Advertisement

Practical Key Recovery Attack against Secret-IV Edon-\(\mathcal R\)

  • Gaëtan Leurent
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)

Abstract

The SHA-3 competition has been organized by NIST to select a new hashing standard. Edon-\(\mathcal R\) was one of the fastest candidates in the first round of the competition. In this paper we study the security of Edon-\(\mathcal R\), and we show that using Edon-\(\mathcal R\) as a MAC with the secret-IV or secret-prefix construction is unsafe. We present a practical attack in the case of Edon-\(\mathcal R\)[256], which requires 32 queries, 230 computations, negligible memory, and a precomputation of 252. The main part of our attack can also be adapted to the tweaked Edon-\(\mathcal R\) in the same settings: it does not yield a key-recovery attack, but it allows a selective forgery attack.

This does not directly contradict the security claims of Edon-\(\mathcal R\) or the NIST requirements for SHA-3, since the recommended mode to build a MAC is HMAC. However, we believe that it shows a major weakness in the design.

Keywords

Hash functions SHA-3 Edon-\(\mathcal R\) MAC secret IV secret prefix key recovery 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Chang, D., Nandi, M.: Improved Indifferentiability Security Analysis of chopMD Hash Function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 429–443. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., Luotonen, A., Sink, E., Stewart, L.: RFC2069: An extension to HTTP: Digest access authentication. Internet RFCs (1997)Google Scholar
  3. 3.
    Gligoroski, D., Klima, V.: Official Comment: Edon \(\mathcal R\). SHA-3 forum (May 2009)Google Scholar
  4. 4.
    Gligoroski, D., Ødegråd, R.S., Mihova, M., Knapskog, S.J., Kocarev, L., Drápal, A., Klima, V.: Cryptographic Hash Function EDON-R. Submission to NIST (2008)Google Scholar
  5. 5.
    Khovratovich, D., Nikolić, I., Weinmann, R.P.: Cryptanalysis of Edon-R. Available online (2008) Google Scholar
  6. 6.
    Klima, V.: Multicollisions of EDON-R hash function and other observations (2008)Google Scholar
  7. 7.
    National Institute of Standards and Technology: Cryptographic Hash Algorithm Competition, http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
  8. 8.
    Novotney, P., Ferguson, N.: Detectable correlations in edon-r. Cryptology ePrint Archive, Report 2009/378 (2009), http://eprint.iacr.org/
  9. 9.
    Preneel, B., van Oorschot, P.C.: On the Security of Iterated Message Authentication Codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999)zbMATHCrossRefGoogle Scholar
  10. 10.
    Wang, X., Wang, W., Jia, K., Wang, M.: New Distinguishing Attack on MAC using Secret-Prefix Method. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 363–374. Springer, Heidelberg (2009)Google Scholar
  11. 11.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  12. 12.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Gaëtan Leurent
    • 1
  1. 1.Département d’InformatiqueÉcole Normale SupérieureParis Cedex 05France

Personalised recommendations