Practical Key Recovery Attack against Secret-IV Edon-

The SHA-3 competition has been organized by NIST to select a new hashing standard. Edon-$\mathcal R$ was one of the fastest candidates in the first round of the competition. In this paper we study the security of Edon-$\mathcal R$, and we show that using Edon-$\mathcal R$ as a MAC with the secret-IV or secret-prefix construction is unsafe. We present a practical attack in the case of Edon-$\mathcal R$[256], which requires 32 queries, $2^{30}$ computations, negligible memory, and a precomputation of $2^{52}$. The main part of our attack can also be adapted to the tweaked Edon-$\mathcal R$ in the same settings: it does not yield a key-recovery attack, but it allows a selective forgery attack. This does not directly contradict the security claims of Edon-$\mathcal R$ or the NIST requirements for SHA-3, since the recommended mode to build a MAC is HMAC. However, we believe that it shows a major weakness in the design.
