Preimage Attacks on Reduced-Round Stribog

In August 2012, the Stribog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). Stribog employs twelve rounds of an AES-based compression function operating in Miyaguchi-Preneel mode. In this paper, we investigate the preimage resistance of the Stribog hash function. In particular, we apply a meet in the middle preimage attack on the compression function which allows us to obtain a 5-round pseudo preimage for a given compression function output with time complexity of 2448 and memory complexity of 264. Additionally, we adopt a guess and determine approach to obtain a 6-round chunk separation that balances the available degrees of freedom and the guess size. The proposed chunk separation allows us to attack 6 out of 12 rounds with time and memory complexities of 2496 and 2112, respectively. Finally, by employing a multicollision attack, we show that preimages of the 5 and 6-round reduced hash function can be generated with time complexity of 2481 and 2505, respectively. The two preimage attacks have equal memory complexity of 2256.

[1]  Florian Mendel,et al.  A (Second) Preimage Attack on the GOST Hash Function , 2008, FSE.

[2]  Yu Sasaki,et al.  Meet-in-the-Middle Preimage Attacks on AES Hashing Modes and an Application to Whirlpool , 2011, FSE.

[3]  Florian Mendel,et al.  Symmetric Cryptography , 2009 .

[4]  Amr M. Youssef,et al.  Integral distinguishers for reduced-round Stribog , 2014, Inf. Process. Lett..

[5]  Xuejia Lai,et al.  Hash Function Based on Block Ciphers , 1992, EUROCRYPT.

[6]  Huaxiong Wang,et al.  Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2 , 2010, ASIACRYPT.

[7]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[8]  Antoine Joux,et al.  Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions , 2004, CRYPTO.

[9]  Vincent Rijmen,et al.  The WHIRLPOOL Hashing Function , 2003 .

[10]  Amr M. Youssef,et al.  Rebound Attacks on Stribog , 2013, ICISC.

[11]  Yu Sasaki,et al.  Preimage Attacks on One-Block MD4, 63-Step MD5 and More , 2009, Selected Areas in Cryptography.

[12]  Shuang Wu,et al.  Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks , 2012, ASIACRYPT.

[13]  J. Leasure,et al.  Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3 , 2007 .

[14]  Yu Sasaki,et al.  Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1 , 2009, CRYPTO.

[15]  Yu Sasaki,et al.  Improved Preimage Attack for 68-Step HAS-160 , 2009, ICISC.

[16]  Shuang Wu,et al.  (Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others , 2012, FSE.

[17]  V. A. Shishkin,et al.  Некоторые методы анализа функций хэширования и их применение к алгоритму ГОСТ Р 34.11-94 , 2012 .

[18]  Oleksandr Kazymyrov,et al.  Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 , 2013, IACR Cryptol. ePrint Arch..

[19]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[20]  Florian Mendel,et al.  Cryptanalysis of the GOST Hash Function , 2008, CRYPTO.

[21]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[22]  Jian Guo,et al.  Preimages for Step-Reduced SHA-2 , 2009, IACR Cryptol. ePrint Arch..