MD6 was considered one of the favorites. However, in an email posted to the NIST mailing list on the first of July, Ron Rivest (the R in RSA) announced that, in his view, MD6 was not ready for the second round of the SHA-3 competition.
"We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward."

So what happened? The MD6 algorithm was too slow compared to the SHA-2 family algorithms and the other competitors. The computational efficiency of an algorithm is obviously an important selection criterion. To gain speed, the MD6 team decided to reduce the number of rounds from 80 down to 40. But while the initial MD6 algorithm had a security proof against differential cryptanalysis [1], Rivest and his team were not able to provide such a proof for the reduced version.
"The MD6 team has worked hard to see if a reduced-round version of MD6 could be proven resistant to differential attacks. So far, we have failed to do so."

This does not mean at all that MD6 has been broken, or that the new version with fewer rounds is weaker, but it seems to have been enough for Rivest to give up on the contest:
"While MD6 appears to be a robust and secure cryptographic hash algorithm, and has much merit for multi-core processors, our inability to provide a proof of security for a reduced-round (and possibly tweaked) version of MD6 against differential attacks suggests that MD6 is not ready for consideration for the next SHA-3 round."
[1] Differential cryptanalysis: a type of cryptanalysis that studies how differences in the input affect the algorithm's output, in order to extract information about a secret or find a weakness in the algorithm.