Preimage Attacks on Reduced-Round Stribog

AlTawy, Riham; Youssef, Amr M.

doi:10.1007/978-3-319-06734-6_7

Cited by 24 publications

(24 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It is interesting to mention that because of the versatility of the used differential path where the 1 byte difference can virtually be anywhere in the state, we obtain the freedom to satisfy the magic number as well as other constraints that are needed to produce meaningful collisions for some specific file formats (compare Section 4 in [12]). In other words, as the difference is sparse and the complexity of the attack is upper bounded by 2 20 , if one requires to find two messages that start with a specific byte value, then we need to repeat the first path search 256 times which raises the time complexity of the attack by a factor of 2 8 . As a future direction, one may investigate the applicability of the attack if the number of rounds is not a multiple of four.…”

Section: Conclusion and Discussionmentioning

confidence: 99%

“…Since we restrict the input difference of the second path to a specific value, the complexity of the second procedure of our search is increased by a factor of 2 8 . However, the overall search complexity is still dominated by the first procedure which is about 2 20 . Finally, we search for the third and last differential path and its solution which covers rounds 9-12.…”

Section: Our Proposed Technique For Finding Collisions Of the Maliciomentioning

confidence: 99%

“…This fact opens the door to our analysis, which makes use of exactly two parameters: the heavily random looking independent constants and the number of rounds, to present practical collisions for a malicious version of Streebog. Early works related to the cryptanalysis of Streebog have been introduced in [3][4][5]16] and in [13,10,30], where practical semi free-start collision and near collision examples for reduced round versions have been presented in only [3,30].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Watch your constants: malicious Streebog

AlTawy

Youssef

2015

IET Information Security

Self Cite

View full text Add to dashboard Cite

Abstract. In August 2012, the Streebog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). In this paper, we investigate the new standard in the context of malicious hashing and present a practical collision for a malicious version of the full hash function. In particular, we apply the rebound attack to find three solutions for three different differential paths for four rounds, and using the freedom of the round constants we connect them to obtain a collision for the twelve rounds of the compression function. Additionally, and due to the simple processing of the counter, we bypass the barrier of the checksum finalization step and transfer the compression function collision to the hash function output with no additional cost. The presented attack has a practical complexity and is verified by an example. While the results of this paper may not have a direct impact on the security of the current Streebog hash function, it presents an urge for the designers to publish the origin of the used parameters and the rational behind their choices in order for this function to gain enough confidence and wide spread adoption by the security community.

show abstract

Section: Conclusion and Discussionmentioning

confidence: 99%

Section: Our Proposed Technique For Finding Collisions Of the Maliciomentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Watch your constants: malicious Streebog

AlTawy

Youssef

2015

IET Information Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Since the detailed algorithm of f is not related to our attack, we omit its description in this paper, and refer the interested reader to the original document [20,27]. Yet we would like to point out that f shares high similarity with the compression function of Whirlpool hash function [28], which leads to the analysis results on Streebog [1,2,31] that share similarity with the attacks on Whirlpool [25,29].…”

Section: The Compression Function Of Streebogmentioning

confidence: 99%

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Guo

Jean

Leurent

et al. 2014

Selected Areas in Cryptography -- SAC 2014

View full text Add to dashboard Cite

Abstract. Streebog is a new Russian hash function standard. It follows the HAIFA framework as domain extension algorithm and claims to resist recent generic second-preimage attacks with long messages. However, we demonstrate in this article that the specific instantiation of the HAIFA framework used in Streebog makes it weak against such attacks. More precisely, we observe that Streebog makes a rather poor usage of the HAIFA counter input in the compression function, which allows to construct second-preimages on the full Streebog-512 with a complexity as low as n × 2 n/2 (namely 2 266 ) compression function evaluations for long messages. This complexity has to be compared with the expected 2 512 computations bound that an ideal hash function should provide. Our work is a good example that one must be careful when using a design framework for which not all instances are secure. HAIFA helps designers to build a secure hash function, but one should pay attention to the way the counter is handled inside the compression function.

show abstract

“…Stribog [AY14a], and Whirlwind [AY14b]. It is interesting to see that the idea of MITM preimage attacks also leads to the progress of collision attacks against reduced SHA-2 [LIS12].…”

Section: Introductionmentioning

confidence: 99%

Improved Meet-in-the-Middle Preimage Attacks against AES Hashing Modes

Bao

Ding

Guo

et al. 2020

ToSC

View full text Add to dashboard Cite

Hashing modes are ways to convert a block cipher into a hash function, and those with AES as the underlying block cipher are referred to as AES hashing modes. Sasaki in 2011, introduced the first preimage attack against AES hashing modes with the AES block cipher reduced to 7 rounds, by the method of meet-in-the-middle. In his attack, the key-schedules are not taken into account. Hence, the same attack applies to all three versions of AES. In this paper, by introducing neutral bits from the key, extra degree of freedom is gained, which is utilized in two ways, i.e., to reduce the time complexity and to extend the attack to more rounds. As an immediate result, the complexities of 7-round pseudo-preimage attacks are reduced from 2120 to 2104, 296, and 296 for AES-128, AES-192, and AES-256, respectively. By carefully choosing the neutral bits from the key to cancel those from the state, the attack is extended to 8 rounds for AES-192 and AES-256 with complexities 2112 and 296. Similar results are obtained for Kiasu-BC, a tweakable block cipher based on AES-128, and interestingly the additional input tweak helps reduce the complexity and extend the attack to one more round. To the best of our knowledge, these are the first preimage attacks against 8-round AES hashing modes.

show abstract

Preimage Attacks on Reduced-Round Stribog

Cited by 24 publications

References 18 publications

Watch your constants: malicious Streebog

Watch your constants: malicious Streebog

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Improved Meet-in-the-Middle Preimage Attacks against AES Hashing Modes

Contact Info

Product

Resources

About