MD6 bows out gracefully from SHA-3 Competition

Written by Editor on July 01, 2009

Ron Rivest has withdrawn MD6 from the running in the NIST SHA-3 competition. In an email to the NIST hash forum mailing list he commented:

“We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward.”

The reasoning appears to be a trade-off between speed and provable security. For MD6 to be fast enough to compete with the other submissions, the designers would have to reduce the number of rounds to somewhere around 30-40. At that round count, however, MD6 loses its proof of resistance to differential attacks, which only covers the original, larger number of rounds. Rivest's email puts it this way:

“Thus, while MD6 appears to be a robust and secure cryptographic hash algorithm, and has much merit for multi-core processors, our inability to provide a proof of security for a reduced-round (and possibly tweaked) version of MD6 against differential attacks suggests that MD6 is not ready for consideration for the next SHA-3 round.”

This seems a quite graceful exit from the process by Ron Rivest, especially as no attacks against MD6 are known. Meanwhile other SHA-3 candidates have been seriously broken, and their submitters are attempting to keep up the pretence that they have not.