Cryptographic hash function Edon-R′

Abstract

In this paper we describe in details the tweaked cryptographic hash function EDON-ℛ that we denote as EDONℛ′ . EDON-ℛ was submitted as a candidate for SHA-3 hash competition organized by National Institute of Standards and Technology (NIST). The difference between originally submitted version of EDON-ℛ and version EDON-ℛ′ is in the added feedback to the original compression function ℛ. The feedback consist of xoring the output of the function ℛ with the previous double pipe value and the value of the current message block. Now, EDON-ℛ′ can be seen as a double-pipe PGV7 hash scheme. The introduced tweak does not invalidates the cryptanalytic efforts to analyze the quasigroup operations used in EDON-ℛ′ , as well as its function ℛ. It also does not affect much the speed of the function. However, this tweak prevents finding free-start collisions and prevents all attacks based on free-start collisions. EDON-ℛ′ is a cryptographic hash function with output size of 𝑛 bits where 𝑛 = 224, 256, 384 or 512. Its conjectured cryptographic security is: 𝑂(2 𝑛 2 ) hash computations for finding collisions, 𝑂(2𝑛) hash computations for finding preimages, 𝑂(2𝑛−𝑘) hash computations for finding second preimages for messages shorter than 2𝑘 bits. Additionally, it is resistant against length-extension attacks, resistant against multicollision attacks and it is provably resistant against differential cryptanalysis. EDON-ℛ′ performance has been measured with Microsoft Visual Studio 2005, and with Intel C++ v 11.0.072. EDON-ℛ′ has been designed to be much more efficient than SHA-2 cryptographic hash functions, while in the same time offering same or better security. The speed of the optimized 32-bit version on defined reference platform with Intel C++ v 11.0.072 is 6.71 cycles/byte for 𝑛 = 224, 256 and 10.74 cycles/byte for 𝑛 = 384, 512. The speed of the optimized 64-bit version on defined reference platform with Intel C++ v 11.0.072 is 4.90 cycles/byte for 𝑛 = 224, 256 and 2.74 cycles/byte for 𝑛 = 384, 512.