Practical Key Recovery Attack against Secret-IV Edon-\(\mathcal R\)
The SHA-3 competition has been organized by NIST to select a new hashing standard. Edon-\(\mathcal R\) was one of the fastest candidates in the first round of the competition. In this paper we study the security of Edon-\(\mathcal R\), and we show that using Edon-\(\mathcal R\) as a MAC with the secret-IV or secret-prefix construction is unsafe. We present a practical attack in the case of Edon-\(\mathcal R\), which requires 32 queries, \(2^{30}\) computations, negligible memory, and a precomputation of \(2^{52}\). The main part of our attack can also be adapted to the tweaked Edon-\(\mathcal R\) in the same settings: it does not yield a key-recovery attack, but it allows a selective forgery attack.
This does not directly contradict the security claims of Edon-\(\mathcal R\) or the NIST requirements for SHA-3, since the recommended mode to build a MAC is HMAC. However, we believe that it shows a major weakness in the design.
Keywords: Hash functions, SHA-3, Edon-\(\mathcal R\), MAC, secret IV, secret prefix, key recovery