MD6 hash algorithm withdrawn from SHA-3 competition
The MD6 development team has withdrawn its hash algorithm from NIST's SHA-3 competition. On a NIST mailing list, Ron Rivest (the 'R' in RSA) wrote, "We suggest that MD6 is not yet ready for the next SHA-3 round." Rivest states that the algorithm has been withdrawn because, in order to run fast enough, the number of rounds would have to be reduced to between 30 and 40. It is not known whether such a reduced-round variant is actually less resistant to differential attacks, but the current proof of resistance to differential cryptanalysis covers the 80-round version and does not carry over to the reduced version.
MD6 had been one of the favourites to succeed the ageing SHA-2 hash family, but was always hampered by its relative slowness. In the opinion of security expert Bruce Schneier, proofs of security for algorithms are overrated anyway. On his blog, he describes the withdrawal as "classy, especially given the fact that there are no attacks on it" and notes that none of the other SHA-3 candidates has furnished such a proof of resistance. He also points out that some of the submissions to the SHA-3 competition, in contrast to MD6, have already been broken, with their authors merely "trying to pretend that no one has noticed."
This is by no means the end of the line for MD6. Although its withdrawal means it is no longer in the running to be crowned the official SHA-3 standard in 2012, developers remain free to use it for checksums and digital signatures. It is also not unusual to accompany a document or file with digests from several algorithms. MD5 and SHA-1, both still widely used, are each considered weak on their own; the known attacks against each of them produce a collision in that one algorithm only, so an attacker facing a combined MD5-plus-SHA-1 check would need a single pair of inputs that collides under both at once, which none of the published attacks delivers. The combination should not be overestimated, though: Joux showed in 2004 that, against generic collision attacks, a concatenation of two iterated hashes is barely stronger than the stronger of the two.
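The multi-digest check described above, as an added example that is not part of the original article and not code from the MD6 team: a small manifest of `algorithm:hexdigest` lines (a hypothetical format chosen here for illustration) is generated for a file and then verified. The verifier insists that every required algorithm is present and that every listed digest matches, so an attacker who can edit the manifest cannot simply drop the algorithm they are unable to collide. The sample input is constructed inline.

```python
import hashlib
import hmac

# Digest algorithms the verifier insists on. All of them must match, so a
# forged file has to collide under every algorithm simultaneously.
REQUIRED_ALGORITHMS = ("md5", "sha1", "sha256")


def multi_digest(data: bytes, algorithms=REQUIRED_ALGORITHMS) -> dict:
    """Return {algorithm: hexdigest} for every algorithm in `algorithms`."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def render_manifest(digests: dict) -> str:
    """Serialise digests as 'algorithm:hexdigest' lines (hypothetical format)."""
    return "".join(f"{name}:{digest}\n" for name, digest in sorted(digests.items()))


def parse_manifest(text: str) -> dict:
    """Parse 'algorithm:hexdigest' lines back into a dict, rejecting malformed input."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, digest = line.partition(":")
        name, digest = name.strip().lower(), digest.strip().lower()
        if not sep or not name or not digest:
            raise ValueError(f"line {lineno}: expected 'algorithm:hexdigest'")
        if name in digests:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        digests[name] = digest
    return digests


def verify(data: bytes, manifest: dict, required=REQUIRED_ALGORITHMS) -> bool:
    """True only if every required algorithm is listed and every listed digest matches.

    A missing required algorithm is a failure: otherwise an attacker who can
    rewrite the manifest would just delete the digest they cannot forge.
    """
    if any(name not in manifest for name in required):
        return False
    for name, expected in manifest.items():
        try:
            actual = hashlib.new(name, data).hexdigest()
        except ValueError:  # algorithm name this Python build does not know
            return False
        # Constant-time comparison on the ASCII hex strings.
        if not hmac.compare_digest(actual.encode(), expected.encode()):
            return False
    return True


if __name__ == "__main__":
    original = b"abc"            # constructed sample payload
    tampered = b"abd"            # constructed one-byte modification
    manifest_text = render_manifest(multi_digest(original))
    print(manifest_text, end="")
    manifest = parse_manifest(manifest_text)
    print("original verifies:", verify(original, manifest))
    print("tampered verifies:", verify(tampered, manifest))
    # Dropping one algorithm from the manifest must also fail.
    stripped = dict(manifest)
    del stripped["sha256"]
    print("manifest missing sha256 verifies:", verify(original, stripped))
```

Note that the combined check only raises the bar for an attacker who cannot produce a simultaneous collision; it does not turn two weak functions into a strong one, and a modern digest such as SHA-256 should be among the required algorithms rather than MD5 and SHA-1 alone.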
- Several vulnerabilities in SHA-3 candidates, a report from The H
- The MD6 Hash Function (PPT), a presentation of the algorithm by Ron Rivest
- The SHA-3 Zoo, an overview of the submitted algorithms
- Attacks on SHA-1 made even easier, a report from The H
- The consequences of the successful MD5 attacks, a feature from The H