Prototype of Russian Hash Function 'Stribog'€¦ · GOST 34.11-94 wastheoretically brokenin 2008. The complexities O(2192)=O(269) for preimage and second preimage attacks. Increasing

Prototype of Russian Hash Function

”Stribog”

Oleksandr Kazymyrov

Department of Informatics, University of Bergen,P.O.Box 7803, N-5020 Bergen, Norway

[email protected]

May 30, 2012

Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”

Outline

1 Introduction

2 Description of Stribog

3 Conclusions


Motivation

GOST 34.11-94 was theoretically broken in2008.

The complexities O(2192)/O(269) for preimage andsecond preimage attacks.

Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.

Opposite to SHA-3.


Motivation




Opposite to SHA-3.


Motivation




Opposite to SHA-3.


Rijndael

1998


Rijndael

AES

1998

2001


Rijndael

AES

Other

1998

2001


Rijndael

AES

Other

Kalyna1998

20012007


Rijndael

AES

Other

Kalyna

Grøstl

1998

20012007

2008


Rijndael

AES

Other

Kalyna

Grøstl

Hash

1998

20012007

2008


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

1998

20012007

20082001


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

GOST 34.11

1998

20012007

20082001

1994


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

GOST 34.11

Stribog

1998

20012007

20082001

1994

2010


Basic Operations and Functions

Stribog is based on SP-network block cipher with block andkey length equal 512 bits

SubBytes (S): nonlinear bijective mapping.

Transposition (P): byte permutation.

MixColumns (L): linear transformation.

AddRoundKey (X): addition with the round key usingbitwise XOR.

Other basic functions

�: addition modulo 2512.

MSBs(A): getting s most significant bits of vector A.

A||B: concatenation of two vectors A and B.


State Representation

Grøstl

a7

a6

a5

a4

a3

a2

a1

a0

a15

a14

a13

a12

a11

a10

a9

a8

a23

a22

a21

a20

a19

a18

a17

a16

a31

a30

a29

a28

a27

a26

a25

a24

a39

a38

a37

a36

a35

a34

a33

a32

a47

a46

a45

a44

a43

a42

a41

a40

a55

a54

a53

a52

a51

a50

a49

a48

a63

a62

a61

a60

a59

a58

a57

a56

A = a0||a1|| . . . ||a63

Stribog

b7

b15

b23

b31

b39

b47

b55

b63

b6

b14

b22

b30

b38

b46

b54

b62

b5

b13

b21

b29

b37

b45

b53

b61

b4

b12

b20

b28

b36

b44

b52

b60

b3

b11

b19

b27

b35

b43

b51

b59

b2

b10

b18

b26

b34

b42

b50

b58

b1

b9

b17

b25

b33

b41

b49

b57

b0

b8

b16

b24

b32

b40

b48

b56

B = b63||b62|| . . . ||b0


Outline

1 Introduction

2 Description of Stribog

3 Conclusions


Merkle-Damg̊ard Scheme

IV

m1

g

m2

g

m3

gh h . . . g h

mt


Modification of Merkle-Damg̊ard Scheme

N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

hg

�

�

512

mt


Hash Function Stribog

N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h


Hash Function Stribog. Stage 1

N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h

Stage 1

Σ = N = 0512

IV =

{0, Stribog-512

(00000001)64, Stribog-256



N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h

Stage 1 Stage 2

Σ = N = 0512

IV =

{0, Stribog-512

(00000001)64, Stribog-256

t =

⌊|M |512

⌋



N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h

Stage 1 Stage 2 Stage 3

Σ = N = 0512

IV =

{0, Stribog-512

(00000001)64, Stribog-256

t =

⌊|M |512

⌋ m = 0512−|M |||1||M

H =

{h, Stribog-512

MSB256(h), Stribog-256


Compression Function Construction

Grøstl

P Q

hi

⊕

⊕hi−1 mi

f

Stribog

E

F

hi

⊕

⊕hi−1 N mi

g

L

P

S

hi−1N


Representation of E

Block Cipher of Stribog

F

r = 12

⊕

⊕L

P

S

Ki

K13

Message

Ciphertext

Key Schedule

F

r = 12

⊕L

P

S

Ci−1

K1 = K

Ki


SubBytes Transformation

a7

a15

a23

a31

a39

a47

a55

a63

a6

a14

a22

a30

a38

a46

a54

a62

a5

a13

a21

a29

a37

a45

a53

a61

a4

a12

a20

a28

a36

a44

a52

a60

a3

a11

a19

a27

a35

a43

a51

a59

a2

a10

a18

a26

a34

a42

a50

a58

a1

a9

a17

a25

a33

a41

a49

a57

a0

a8

a16

a24

a32

a40

a48

a56

a35

b7

b15

b23

b31

b39

b47

b55

b63

b6

b14

b22

b30

b38

b46

b54

b62

b5

b13

b21

b29

b37

b45

b53

b61

b4

b12

b20

b28

b36

b44

b52

b60

b3

b11

b19

b27

b35

b43

b51

b59

b2

b10

b18

b26

b34

b42

b50

b58

b1

b9

b17

b25

b33

b41

b49

b57

b0

b8

b16

b24

b32

b40

b48

b56

b35

S

bi = S-box(ai)

SubBytes


Transposition

Transposition transformation has a form

a7

a15

a23

a31

a39

a47

a55

a63

a6

a14

a22

a30

a38

a46

a54

a62

a5

a13

a21

a29

a37

a45

a53

a61

a4

a12

a20

a28

a36

a44

a52

a60

a3

a11

a19

a27

a35

a43

a51

a59

a2

a10

a18

a26

a34

a42

a50

a58

a1

a9

a17

a25

a33

a41

a49

a57

a0

a8

a16

a24

a32

a40

a48

a56

a0a8a16a24a32a40a48a56

a1a9a17a25a33a41a49a57

a2a10a18a26a34a42a50a58

a3a11a19a27a35a43a51a59

a4a12a20a28a36a44a52a60

a5a13a21a29a37a45a53a61

a6a14a22a30a38a46a54a62

a7a15a23a31a39a47a55a63

Transpose


MixColumns

MixColumns transformation has a form

a7

a15

a23

a31

a39

a47

a55

a63

a6

a14

a22

a30

a38

a46

a54

a62

a5

a13

a21

a29

a37

a45

a53

a61

a4

a12

a20

a28

a36

a44

a52

a60

a3

a11

a19

a27

a35

a43

a51

a59

a2

a10

a18

a26

a34

a42

a50

a58

a1

a9

a17

a25

a33

a41

a49

a57

a0

a8

a16

a24

a32

a40

a48

a56a63 a62 a61 a60 a59 a58 a57 a56

b7

b15

b23

b31

b39

b47

b55

b63

b6

b14

b22

b30

b38

b46

b54

b62

b5

b13

b21

b29

b37

b45

b53

b61

b4

b12

b20

b28

b36

b44

b52

b60

b3

b11

b19

b27

b35

b43

b51

b59

b2

b10

b18

b26

b34

b42

b50

b58

b1

b9

b17

b25

b33

b41

b49

b57

b0

b8

b16

b24

b32

b40

b48

b56b63 b62 b61 b60 b59 b58 b57 b56

M

Multiplying the vector by the constant 64×64 matrix M in F2

B = A ·M

MixColumns


Conclusions

Stribog is evolution of GOST 34.11-94.

It is planned to replace the existing standard34.11-94.

It leads to the replacement of the standard 34.10-01.

Is Stribog 20% faster than GOST 34.11-94?

No, it is 30% slower (source code).

Several mistakes in appendix (test vectors).

Appendices are for reference purposes only and are notpart of the standard.


http://goo.gl/JGa2h

Conclusions

Stribog is evolution of GOST 34.11-94.It is planned to replace the existing standard34.11-94.







http://goo.gl/JGa2h

Conclusions








http://goo.gl/JGa2h

Conclusions








http://goo.gl/JGa2h

Conclusions



Is Stribog 20% faster than GOST 34.11-94?No, it is 30% slower (source code).




http://goo.gl/JGa2h

Conclusions







http://goo.gl/JGa2h

Conclusions




Several mistakes in appendix (test vectors).Appendices are for reference purposes only and are notpart of the standard.


http://goo.gl/JGa2h

What is Stribog?

”Stribog in the Slavic pantheon, is the god and spirit of thewinds, sky and air; he is said to be the ancestor (grandfather)of the winds of the eight directions.”

– Wikipedia


References

F. Mendel, N. Pramstaller, C. Rechberger, M. Kontak, andJ. Szmidt. Cryptanalysis of the GOST hash function. InD. Wagner, editor, Advances in Cryptology CRYPTO 2008,volume 5157 of LNCS, pages 162–178.

Matuhin D.V., Shyshkin V.A., Rudskoy V.I.: Prospectivehashing algorithm. RusCrypto’2010, 2010. (In Russian).

GOST 34.11-20 , Information technology. Cryptographic datasecurity. Hash function. Prototype (version 1).http://infotecs.ru/laws/gost/proj/gost3411.pdf. (InRussian).

R. Oliynykov, I. Gorbenko, V. Dolgov, V. Ruzhentsev, Resultsof Ukrainian National Public Cryptographic Competition,Tatra Mt. Math. Publ. 47 2010, 99–113. http://www.sav.sk/journals/uploads/0317154006ogdr.pdf.


http://infotecs.ru/laws/gost/proj/gost3411.pdf

http://www.sav.sk/journals/uploads/0317154006ogdr.pdf

http://www.sav.sk/journals/uploads/0317154006ogdr.pdf

Documents

Prototype of Russian Hash Function 'Stribog'€¦ · GOST 34.11-94 wastheoretically brokenin 2008. The complexities O(2192)=O(269) for preimage and second preimage attacks. Increasing