Cryptology ePrint Archive: Report 2009/135

Practical Key Recovery Attack against Secret-prefix Edon-R

Gaëtan Leurent

Abstract: Edon-R is one of the fastest SHA-3 candidate. In this paper we study the security of Edon-R, and we show that using Edon-R as a MAC with the secret prefix construction is unsafe. We present a practical attack in the case of Edon-R256, which requires 32 queries, 2^30 computations, negligible memory, and a precomputation of 2^50 . This does not directly contradict the security claims of Edon-R or the NIST requirements for SHA-3, but we believe it shows a strong weakness in the design.

Category / Keywords: secret-key cryptography / hash functions, SHA-3, Edon-R, MAC, secret prefix, key recovery.

Date: received 23 Mar 2009, last revised 3 Jun 2009

Contact author: gaetan leurent at ens fr

Available format(s): PDF | BibTeX Citation

Note: Improved attack with practical complexity.

Version: 20090603:123728 (All versions of this report)

Short URL: ia.cr/2009/135

Discussion forum: Show discussion | Start new discussion