. I read Ron's message as a challenge to NIST about whether or not NIST would really rely on the proofs. It was clear they didn't want to withdraw MD6, but that they felt like they had to because of the speed requirement.

--Paul Hoffman, Director
--VPN Consortium

The Cryptography Mailing List