MD6
Cryptographic hash function From Wikipedia, the free encyclopedia
The MD6 Message-Digest Algorithm is a cryptographic hash function. It uses a Merkle tree-like structure to allow for immense parallel computation of hashes for very long inputs. Authors claim a performance of 28 cycles per byte for MD6-256 on an Intel Core 2 Duo and provable resistance against differential cryptanalysis.[3] The source code of the reference implementation was released under MIT license.[4]
| General | |
|---|---|
| Designers | Ronald Rivest, Benjamin Agre, Dan Bailey, Sarah Cheng, Christopher Crutchfield, Yevgeniy Dodis, Kermin Fleming, Asif Khan, Jayant Krishnamurthy, Yuncheng Lin, Leo Reyzin, Emily Shen, Jim Sukha, Eran Tromer, Yiqun Lisa Yin |
| First published | 2008 |
| Series | MD2, MD4, MD5, MD6 |
| Detail | |
| Digest sizes | Variable, 0<d≤512 bits |
| Structure | Merkle tree |
| Rounds | Variable. Default, Unkeyed=40+[d/4], Keyed=max(80,40+(d/4)) [1] |
| Best public cryptanalysis | |
| Key-recovery attack of a 14-round MD6 function in 222 operations.[2] | |
Speeds in excess of 1 GB/s have been reported to be possible for long messages on 16-core CPU architecture.[1]
In December 2008, Douglas Held of Fortify Software discovered a buffer overflow in the original MD6 hash algorithm's reference implementation. This error was later made public by Ron Rivest on 19 February 2009, with a release of a corrected reference implementation in advance of the Fortify Report.[5]
MD6 was submitted to the NIST SHA-3 competition. However, on July 1, 2009, Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3 because of speed issues, a "gap in the proof that the submitted version of MD6 is resistant to differential attacks", and an inability to supply such a proof for a faster reduced-round version,[6] although Rivest also stated at the MD6 website that it is not withdrawn formally.[7] MD6 did not advance to the second round of the SHA-3 competition. In September 2011, a paper presenting an improved proof that MD6 and faster reduced-round versions are resistant to differential attacks[8] was posted to the MD6 website.[9]
MD6 hash test vectors
MD6("The quick brown fox jumps over the lazy dog") =
977592608c45c9923340338450fdcccc21a68888e1e6350e133c5186cd9736ee
A change in even a single bit of the message will, with overwhelming probability, result in a completely different message digest due to the avalanche effect:
MD6("The quick brown fox jumps over the lazy cog") =
85fe717a5896a085a31be5d9457b4da75a6ebc003eded96d7cb0ff1737235bba
The hash of the zero-length string is:
MD6("") = bca38b24a804aa37d821d31af00f5598230122c5bbfc4c4ad5ed40e4258f04ca
Tool
References
External links
Wikiwand - on
Seamless Wikipedia browsing. On steroids.