Improved Indifferentiability Security Analysis of chopMD Hash Function
Fast Software Encryption
New Distinguishing Attack on MAC Using Secret-Prefix Method
Fast Software Encryption
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
How to break MD5 and other hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
On the security of iterated message authentication codes
IEEE Transactions on Information Theory
Hi-index | 0.00 |
The SHA-3 competition has been organized by NIST to select a new hashing standard. Edon-$\mathcal R$ was one of the fastest candidates in the first round of the competition. In this paper we study the security of Edon-$\mathcal R$, and we show that using Edon-$\mathcal R$ as a MAC with the secret-IV or secret-prefix construction is unsafe. We present a practical attack in the case of Edon-$\mathcal R$[256], which requires 32 queries, 230 computations, negligible memory, and a precomputation of 252. The main part of our attack can also be adapted to the tweaked Edon-$\mathcal R$ in the same settings: it does not yield a key-recovery attack, but it allows a selective forgery attack. This does not directly contradict the security claims of Edon-$\mathcal R$ or the NIST requirements for SHA-3, since the recommended mode to build a MAC is HMAC. However, we believe that it shows a major weakness in the design.