Lead Architect: Ronald L. Rivest

The MD6 Hash Algorithm

The MD6 hash algorithm is a cryptographic hash algorithm developed at MIT by a team led by Professor Ronald L. Rivest in response to the call for proposals for a SHA-3 cryptographic hash algorithm by the National Institute of Standards and Technology.

This web site provides information about MD6, including a copy of the materials that were submitted to NIST. This site is organized chronologically, with the most recent material first.

9-2011 Ethan Heilman's improved differential analysis

New results re-establish the differential resistance of MD6 and extend the previous analysis to prove that MD6 is resistant to differential cryptanalysis, doubling the number of rounds in the security margin for which MD6 is proven secure against differential attacks. The paper is available here. The source code can be found here and on Ethan's GitHub account here. Ethan can be contacted at ethan@geographicslab.org.

7-03-2009 Official comment on MD6

On July 1, 2009, we posted this comment to NIST regarding MD6.

It should be fairly self-explanatory, but the following points may be worth noting:

  • We are not withdrawing our submission; NIST is free to select MD6 for further consideration in the next round if it wishes. But at this point MD6 doesn't meet our own standards for what we believe should be required of a SHA-3 candidate, and we suggest that NIST might do better looking elsewhere. In particular, we feel that a minimum "ticket of admission" for SHA-3 consideration should be a proof of resistance to basic differential attacks, and we don't know how to make such a proof for a reduced-round MD6.
  • Furthermore, we may be able to "resuscitate" MD6 via some clever innovation in our proof methodology, or some clever "tweak" that would allow a proof to go through. We'll let NIST know if we find something. But we are not particularly optimistic.
  • We do not know of any effective attacks on MD6, even for MD6 with substantial reductions in the number of rounds. But absence of evidence of weaknesses is not evidence of absence of weaknesses; this is why we feel strongly that provable resistance to at least basic differential attacks should be a firm requirement for SHA-3 candidates.
4-15-2009 Revised NIST submission package

We have prepared a revised version of our MD6 NIST submission package. This revision corrects two coding errors in the previous version (i.e., in the 2009-01-15 version). Thanks to Piotr Krysiuk and R. L. Vaughn for reporting these errors to us!

This revision does not affect any of the results reported in the original document, but it does affect the KAT/MCT results we previously submitted; new versions of these results are included in this revised MD6 package. Some users of the earlier MD6 code may also be affected; depending on the MD6 interface utilized, results inconsistent with the MD6 specification may be obtained. More details are available in the changelist.

2-23-2009 FSE Paper

Yevgeniy Dodis, Leo Reyzin, Ronald L. Rivest, and Emily Shen presented their paper, "Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Application to MD6," at the 2009 Fast Software Encryption Conference (Leuven, Feb. 23, 2009).

2-21-2009 MD6 Report Correction

Some figures were accidentally left out of the revised MD6 report submission to NIST. We have posted another revised version of the MD6 report including these figures.

1-15-2009 Revised NIST submission

We have submitted a revised version of MD6 to NIST. The revision corrects a buffer overflow error present in the original version. Many thanks to Doug Held and Fortify for discovering and helping us correct this issue.

This revision does not affect any of the results reported in the original document. More details are available in the changelist.

10-2008 NIST submission

The MD6 submission package is available here.

A hardware implementation is available on OpenCores.

9-20-2008 Crypto'08 slides

The first public presentation of MD6 was made on 9/20/08 at the Crypto'08 conference, where Prof. Rivest gave an invited talk on MD6.

His PowerPoint slides are here.

6-2008 Crutchfield's thesis

The Master's thesis of Christopher Crutchfield, entitled "Security Proofs for the MD6 Mode of Operation," is available here.