Cryptology ePrint Archive: Report 2014/319

Preimage attacks on Reduced-round Stribog

Riham AlTawy and Amr M. Youssef

Abstract: In August 2012, the Stribog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). Stribog employs twelve rounds of an AES-based compression function operating in Miyaguchi-Preneel mode. In this paper, we investigate the preimage resistance of the Stribog hash function. Specifically, we apply a meet in the middle preimage attack on the compression function which allows us to obtain a 5-round pseudo preimage for a given compression function output with time complexity of $2^{448}$ and memory complexity of $2^{64}$. Additionally, we adopt a guess and determine approach to obtain a 6-round chunk separation that balances the available degrees of freedom and the guess size. The proposed chunk separation allows us to attack 6 out of 12 rounds with time and memory complexities of $2^{496}$ and $2^{112}$, respectively. Finally, employing $2^t$ multicollision, we show that preimages of the 5 and 6-round reduced hash function can be generated with time complexity of $2^{481}$ and $2^{505}$, respectively. The two preimage attacks have equal memory complexity of $2^{256}$.

Category / Keywords: foundations / Cryptanalysis, Hash functions, Meet in the middle, Preimage attack, GOST R 34.11-2012, Stribog

Original Publication (in the same form): AfricaCrypt 2014

Date: received 5 May 2014

Contact author: rihammahdy at hotmail com

Available format(s): PDF | BibTeX Citation

Version: 20140506:093324 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]