Rebound Attacks on Stribog

In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11–2012). Stribog is an AES-based primitive and is considered an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75-round free-start near collision for the internal cipher with complexities \(2^8\) and \(2^{40}\), respectively. Finally, the compression function is analyzed, and a 7.75-round semi free-start collision and 8.75- and 9.75-round semi free-start near collisions are presented, along with an example of a 4.75-round near-colliding message pair that collides on 50 out of 64 bytes.
