[In english | На русском]
GOST R 34.11-2012: Streebog Hash Function
Abstract
This site provides information and source code for the Russian
Federal standard hash function "GOST R 34.11-2012", which is one of
the Russian cryptographic standard algorithms (called GOST
algorithms). This hash function is called "Streebog". Streebog
supposed to be the god of rash wind in ancient Slavic mythology.
The standard published as RFC 6986.
Source code
The C source code for Streebog CLI utility available on this
site. The program can calculate GOST R 34.11-2012 for string, files
and arbitrary stream data. It outputs the resulting hash digest in
hexadecimal format.
Latest version is 0.13.
Browse the source code and usage instructions on GitHub:
https://github.com/adegtyarev/streebog/
Checksums of 0.13.tar.gz:
SHA256:
12ef38893ac631f83301ca4c0e2ac1455f4c2ebee82b4e7d1effed064137c5a6
GOST R 34.11-2012 (256 bit):
946fa60ed9841010d54f90c7ee299efd2b7ffe9755b9b29130695b0df0e72a85
General Information
1. GOST R 34.11-2012 was developed by the Center for Information
Protection and Special Communications of the Federal Security
Service of the Russian Federation with participation of the Open
joint-stock company "Information Technologies and Communication
Systems" (InfoTeCS JSC).
2. GOST R 34.11-2012 was approved and introduced by Decree #216 of
the Federal Agency on Technical Regulating and Metrology on
07.08.2012.
3. GOST R 34.11-2012 intended to replace GOST R 34.11-94 national
standard of Russian Federation.
Scope
GOST R 34.11-2012 establishes the hash-function algorithm and the
hash-function calculation procedure for any sequence of binary
symbols used in cryptographic methods of information processing and
information security, including techniques for providing data
integrity and authenticity, and for digital signatures during
information transfer, information processing and information storage
in computer-aided systems
The hash-function provides operation of digital signature systems
using the asymmetric cryptographic algorithm in compliance with
GOST R 34.10-2012.
Internals
Actually Streebog is a family of cryptographic hash-functions: one
with hash-code length 512 bits and another with hash-code length 256
bits. The only difference between these hash-functions is different
IVs and truncation of the output in 256-bit variant.
As a basic construction simplified HAIFA framework is used with
Streebog. Each compression function which takes the message block
depends on the number of bits hashed so far. Together with
finalization part of the algorithm this prevents from second
pre-image attacks like Kelsey and Schneier and herding attack.
Finalization part of Streebog consists of two consecutive invocations
of a compression function. Message blocks for them are: the length
for the whole processed message (MD-strengthening) and the sum of all
precessed message blocks modulo 2^512. Proposed finalization part
makes many attacks harder to apply. These attacks include
multi-collision attacks, differential attacks, rebound attack etc.
Likewise finalization part and counter of the number of bits hashed
so far prevents length-extension attack.
The main difference of Streebog hash-function from its predecessor,
GOST R 34.11-94 is in compression function. Compression function in
Streebog is built from a block cipher with Miyaguchi-Preneel mode,
where block cipher is AES- and Whirlpool-like
substitution-permutation network with block and key length equal to
512. There are 12 full and one (the last one) simplified rounds.
Full round consists of xoring round key, substitution step - the
S-box applies to each byte of the state, and linear transformation
for the whole state. Simplified round is just xoring round key.
Compression function
Base primitive operation in compression function denoted LPS is a
chained application of three transforms:
1. S - nonlinear bijection. Treats 512 operand bits as an array of 64
bytes and replaces each of them according to the predefined
substitution table;
2. P - byte reordering. Rearranges operand bytes as per the standard;
3. L - linear transformation. Operand is treated as 8 64-bit vectors
and each of them is replaced by the result of multiplication over
GF(2) with a predefined 64x64 matrix.
Transformation P, as specified in the standard, is essentially a
transpose operation on a 8x8 byte matrix. Pre-calculations can be
made for the matrix multiplication calculation to be done per byte.
Only LPS and bitwise XOR of 512-bit blocks are used in compression
function. Together with addition modulo 2^512, these are the only
operations used in Streebog hash-function.
Every output of the compression function depends on its output for
the previous block, it is impossible to distribute its calculation
for blocks of the same message. This problem is not specific to
Streebog and is shared by most hash-functions, limiting the set of
applications where parallel hash-function calculation is beneficial.
References
* RFC6986: GOST R 34.11-2012: Hash Function
* Assymetric Reply to SHA-3: Russian Hash Function Draft Standard
by Sergey Grebnev, Andrey Dmukh, Denis Dygin, Dmirty Matyukhin,
Vladimir Rudskoy and Vasily Shishkin.
* Implementation of Streebog cryptographic hash function family
on NVIDIA CUDA platform
by Pavel A. Lebedev.