Cryptology ePrint Archive: Report 2014/879

Watch your Constants: Malicious Streebog

Riham AlTawy and Amr M. Youssef

Abstract: In August 2012, the Streebog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). In this paper, we investigate the new standard in the context of malicious hashing and present a practical collision for a malicious version of the full hash function. In particular, we apply the rebound attack to find three solutions for three different differential paths for four rounds, and using the freedom of the round constants we connect them to obtain a collision for the twelve rounds of the compression function. Additionally, and due to the simple processing of the counter, we bypass the barrier of the checksum finalization step and transfer the compression function collision to the hash function output with no additional cost. The presented attack has a practical complexity and is verified by an example. While the results of this paper may not have a direct impact on the security of the current Streebog hash function, it presents an urge for the designers to publish the origin of the used parameters and the rational behind their choices in order for this function to gain enough confidence and wide spread adoption by the security community.

Category / Keywords: Cryptanalysis, Hash functions, Malicious hashing, Rebound attacks, GOST R 34.11-2012, Streebog

Date: received 23 Oct 2014, last revised 23 Oct 2014

Contact author: r altawy at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20141028:191520 (All versions of this report)

Short URL: ia.cr/2014/879


[ Cryptology ePrint archive ]