Streebog (russian: Стрибог) is a

cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output re ...

defined in the Russian national standard

GOST GOST (russian: ГОСТ) refers to a set of international technical standards maintained by the ''Euro-Asian Council for Standardization, Metrology and Certification (EASC)'', a regional standards organization operating under the auspices of th ...

R 34.11-2012 ''Information Technology – Cryptographic Information Security – Hash Function''. It was created to replace an obsolete

hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to

SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struct ...

competition Competition is a rivalry where two or more parties strive for a common goal which cannot be shared: where one's gain is the other's loss (an example of which is a zero-sum game). Competition can arise between entities such as organisms, indivi ...

by the US

National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...

.GOST R 34.11-2012: Streebog Hash Function
/ref> The function is also described in RFC 6986 and one out of hash functions in

ISO/IEC ISO/IEC JTC 1, entitled "Information technology", is a joint technical committee (JTC) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its purpose is to develop, maintain and pr ...

10118-3:2018.

Description

Streebog operates on 512-bit blocks of the input, using the

Merkle–Damgård construction In cryptography, the Merkle–Damgård construction or Merkle–Damgård hash function is a method of building collision-resistant cryptographic hash functions from collision-resistant one-way compression functions. Goldwasser, S. and Bellare, M.b ...

to handle inputs of arbitrary size. The high-level structure of the new hash function resembles the one from GOST R 34.11-94, however, the compression function was changed significantly. The compression function operates in Miyaguchi–Preneel mode and employs a 12-round AES-like cipher with a 512-bit block and 512-bit key. (It uses an 8×8 matrix of bytes rather than AES's 4×4 matrix.) Streebog-256 uses a different initial state than Streebog-512, and truncates the output hash, but is otherwise identical. The function was named Streebog after

Stribog Stribog is a god in Slavic mythology found in three East Slavic sources, whose cult may also have existed in Poland. The sources do not inform about the functions of the god, but nowadays he is most often interpreted as a wind deity who distribut ...

, the god of rash wind in ancient Slavic mythology, and is often referred by this name, even though it is not explicitly mentioned in the text of the standard.

Examples of Streebog hashes

Hash values of empty string. Streebog-256("") 0x 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb Streebog-512("") 0x 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7 \ 362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to the

avalanche effect In cryptography, the avalanche effect is the desirable property of cryptographic algorithms, typically block ciphers and cryptographic hash functions, wherein if an input is changed slightly (for example, flipping a single bit), the output changes ...

. For example, adding a period to the end of the sentence: Streebog-256("

The quick brown fox jumps over the lazy dog "The quick brown fox jumps over the lazy dog" is an English-language pangram — a sentence that contains all the letters of the alphabet. The phrase is commonly used for touch-typing practice, testing typewriters and computer keyboards, displ ...

") 0x 3e7dea7f2384b6c5a3d0e24aaa29c05e89ddd762145030ec22c71a6db8b2c1f4 Streebog-256("

.") 0x 36816a824dcbe7d6171aa58500741f2ea2757ae2e1784ab72c5c3c6c198d71da Streebog-512("

") 0x d2b793a0bb6cb5904828b5b6dcfb443bb8f33efc06ad09368878ae4cdc8245b9 \ 7e60802469bed1e7c21a64ff0b179a6a1e0bb74d92965450a0adab69162c00fe Streebog-512("

.") 0x fe0c42f267d921f940faa72bd9fcf84f9f1bd7e9d055e9816e4c2ace1ec83be8 \ 2d2957cd59b86e123d8f5adee80b3ca08a017599a9fc1a14d940cf87c77df070

Cryptanalysis

In 2013 the Russian Technical Committee for Standardization "Cryptography and Security Mechanisms" (TC 26) with the participation of Academy of Cryptography of the Russian Federation declared an open competition for cryptanalysis of the Streebog hash function, which attracted international attention to the function. Ma, ''et al'', describe a

preimage attack In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage (set of possible inputs). In the context of attack, th ...

that takes 2⁴⁹⁶ time and 2⁶⁴ memory or 2⁵⁰⁴ time and 2¹¹ memory to find a single preimage of GOST-512 reduced to 6 rounds. They also describe a

collision attack In cryptography, a collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision. This is in contrast to a preimage attack where a specific target hash value is specified. There are roughl ...

with 2¹⁸¹

time complexity In computer science, the time complexity is the computational complexity that describes the amount of computer time it takes to run an algorithm. Time complexity is commonly estimated by counting the number of elementary operations performed by ...

and 2⁶⁴ memory requirement in the same paper. Guo, ''et al'', describe a second preimage attack on full Streebog-512 with total time complexity equivalent to 2²⁶⁶ compression function evaluations, if the message has more than 2²⁵⁹ blocks. AlTawy and Youssef published an attack to a modified version of Streebog with different round constants. While this attack may not have a direct impact on the security of the original Streebog hash function, it raised a question about the origin of the used parameters in the function. The designers published a paper explaining that these are pseudorandom constants generated with Streebog-like hash function, provided with 12 different natural language input messages. AlTawy, ''et al'', found 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 2⁸ and 2⁴⁰, respectively, as well as attacks on the compression function with 7.75 round semi free-start collision with time complexity 2¹⁸⁴ and memory complexity 2⁸, 8.75 and 9.75 round semi free-start near collisions with time complexities 2¹²⁰ and 2¹⁹⁶, respectively. Wang, ''et al'', describe a collision attack on the compression function reduced to 9.5 rounds with 2¹⁷⁶ time complexity and 2¹²⁸ memory complexity. In 2015 Biryukov, Perrin and Udovenko reverse engineered the unpublished S-box generation structure (which was earlier claimed to be generated randomly) and concluded that the underlying components are cryptographically weak.

References

{{Cryptography navbox , hash Cryptographic hash functions

Description

Examples of Streebog hashes

Cryptanalysis

See also

References