Cryptology ePrint Archive: Report 2014/375
Improved Cryptanalysis on Reduced-Round GOST and Whirlpool Hash Function (Full Version)
Bingke Ma and Bao Li and Ronglin Hao and Xiaoqian Li
Abstract: The GOST hash function family has served as the new Russian national hash standard (GOST R 34.11-2012) since January 1, 2013, and it has two members, $i.e.$, GOST-256 and GOST-512 which correspond to two different output lengths. Most of the previous analyses of GOST emphasize on the compression function rather than the hash function. In this paper, we focus on security properties of GOST under the hash function setting. First we give two improved preimage attacks on 6-round GOST-512 compared with the previous preimage attack, $i.e.$, a time-reduced attack with the same memory requirements and a memoryless attack with almost identical time. Then we improve the best collision attack on reduced GOST-256 (resp. GOST-512) from 5 rounds to 6.5 (resp. 7.5) rounds. Finally, we construct a limited-birthday distinguisher on 9.5-round GOST using the limited-birthday distinguisher on hash functions proposed at ASIACRYPT 2013. An essential technique used in our distinguisher is the carefully chosen differential trail, which can further exploit freedom degrees in the inbound phase when launching rebound attacks on the GOST compression function. This technique helps us to reduce the time complexity of the distinguisher significantly. We apply this strategy to Whirlpool, an ISO standardized hash function, as well. As a result, we construct a limited-birthday distinguisher on 9-round Whirlpool out of 10 rounds, and reduce the time complexity of the previous 7-round distinguisher. To the best of our knowledge, all of our results are the best cryptanalytic results on GOST and Whirlpool in terms of the number of rounds analyzed under the hash function setting.
Category / Keywords: secret-key cryptography / hash function, GOST, Whirlpool, multicollision, preimage, collision, limited-birthday distinguisher
Original Publication (with minor differences): ACNS 2014
Date: received 27 May 2014
Contact author: bkma at is ac cn
Available format(s): PDF | BibTeX Citation
Note: This article is the full version of the paper published at ACNS 2014.
Version: 20140528:163552 (All versions of this report)
Short URL: ia.cr/2014/375
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]