### Re: MD6 withdrawn from SHA-3 competition

At 10:39 AM -0700 7/4/09, Hal Finney wrote: But how many other hash function candidates would also be excluded if such a stringent criterion were applied? Or turning it around, if NIST demanded a proof of immunity to differential attacks as Rivest proposed, how many candidates have offered such a proof, in variants fast enough to beat SHA-2? The more important question, and one that I hope gets dealt with, is what is a sufficient proof. We know what proofs are, but we don't have a precise definition. We know what a proof should look like, sort of. Ron and his crew have their own definition, and they can't make MD6 work within that definition. But that doesn't mean that NIST wouldn't have accepted the fast-enough MD6 with a proof from someone else. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

### Re: MD6 withdrawn from SHA-3 competition

On Sat, 2009-07-04 at 10:39 -0700, Hal Finney wrote: Rivest: Thus, while MD6 appears to be a robust and secure cryptographic hash algorithm, and has much merit for multi-core processors, our inability to provide a proof of security for a reduced-round (and possibly tweaked) version of MD6 against differential attacks suggests that MD6 is not ready for consideration for the next SHA-3 round. But how many other hash function candidates would also be excluded if such a stringent criterion were applied? Or turning it around, if NIST demanded a proof of immunity to differential attacks as Rivest proposed, how many candidates have offered such a proof, in variants fast enough to beat SHA-2? I think resistance to attacks (note absence of any restrictive adjective such as differential) is a very important property (indeed, one of the basic defining criteria) to demonstrate in a hash algorithm. If someone can demonstrate an attack, differential or otherwise, or show reason to believe that such an attack may exist, then that should be sufficient grounds to eliminate a vulnerable candidate from any standardization competition. In other words, the fact that MD6 can demonstrate resistance to a class of attacks, if other candidates cannot, should stand in its favor regardless of whether the competition administrators say anything about proving resistance to any particular *kind* of attacks. If that does not stand in its favor then the competition is exposed as no more than a misguided effort to standardize on one of the many Wrong Solutions. Bear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com