The MD6 Message-Digest Algorithm is a cryptographic hash function. It uses a Merkle tree-like structure to allow massively parallel computation of hashes of very long inputs. Its authors claim a performance of 28 cycles per byte for MD6-256 on an Intel Core 2 Duo and provable resistance against differential cryptanalysis.[3] The source code of the reference implementation was released under the MIT license.[4]

Speeds in excess of 1 GB/s have been reported to be possible for long messages on a 16-core CPU architecture.[1]

In December 2008, Douglas Held of Fortify Software discovered a buffer overflow in the original MD6 hash algorithm's reference implementation. This error was later made public by Ron Rivest on 19 February 2009, with a release of a corrected reference implementation in advance of the Fortify Report.[5]

MD6 was submitted to the NIST SHA-3 competition. However, on July 1, 2009, Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3 because of speed issues, a "gap in the proof that the submitted version of MD6 is resistant to differential attacks", and an inability to supply such a proof for a faster reduced-round version,[6] although Rivest also stated at the MD6 website that it is not withdrawn formally.[7] MD6 did not advance to the second round of the SHA-3 competition. In September 2011, a paper presenting an improved proof that MD6 and faster reduced-round versions are resistant to differential attacks[8] was posted to the MD6 website.[9]

MD6 hash test vectors

MD6("The quick brown fox jumps over the lazy dog") = 977592608c45c9923340338450fdcccc21a68888e1e6350e133c5186cd9736ee

A change in even a single bit of the message will, with overwhelming probability, result in a completely different message digest due to the avalanche effect:

MD6("The quick brown fox jumps over the lazy cog") = 85fe717a5896a085a31be5d9457b4da75a6ebc003eded96d7cb0ff1737235bba

The hash of the zero-length string is:

MD6("") = bca38b24a804aa37d821d31af00f5598230122c5bbfc4c4ad5ed40e4258f04ca

References

  1. Rivest, Ronald L.; et al. "The MD6 Hash Function" (PDF). Archived from the original (PDF) on 2017-08-12. Retrieved 2024-01-29.
  2. Aumasson, Jean-Philippe; Dinur, Itai; Meier, Willi; Shamir, Adi (2009). "Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium". Fast Software Encryption. Vol. 5665. Berlin, Heidelberg: Springer. pp. 1–22. doi:10.1007/978-3-642-03317-9_1. ISBN 978-3-642-03316-2.
  3. Rivest, Ronald L. "The MD6 hash function: A proposal to NIST for SHA-3" (Microsoft PowerPoint file). Archived from the original on 2020-11-09. Retrieved 2008-10-07.
  4. readme.txt
  5. "Fortify-SHA-3-Report" (PDF). Archived from the original (PDF) on 2012-02-22.
  6. Rivest, Ronald (July 1, 2009). "OFFICIAL COMMENT: MD6". Retrieved September 27, 2011.
  7. Schneier, Bruce (July 1, 2009). "MD6 Withdrawn from SHA-3 Competition". Retrieved July 9, 2009.
  8. Heilman, Ethan (July 10, 2011). "Restoring the Differential Resistance of MD6". Retrieved September 27, 2011.
  9. Heilman, Ethan (September 2011). "Improved Differential Analysis". Retrieved September 27, 2011.