
Ron Rivest on why MD6 was withdrawn from the SHA-3 contest at NIST - soundsop
http://groups.csail.mit.edu/cis/md6/OFFICIAL_COMMENT_MD6_2009-07-01.txt
======
scscsc
It seems to be a very classy withdrawal. I wonder how much the other
candidates satisfy the two 'suggestions'.

~~~
omail
You echo Bruce Schneier's sentiments.

<http://www.schneier.com/blog/archives/2009/07/md6.html>

------
jacquesm
In case anybody is interested, the md6 reference implementation is here:
[http://groups.csail.mit.edu/cis/md6/code/md6_c_code-2009-04-...](http://groups.csail.mit.edu/cis/md6/code/md6_c_code-2009-04-15.zip)
, this was the one submitted to NIST and has now apparently been withdrawn.

------
neilc
Note that this is not identical to withdrawing MD6 from the "SHA-3 contest" --
they are just not entering the next round of the contest, because they haven't
figured out how to prove the resistance of MD6 to differential attacks while
making it as efficient as NIST require.

<http://groups.csail.mit.edu/cis/md6/>

------
ars
Why not submit it on a provisional basis? i.e. full rounds, and let it be
slow.

Would NIST reject it outright?

