Paper 2015/956

Analysis of the Kupyna-256 Hash Function

Christoph Dobraunig, Maria Eichlseder, and Florian Mendel

Abstract

The hash function Kupyna was recently published as the Ukrainian standard DSTU 7564:2014. It is structurally very similar to the SHA-3 finalist Grøstl, but differs in details of the round transformations. Most notably, some of the round constants are added with a modular addition, rather than bitwise xor. This change prevents a straightforward application of some recent attacks, in particular of the rebound attacks on the compression function of similar AES-like hash constructions. However, we show that it is actually possible to mount rebound attacks, despite the presence of modular constant additions. More specifically, we describe collision attacks on the compression function for 6 (out of 10) rounds of Kupyna-256 with an attack complexity of 2^{70}, and for 7 rounds with complexity 2^{125.8}. In addition, we have been able to use the rebound attack for creating collisions for the round-reduced hash function itself. This is possible for 4 rounds of Kupyna-256 with complexity 2^{67} and for 5 rounds with complexity 2^{120}.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published by the IACR in FSE 2016
Keywords
hash functionscryptanalysiscollisionsfree-start collisionsKupynarebound attack
Contact author(s)
christoph dobraunig @ iaik tugraz at
History
2016-09-19: last of 2 revisions
2015-10-01: received
See all versions
Short URL
https://ia.cr/2015/956
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2015/956,
      author = {Christoph Dobraunig and Maria Eichlseder and Florian Mendel},
      title = {Analysis of the Kupyna-256 Hash Function},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/956},
      year = {2015},
      url = {https://eprint.iacr.org/2015/956}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.