At 10:39 AM -0700 7/4/09, Hal Finney wrote:
>But how many other hash function candidates would also be excluded if
>such a stringent criterion were applied? Or turning it around, if NIST
>demanded a proof of immunity to differential attacks as Rivest proposed,
>how many candidates have offered such a proof, in variants fast enough
>to beat SHA-2?

Several hash candidates have proofs against differential attacks but only four with such proofs are faster than SHA-2 (Edon-R, Shabal, Cheetah and Keccak). But according to http://eprint.iacr.org/2008/511.pdf Keccak and Cheetah in 32-bit mode are not actually faster than SHA-2.

C.K.F. Lin

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com