Paper 2014/879

Watch your Constants: Malicious Streebog

Riham AlTawy and Amr M. Youssef

Abstract

In August 2012, the Streebog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). In this paper, we investigate the new standard in the context of malicious hashing and present a practical collision for a malicious version of the full hash function. In particular, we apply the rebound attack to find three solutions for three different differential paths for four rounds, and using the freedom of the round constants we connect them to obtain a collision for the twelve rounds of the compression function. Additionally, and due to the simple processing of the counter, we bypass the barrier of the checksum finalization step and transfer the compression function collision to the hash function output with no additional cost. The presented attack has a practical complexity and is verified by an example. While the results of this paper may not have a direct impact on the security of the current Streebog hash function, it presents an urge for the designers to publish the origin of the used parameters and the rational behind their choices in order for this function to gain enough confidence and wide spread adoption by the security community.

Metadata
Available format(s)
PDF
Publication info
Preprint. MINOR revision.
Keywords
CryptanalysisHash functionsMalicious hashingRebound attacksGOST R 34.11-2012Streebog
Contact author(s)
r altawy @ gmail com
History
2014-10-28: received
Short URL
https://ia.cr/2014/879
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/879,
      author = {Riham AlTawy and Amr M.  Youssef},
      title = {Watch your Constants: Malicious Streebog},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/879},
      year = {2014},
      url = {https://eprint.iacr.org/2014/879}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.