Paul Hoffman wrote:
> At 10:39 AM -0700 7/4/09, Hal Finney wrote:
>> But how many other hash function candidates would also be excluded if
>> such a stringent criterion were applied? Or turning it around, if NIST
>> demanded a proof of immunity to differential attacks as Rivest proposed,
>> how many candidates have offered such a proof, in variants fast enough
>> to beat SHA2?
> The more important question, and one that I hope gets dealt with, is
> what is a sufficient proof. We know what proofs are, but we don't have
> a precise definition. We know what a proof should look like, sort
> of. Ron and his crew have their own definition, and they can't make
> MD6 work within that definition. But that doesn't mean that NIST
> wouldn't have accepted the fast-enough MD6 with a proof from someone
> else.
Mathematicians have a precise definition of what a proof is, thanks to
logicians like David Hilbert and Kurt Goedel. But people in all
disciplines have a terrible time formulating problems, and remembering
the conditions under which a statement was proved. They also quote
theorems incorrectly, and errors propagate through the less
well-reviewed parts of the literature.

Josh Rubin
jlru...@gmail.com