View
3
Download
0
Category
Preview:
Citation preview
Prototype of Russian Hash Function
”Stribog”
Oleksandr Kazymyrov
Selmer Center, Department of Informatics,University of Bergen, NorwayOleksandr.Kazymyrov@uib.no
Spring 2013
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Outline
1 Introduction
2 Description of Stribog
3 Representation over F28
4 Conclusions
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
GOST 34.11-94 was theoretically broken in2008.
The complexities O(2192)/O(269) for preimage andsecond preimage attacks.
Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.
Opposite to SHA-3 (Keccak).
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
GOST 34.11-94 was theoretically broken in2008.
The complexities O(2192)/O(269) for preimage andsecond preimage attacks.
Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.
Opposite to SHA-3 (Keccak).
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
GOST 34.11-94 was theoretically broken in2008.
The complexities O(2192)/O(269) for preimage andsecond preimage attacks.
Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.
Opposite to SHA-3 (Keccak).
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
20012007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
2001
2007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
2001
2007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
20012007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
20012007
2008
2001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
Hash
SHA
GOST 34.11
Stribog
1998
20012007
2008
2001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
20012007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
20012007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Rijndael
AES
Other
Kalyna
Grøstl
HashSHA
GOST 34.11
Stribog
1998
20012007
20082001
1994
2010
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Basic Operations and Functions
Stribog is based on SP-network block cipher with block andkey length equal 512 bits
SubBytes (S): nonlinear bijective mapping.
Transposition (P): byte permutation.
MixColumns (L): linear transformation.
AddRoundKey (X): addition with the round key usingbitwise XOR.
Other basic functions
�: addition modulo 2512.
MSBs(A): getting s most significant bits of vector A.
A||B: concatenation of two vectors A and B.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
State Representation
Grøstl
a7
a6
a5
a4
a3
a2
a1
a0
a15
a14
a13
a12
a11
a10
a9
a8
a23
a22
a21
a20
a19
a18
a17
a16
a31
a30
a29
a28
a27
a26
a25
a24
a39
a38
a37
a36
a35
a34
a33
a32
a47
a46
a45
a44
a43
a42
a41
a40
a55
a54
a53
a52
a51
a50
a49
a48
a63
a62
a61
a60
a59
a58
a57
a56
A = a0||a1|| . . . ||a63
Stribog
b7
b15
b23
b31
b39
b47
b55
b63
b6
b14
b22
b30
b38
b46
b54
b62
b5
b13
b21
b29
b37
b45
b53
b61
b4
b12
b20
b28
b36
b44
b52
b60
b3
b11
b19
b27
b35
b43
b51
b59
b2
b10
b18
b26
b34
b42
b50
b58
b1
b9
b17
b25
b33
b41
b49
b57
b0
b8
b16
b24
b32
b40
b48
b56
B = b63||b62|| . . . ||b0
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
State Representation
Grøstl
a7
a6
a5
a4
a3
a2
a1
a0
a15
a14
a13
a12
a11
a10
a9
a8
a23
a22
a21
a20
a19
a18
a17
a16
a31
a30
a29
a28
a27
a26
a25
a24
a39
a38
a37
a36
a35
a34
a33
a32
a47
a46
a45
a44
a43
a42
a41
a40
a55
a54
a53
a52
a51
a50
a49
a48
a63
a62
a61
a60
a59
a58
a57
a56
Stribog
a56
a48
a40
a32
a24
a16
a8
a0
a57
a49
a41
a33
a25
a17
a9
a1
a58
a50
a42
a34
a26
a18
a10
a2
a59
a51
a43
a35
a27
a19
a11
a3
a60
a52
a44
a36
a28
a20
a12
a4
a61
a53
a45
a37
a29
a21
a13
a5
a62
a54
a46
a38
a30
a22
a14
a6
a63
a55
a47
a39
a31
a23
a15
a7
A = a0||a1|| . . . ||a63
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Outline
1 Introduction
2 Description of Stribog
3 Representation over F28
4 Conclusions
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Merkle-Damg̊ard Scheme
IV
m1
g
m2
g
m3
gh h . . . g h
mt
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Modification of Merkle-Damg̊ard Scheme
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
hg
�
�
512
mt
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog. Stage 1
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Stage 1
Σ = N = 0512
IV =
{0, Stribog-512
(00000001)64, Stribog-256
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog. Stage 2
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Stage 1 Stage 2
Σ = N = 0512
IV =
{0, Stribog-512
(00000001)64, Stribog-256
t =
⌊|M |512
⌋
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Hash Function Stribog. Stage 3
N
IV
Σm1
�
�
512
g
m2
�
�
512
g
m3
�
�
512
gh h . . .
. . .
. . .
g g g gh h h
�
�
�
�
512 |M |
mt m
0 0
h
Stage 1 Stage 2 Stage 3
Σ = N = 0512
IV =
{0, Stribog-512
(00000001)64, Stribog-256
t =
⌊|M |512
⌋ m = 0512−|M |||1||M
H =
{h, Stribog-512
MSB256(h), Stribog-256
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Compression Function Construction
Grøstl
P Q
hi
⊕
⊕hi−1 mi
f
Stribog
E
F
hi
⊕
⊕hi−1 N mi
g
L
P
S
hi−1N
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Design of E
Compression function gN : F5122 × F512
2 7→ F5122 , N ∈ F512
2 isdefined as follows
gN(h,m) = E(L ◦ P ◦ S(h⊕N),m)⊕ h⊕m, h,m ∈ F5122
where
E(K,m) = X[K13] ◦12∏i=1
L ◦ P ◦ S ◦X[Ki]
KeySchedule function
Ki = L ◦ P ◦ S(Ki−1 ⊕ Ci−1), K1 = K, i ∈ {2, . . . , 13}.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of E
Block Cipher of Stribog
F
r = 12
⊕
⊕L
P
S
Ki
K13
Message
Ciphertext
Key Schedule
F
r = 12
⊕L
P
S
Ci−1
K1 = K
Ki
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
SubBytes Transformation
a7
a15
a23
a31
a39
a47
a55
a63
a6
a14
a22
a30
a38
a46
a54
a62
a5
a13
a21
a29
a37
a45
a53
a61
a4
a12
a20
a28
a36
a44
a52
a60
a3
a11
a19
a27
a35
a43
a51
a59
a2
a10
a18
a26
a34
a42
a50
a58
a1
a9
a17
a25
a33
a41
a49
a57
a0
a8
a16
a24
a32
a40
a48
a56
a35
b7
b15
b23
b31
b39
b47
b55
b63
b6
b14
b22
b30
b38
b46
b54
b62
b5
b13
b21
b29
b37
b45
b53
b61
b4
b12
b20
b28
b36
b44
b52
b60
b3
b11
b19
b27
b35
b43
b51
b59
b2
b10
b18
b26
b34
b42
b50
b58
b1
b9
b17
b25
b33
b41
b49
b57
b0
b8
b16
b24
b32
b40
b48
b56
b35
S
bi = S-box(ai)
SubBytes
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
S-box of Stribog
0 1 2 3 4 5 6 7 8 9 A B C D E F0 FC EE DD 11 CF 6E 31 16 FB C4 FA DA 23 C5 04 4D1 E9 77 F0 DB 93 2E 99 BA 17 36 F1 BB 14 CD 5F C12 F9 18 65 5A E2 5C EF 21 81 1C 3C 42 8B 01 8E 4F3 05 84 02 AE E3 6A 8F A0 06 0B ED 98 7F D4 D3 1F4 EB 34 2C 51 EA C8 48 AB F2 2A 68 A2 FD 3A CE CC5 B5 70 0E 56 08 0C 76 12 BF 72 13 47 9C B7 5D 876 15 A1 96 29 10 7B 9A C7 F3 91 78 6F 9D 9E B2 B17 32 75 19 3D FF 35 8A 7E 6D 54 C6 80 C3 BD 0D 578 DF F5 24 A9 3E A8 43 C9 D7 79 D6 F6 7C 22 B9 039 E0 0F EC DE 7A 94 B0 BC DC E8 28 50 4E 33 0A 4AA A7 97 60 73 1E 00 62 44 1A B8 38 82 64 9F 26 41B AD 45 46 92 27 5E 55 2F 8C A3 A5 7D 69 D5 95 3BC 07 58 B3 40 86 AC 1D F7 30 37 6B E4 88 D9 E7 89D E1 1B 83 49 4C 3F F8 FE 8D 53 AA 90 CA D8 85 61E 20 71 67 A4 2D 2B 09 5B CB 9B 25 D0 BE E5 6C 52F 59 A6 74 D2 E6 F4 B4 C0 D1 66 AF C2 39 4B 63 B6
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
S-box Characteristics
Properties Stribog AESVectorial Boolean Function
Balancedness True TrueNonlinearity 100 112
Absolute Indicator 96 32SSI 258688 133120PC 0 0CI 0 0
Algebraic Degree 7 7Resiliency 0 0
SAC False FalseSubstitution
Bijection True TrueMDT 8 4MLT 28 16
Cycles 252:243, 46:1343:27, 242:87,
99:59, 124:81, 143:2Algebraic Immunity 3(441) 2(39)
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Transposition
Transposition transformation has a form
a7
a15
a23
a31
a39
a47
a55
a63
a6
a14
a22
a30
a38
a46
a54
a62
a5
a13
a21
a29
a37
a45
a53
a61
a4
a12
a20
a28
a36
a44
a52
a60
a3
a11
a19
a27
a35
a43
a51
a59
a2
a10
a18
a26
a34
a42
a50
a58
a1
a9
a17
a25
a33
a41
a49
a57
a0
a8
a16
a24
a32
a40
a48
a56
a0a8a16a24a32a40a48a56
a1a9a17a25a33a41a49a57
a2a10a18a26a34a42a50a58
a3a11a19a27a35a43a51a59
a4a12a20a28a36a44a52a60
a5a13a21a29a37a45a53a61
a6a14a22a30a38a46a54a62
a7a15a23a31a39a47a55a63
Transpose
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
MixColumns
MixColumns transformation has a form
a7
a15
a23
a31
a39
a47
a55
a63
a6
a14
a22
a30
a38
a46
a54
a62
a5
a13
a21
a29
a37
a45
a53
a61
a4
a12
a20
a28
a36
a44
a52
a60
a3
a11
a19
a27
a35
a43
a51
a59
a2
a10
a18
a26
a34
a42
a50
a58
a1
a9
a17
a25
a33
a41
a49
a57
a0
a8
a16
a24
a32
a40
a48
a56a63 a62 a61 a60 a59 a58 a57 a56
b7
b15
b23
b31
b39
b47
b55
b63
b6
b14
b22
b30
b38
b46
b54
b62
b5
b13
b21
b29
b37
b45
b53
b61
b4
b12
b20
b28
b36
b44
b52
b60
b3
b11
b19
b27
b35
b43
b51
b59
b2
b10
b18
b26
b34
b42
b50
b58
b1
b9
b17
b25
b33
b41
b49
b57
b0
b8
b16
b24
b32
b40
b48
b56b63 b62 b61 b60 b59 b58 b57 b56
M
Multiplying the vector by the constant 64×64 matrix M over F2
B = A ·M
MixColumns
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Outline
1 Introduction
2 Description of Stribog
3 Representation over F28
4 Conclusions
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
Easier to proveproperties
Motivation
Modifiedstructure of
Rijndael
Moreunderstandable
form
Complex(diff. probability)
Individual(i.e. MDS)
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
Easier to proveproperties
Motivation
Modifiedstructure of
Rijndael
Moreunderstandable
form
Complex(diff. probability)
Individual(i.e. MDS)
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
Easier to proveproperties
Motivation
Modifiedstructure of
Rijndael
Moreunderstandable
form
Complex(diff. probability)
Individual(i.e. MDS)
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
Easier to proveproperties
Motivation
Modifiedstructure of
Rijndael
Moreunderstandable
form
Complex(diff. probability)
Individual(i.e. MDS)
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Motivation
Easier to proveproperties
Motivation
Modifiedstructure of
Rijndael
Moreunderstandable
form
Complex(diff. probability)
Individual(i.e. MDS)
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
State Representation
Alternative representation
Reverse input bits
AES-like transformations (state as in Grøstl/AES)
Reverse output bits
B0, B1, . . . , B63 B′0, B
′1, . . . , B
′63
b0, b1, . . . , b511 b511, b510, . . . , b0(Inv)ReverseBits
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Transposition and SubBytes Operations
Transposition is invariant operation.
Substitution has the form F (x) = D ◦G ◦D(x) forlinearized polynomial D : F2n 7→ F2n .
0 1 2 3 4 5 6 7 8 9 A B C D E F0 3F FB D7 E0 9F E5 A8 04 97 07 AD 87 A0 B5 4C 9A1 DF EB 4F 0C 81 58 CF D3 E8 3B FD B1 60 31 B6 8B2 F3 7C 57 61 47 78 08 B4 C9 5E 10 32 C7 E4 FF 673 C4 3E BF 11 D1 26 B9 7D 28 72 39 53 FE 96 C3 9C4 BB 24 34 CD A6 06 69 E6 0F 37 70 C1 40 62 98 2E5 5F 6B 16 D6 3C 1C 1E A4 8F 14 C8 55 B7 A5 63 F56 8C C2 12 B8 F7 46 59 90 99 0D 6E 1F F1 AA 51 2D7 20 9D 73 E7 71 64 4D 36 FA 50 BA A1 CB A9 B0 C68 77 AF 2C 1A 18 E9 85 8E EE F0 0E D8 21 A2 AE 659 23 9E 54 EC 38 1D 89 D9 6C 17 4E CA D0 C5 2A 66A 76 15 13 35 3A 00 DE D4 74 29 30 FC 56 7A AC 2FB A3 44 5C 9B 80 F9 79 A7 B3 CC ED 1B 2B AB BD D2C 88 95 8A 02 5A CE 94 25 DB 7B 6A 92 75 49 BC 4BD 5B 6F 45 27 42 41 F6 0B DD 0A E2 09 19 BE 01 43E 68 93 D5 EF 84 22 E3 DA 5D 3D 48 7F 05 F4 7E 03F B2 C0 33 91 F2 82 8D 4A 83 52 E1 86 F8 DC EA 6D
Table : The Substitution F for AES-like Description
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Transposition and SubBytes Operations
Transposition is invariant operation.
Substitution has the form F (x) = D ◦G ◦D(x) forlinearized polynomial D : F2n 7→ F2n .
0 1 2 3 4 5 6 7 8 9 A B C D E F0 3F FB D7 E0 9F E5 A8 04 97 07 AD 87 A0 B5 4C 9A1 DF EB 4F 0C 81 58 CF D3 E8 3B FD B1 60 31 B6 8B2 F3 7C 57 61 47 78 08 B4 C9 5E 10 32 C7 E4 FF 673 C4 3E BF 11 D1 26 B9 7D 28 72 39 53 FE 96 C3 9C4 BB 24 34 CD A6 06 69 E6 0F 37 70 C1 40 62 98 2E5 5F 6B 16 D6 3C 1C 1E A4 8F 14 C8 55 B7 A5 63 F56 8C C2 12 B8 F7 46 59 90 99 0D 6E 1F F1 AA 51 2D7 20 9D 73 E7 71 64 4D 36 FA 50 BA A1 CB A9 B0 C68 77 AF 2C 1A 18 E9 85 8E EE F0 0E D8 21 A2 AE 659 23 9E 54 EC 38 1D 89 D9 6C 17 4E CA D0 C5 2A 66A 76 15 13 35 3A 00 DE D4 74 29 30 FC 56 7A AC 2FB A3 44 5C 9B 80 F9 79 A7 B3 CC ED 1B 2B AB BD D2C 88 95 8A 02 5A CE 94 25 DB 7B 6A 92 75 49 BC 4BD 5B 6F 45 27 42 41 F6 0B DD 0A E2 09 19 BE 01 43E 68 93 D5 EF 84 22 E3 DA 5D 3D 48 7F 05 F4 7E 03F B2 C0 33 91 F2 82 8D 4A 83 52 E1 86 F8 DC EA 6D
Table : The Substitution F for AES-like Description
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
The are exist at least three forms:
1 representation over F2n
2 representation over F2
1 matrix form2 system of equations
F2n F2
easy
hard
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
The are exist at least three forms:
1 representation over F2n
2 representation over F2
1 matrix form2 system of equations
F2n F2
easy
hard
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
The are exist at least three forms:
1 representation over F2n
2 representation over F2
1 matrix form2 system of equations
F2n F2
easy
hard
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
Any multiplication mapping F2n 7→ F2n is a lineartransformation of a vector space over F2 for specified basis.
Multiplication by arbitrary δ ∈ F28 can be represented asmultiplication on a matrix
δx =
k0,0 · · · k0,7k1,0 · · · k1,7
.... . .
...k7,0 · · · k7,7
·x0x1. . .x7
with xi, kj,s ∈ F2.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
Let L : Fn2 7→ Fn
2 be a linear function of the form
L(x) =n−1∑i=0
δix2i .
Proposition [5]
Any linear function L : Fn2 7→ Fm
2 can be converted to a matrixwith the complexity O(n).
L(x) = δx, δi = 0, for 1 ≤ i ≤ n− 1.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
Let L : Fn2 7→ Fn
2 be a linear function of the form
L(x) =n−1∑i=0
δix2i .
Proposition [5]
Any linear function L : Fn2 7→ Fm
2 can be converted to a matrixwith the complexity O(n).
L(x) = δx, δi = 0, for 1 ≤ i ≤ n− 1.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
Let L : Fn2 7→ Fn
2 be a linear function of the form
L(x) =n−1∑i=0
δix2i .
Proposition [5]
Any linear function L : Fn2 7→ Fm
2 can be converted to a matrixwith the complexity O(n).
L(x) = δx, δi = 0, for 1 ≤ i ≤ n− 1.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
The main steps of algorithm for obtaining MDS matrix overF28 from 64× 64 matrix over F2
1 for every irreducible polynomial (30)1 convert each 8× 8 submatrices to the element of the
filed2 check MDS property of the resulting matrix
Hint
It is necessary to transpose matrix of Stribog before applyingthe algorithm.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Representation of MixColumns
The main steps of algorithm for obtaining MDS matrix overF28 from 64× 64 matrix over F2
1 for every irreducible polynomial (30)1 convert each 8× 8 submatrices to the element of the
filed2 check MDS property of the resulting matrix
Hint
It is necessary to transpose matrix of Stribog before applyingthe algorithm.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
MixColumns
a7
a6
a5
a4
a3
a2
a1
a0
a15
a14
a13
a12
a11
a10
a9
a8
a23
a22
a21
a20
a19
a18
a17
a16
a31
a30
a29
a28
a27
a26
a25
a24
a39
a38
a37
a36
a35
a34
a33
a32
a47
a46
a45
a44
a43
a42
a41
a40
a55
a54
a53
a52
a51
a50
a49
a48
a63
a62
a61
a60
a59
a58
a57
a56
b7
b6
b5
b4
b3
b2
b1
b0
b15
b14
b13
b12
b11
b10
b9
b8
b23
b22
b21
b20
b19
b18
b17
b16
b31
b30
b29
b28
b27
b26
b25
b24
b39
b38
b37
b36
b35
b34
b33
b32
b47
b46
b45
b44
b43
b42
b41
b40
b55
b54
b53
b52
b51
b50
b49
b48
b63
b62
b61
b60
b59
b58
b57
b56
0E
2D
05
D4
E5
5F
04
71
02
F1
71
81
01
CB
88
05
F6
E7
5E
1C
54
AD
5B
09
8A
28
66
FA
BA
0F
B2
B9
15
55
17
39
0F
BA
E4
61
9D
A0
1C
5E
11
2C
36
A2
39
4C
D0
15
2A
04
5F
27
71
9A
02
24
76
A5
65
0E
a55
a54
a53
a52
a51
a50
a49
a48
b55
b54
b53
b52
b51
b50
b49
b48
Multiplying the vector by the constant 8×8 matrix G over F28
with the primitive polynomial f(x) = x8 + x6 + x5 + x4 + 1
B = G · A
×
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Modified Compression Function
Original Function
E
F
hi
⊕
⊕hi−1 N mi
g
L
P
S
hi−1N
Modified Function
E
F
hi
⊕
⊕hi−1 N mi
D D D
D
g
L
P
S
hi−1N
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is based on GOST 34.11-94 as well ason AES.
It is planned to replace existing standard34.11-94 in 2013.Is Stribog 20% faster than GOST 34.11-94?
No, it is slower.
More details on github.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is based on GOST 34.11-94 as well ason AES.
It is planned to replace existing standard34.11-94 in 2013.
Is Stribog 20% faster than GOST 34.11-94?
No, it is slower.
More details on github.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is based on GOST 34.11-94 as well ason AES.
It is planned to replace existing standard34.11-94 in 2013.Is Stribog 20% faster than GOST 34.11-94?
No, it is slower.
More details on github.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is based on GOST 34.11-94 as well ason AES.
It is planned to replace existing standard34.11-94 in 2013.Is Stribog 20% faster than GOST 34.11-94?
No, it is slower.
More details on github.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Conclusions
Stribog is based on GOST 34.11-94 as well ason AES.
It is planned to replace existing standard34.11-94 in 2013.Is Stribog 20% faster than GOST 34.11-94?
No, it is slower.
More details on github.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
References
F. Mendel, N. Pramstaller, C. Rechberger, M. Kontak, andJ. Szmidt. Cryptanalysis of the GOST hash function. InD. Wagner, editor, Advances in Cryptology CRYPTO 2008,volume 5157 of LNCS, pages 162–178.
Matuhin D.V., Shyshkin V.A., Rudskoy V.I.: Prospectivehashing algorithm. RusCrypto’2010, 2010. (In Russian).
GOST 34.11-20 , Information technology. Cryptographic datasecurity. Hash function. Prototype (version 1).http://infotecs.ru/laws/gost/proj/gost3411.pdf. (InRussian).
R. Oliynykov, I. Gorbenko, V. Dolgov, V. Ruzhentsev, Resultsof Ukrainian National Public Cryptographic Competition,Tatra Mt. Math. Publ. 47 2010, 99–113. http://www.sav.sk/journals/uploads/0317154006ogdr.pdf.
L. Budaghyan, O. Kazymyrov, Verification of RestrictedEA-Equivalence for Vectorial Boolean Functions. WAIFI 2012,pp. 108-118.
Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”
Recommended