Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 See also 2 References 3 External links

MD6

●فارسی ●Français ●Русский ●Українська ●中文 Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

MD6
General
Designers	Ronald Rivest, Benjamin Agre, Dan Bailey, Sarah Cheng, Christopher Crutchfield, Yevgeniy Dodis, Kermin Fleming, Asif Khan, Jayant Krishnamurthy, Yuncheng Lin, Leo Reyzin, Emily Shen, Jim Sukha, Eran Tromer, Yiqun Lisa Yin
First published	2008
Series	MD2, MD4, MD5, MD6
Detail
Digest sizes	Variable, 0<d≤512 bits
Structure	Merkle tree
Rounds	Variable. Default, Unkeyed=40+[d/4], Keyed=max(80,40+(d/4)) ^[1]
Best public cryptanalysis
Key-recovery attack of a 14-round MD6 function in 2²² operations.^[2]

The MD6 Message-Digest Algorithm is a cryptographic hash function. It uses a Merkle tree-like structure to allow for immense parallel computation of hashes for very long inputs. Authors claim a performance of 28 cycles per byte for MD6-256 on an Intel Core 2 Duo and provable resistance against differential cryptanalysis.^[3] The source code of the reference implementation was released under MIT license.^[4]

Speeds in excess of 1 GB/s have been reported to be possible for long messages on 16-core CPU architecture.^[1]

In December 2008, Douglas Held of Fortify Software discovered a buffer overflow in the original MD6 hash algorithm's reference implementation. This error was later made public by Ron Rivest on 19 February 2009, with a release of a corrected reference implementation in advance of the Fortify Report.^[5]

MD6 was submitted to the NIST SHA-3 competition. However, on July 1, 2009, Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3 because of speed issues, a "gap in the proof that the submitted version of MD6 is resistant to differential attacks", and an inability to supply such a proof for a faster reduced-round version,^[6] although Rivest also stated at the MD6 website that it is not withdrawn formally.^[7] MD6 did not advance to the second round of the SHA-3 competition. In September 2011, a paper presenting an improved proof that MD6 and faster reduced-round versions are resistant to differential attacks^[8] was posted to the MD6 website.^[9]

The hash of the zero-length string is:

MD6("") = bca38b24a804aa37d821d31af00f5598230122c5bbfc4c4ad5ed40e4258f04ca

References[edit]

^ ^a ^b Ronald L. Rivest; et al. "The MD6 Hash Function" (PDF). Archived from the original (PDF) on 2017-08-12. Retrieved 2024-01-29.

^ Aumasson, Jean-Philippe; Dinur, Itai; Meier, Willi; Shamir, Adi (2009). "Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium". Fast Software Encryption. Vol. 5665. Berlin, Heidelberg: Springer Berlin Heidelberg. p. 1–22. doi:10.1007/978-3-642-03317-9_1. ISBN 978-3-642-03316-2.

^ Ronald L. Rivest. "The MD6 hash function A proposal to NIST for SHA-3". Archived from the original on 2020-11-09. Retrieved 2008-10-07. (Microsoft PowerPoint file)

^ readme.txt

^ "Fortify-SHA-3-Report" (PDF). Archived from the original (PDF) on 2012-02-22.

^ Rivest, Ronald (July 1, 2009). "OFFICIAL COMMENT: MD6". Retrieved September 27, 2011.

^ Schneier, Bruce (July 1, 2009). "MD6 Withdrawn from SHA-3 Competition". Retrieved July 9, 2009.

^ Heilman, Ethan (July 10, 2011). "Restoring the Differential Resistance of MD6". Retrieved September 27, 2011.

^ Heilman, Ethan (September 2011). "Improved Differential Analysis". Retrieved September 27, 2011.

External links[edit]

MD6 website
- MD6 reference paper

v t e Cryptographic hash functions and message authentication codes
List Comparison Known attacks
Common functions	MD5 (compromised) SHA-1 (compromised) SHA-2 SHA-3 BLAKE2
SHA-3 finalists	BLAKE Grøstl JH Skein Keccak (winner)
Other functions	BLAKE3 CubeHash ECOH FSB Fugue GOST HAS-160 HAVAL Kupyna LSH Lane MASH-1 MASH-2 MD2 MD4 MD6 MDC-2 N-hash RIPEMD RadioGatún SIMD SM3 SWIFFT Shabal Snefru Streebog Tiger VSH Whirlpool
Password hashing/ key stretching functions	Argon2 Balloon bcrypt Catena crypt LM hash Lyra2 Makwa PBKDF2 scrypt yescrypt
General purpose key derivation functions	HKDF KDF1/KDF2
MAC functions	CBC-MAC DAA GMAC HMAC NMAC OMAC/CMAC PMAC Poly1305 SipHash UMAC VMAC
Authenticated encryption modes	CCM ChaCha20-Poly1305 CWC EAX GCM IAPM OCB
Attacks	Collision attack Preimage attack Birthday attack Brute-force attack Rainbow table Side-channel attack Length extension attack
Design	Avalanche effect Hash collision Merkle–Damgård construction Sponge function HAIFA construction
Standardization	CAESAR Competition CRYPTREC NESSIE NIST hash function competition Password Hashing Competition NSA Suite B CNSA
Utilization	Hash-based cryptography Merkle tree Message authentication Proof of work Salt Pepper

Cryptography

General

Mathematics

Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=MD6&oldid=1225795491" Categories: ●Cryptographic hash functions ●NIST hash function competition Hidden categories: ●Articles with short description ●Short description matches Wikidata ●This page was last edited on 26 May 2024, at 19:32 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view