Information Processing Letters 114 (2014) 655–662
Contents lists available at ScienceDirect
Information Processing Letters
www.elsevier.com/locate/ipl
Cryptanalysis of GOST R hash function
✩
Zongyue Wang
a
, Hongbo Yu
b,∗
, Xiaoyun Wang
a,b,c
a
Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China
b
Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
c
Institute for Advanced Study , Tsinghua University, Beijing 10084, China
a r t i c l e i n f o a b s t r a c t
Article history:
Received
8 May 2013
Received
in revised form 9 April 2014
Accepted
7 July 2014
Available
online 22 July 2014
Communicated
by S.M. Yiu
Keywords:
Cryptography
Hash
function
GOST R
Rebound
attack
Multi-collision
GOST R 34.11-2012 is the new Russian hash function standard. This paper presents
some cryptanalytic results on GOST R. Using the rebound attack technique, we achieve
collision attacks on the reduced round compression function. Result on up to 9.5 rounds is
proposed, the time complexity is 2
176
and the memory requirement is 2
128
bytes. Based
on the 9.5-round collision result, a limited birthday distinguisher is presented. More over,
a k-collision on 512-bit version of GOST R is constructed which shows the weakness of the
structure used in GOST R.
© 2014 Elsevier B.V. All rights reserved.
1. Introduction
Hash functions are taking important roles in cryptogra-
phy
and have been used in many applications, e.g., digi-
tal
signatures, authentications and message integrity. Since
the break of MD5 and SHA-1 [1,2], cryptographers have
been searching for secure and efficient hash functions. Stri-
bog
[3] is proposed by Grebnev et al. It was selected as the
new Russian hash standard (GOST R 34.11-2012) in August
2012. Similar as the structure of Whirlpool [4], it also uses
an AES-like block cipher in its compression function.
Rebound
attack is a freedom degrees utilized technique
which can be applied to find collisions in both permuta-
tion
based and block cipher based hash constructions. This
technique was firstly proposed by Mendel et al. to achieve
collision attacks on reduced Whirlpool and Grøstl [5]. It
aims to find a pair of values that follows a pre-determined
✩
Supported by 973 program (No. 2013CB834205), the National Natural
Science Foundation of China (Nos. 61133013 and 61373142), the Tsinghua
University Initiative Scientific Research Program (No. 20111080970) and
“12th Five-year plan” the National Development Foundation for Crypto-
logical
Research (No. MMJJ201401009).
*
Corresponding author.
truncated differential efficiently. The searching procedure
is divided into two phase: the inbound phase and the out-
bound
phase. In inbound phase the attacker makes full use
of the available degrees of freedom and generates suffi-
ciently
many paired values that satisfy the truncated dif-
ferential
path of the inbound phase as starting points. The
subsequent outbound phase tests these starting points in
order to find paired values that satisfy the truncated dif-
ferential
path of the outbound phase.
Giving
better results on Whirlpool, Lamberger et al. im-
proved
this technique in [6]. Available degrees of freedom
of the key schedule are used to extended the inbound
phase of the rebound attack by up to two rounds. The best
result of [6] is near-collision attack on 9.5 rounds of the
compression function with a complexity of 2
176
. And this
result is further turned into the first distinguishing attack
for the full 10 round compression function of Whirlpool.
As an independent work, Gilbert et al. bring in Super-Sbox
technique to rebound attack in [7] where two rounds of
AES-like permutations were viewed as a layer of Super-
Sbox.
Besides, the rebound technique can also be applied
to analysis AES and AES-like block ciphers [8,9] as well as
ARX ciphers [10]. Recently, using techniques adapted from
http://dx.doi.org/10.1016/j.ipl.2014.07.007
0020-0190/
© 2014 Elsevier B.V. All rights reserved.
下载后可阅读完整内容,剩余7页未读,立即下载
weixin_38657457
- 粉丝: 9
- 资源: 971
我的内容管理
展开
最新资源
- WebLogic集群配置与管理实战指南
- AIX5.3上安装Weblogic 9.2详细步骤
- 面向对象编程模拟试题详解与解析
- Flex+FMS2.0中文教程:开发流媒体应用的实践指南
- PID调节深入解析:从入门到精通
- 数字水印技术:保护版权的新防线
- 8位数码管显示24小时制数字电子钟程序设计
- Mhdd免费版详细使用教程:硬盘检测与坏道屏蔽
- 操作系统期末复习指南:进程、线程与系统调用详解
- Cognos8性能优化指南:软件参数与报表设计调优
- Cognos8开发入门:从Transformer到ReportStudio
- Cisco 6509交换机配置全面指南
- C#入门:XML基础教程与实例解析
- Matlab振动分析详解:从单自由度到6自由度模型
- Eclipse JDT中的ASTParser详解与核心类介绍
- Java程序员必备资源网站大全
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
