Abstract
In this paper, we present improved preimage attacks on the reduced-round GOST hash function family, which serves as the new Russian hash standard, with the aid of techniques such as the rebound attack, the Meet-in-the-Middle preimage attack and the multicollisions. Firstly, the preimage attack on 5-round GOST-256 is proposed which is the first preimage attack for GOST-256 at the hash function level. Then we extend the (previous) attacks on 5-round GOST-256 and 6-round GOST-512 to 6.5 and 7.5 rounds respectively by exploiting the involution property of the GOST transposition operation.
Secondly, inspired by the preimage attack on GOST-256, we also study the impacts of four representative truncation patterns on the resistance of the Meet-in-the-Middle preimage attack against AES-like compression functions, and propose two stronger truncation patterns which make it more difficult to launch this type of attack. Based on our investigations, we are able to slightly improve the previous pseudo preimage attacks on reduced-round Grøstl-256.
This work was supported by the National High Technology Research and Development Program of China (863 Program, No.2013AA014002) and the National Natural Science Foundation of China (No.61379137).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Actually, similar observations have already been adopted [40], in which preimage attack on 7-round AES hashing modes was constructed by omitting the last MixColumn operation, but it is natural for AES since there is no MixColumn operation in the last round of AES. However, the omission of MixColumn/MixRow in the last round is mainly adopted by block ciphers to achieve implementation advantage in the decryption algorithm, but such omission might be improper under the hash function setting since inverse computation is commonly not required for hash functions.
- 2.
A pseudo preimage is a preimage whose input chaining value is not equal to the given chaining value.
- 3.
Similar to the pseudo preimage attack on Grøstl [44], although the match point is cut to half by the feed-forward operation, the indirect-partial-matching is still only related to the preserved parts of the digest, and contains no information of the truncated parts.
- 4.
Note that \(r=4\) satisfy the above requirement \(r\le 4\) of Case 1.
References
AlTawy, R., Kircanski, A., Youssef, A.M.: Rebound attacks on stribog. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 175–188. Springer, Heidelberg (2014)
AlTawy, R., Youssef, A.M.: Preimage attacks on reduced-round stribog. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 109–125. Springer, Heidelberg (2014)
Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for step-reduced SHA-2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578–597. Springer, Heidelberg (2009)
Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009)
Aumasson, J.P., Henzen, L., Meier, W., Phan, R.C.W.: SHA-3 proposal BLAKE. Submission to NIST (Round 3) (2010). http://131002.net/blake/
Barreto, P., Rijmen, V.: The whirlpool hashing function. Submitted to NESSIE, September 2000. http://www.larc.usp.br/ pbarreto/WhirlpoolPage.html
Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 proposal: ECHO. Submission to NIST (updated) (2009). http://crypto.rd.francetelecom.com/ECHO/
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The keccak reference. Submission to NIST (Round 3) (2011). http://keccak.noekeon.org/Keccak-reference-3.0.pdf
Biham, E., Dunkelman, O.: A framework for iterative hash functions - HAIFA. Cryptology ePrint Archive, Report 2007/278 (2007). http://eprint.iacr.org/2007/278
Biham, E., Dunkelman, O.: The SHAvite-3 hash function. Submission to NIST (Round 2) (2009), http://www.cs.technion.ac.il/orrd/SHAvite-3/
Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 429–443. Springer, Heidelberg (2008)
Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001)
Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
Dolmatov, V., Degtyarev, A.: GOST R 34.11-2012: hash function (2013)
Dolmatov, V., Degtyarev, A.: Request for comments 6986: GOST R 34.11-2012: hash function. Internet Engineering Task Force (IETF) (2013). http://www.ietf.org/rfc/rfc6986.txt
Information protection and special communications of the federal security service of the Russian federation: GOST R 34.11-94, information technology cryptographic data security hashing function (1994). (In Russian)
Information protection and special communications of the federal security service of the Russian federation: GOST R 34.11-2012, information technology cryptographic data security hashing function (2012). http://www.tc26.ru/en/GOSTR3411-2012/GOST_R_34_11-2012_eng.pdf
Gauravaram, P., Kelsey, J.: Linear-XOR and additive checksums don’t protect Damgård-Merkle hashes from generic attacks. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 36–51. Springer, Heidelberg (2008)
Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl-a SHA-3 candidate. Submission to NIST (Round 3) (2011). http://www.groestl.info/Groestl.pdf
Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010)
Guo, J., Jean, J., Leurent, G., Peyrin, T., Wang, L.: The usage of counter revisited: second-preimage attack on new Russian standardized hash function. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 195–211. Springer, Heidelberg (2014)
International Organization for Standardization: ISO/IEC 10118–3:2004: information technology - security techniques - hash-functions - part 3: dedicated hash-functions (2004)
Iwamoto, M., Peyrin, T., Sasaki, Y.: Limited-birthday distinguishers for hash functions. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 504–523. Springer, Heidelberg (2013)
Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
Kazymyrov, O., Kazymyrova, V.: Algebraic aspects of the Russian hash standard GOST R 34.11-2012. Cryptology ePrint Archive, Report 2013/556 (2013). http://eprint.iacr.org/2013/556
Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)
Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2\(^{n}\) work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)
Khovratovich, D., Nikolić, I., Weinmann, R.-P.: Meet-in-the-middle attacks on SHA-3 candidates. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 228–245. Springer, Heidelberg (2009)
Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012)
Knellwolf, S., Khovratovich, D.: New preimage attacks against reduced SHA-1. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 367–383. Springer, Heidelberg (2012)
Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: results on the full whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009)
Ma, B., Li, B., Hao, R., Li, X.: Improved cryptanalysis on reduced-round GOST and whirlpool hash function. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 289–307. Springer, Heidelberg (2014)
Ma, B., Li, B., Hao, R., Li, X.: Improved (Pseudo) preimage attacks on reduced-round GOST and Grøstl-256 and studies on several truncation patterns for AES-like compression functions (Full version). Cryptology ePrint Archive (2015)
Mendel, F., Pramstaller, N., Rechberger, C.: A (Second) preimage attack on the GOST hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 224–234. Springer, Heidelberg (2008)
Mendel, F., Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J.: Cryptanalysis of the GOST hash function. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 162–178. Springer, Heidelberg (2008)
Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)
Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
National Institute of Standards and Technology (NIST): FIPS PUB 180–3: secure hash standard. Federal Information Processing Standards Publication 180–3, U.S. Department of Commerce, October 2008. http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
Sasaki, Y.: Meet-in-the-middle preimage attacks on AES hashing modes and an application to whirlpool. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 378–396. Springer, Heidelberg (2011)
Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)
Sasaki, Y., Wang, L., Wu, S., Wu, W.: Investigating fundamental security requirements on whirlpool: improved preimage and collision attacks. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 562–579. Springer, Heidelberg (2012)
Wang, Z., Yu, H., Wang, X.: Cryptanalysis of GOST R hash function. Cryptology ePrint Archive, Report 2013/584 (2013). http://eprint.iacr.org/2013/584
Wu, S., Feng, D., Wu, W., Guo, J., Dong, L., Zou, J.: (Pseudo)Preimage attack on round-reduced Grøstl hash function and others. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 127–145. Springer, Heidelberg (2012)
Zou, J., Wu, W., Wu, S.: Cryptanalysis of the round-reduced GOST hash function. In: Lin, D., Xu, S., Yung, M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 309–322. Springer, Heidelberg (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Ma, B., Li, B., Hao, R., Li, X. (2015). Improved (Pseudo) Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-like Compression Functions. In: Tanaka, K., Suga, Y. (eds) Advances in Information and Computer Security. IWSEC 2015. Lecture Notes in Computer Science(), vol 9241. Springer, Cham. https://doi.org/10.1007/978-3-319-22425-1_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-22425-1_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22424-4
Online ISBN: 978-3-319-22425-1
eBook Packages: Computer ScienceComputer Science (R0)