Second-Preimage Attack on New Russian Standardized Hash Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Jérémy Jean1

joint work with: Jian Guo1 Gaëtan Leurent2 Thomas Peyrin1 Lei Wang1

1Nanyang Technological University, Singapore

2INRIA, France

SAC 2014 – August 14, 2014 Introduction Our observation Diamond attack Expandable message attack Conclusion Streebog: new Russian hash function.

I New hash function standard in Russia.

I Standardized name: GOST R 34.11-2012

I Nickname of that function: Streebog.

I Previous standard: GOST R 34.11-94. I Theoretical weaknesses. I Rely on the GOST block cipher from the same standard. I This block cipher has also been weakened by third-party cryptanalysis.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 2/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Speciﬁcations: domain extension.

I Two versions: Streebog-256 and Streebog-512. ∗ I 10 padding: m1|| · · · ||mt ||m (blocks of 512 bits). I Compression function: g. 512 I Checksum: Σ, over the message blocks mi (addition modulo 2 ). I Counter: N, HAIFA input to g over the number of processed bits. I Three stages: initialization, message processing and ﬁnalization.

Σ ...

m1 m2 mt m

h1 h2 ht−1 ht ht+1 ht+2 h0 = IV g g ... g g g g h

N ...

512 512 512 |M| 0 0 Stage 1 Stage 2 Stage 3

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 3/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Speciﬁcations: compression function.

I Simpliﬁcation: the counter counts #blocks, not #bits. I g compresses (hi−1, i, mi ) to hi using: hi = f (hi−1 ⊕ i, mi ) ⊕ hi−1. I Our attack is independent of the speciﬁcations of f (deterministic).

i mi g

hi−1 f hi

I g is one instantiation of a HAIFA compression function. I The counter is simply XORed to the input of the f function.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 4/19 ( hi = F (hi−1 ⊕ i, mi ) ⊕ i,

F (x, mi ) = f (x, mi ) ⊕ x.

i mi i

hi−1 f hi ⊕ i

F The function F is independent of the counter value!

Introduction Our observation Diamond attack Expandable message attack Conclusion Equivalent compression function.

i mi

hi−1 f hi

hi =hi−1 ⊕ f (hi−1 ⊕ i, mi ) ⇐⇒

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 5/19 ( hi = F (hi−1 ⊕ i, mi ) ⊕ i,

F (x, mi ) = f (x, mi ) ⊕ x.

hi ⊕ i

F The function F is independent of the counter value!

Introduction Our observation Diamond attack Expandable message attack Conclusion Equivalent compression function.

i mi

hi−1 f hi

hi =hi−1 ⊕ f (hi−1 ⊕ i, mi ) ⇐⇒

i mi

hi−1 f

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 5/19 ( hi = F (hi−1 ⊕ i, mi ) ⊕ i,

F (x, mi ) = f (x, mi ) ⊕ x.

F The function F is independent of the counter value!

Introduction Our observation Diamond attack Expandable message attack Conclusion Equivalent compression function.

i mi

hi−1 f hi

hi =hi−1 ⊕ f (hi−1 ⊕ i, mi ) ⇐⇒

i mi

hi−1 f hi ⊕ i

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 5/19 ( hi = F (hi−1 ⊕ i, mi ) ⊕ i,

F (x, mi ) = f (x, mi ) ⊕ x.

hi ⊕ i

F The function F is independent of the counter value!

Introduction Our observation Diamond attack Expandable message attack Conclusion Equivalent compression function.

i mi

hi−1 f hi

hi =hi−1 ⊕ f (hi−1 ⊕ i, mi ) ⇐⇒

i mi i

hi−1 f hi

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 5/19 hi ⊕ i

Introduction Our observation Diamond attack Expandable message attack Conclusion Equivalent compression function.

i mi

hi−1 f hi

( hi = F (hi−1 ⊕ i, mi ) ⊕ i, hi =hi−1 ⊕ f (hi−1 ⊕ i, mi ) ⇐⇒ F (x, mi ) = f (x, mi ) ⊕ x.

i mi i

hi−1 f hi

F The function F is independent of the counter value!

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 5/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Iteration of the equivalent compression function.

I We have an equivalent representation of the compression function. I Its iteration allows to combine the counter additions.

i mi i i + 1 mi+1 i + 1

hi−1 f f hi+1

F F

∆(i) def= i ⊕ (i + 1), def F∆(i)(X , Y ) = F (X , Y ) ⊕ ∆(i).

i i i + 1 i + 1 i + 2

hi−1 F F hi+1

∆(i) ∆(i+1)

F∆(i) F∆(i+1)

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 6/19 Introduction Our observation Diamond attack Expandable message attack Conclusion

Relations between functions F∆(i) for 1 ≤ i ≤ t (1/2).

Recall that t is the number of full blocks m1|| · · · ||mt ||m, |m| < 512. We observe that:

I For all even i, ∆(i) = i ⊕ (i + 1) = 1. =⇒ The same function F1 is used every other time.

I Sequence of ∆(i) is very structured.

i: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 ∆(i):1317131 151317131 311317131 15

Let s > 0, and denoting hii the s-bit binary representation of i < 2s − 1:

∆(i + 2s )= 1||hii ⊕ 1||hi + 1i = hii ⊕ hi + 1i = ∆(i).

s More generally: F∆(i) = F∆(i+j·2s ) for all 0 ≤ i ≤ 2 − 1 and j ≥ 0.

For example, with s = 2, F1 and F1+22 = F5 are equal.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 7/19 Introduction Our observation Diamond attack Expandable message attack Conclusion

Relations between functions F∆(i) for 1 ≤ i ≤ t (2/2).

Given an integer s > 0, we have:

s ∀i ∈ {0,..., 2 − 2}, ∀j > 0 : F∆(i) = F∆(j·2s +i)

512 − s bits s bits 512 − s bits s bits

0 j

0 j

= 0 = 0

∆(i) ∆(i + j · 2s )

Consequently: s I The same sequence of 2 − 1 functions are used in the domain extension algorithm.

I This seems weaker than a true HAIFA mode.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 8/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Equivalent description of stage 2 of the domain extension.

s I The last function diﬀers in each 2 -chunk. =⇒ We call it Gj = F∆(j×2s −1). s I We deﬁne l as the number of (2 − 1)-chains of F functions: t s l = 2s . Moreover, let p be the remainder of t modulo 2 . I That is: the function F2s −2 ◦ · · · F1 ◦ F0 is reused l times.

0 F2s −2 ◦ · · · F1 ◦ F0

IV F0 F1 ... F2s −2 G1 ......

F0 F1 ... F2s −2 Gl

F0 F1 ... Fp ht

t + 1

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 9/19 Our second-preimage attacks on Streebog (security level: 2512): I Using a diamond structure: 179 I Original message of at least 2 blocks. 342 I 2 compression function evaluations. I Using a expandable message: 259 I Original message of at least 2 blocks. 266 I 2 compression function evaluations.

Introduction Our observation Diamond attack Expandable message attack Conclusion Cryptographic consequences of the HAIFA instantiation.

Streebog is one choice of counter usage from the HAIFA framework.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 10/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Cryptographic consequences of the HAIFA instantiation.

Streebog is one choice of counter usage from the HAIFA framework.

Consequences of this choice: I Counters at steps i and i + 1 can be combined. I Distinction of compression function calls in the HAIFA framework not achieved. I Domain extension similar to a Merkle-Damgård scheme. =⇒ Possibility to apply existing known second-preimage attacks. Our second-preimage attacks on Streebog (security level: 2512): I Using a diamond structure: 179 I Original message of at least 2 blocks. 342 I 2 compression function evaluations. I Using a expandable message: 259 I Original message of at least 2 blocks. 266 I 2 compression function evaluations. SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 10/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Diamond structure (1/2)

F ◦···◦F F Diamond structure: F0 2s −3 1 2s −2

I Introduced in [KK06].

Complete binary tree. 0 I h1 Nodes: chaining values. I 0 m1

Edges: 1-block n-bit messages. s I 22 −1 h

1 I Depth d. m1

1 Construction: h1

I Levels constructed sequentially. (n+d)/2 I Complexity: 2 calls. I Evaluation done in [KK13].

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 11/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Diamond structure (2/2)

F ◦···◦F F Diamond used in our attack: F0 2s −3 1 2s −2

I Root h. s Depth d = 2 − 1. 0 I h1

Fi ’s used to join the levels. I 0 m1 2s −1 #leaves=2 . s I 22 −1 h

1 Remarks: m1

1 I Same function at each level in h1 the original attack on Merkle-Damgård.

I Here, full control of the counter eﬀect in the (2s − 1)-chains with diﬀerent functions Fi .

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 12/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

1. Construction of the diamond. 5. Randomize L blocks to match |M|. & 0 n−d % 2. Randomize m to hit h. 6. Pick about 2 m to hit the diamond. 3. Deduce the counter value N. 7. Evaluate reduced checksum σ. 4. Construct 2512-multicollision. 8. Use multicollision to match Σ − σ.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 % m h ... L random blocks h˜0

& 2d -diamond m

0 h

Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the diamond attack.

1024 L 1 d = 2s − 1 1

h0 h1 h511 % m ˜ h h IV 20 21 ... 2511 L random blocks h˜0 h0 h0 h0 0 1 511 & 2d -diamond m

G1 ◦ (F2s −2 ◦ · · · ◦ F0) G2 ◦ (F2s −2 ◦ · · · ◦ F0) F2s −2 ◦ · · · F0 F Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s p 1 1

l 0 × 2s t − l 0 × 2s

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 13/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Complexity analysis of the diamond attack.

Time complexity T

T = 2(n+d)/2 + 512 × 2n/2 + 2n−log2(l) + 2n−d ,

with:

Construction of the diamond. Joux’s multicollision using 512 two-block messages. Connect the root of the diamond to the original message. Connect the multicollision to one leaf of the diamond.

Minimize with:

s I d = n/3 = 2 − 1 the depth of the diamond, i.e. s = dlog2(n/3)e.

t n/3 n/3+log2(n/3) I as long as l = 2s is l ≥ 2 , i.e. t ≥ d2 e. 342 179 I For Streebog-512: T = 2 for |M| ≥ 2 .

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 14/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Overview of the attack using an expandable message.

1024 L 1

h0 h1 h511 ˜ h h∗ IV 20 21 ... 2511 expandable message: length L 0 0 0 h0 h1 h511 m∗

Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s ∗ p 1 1

N 1. Construct the 2512-multicollision. 2. Construct the expandable message. 0 3. Randomize m∗ to hit h∗. 4. Deduce the counter value. 5. Choose the valid length L and solve the checksum.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 15/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Complexity analysis.

Time complexity T

T = 512 × 2n/2 + 256 × 2n/2 + 2n−l ,

with:

Joux’s multicollision using 512 two-block messages. Construction of the expandable message. t Connect the expandable message to the challenge (l = b 2s c).

Minimize with:

n/2 259 I l > 2 /n, i.e. more than 2 blocks in the original message. n/2 266 I T about n · 2 , i.e.2 CF evaluations (s = 11).

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 16/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Comparison of the two attacks

512 Shorter messages

Diamond ).

2 342 Expandable message 266 Time (log

0 179 259 512

Number of blocks (log2).

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 17/19 Thank you!

Introduction Our observation Diamond attack Expandable message attack Conclusion Conclusion

I We study Streebog, the Russian hashing standard. I The hash function instantiates the HAIFA framework. I We propose an equivalent representation that hijack the counter eﬀect of Streebog-512.

I Consequently, one can reuse previous second-preimage attack strategies:

I using a diamond structure, I using an expandable message. I The two attacks have time complexity T for message length > L: 342 179 I T = 2 and L = 2 , 266 259 I T = 2 and L = 2 .

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 18/19 Introduction Our observation Diamond attack Expandable message attack Conclusion Conclusion

I We study Streebog, the Russian hashing standard. I The hash function instantiates the HAIFA framework. I We propose an equivalent representation that hijack the counter eﬀect of Streebog-512.

I Consequently, one can reuse previous second-preimage attack strategies:

I using a diamond structure, I using an expandable message. I The two attacks have time complexity T for message length > L: 342 179 I T = 2 and L = 2 , 266 259 I T = 2 and L = 2 . Thank you!

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 18/19 Expandable message attack Bibliography Expandable message

I Expandable messages due to [KS05] I Multicollision with diﬀerent lengths: k I t pairs with lengths (1, 2 + 1), 0 ≤ k < t. t t I Set of 2 messages with length in [t, 2 + t − 1]. I All reach the same ﬁnal chaining value x∗. I Construction of a message m of length t + L using the binary representation of L, that link IV to x∗. I Second-preimage attack on MD: I Link x∗ to original message using random blocks. I This gives the length to use in the expandable message. I HAIFA prevents using an expandable message with the counter input.

27 + 1 bl. 26 + 1 bl. 25 + 1 bl. 24 + 1 bl. 23 + 1 bl. 22 + 1 bl. 21 + 1 bl. 0 0 0 0 0 0 0 IV m7/m7 m6/m6 m5/m5 m4/m4 m3/m3 m2/m2 m1/m1 x∗ 1 bl. 1 bl. 1 bl. 1 bl. 1 bl. 1 bl. 1 bl.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 19/19 Expandable message attack Bibliography Expandable messages in Streebog

I Here, the counter input is weak. I We can still apply the expandable message technique: I The functions F∆(i) are independent of the counter, I but the inner calls are not the same (HAIFA, not MD). ˜ I Small example: 4 messages from h to x2. 0 3 I Find (m3, m3) of lengths (1, 2 + 1) colliding on x3. 0 2 I Find (m2, m2) of lengths (1, 2 + 1) colliding on x2. I The 4-message structure has lengths in {2, 6, 10, 14}. m3

x3 x2 m2 x2 x3 x2 m2 x2 h˜ 1 3 1 7 1 3 1 15 1 3 1 7 1 3 1 31 ... 0 0 0 m3 m2 m2 0 0 m3km2 length: 2 0 m3km2 length: 6 0 m3km2 length: 10 m3km2 length: 14

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 20/19 ... expandable message: length L

m∗

Expandable message attack Bibliography Overview of the attack using an expandable message.

1024 L 1

h0 h1 h511 ˜ h h∗ IV 20 21 ... 2511 expandable message: length L 0 0 0 h0 h1 h511 m∗

Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s ∗ p 1 1

N 1. Construct the 2512-multicollision. 2. Construct the expandable message. 0 3. Randomize m∗ to hit h∗. 4. Deduce the counter value. 5. Choose the valid length L and solve the checksum.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 21/19 ... expandable message: length L

m∗

Expandable message attack Bibliography Overview of the attack using an expandable message.

1024 L 1

h0 h1 h511 ˜ h h∗ IV 20 21 ... 2511 expandable message: length L 0 0 0 h0 h1 h511 m∗

Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s ∗ p 1 1

N 1. Construct the 2512-multicollision. 2. Construct the expandable message. 0 3. Randomize m∗ to hit h∗. 4. Deduce the counter value. 5. Choose the valid length L and solve the checksum.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 21/19 ... expandable message: length L

m∗

Expandable message attack Bibliography Overview of the attack using an expandable message.

1024 L 1

h0 h1 h511 ˜ h h∗ IV 20 21 ... 2511 expandable message: length L 0 0 0 h0 h1 h511 m∗

Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s ∗ p 1 1

N 1. Construct the 2512-multicollision. 2. Construct the expandable message. 0 3. Randomize m∗ to hit h∗. 4. Deduce the counter value. 5. Choose the valid length L and solve the checksum.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 21/19 ... expandable message: length L

m∗

Expandable message attack Bibliography Overview of the attack using an expandable message.

1024 L 1

h0 h1 h511 ˜ h h∗ IV 20 21 ... 2511 expandable message: length L 0 0 0 h0 h1 h511 m∗

Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s ∗ p 1 1

N 1. Construct the 2512-multicollision. 2. Construct the expandable message. 0 3. Randomize m∗ to hit h∗. 4. Deduce the counter value. 5. Choose the valid length L and solve the checksum.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 21/19 ... expandable message: length L

m∗

Expandable message attack Bibliography Overview of the attack using an expandable message.

1024 L 1

h0 h1 h511 ˜ h h∗ IV 20 21 ... 2511 expandable message: length L 0 0 0 h0 h1 h511 m∗

Fp−1 ◦ · · · ◦ F0 |M| Σ IV h ...... h0 2s 2s ∗ p 1 1

N 1. Construct the 2512-multicollision. 2. Construct the expandable message. 0 3. Randomize m∗ to hit h∗. 4. Deduce the counter value. 5. Choose the valid length L and solve the checksum.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 21/19 Expandable message attack Bibliography Complexity analysis.

Time complexity T

T = 512 × 2n/2 + 256 × 2n/2 + 2n−l ,

with:

Joux’s multicollision using 512 two-block messages. Construction of the expandable message. t Connect the expandable message to the challenge (l = b 2s c).

Minimize with:

n/2 259 I l > 2 /n, i.e. more than 2 blocks in the original message. n/2 266 I T about n · 2 , i.e.2 CF evaluations (s = 11).

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 22/19 Expandable message attack Bibliography BibliographyI

John Kelsey and Tadayoshi Kohno. Herding hash functions and the Nostradamus attack. In Serge Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 183–200. Springer, May / June 2006. Tuomas Kortelainen and Juha Kortelainen. On diamond structures and trojan message attacks. In Kazue Sako and Palash Sarkar, editors, ASIACRYPT (2), volume 8270 of Lecture Notes in Computer Science, pages 524–539. Springer, 2013. John Kelsey and Bruce Schneier. Second preimages on n-bit hash functions for much less than 2n work. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 474–490. Springer, May 2005.

SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 19/19