Practical Key Recovery Attack against Secret-IV Edon-

10 years 1 months ago
Practical Key Recovery Attack against Secret-IV Edon-
Abstract. The SHA-3 competition has been organized by NIST to select a new hashing standard. Edon-R was one of the fastest candidates in the first round of the competition. In this paper we study the security of Edon-R, and we show that using Edon-R as a MAC with the secretIV or secret-prefix construction is unsafe. We present a practical attack in the case of Edon-R256, which requires 32 queries, 230 computations, negligible memory, and a precomputation of 252 . The main part of our attack can also be adapted to the tweaked Edon-R in the same settings: it does not yield a key-recovery attack, but it allows a selective forgery attack. This does not directly contradict the security claims of Edon-R or the NIST requirements for SHA-3, since the recommended mode to build a MAC is HMAC. However, we believe that it shows a major weakness in the design. Key words: Hash functions, SHA-3, Edon-R, MAC, secret IV, secret prefix, key recovery.
Gaëtan Leurent
Added 18 May 2010
Updated 18 May 2010
Type Conference
Year 2010
Authors Gaëtan Leurent
Comments (0)