This web site provides information about MD6, including a copy of the materials that were submitted to NIST. This site is organized chronologically, with the most recent material first.
New results to reestablish the differential resistance of MD6 and extend previous analysis to prove that MD6 is resistant to differential cryptanalysis, doubling the number of rounds in the security margin for which MD6 is proven secure against differential attacks. The paper is available
The source code can be found here and on Ethan's GitHub account here. Ethan can be contacted at
On July 1, 2009, we posted this comment to NIST regarding MD6. It should be fairly self-explanatory, but the following points may be worth noting:
We have prepared a revised version of our MD6 NIST submission package. This revision corrects two coding errors in the previous version (i.e., in the 2009-01-15 version). Thanks to Piotr Krysiuk and R. L. Vaughn for reporting these errors to us!
This revision does not affect any of the results reported in the original document, but it does affect the KAT/MCT results we previously submitted; new versions of these results are included in this revised MD6 package. Some users of the earlier MD6 code may also be affected; depending on the MD6 interface utilized, results inconsistent with the MD6 specification may be obtained. More details are available in the changelist.
Yevgeniy Dodis, Leo Reyzin, Ronald L. Rivest, and Emily Shen presented their paper, Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Application to MD6 at the 2009 Fast Software Encryption Conference (Leuven, Feb. 23, 2009).
Some figures were accidentally left out of the revised MD6 report submission to NIST. We have posted another revised version of the MD6 report including these figures.
We have submitted a revised version of MD6 to NIST. The revision corrects a buffer overflow error present in the original version. Many thanks to Doug Held and Fortify for discovering and helping us correct this issue.
This revision does not affect any of the results reported in the original document. More details are available in the changelist.
The MD6 submission package is available here.
A hardware implementation is available on OpenCores.
The first public presentation of MD6 was made on 9/20/08 at the Crypto'08 conference, where Prof. Rivest gave an invited talk on MD6.
His PowerPoint slides are here.
The Master's thesis of Christopher Crutchfield, entitled "Security Proofs for the MD6 Mode of Operation," is available here.