MD6 withdrawn from SHA-3 competition

Ray Dillinger bear at
Mon Jul 6 17:59:46 EDT 2009

On Sat, 2009-07-04 at 10:39 -0700, "Hal Finney" wrote:
> Rivest:
> > 	Thus, while MD6 appears to be a robust and secure cryptographic
> > 	hash algorithm, and has much merit for multi-core processors,
> > 	our inability to provide a proof of security for a
> > 	reduced-round (and possibly tweaked) version of MD6 against
> > 	differential attacks suggests that MD6 is not ready for
> > 	consideration for the next SHA-3 round.
> But how many other hash function candidates would also be excluded if
> such a stringent criterion were applied? Or turning it around, if NIST
> demanded a proof of immunity to differential attacks as Rivest proposed,
> how many candidates have offered such a proof, in variants fast enough
> to beat SHA-2?

I think "resistance to attacks" (note absence of any restrictive
adjective such as "differential") is a very important property 
(indeed, one of the basic defining criteria) to demonstrate 
in a hash algorithm.  If someone can demonstrate an attack, 
differential or otherwise, or show reason to believe that such
an attack may exist, then that should be sufficient grounds 
to eliminate a vulnerable candidate from any standardization 

In other words, the fact that MD6 can demonstrate resistance to 
a class of attacks, if other candidates cannot, should stand in 
its favor regardless of whether the competition administrators 
say anything about proving resistance to any particular *kind* 
of attacks.  If that does not stand in its favor then the 
competition is exposed as no more than a misguided effort to 
standardize on one of the many Wrong Solutions.  


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list