Differential Fault Analysis of Streebog

In August 2012, the Streebog hash function was selected as the new Russian federal hash function standard (GOST R 34.11-2012). In this paper, we present a fault analysis attack on this new hashing standard. In particular, our attack considers the compression function in the secret key setting, where both the input chaining value and the message block are unknown. The fault model adopted is one in which an attacker is assumed to be able to cause a bit-flip at a random byte in the internal state of the underlying cipher of the compression function. We also consider the case where the position of the faulted byte can be chosen by the attacker. We then propose a two-stage approach that recovers the two secret inputs of the compression function using an average number of faults that varies between 338 and 1640, depending on the assumptions of our employed fault model. Moreover, we show that the attack can be extended to the iterated hash function using a feasible pre-computation stage. Finally, we analyze Streebog in different MAC settings and demonstrate how our attack can be used to recover the secret key of HMAC/NMAC-GOST.
