- MD6
-
MD6 General Designers Ronald Rivest, Benjamin Agre, Dan Bailey, Sarah Cheng, Christopher Crutchfield, Yevgeniy Dodis, Kermin Fleming, Asif Khan, Jayant Krishnamurthy, Yuncheng Lin, Leo Reyzin, Emily Shen, Jim Sukha, Eran Tromer, Yiqun Lisa Yin First published 2008 Series MD2, MD4, MD5, MD6 Detail Digest sizes Variable, 0<d≤512 bits Structure Merkle tree Rounds Variable. Default, Unkeyed=40+[d/4], Keyed=max(80,40+(d/4))
[1]The MD6 Message-Digest Algorithm is a cryptographic hash function. It uses a Merkle tree-like structure to allow for immense parallel computation of hashes for very long inputs. Authors claim a performance of 28 cycles per byte for MD6-256 on an Intel Core 2 Duo and provable resistance against differential cryptanalysis.[2]
Speeds in excess of 1 GB/s have been reported to be possible for long messages on 16-core CPU architecture.[1]
The design of Merkle tree is based on the claims from Intel describing the future of hardware processors with tens and thousands of cores instead of the conventional uni-core systems. With this in mind, Merkle tree hash structures exploit full potential of such hardware while being appropriate for current uni/dual core architectures.
In December 2008, a researcher at Fortify Software discovered a buffer overflow in the original MD6 hash algorithm's reference implementation. This error was later made public by professor Ron Rivest on 19 February 2009, with a release of a corrected reference implementation in advance of the Fortify Report.[3]
MD6 was submitted to the NIST SHA-3 competition. However, on July 1, 2009, Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3 because of speed issues, a "gap in the proof that the submitted version of MD6 is resistant to differential attacks", and an inability to supply such a proof for a faster reduced-round version[4], although Rivest also stated at MD6 web site that it is not withdrawn formally.[5] MD6 did not advance to the second round of the SHA-3 competition. In September 2011, a paper presenting an improved proof that MD6 and faster reduced-round versions are resistant to differential attacks[6] was posted to the MD6 website[7].
The algorithm's first known production use was in the Conficker.B worm in December 2008;[8] the worm's authors subsequently updated Conficker with the corrected implementation once the buffer overflow vulnerability became known.[8]See also
References
- http://people.csail.mit.edu/rivest/md6_report.pdf – MD6 reference paper
- ^ a b Ronald L. Rivest et Al., The MD6 Hash Function, Crypto 2008
- ^ Ronald L. Rivest. "The MD6 hash function A proposal to NIST for SHA-3". http://people.csail.mit.edu/rivest/Rivest-TheMD6HashFunction.ppt. (Microsoft PowerPoint file)
- ^ http://blog.fortify.com/repo/Fortify-SHA-3-Report.pdf
- ^ Rivest, Ronald (July 1, 2009). "OFFICIAL COMMENT: MD6". http://groups.csail.mit.edu/cis/md6/OFFICIAL_COMMENT_MD6_2009-07-01.txt. Retrieved September 27, 2011.
- ^ Schneier, Bruce (July 1, 2009). "MD6 Withdrawn from SHA-3 Competition". http://www.schneier.com/blog/archives/2009/07/md6.html. Retrieved July 9, 2009.
- ^ Heilman, Ethan (July, 10 2011). "Restoring the Differential Resistance of MD6". http://eprint.iacr.org/2011/374. Retrieved September 27, 2011.
- ^ Heilman, Ethan (September, 2011). "Improved Differential Analysis". http://groups.csail.mit.edu/cis/md6/. Retrieved September 27, 2011.
- ^ a b http://mtc.sri.com/Conficker/addendumC/
External links
Cryptographic hash functions and message authentication codes (MACs) Common functions Functions SHA-3 finalists BLAKE · Grøstl · JH · Keccak · SkeinMAC algorithms Authenticated
encryption modesAttacks Misc. Standardization Cryptography Categories:- Cryptographic hash functions
- NIST hash function competition
- Cryptography stubs
Wikimedia Foundation. 2010.
