Practical Key Recovery Attack against Secret IV Edon R

pages

English

Documents

Écrit par
Gaëtan Leurent

Publié par
pefav

Lire un extrait

Obtenez un accès à la bibliothèque pour le consulter en ligne En savoir plus

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

pages

English

Ebook

Lire un extrait

Obtenez un accès à la bibliothèque pour le consulter en ligne En savoir plus

Publié par

pefav

Nombre de lectures

Langue

English

Practical Key Recovery Attack against Secret-IV Edon-R Gaëtan Leurent École Normale Supérieure – Département d'Informatique, 45 rue d'Ulm, 75230 Paris Cedex 05, France Abstract. The SHA-3 competition has been organized by NIST to se- lect a new hashing standard. Edon-R was one of the fastest candidates in the first round of the competition. In this paper we study the security of Edon-R, and we show that using Edon-R as a MAC with the secret- IV or secret-prefix construction is unsafe. We present a practical attack in the case of Edon-R256, which requires 32 queries, 230 computations, negligible memory, and a precomputation of 252. The main part of our attack can also be adapted to the tweaked Edon-R in the same settings: it does not yield a key-recovery attack, but it allows a selective forgery attack. This does not directly contradict the security claims of Edon-R or the NIST requirements for SHA-3, since the recommended mode to build a MAC is HMAC. However, we believe that it shows a major weakness in the design. Key words: Hash functions, SHA-3, Edon-R, MAC, secret IV, secret prefix, key recovery. 1 Introduction In 2005, a team of researchers led by X.

against iterated

macs based

based

hash functions

secret key

against many

secret prefix

recovery attack against

mac oracle

Voir

Publié par

pefav

Nombre de lectures

Langue

English

Hash function Key (cryptography)

PracticalKeyRecoveryAttackagainstSecret-IVEdon-RGaëtanLeurentÉcoleNormaleSupérieure–Départementd’Informatique,45rued’Ulm,75230ParisCedex05,FranceGaetan.Leurent@ens.frAbstract.TheSHA-3competitionhasbeenorganizedbyNISTtose-lectanewhashingstandard.Edon-Rwasoneofthefastestcandidatesintheﬁrstroundofthecompetition.InthispaperwestudythesecurityofEdon-R,andweshowthatusingEdon-RasaMACwiththesecret-IVorsecret-preﬁxconstructionisunsafe.WepresentapracticalattackinthecaseofEdon-R256,whichrequires32queries,230computations,negligiblememory,andaprecomputationof252.ThemainpartofourattackcanalsobeadaptedtothetweakedEdon-Rinthesamesettings:itdoesnotyieldakey-recoveryattack,butitallowsaselectiveforgeryattack.ThisdoesnotdirectlycontradictthesecurityclaimsofEdon-RortheNISTrequirementsforSHA-3,sincetherecommendedmodetobuildaMACisHMAC.However,webelievethatitshowsamajorweaknessinthedesign.Keywords:Hashfunctions,SHA-3,Edon-R,MAC,secretIV,secretpreﬁx,keyrecovery.1IntroductionIn2005,ateamofresearchersledbyX.Wangproducedbreakthroughattacksagainstmanywidelyusedhashfunctions,includingMD5[12]andSHA-1[11].ThishasledNISTtocallforanewhashfunctiondesign,andtolaunchtheSHA-3competition[7].Thiscompetitionhasfocusedtheattentionofmanycryptographers,andNISTreceived64submissions.51designswereacceptedtotheﬁrstround.Edon-Rwasoneofthefastestcandidatesintheﬁrstroundofthecompeti-tion.Ithasreceivedsomeattentionfromthecryptographiccommunity,resultinginvariousattacksonthecompressionfunction.Thereisalsoapreimageattackonthefullhashfunction,butitrequiresofhugeamountofmemorymakingitdebatable.InthispaperweshowanewattackonEdon-R,whenusedinthesecret-IVorsecret-preﬁxMACconstruction.Thismodeofoperationisnotclaimedtobesecurebythedesigners,butourattackhasnomemoryrequirement,andisevenpracticalattack,whilepreviousattacksarelargelytheoretical.OurapproachissimilartotheonefollowedbyWangetal.whostudiedasimilarMACused1

Voir