Paper 2009/135

Practical Key Recovery Attack against Secret-prefix Edon-R

Gaëtan Leurent

Abstract

Edon-R is one of the fastest SHA-3 candidate. In this paper we study the security of Edon-R, and we show that using Edon-R as a MAC with the secret prefix construction is unsafe. We present a practical attack in the case of Edon-R256, which requires 32 queries, 2^30 computations, negligible memory, and a precomputation of 2^50 . This does not directly contradict the security claims of Edon-R or the NIST requirements for SHA-3, but we believe it shows a strong weakness in the design.

Note: Improved attack with practical complexity.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
hash functionsSHA-3Edon-RMACsecret pre&#64257xkey recovery.
Contact author(s)
gaetan leurent @ ens fr
History
2009-06-03: last of 4 revisions
2009-03-27: received
See all versions
Short URL
https://ia.cr/2009/135
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/135,
      author = {Gaëtan Leurent},
      title = {Practical Key Recovery Attack against Secret-prefix Edon-R},
      howpublished = {Cryptology ePrint Archive, Paper 2009/135},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/135}},
      url = {https://eprint.iacr.org/2009/135}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.