Practical Key Recovery Attack against Secret-IV Edon-\(\mathcal R\)

  • Gaëtan Leurent
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)


The SHA-3 competition has been organized by NIST to select a new hashing standard. Edon-\(\mathcal R\) was one of the fastest candidates in the first round of the competition. In this paper we study the security of Edon-\(\mathcal R\), and we show that using Edon-\(\mathcal R\) as a MAC with the secret-IV or secret-prefix construction is unsafe. We present a practical attack in the case of Edon-\(\mathcal R\)[256], which requires 32 queries, \(2^{30}\) computations, negligible memory, and a precomputation of \(2^{52}\). The main part of our attack can also be adapted to the tweaked Edon-\(\mathcal R\) in the same settings: it does not yield a key-recovery attack, but it allows a selective forgery attack.

This does not directly contradict the security claims of Edon-\(\mathcal R\) or the NIST requirements for SHA-3, since the recommended mode to build a MAC is HMAC. However, we believe that it shows a major weakness in the design.


Keywords: Hash functions, SHA-3, Edon-\(\mathcal R\), MAC, secret IV, secret prefix, key recovery





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Gaëtan Leurent, Département d’Informatique, École Normale Supérieure, Paris Cedex 05, France
