Paper 2022/970

Related-key attacks on the compression function of Streebog

Vitaly Kiryukhin, LLC <<SFB Lab>>, Moscow, Russia, JSC <<InfoTeCS>>, Moscow, Russia

Related-key attacks against block ciphers are often considered unrealistic. In practice, as far as possible, the existence of a known "relation" between the secret encryption keys is avoided. Despite this, related keys arise directly in some widely used keyed hash functions. This is especially true for HMAC-Streebog, where known constants and manipulated parameters are added to the secret key. The relation is determined by addition modulo $2$ and $2^{n}$. The security of HMAC reduces to the properties of the underlying compression function. Therefore, as an initial analysis we propose key-recovery methods for 10 and 11 rounds (out of 12) of Streebog compression function in the related-key setting. The result shows that Streebog successfully resists attacks even in the model with such powerful adversaries.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. CTCrypt 2022 - 11th Workshop on Current Trends in Cryptology, June 6–9, 2022, Novosibirsk, Russia
Streebog related-key truncated differentials rebound
Contact author(s)
vitaly kiryukhin @ sfblaboratory ru
2022-07-28: approved
2022-07-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Vitaly Kiryukhin},
      title = {Related-key attacks on the compression function of Streebog},
      howpublished = {Cryptology ePrint Archive, Paper 2022/970},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.