Cryptanalysis of the GOST Hash Function

Florian Mendel

Joint work with: Norbert Pramstaller, Christian Rechberger, Marcin Kontak, and Janusz Szmidt

Institute for Applied Information Processing and Communications (IAIK) - Krypto Group Faculty of Computer Science Graz University of Technology IAIK Krypto Group Outline

ƒ Motivation ƒ Description of GOST ƒ Related Work ƒ Cryptanalysis ƒA preimage attack on the hash function ƒA collision attack on the hash function ƒ Conclusion

Cryptanalysis of the GOST Hash Function 2 IAIK Krypto Group Motivation

ƒ Russian government standard (GOST-R-34.11-94)

ƒ Russian Digital Signature Algorithm (GOST-R-34.10-94 and GOST-R 34.10-2001)

ƒ Specified in several RFCs

ƒ Implemented in SSL (openSSL)

ƒ ….

Cryptanalysis of the GOST Hash Function 3 IAIK Krypto Group The GOST Hash Function

ƒ The GOST hash function was published 1994

ƒ Iterated Hash Function processes 256-bit blocks and produces a 256-bit hash value

Cryptanalysis of the GOST Hash Function 4 IAIK Krypto Group The compression function of GOST

ƒ The compression function of GOST consists of 3 parts

ƒ State Update Transformation

ƒ Key Generation

ƒ Output Transformation

Cryptanalysis of the GOST Hash Function 5 IAIK Krypto Group The State Update Transformation

Takes as input the intermediate

hash value Hi-1 and the key K to compute S

where E denotes an encryption with the GOST block cipher

Cryptanalysis of the GOST Hash Function 6 IAIK Krypto Group The Key Generation

ƒ Takes as input the intermediate hash value Hi-1 and the message block Mi to compute the 1024-bit key K

where A and P are linear transformations.

Cryptanalysis of the GOST Hash Function 7 IAIK Krypto Group The Output Transformation

ƒ The output transformation combines the intermediate hash

value Hi-1, the message block Mi and the output of the state update transformation S to compute the output Hi

The linear transformation is given by

where

Cryptanalysis of the GOST Hash Function 8 IAIK Krypto Group

Cryptanalysis

Cryptanalysis of the GOST Hash Function 9 IAIK Krypto Group Security requirements

ƒ Preimage resistance ƒ Attack complexity should be 2n

ƒ Second-Preimage resistance ƒ Attack complexity should be 2n

ƒ Collision resistance ƒ Attack complexity should be 2n/2

Cryptanalysis of the GOST Hash Function 10 IAIK Krypto Group Related Work

Cryptanalysis of the GOST Hash Function 11 IAIK Krypto Group Basic Attack Strategy

ƒ Construct pairs (Hi-1 , Mi) where parts of S (64 bits) are equal ƒ If we can construct these pairs efficiently then we can construct a pseudo-preimage with a complexity of about 2192

Cryptanalysis of the GOST Hash Function 12 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ Since the output transformation of GOST

is linear, it can be also written as

ƒ Furthermore, is invertible and hence, can be written as

X YZ

Cryptanalysis of the GOST Hash Function 13 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ Split the words X,Y,Z into 64-bit words

then the previous equation can be written as:

Cryptanalysis of the GOST Hash Function 14 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ We want to construct pairs (Hi-1 , Mi) where s0 = E(k0 , h0) is equal for each pair

ƒ k0 depends linearly on Hi-1 and Mi :

ƒ To keep s0 constant the following equations have to be fulfilled

Cryptanalysis of the GOST Hash Function 15 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ We want to construct pairs (Hi-1 , Mi) where s0 = E(k0 , h0) is equal for each pair

ƒ k0 depends linearly on Hi-1 and Mi :

ƒ To keep s0 constant the following equations have to be fulfilled

Cryptanalysis of the GOST Hash Function 16 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ We want to construct pairs (Hi-1 , Mi) where s0 = E(k0 , h0) is equal for each pair

ƒ k0 depends linearly on Hi-1 and Mi :

ƒ To keep s0 constant the following equations have to be fulfilled

Cryptanalysis of the GOST Hash Function 17 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ We want to construct pairs (Hi-1 , Mi) where s0 = E(k0 , h0) is equal for each pair

ƒ k0 depends linearly on Hi-1 and Mi :

ƒ To keep s0 constant the following equations have to be fulfilled

arbitrary

Cryptanalysis of the GOST Hash Function 18 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ Once we have fixed k0 and h0 and hence s0, we have to fix y0 and z0 to guarantee that

is correct with and

ƒ This adds the following equation

to the system of equations over GF(2)

Cryptanalysis of the GOST Hash Function 19 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ In total we get a system of 6*64 linear equations in 8*64 variables over GF(2)

ƒ We use this to construct a pseudo-preimage for the compression function of GOST

Cryptanalysis of the GOST Hash Function 20 IAIK Krypto Group Pseudo-Preimage for the Compression Function

ƒ By solving this system of equations over GF(2) we get 2128 pairs (Hi-1 , Mi), where x0 is correct.

ƒ For each pair compute X and check if x1, x2, x3 are correct

ƒ After testing all 2128 pairs we will find a correct pair with probability 2-64

ƒ By repeating the attack about 264 times (with different values for a, b0, b1, b2, b3) we will find a pseudo-preimage for the compression function of GOST

ƒ Constructing a pseudo-preimage has a complexity of 2192

Cryptanalysis of the GOST Hash Function 21 IAIK Krypto Group A Preimage for the Hash Function

How can we turn the pseudo-preimage attack on the compression function into a preimage attack on the hash function?

Cryptanalysis of the GOST Hash Function 22 IAIK Krypto Group A Preimage for the Hash Function

How can we turn the pseudo-preimage attack on the compression function into a preimage attack on the hash function?

Problems: ƒ Checksum over all message words ƒ Padding

Cryptanalysis of the GOST Hash Function 23 IAIK Krypto Group Outline of the Attack

ƒ Assume we want to construct a preimage for GOST consisting of 257 message blocks

ƒ The attack basically consist of 4 steps

Cryptanalysis of the GOST Hash Function 24 IAIK Krypto Group Outline of the Attack

ƒ STEP 1 ƒ Construct 232 pseudo-preimages for the last iteration of GOST and save the 232 pairs in the list L ƒ This has a complexity of about 2224 evaluations of the compression function of GOST

Cryptanalysis of the GOST Hash Function 25 IAIK Krypto Group Outline of the Attack

ƒ STEP 2 ƒ Construct a 2256 multicollision for the first 256 message blocks ƒ Thus, we have 2256 messages

which all lead to the same intermediate hash value H256.

Cryptanalysis of the GOST Hash Function 26 IAIK Krypto Group Outline of the Attack

ƒ STEP 3

ƒ Find a message block M257 such that for the given H256 and |M| we find a H258 which is also contained in the list L ƒ This has a complexity of about 2225 evaluations of the compression function of GOST

Cryptanalysis of the GOST Hash Function 27 IAIK Krypto Group Outline of the Attack

ƒ STEP 4 ƒ From the set of 2256 messages find a message that lead to ƒ This can be done by applying a meet-in-the-middle approach

Cryptanalysis of the GOST Hash Function 28 IAIK Krypto Group STEP 4: Constructing the needed value in the checksum

ƒ From a set of 2256 messages we have to find a message M* that leads to the needed value

Outline of the attack: ƒ Save all 2128 values for in the list L ƒ For all values check if there is a entry in the list L

After testing at most 2128 values we expect to find a matching entry in the list L

Cryptanalysis of the GOST Hash Function 29 IAIK Krypto Group Complexity of the Attack

ƒ The complexity of the attack is dominated by STEP 1 and STEP 3 of the attack.

STEP 1 STEP 2 STEP 3 STEP 4 2224 2137 2225 2129

ƒ Note that a memory less variant of the meet-in-the-middle attack can be used in STEP 4 of the attack to reduce the memory requirements.

Cryptanalysis of the GOST Hash Function 30 IAIK Krypto Group Complexity of the Attack

ƒ The complexity of the attack is dominated by STEP 1 and STEP 3 of the attack.

STEP 1 STEP 2 STEP 3 STEP 4 2224 2137 2225 2129

ƒ Note that a memory less variant of the meet-in-the-middle attack can be used in STEP 4 of the attack to reduce the memory requirements.

STEP 1 STEP 2 STEP 3 STEP 4 238 213 --

Cryptanalysis of the GOST Hash Function 31 IAIK Krypto Group Summary

ƒ We have shown a pseudo-preimage attack on the compression function of GOST with a complexity of 2192

ƒ We have shown a preimage attack on the GOST hash function with a complexity of about 2225 and memory requirements of 238 bytes

ƒ Both attacks are independent of the GOST block cipher

Cryptanalysis of the GOST Hash Function 32 IAIK Krypto Group The GOST Block Cipher

ƒ The block cipher was published in 1989 ƒ It is Russian government standard (GOST 28147-89)

ƒ Block size: 64 bits PLAINTEXT ƒ Key size of 256 bits 64

KEY 256 64

CIPHERTEXT

Cryptanalysis of the GOST Hash Function 33 IAIK Krypto Group The GOST Block Cipher

ƒ 32-round Feistel network

ƒ 32-bit round key sKi

ƒ Simple Key Schedule

where

Cryptanalysis of the GOST Hash Function 34 IAIK Krypto Group A fixed-point in the GOST Block Cipher

ƒ If we can construct a fixed-point in the first 8 rounds of GOST,

then we have also a fixed-point for 32 round if L0=R0

ƒ Construction a fixed-point in the first 8 rounds is easy, since each word of the key is only used once

ƒ Example: L0= R0= 0

1 34A451AA C2DF23D8 CAE90664 C3965FE0 E9298408 C5987119 5FC1DA30 B1A5E9DB 2 FF48B08A 3C3812E3 8F78C57E 9742312A 769D919D D269902E 5782AEAF B515779F 3 31E4AE5A E8FB14D0 47B5C0F1 3F07C5D9 CA156F01 CE2BEABB A20F384D 26776A13 4 A8E418B8 6C759B2C ADE4574B B7F93FA1 D40E9A48 6D324773 43ECC12D CBC28A89 5 1F27086C 524D5E31 07395FDE 7056AF86 D26A644D D2F37938 3D0BF7DE C5109C6D 6 4067D0F7 D31A7AD9 0DA7E0C2 F4975099 285C0267 8CB7C0A6 8A7FA3EC 62A65517 7 A222761E 6DB7D3CB 4A6C316B 65103CC8 75402050 DEB5DDC5 E470253F 487334D5 8 0ABDC454 18E4D226 6BDDFCC4 C477B694 5D39FB39 E50480CC B074FF43 3B388231

Cryptanalysis of the GOST Hash Function 35 IAIK Krypto Group Improving the Preimage Attack on the Hash Function

ƒ We want to construct many message blocks Mi where s0 = E(k0 , h0) is equal for a fixed value of Hi-1 (h0 = 0)

ƒ Now x0 depends linearly on Hi-1 and Mi, to guarantee that x0 is correct the following equation has to be fulfilled:

Cryptanalysis of the GOST Hash Function 36 IAIK Krypto Group Improving the Preimage Attack on the Hash Function

ƒ We want to construct many message blocks Mi where s0 = E(k0 , h0) is equal for a fixed value of Hi-1 (h0 = 0)

ƒ Now x0 depends linearly on Hi-1 and Mi, to guarantee that x0 is correct the following equation has to be fulfilled:

Cryptanalysis of the GOST Hash Function 37 IAIK Krypto Group Improving the Preimage Attack on the Hash Function

ƒ We want to construct many message blocks Mi where s0 = E(k0 , h0) is equal for a fixed value of Hi-1 (h0 = 0)

ƒ Now x0 depends linearly on Hi-1 and Mi, to guarantee that x0 is correct the following equation has to be fulfilled:

Cryptanalysis of the GOST Hash Function 38 IAIK Krypto Group Improving the Preimage Attack on the Hash Function

ƒ Since z0 depends linearly on Mi this restricts our choices of the key k0 =

ƒ Hence, constructing a fixed-point for gets more complicated

ƒ But still: ƒ To construct a fixed-point in the GOST block cipher we only

need to construct a fixed-point in the first 8 rounds if h0 = 0 ƒ In the first 8 rounds each word of the key is only used once

Cryptanalysis of the GOST Hash Function 39 IAIK Krypto Group Improving the Preimage Attack on the Hash Function

ƒ Since z0 depends linearly on Mi this restricts our choices of the key k0 =

ƒ Hence, constructing a fixed-point for gets more complicated

ƒ But still: ƒ To construct a fixed-point in the GOST block cipher we only

need to construct a fixed-point in the first 8 rounds if h0 = 0 ƒ In the first 8 rounds each word of the key is only used once

Cryptanalysis of the GOST Hash Function 40 IAIK Krypto Group Improving the Preimage Attack on the Hash Function

ƒ Since z0 depends linearly on Mi this restricts our choices of the key k0 =

ƒ Hence, constructing a fixed-point for gets more complicated

ƒ But still: ƒ To construct a fixed-point in the GOST block cipher we only

need to construct a fixed-point in the first 8 rounds if h0 = 0 ƒ In the first 8 rounds each word of the key is only used once

Cryptanalysis of the GOST Hash Function 41 IAIK Krypto Group Constructing many fixed-points

ƒ We use a meet in the middle attack to construct 264 fixed-points with a complexity of about 264 evaluations of the GOST block cipher

264 264

h0= 0 rounds 1-4 rounds 5-8 h0= 0 forward backward

sk0 , sk1 , sk2 , sk3 sk4 , sk5 , sk6 , sk7

Note that the choice of the 8 subkeys sk0 ,…,sk7 is restricted by 64 equations over GF(2)

Cryptanalysis of the GOST Hash Function 42 IAIK Krypto Group Improving the Preimage Attack on the Hash Function

64 ƒ With this method we get 2 message blocks Mi , where x0 is correct.

ƒ We can repeat the attack 264 times to construct 2128

message blocks Mi , where x0 is correct.

ƒ For each message block we compute X and check if x1, x2, x3 are correct

ƒ After testing all 2128 message blocks we will find a correct message block with probability 2-64

Cryptanalysis of the GOST Hash Function 43 IAIK Krypto Group Outline of the Attack

ƒ Again assume we want to construct a preimage for GOST consisting of 257 message blocks

ƒ The attack basically consist of 4 steps

Cryptanalysis of the GOST Hash Function 44 IAIK Krypto Group Outline of the Attack

ƒ STEP 1 ƒ Construct a 2256 multicollision for the first 256 message blocks ƒ Thus, we have 2256 messages

which all lead to the same intermediate hash value H256.

Cryptanalysis of the GOST Hash Function 45 IAIK Krypto Group Outline of the Attack

ƒ STEP 2

ƒ Find a message block M257 such that for the given H256 and |M| we find a H258 with h0 = 0 ƒ This has a complexity of about 264 evaluations of the compression function of GOST

Cryptanalysis of the GOST Hash Function 46 IAIK Krypto Group Outline of the Attack

ƒ STEP 3 ƒ Construct a preimage for the last iteration of the GOST hash function by constructing 2128 fixed-points (probability 2-64). ƒ If no preimage is found then go back to STEP 2

Cryptanalysis of the GOST Hash Function 47 IAIK Krypto Group Outline of the Attack

ƒ STEP 4 ƒ From the set of 2256 messages find a message that lead to ƒ This can be done by applying a meet-in-the-middle approach

Cryptanalysis of the GOST Hash Function 48 IAIK Krypto Group Complexity of the Attack

ƒ The complexity of the attack is dominated by STEP 3 of the attack.

STEP 1 STEP 2 STEP 3 STEP 4 2137 264 * 264 264 * 2128 2129

ƒ The memory requirements of the attack are dominated by STEP 3 of the attack

STEP 1 STEP 2 STEP 3 STEP 4 213 -269 -

Cryptanalysis of the GOST Hash Function 49 IAIK Krypto Group A Remark on Collision Attacks on GOST

96 ƒ Since we can construct 2 message blocks Mi which all produce the same x0 we can construct a collision for the compression function (birthday attack)

ƒ Again we can use multicollisions to turn the collision attack on the compression function into a collision attack on the hash function

ƒ To construct also a collision in the checksum we use a generalized birthday attack to reduce the complexity of this step of the attack

ƒ The collision attack has a complexity of about 2105 << 2128

Cryptanalysis of the GOST Hash Function 50 IAIK Krypto Group Summary of Results

ƒ By exploiting special properties of the compression function of GOST block cipher we can construct preimages for the hash function with a complexity of about 2225 and memory requirements of 238 bytes

ƒ By exploiting special properties of the GOST block cipher we can find ƒ Preimages for the GOST hash function with a complexity of about 2192 and memory requirements of 269 bytes ƒ Collisions GOST hash function with a complexity of about 2105 and memory requirements of 269 bytes

Cryptanalysis of the GOST Hash Function 51 IAIK Krypto Group

Thank you for your Attention

Cryptanalysis of the GOST Hash Function 52