View
0
Download
0
Category
Preview:
Citation preview
Prototype of Russian Hash Function
”Stribog”
Oleksandr Kazymyrov
Department of Informatics, University of Bergen,P.O.Box 7803, N-5020 Bergen, Norway
Oleksandr.Kazymyrov@uib.no
May 30, 2012
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Outline
1 Introduction
2 Description of Stribog
3 Conclusions
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
GOST 34.11-94 was theoretically broken in2008.
The complexities O(2192)/O(269) for preimage andsecond preimage attacks.
Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.
Opposite to SHA-3.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
GOST 34.11-94 was theoretically broken in2008.
The complexities O(2192)/O(269) for preimage andsecond preimage attacks.
Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.
Opposite to SHA-3.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
GOST 34.11-94 was theoretically broken in2008.
The complexities O(2192)/O(269) for preimage andsecond preimage attacks.
Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.
Opposite to SHA-3.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
1998
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
1998
2001
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
1998
2001
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna1998
20012007
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
1998
20012007
2008
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
Hash
1998
20012007
2008
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
1998
20012007
20082001
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
1998
20012007
20082001
1994
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
20012007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Basic Operations and Functions
Stribog is based on SP-network block cipher with block andkey length equal 512 bits
SubBytes (S): nonlinear bijective mapping.
Transposition (P): byte permutation.
MixColumns (L): linear transformation.
AddRoundKey (X): addition with the round key usingbitwise XOR.
Other basic functions
�: addition modulo 2512.
MSBs(A): getting s most significant bits of vector A.
A||B: concatenation of two vectors A and B.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
State Representation
Grøstl
a7
a6
a5
a4
a3
a2
a1
a0
a15
a14
a13
a12
a11
a10
a9
a8
a23
a22
a21
a20
a19
a18
a17
a16
a31
a30
a29
a28
a27
a26
a25
a24
a39
a38
a37
a36
a35
a34
a33
a32
a47
a46
a45
a44
a43
a42
a41
a40
a55
a54
a53
a52
a51
a50
a49
a48
a63
a62
a61
a60
a59
a58
a57
a56
A = a0||a1|| . . . ||a63
Stribog
b7
b15
b23
b31
b39
b47
b55
b63
b6
b14
b22
b30
b38
b46
b54
b62
b5
b13
b21
b29
b37
b45
b53
b61
b4
b12
b20
b28
b36
b44
b52
b60
b3
b11
b19
b27
b35
b43
b51
b59
b2
b10
b18
b26
b34
b42
b50
b58
b1
b9
b17
b25
b33
b41
b49
b57
b0
b8
b16
b24
b32
b40
b48
b56
B = b63||b62|| . . . ||b0
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Outline
1 Introduction
2 Description of Stribog
3 Conclusions
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Merkle-Damg̊ard Scheme
IV
m1
g
m2
g
m3
gh h . . . g h
mt
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Modification of Merkle-Damg̊ard Scheme
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
hg
�
�
512
mt
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog. Stage 1
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Stage 1
Σ = N = 0512
IV =
{0, Stribog-512
(00000001)64, Stribog-256
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog. Stage 2
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Stage 1 Stage 2
Σ = N = 0512
IV =
{0, Stribog-512
(00000001)64, Stribog-256
t =
⌊|M |512
⌋
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog. Stage 3
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Stage 1 Stage 2 Stage 3
Σ = N = 0512
IV =
{0, Stribog-512
(00000001)64, Stribog-256
t =
⌊|M |512
⌋ m = 0512−|M |||1||M
H =
{h, Stribog-512
MSB256(h), Stribog-256
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Compression Function Construction
Grøstl
P Q
hi
⊕
⊕hi−1 mi
f
Stribog
E
F
hi
⊕
⊕hi−1 N mi
g
L
P
S
hi−1N
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of E
Block Cipher of Stribog
F
r = 12
⊕
⊕L
P
S
Ki
K13
Message
Ciphertext
Key Schedule
F
r = 12
⊕L
P
S
Ci−1
K1 = K
Ki
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
SubBytes Transformation
a7
a15
a23
a31
a39
a47
a55
a63
a6
a14
a22
a30
a38
a46
a54
a62
a5
a13
a21
a29
a37
a45
a53
a61
a4
a12
a20
a28
a36
a44
a52
a60
a3
a11
a19
a27
a35
a43
a51
a59
a2
a10
a18
a26
a34
a42
a50
a58
a1
a9
a17
a25
a33
a41
a49
a57
a0
a8
a16
a24
a32
a40
a48
a56
a35
b7
b15
b23
b31
b39
b47
b55
b63
b6
b14
b22
b30
b38
b46
b54
b62
b5
b13
b21
b29
b37
b45
b53
b61
b4
b12
b20
b28
b36
b44
b52
b60
b3
b11
b19
b27
b35
b43
b51
b59
b2
b10
b18
b26
b34
b42
b50
b58
b1
b9
b17
b25
b33
b41
b49
b57
b0
b8
b16
b24
b32
b40
b48
b56
b35
S
bi = S-box(ai)
SubBytes
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Transposition
Transposition transformation has a form
a7
a15
a23
a31
a39
a47
a55
a63
a6
a14
a22
a30
a38
a46
a54
a62
a5
a13
a21
a29
a37
a45
a53
a61
a4
a12
a20
a28
a36
a44
a52
a60
a3
a11
a19
a27
a35
a43
a51
a59
a2
a10
a18
a26
a34
a42
a50
a58
a1
a9
a17
a25
a33
a41
a49
a57
a0
a8
a16
a24
a32
a40
a48
a56
a0a8a16a24a32a40a48a56
a1a9a17a25a33a41a49a57
a2a10a18a26a34a42a50a58
a3a11a19a27a35a43a51a59
a4a12a20a28a36a44a52a60
a5a13a21a29a37a45a53a61
a6a14a22a30a38a46a54a62
a7a15a23a31a39a47a55a63
Transpose
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
MixColumns
MixColumns transformation has a form
a7
a15
a23
a31
a39
a47
a55
a63
a6
a14
a22
a30
a38
a46
a54
a62
a5
a13
a21
a29
a37
a45
a53
a61
a4
a12
a20
a28
a36
a44
a52
a60
a3
a11
a19
a27
a35
a43
a51
a59
a2
a10
a18
a26
a34
a42
a50
a58
a1
a9
a17
a25
a33
a41
a49
a57
a0
a8
a16
a24
a32
a40
a48
a56a63 a62 a61 a60 a59 a58 a57 a56
b7
b15
b23
b31
b39
b47
b55
b63
b6
b14
b22
b30
b38
b46
b54
b62
b5
b13
b21
b29
b37
b45
b53
b61
b4
b12
b20
b28
b36
b44
b52
b60
b3
b11
b19
b27
b35
b43
b51
b59
b2
b10
b18
b26
b34
b42
b50
b58
b1
b9
b17
b25
b33
b41
b49
b57
b0
b8
b16
b24
b32
b40
b48
b56b63 b62 b61 b60 b59 b58 b57 b56
M
Multiplying the vector by the constant 64×64 matrix M in F2
B = A ·M
MixColumns
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is evolution of GOST 34.11-94.
It is planned to replace the existing standard34.11-94.
It leads to the replacement of the standard 34.10-01.
Is Stribog 20% faster than GOST 34.11-94?
No, it is 30% slower (source code).
Several mistakes in appendix (test vectors).
Appendices are for reference purposes only and are notpart of the standard.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is evolution of GOST 34.11-94.It is planned to replace the existing standard34.11-94.
It leads to the replacement of the standard 34.10-01.
Is Stribog 20% faster than GOST 34.11-94?
No, it is 30% slower (source code).
Several mistakes in appendix (test vectors).
Appendices are for reference purposes only and are notpart of the standard.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is evolution of GOST 34.11-94.It is planned to replace the existing standard34.11-94.
It leads to the replacement of the standard 34.10-01.
Is Stribog 20% faster than GOST 34.11-94?
No, it is 30% slower (source code).
Several mistakes in appendix (test vectors).
Appendices are for reference purposes only and are notpart of the standard.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is evolution of GOST 34.11-94.It is planned to replace the existing standard34.11-94.
It leads to the replacement of the standard 34.10-01.
Is Stribog 20% faster than GOST 34.11-94?
No, it is 30% slower (source code).
Several mistakes in appendix (test vectors).
Appendices are for reference purposes only and are notpart of the standard.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is evolution of GOST 34.11-94.It is planned to replace the existing standard34.11-94.
It leads to the replacement of the standard 34.10-01.
Is Stribog 20% faster than GOST 34.11-94?No, it is 30% slower (source code).
Several mistakes in appendix (test vectors).
Appendices are for reference purposes only and are notpart of the standard.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is evolution of GOST 34.11-94.It is planned to replace the existing standard34.11-94.
It leads to the replacement of the standard 34.10-01.
Is Stribog 20% faster than GOST 34.11-94?No, it is 30% slower (source code).
Several mistakes in appendix (test vectors).
Appendices are for reference purposes only and are notpart of the standard.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is evolution of GOST 34.11-94.It is planned to replace the existing standard34.11-94.
It leads to the replacement of the standard 34.10-01.
Is Stribog 20% faster than GOST 34.11-94?No, it is 30% slower (source code).
Several mistakes in appendix (test vectors).Appendices are for reference purposes only and are notpart of the standard.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
What is Stribog?
”Stribog in the Slavic pantheon, is the god and spirit of thewinds, sky and air; he is said to be the ancestor (grandfather)of the winds of the eight directions.”
– Wikipedia
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
References
F. Mendel, N. Pramstaller, C. Rechberger, M. Kontak, andJ. Szmidt. Cryptanalysis of the GOST hash function. InD. Wagner, editor, Advances in Cryptology CRYPTO 2008,volume 5157 of LNCS, pages 162–178.
Matuhin D.V., Shyshkin V.A., Rudskoy V.I.: Prospectivehashing algorithm. RusCrypto’2010, 2010. (In Russian).
GOST 34.11-20 , Information technology. Cryptographic datasecurity. Hash function. Prototype (version 1).http://infotecs.ru/laws/gost/proj/gost3411.pdf. (InRussian).
R. Oliynykov, I. Gorbenko, V. Dolgov, V. Ruzhentsev, Resultsof Ukrainian National Public Cryptographic Competition,Tatra Mt. Math. Publ. 47 2010, 99–113. http://www.sav.sk/journals/uploads/0317154006ogdr.pdf.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Recommended