Cryptanalysis of the Round-Reduced GOST Hash Function

The GOST hash function, defined in GOST R 34.11-2012, was selected as the new Russian standard on August 7, 2012. It is designed to replace the old Russian standard GOST R 34.11-94. The GOST hash function is an AES-based primitive and is considered as an asymmetric reply to the SHA-3. It is an iterated hash function based on the Merkle-Damgard strengthening design. In addition to the common iterated structure, it defines a checksum computed over all input message blocks. The checksum is then needed for the final hash value computation. In this paper, we show the first cryptanalytic attacks on the round-reduced GOST hash function. Using the combination of Super-Sbox technique and multi-collision, we present collision attacks on 5-round of the GOST-256 and GOST-512 hash function, respectively. The complexity of these collision attacks are both (\(2^{122},2^{64}\)) (in time and memory). Furthermore, we combine the guess-and-determine MitM attack with multi-collision to construct a preimage attack on 6-round GOST-512 hash function. The complexity of the preimage attack is about \(2^{505}\) and the memory requirements is about \(2^{64}\). As far as we know, these are the first attacks on the round-reduced GOST hash function.

[1]  Thomas Peyrin,et al.  Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher , 2009, Selected Areas in Cryptography.

[2]  Vincent Rijmen,et al.  The Rebound Attack and Subspace Distinguishers: Application to Whirlpool , 2015, Journal of Cryptology.

[3]  Xiaoyun Wang,et al.  Efficient Collision Search Attacks on SHA-0 , 2005, CRYPTO.

[4]  Antoine Joux,et al.  Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions , 2004, CRYPTO.

[5]  Florian Mendel,et al.  The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl , 2009, FSE.

[6]  Shuang Wu,et al.  Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks , 2012, ASIACRYPT.

[7]  John Kelsey,et al.  On hash functions using checksums , 2010, International Journal of Information Security.

[8]  Yu Sasaki,et al.  Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1 , 2009, CRYPTO.

[9]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[10]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[11]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[12]  Florian Mendel,et al.  Cryptanalysis of the GOST Hash Function , 2008, CRYPTO.

[13]  Martijn Stam Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions , 2008, CRYPTO.

[14]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[15]  Yu Sasaki,et al.  Rebound Attack on the Full Lane Compression Function , 2009, ASIACRYPT.

[16]  Yu Sasaki,et al.  Preimage Attacks on One-Block MD4, 63-Step MD5 and More , 2009, Selected Areas in Cryptography.

[17]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[18]  Martijn Stam,et al.  Understanding Adaptivity: Random Systems Revisited , 2012, ASIACRYPT.

[19]  Shuang Wu,et al.  (Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others , 2012, FSE.

[20]  Thomas Peyrin,et al.  Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations , 2010, FSE.

[21]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[22]  J. Pollard,et al.  Monte Carlo methods for index computation () , 1978 .

[23]  Vincent Rijmen,et al.  Rebound Distinguishers: Results on the Full Whirlpool Compression Function , 2009, ASIACRYPT.

[24]  Jean-Jacques Quisquater,et al.  How Easy is Collision Search. New Results and Applications to DES , 1989, CRYPTO.

[25]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[26]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[27]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[28]  Shuang Wu,et al.  Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl , 2012, IACR Cryptol. ePrint Arch..

[29]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[30]  Florian Mendel,et al.  A (Second) Preimage Attack on the GOST Hash Function , 2008, FSE.