| General | |
|---|---|
| Designers | FSB, InfoTeCS JSC |
| First published | 2012 |
| Related to | GOST |
| Certification | GOST standard,ISO/IEC 10118-3:2018, RFC 6986 |
| Detail | |
| Digest sizes | 256 and 512 bits |
| Rounds | 12 |
| Best publiccryptanalysis | |
| Second preimage attack with 2266time complexity.[1] | |
Streebog (Russian:Стрибог) is acryptographic hash function defined in the Russian national standardGOST R 34.11-2012Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsoleteGOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply toSHA-3competition by the USNational Institute of Standards and Technology.[2] The function is also described in RFC 6986 and one out of hash functions inISO/IEC 10118-3:2018.[3]
Streebog operates on 512-bit blocks of the input, using theMerkle–Damgård construction to handle inputs of arbitrary size.[4]
The high-level structure of the new hash function resembles the one from GOST R 34.11-94, however, the compression function was changed significantly.[5] The compression function operates inMiyaguchi–Preneel mode and employs a 12-roundAES-like cipher with a 512-bit block and 512-bit key. (It uses an 8×8 matrix of bytes rather than AES's 4×4 matrix.)
Streebog-256 uses a different initial state than Streebog-512, and truncates the output hash, but is otherwise identical.
The function was namedStreebog afterStribog, the god of rash wind in ancient Slavic mythology,[2] and is often referred by this name, even though it is not explicitly mentioned in the text of the standard.[6]
Hash values of empty string.
Streebog-256("")0x 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bbStreebog-512("")0x 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7 \ 362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to theavalanche effect. For example, adding a period to the end of the sentence:
Streebog-256("The quick brown fox jumps over the lazy dog")0x 3e7dea7f2384b6c5a3d0e24aaa29c05e89ddd762145030ec22c71a6db8b2c1f4Streebog-256("The quick brown fox jumps over the lazy dog.")0x 36816a824dcbe7d6171aa58500741f2ea2757ae2e1784ab72c5c3c6c198d71daStreebog-512("The quick brown fox jumps over the lazy dog")0x d2b793a0bb6cb5904828b5b6dcfb443bb8f33efc06ad09368878ae4cdc8245b9 \ 7e60802469bed1e7c21a64ff0b179a6a1e0bb74d92965450a0adab69162c00feStreebog-512("The quick brown fox jumps over the lazy dog.")0x fe0c42f267d921f940faa72bd9fcf84f9f1bd7e9d055e9816e4c2ace1ec83be8 \ 2d2957cd59b86e123d8f5adee80b3ca08a017599a9fc1a14d940cf87c77df070
In 2013 the Russian Technical Committee for Standardization "Cryptography and Security Mechanisms" (TC 26) with the participation of Academy of Cryptography of the Russian Federation declared an open competition forcryptanalysis of the Streebog hash function,[7] which attracted international attention to the function.
Ma,et al, describe apreimage attack that takes 2496 time and 264 memory or 2504 time and 211 memory to find a single preimage of GOST-512 reduced to 6 rounds.[8] They also describe acollision attack with 2181time complexity and 264 memory requirement in the same paper.
Guo,et al, describe asecond preimage attack on full Streebog-512 with total time complexity equivalent to 2266 compression function evaluations, if the message has more than 2259 blocks.[1]
AlTawy and Youssef published an attack to a modified version of Streebog with different round constants.[9] While this attack may not have a direct impact on the security of the original Streebog hash function, it raised a question about the origin of the used parameters in the function. The designers published a paper explaining that these are pseudorandom constants generated with Streebog-like hash function, provided with 12 different natural language input messages.[10]
AlTawy,et al, found 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 28 and 240, respectively, as well as attacks on the compression function with 7.75 round semi free-start collision with time complexity 2184 and memory complexity 28, 8.75 and 9.75 round semi free-start near collisions with time complexities 2120 and 2196, respectively.[11]
Wang,et al, describe a collision attack on the compression function reduced to 9.5 rounds with 2176 time complexity and 2128 memory complexity.[12]
In 2015 Biryukov, Perrin and Udovenko reverse engineered the unpublished S-box generation structure (which was earlier claimed to be generated randomly) and concluded that the underlying components are cryptographically weak.[13]
