MD6 withdrawn from SHA-3 competition

Hal Finney hal at
Sat Jul 4 13:39:21 EDT 2009

> 	Thus, while MD6 appears to be a robust and secure cryptographic
> 	hash algorithm, and has much merit for multi-core processors,
> 	our inability to provide a proof of security for a
> 	reduced-round (and possibly tweaked) version of MD6 against
> 	differential attacks suggests that MD6 is not ready for
> 	consideration for the next SHA-3 round.

But how many other hash function candidates would also be excluded if
such a stringent criterion were applied? Or turning it around, if NIST
demanded a proof of immunity to differential attacks as Rivest proposed,
how many candidates have offered such a proof, in variants fast enough
to beat SHA-2?

Hal Finney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list