Information Processing Letters 114 (2014) 655–662
Contents lists available at ScienceDirect
Information Processing Letters
www.elsevier.com/locate/ipl
Cryptanalysis of GOST R hash function
✩
Zongyue Wang
a
, Hongbo Yu
b,∗
, Xiaoyun Wang
a,b,c
a
Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China
b
Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
c
Institute for Advanced Study , Tsinghua University, Beijing 10084, China
a r t i c l e i n f o a b s t r a c t
Article history:
Received
8 May 2013
Received
in revised form 9 April 2014
Accepted
7 July 2014
Available
online 22 July 2014
Communicated
by S.M. Yiu
Keywords:
Cryptography
Hash
function
GOST R
Rebound
attack
Multi-collision
GOST R 34.11-2012 is the new Russian hash function standard. This paper presents
some cryptanalytic results on GOST R. Using the rebound attack technique, we achieve
collision attacks on the reduced round compression function. Result on up to 9.5 rounds is
proposed, the time complexity is 2
176
and the memory requirement is 2
128
bytes. Based
on the 9.5-round collision result, a limited birthday distinguisher is presented. More over,
a k-collision on 512-bit version of GOST R is constructed which shows the weakness of the
structure used in GOST R.
© 2014 Elsevier B.V. All rights reserved.
1. Introduction
Hash functions are taking important roles in cryptogra-
phy
and have been used in many applications, e.g., digi-
tal
signatures, authentications and message integrity. Since
the break of MD5 and SHA-1 [1,2], cryptographers have
been searching for secure and efficient hash functions. Stri-
bog
[3] is proposed by Grebnev et al. It was selected as the
new Russian hash standard (GOST R 34.11-2012) in August
2012. Similar as the structure of Whirlpool [4], it also uses
an AES-like block cipher in its compression function.
Rebound
attack is a freedom degrees utilized technique
which can be applied to find collisions in both permuta-
tion
based and block cipher based hash constructions. This
technique was firstly proposed by Mendel et al. to achieve
collision attacks on reduced Whirlpool and Grøstl [5]. It
aims to find a pair of values that follows a pre-determined
✩
Supported by 973 program (No. 2013CB834205), the National Natural
Science Foundation of China (Nos. 61133013 and 61373142), the Tsinghua
University Initiative Scientific Research Program (No. 20111080970) and
“12th Five-year plan” the National Development Foundation for Crypto-
logical
Research (No. MMJJ201401009).
*
Corresponding author.
truncated differential efficiently. The searching procedure
is divided into two phase: the inbound phase and the out-
bound
phase. In inbound phase the attacker makes full use
of the available degrees of freedom and generates suffi-
ciently
many paired values that satisfy the truncated dif-
ferential
path of the inbound phase as starting points. The
subsequent outbound phase tests these starting points in
order to find paired values that satisfy the truncated dif-
ferential
path of the outbound phase.
Giving
better results on Whirlpool, Lamberger et al. im-
proved
this technique in [6]. Available degrees of freedom
of the key schedule are used to extended the inbound
phase of the rebound attack by up to two rounds. The best
result of [6] is near-collision attack on 9.5 rounds of the
compression function with a complexity of 2
176
. And this
result is further turned into the first distinguishing attack
for the full 10 round compression function of Whirlpool.
As an independent work, Gilbert et al. bring in Super-Sbox
technique to rebound attack in [7] where two rounds of
AES-like permutations were viewed as a layer of Super-
Sbox.
Besides, the rebound technique can also be applied
to analysis AES and AES-like block ciphers [8,9] as well as
ARX ciphers [10]. Recently, using techniques adapted from
http://dx.doi.org/10.1016/j.ipl.2014.07.007
0020-0190/
© 2014 Elsevier B.V. All rights reserved.