GOST R 34.11-2012: Streebog Hash Function Abstract This site provides information and source code for the Russian Federal standard hash function "GOST R 34.11-2012", which is one of the Russian cryptographic standard algorithms (called GOST algorithms). This hash function is called "Streebog". Streebog supposed to be the god of rash wind in ancient Slavic mythology. The standard published as RFC 6986. Source code The C source code for Streebog CLI utility available on this site. The program can calculate GOST R 34.11-2012 for string, files and arbitrary stream data. It outputs the resulting hash digest in hexadecimal format. General Information 1. GOST R 34.11-2012 was developed by the Center for Information Protection and Special Communications of the Federal Security Service of the Russian Federation with participation of the Open joint-stock company "Information Technologies and Communication Systems" (InfoTeCS JSC). 2. GOST R 34.11-2012 was approved and introduced by Decree #216 of the Federal Agency on Technical Regulating and Metrology on 07.08.2012. 3. GOST R 34.11-2012 intended to replace GOST R 34.11-94 national standard of Russian Federation. Scope GOST R 34.11-2012 establishes the hash-function algorithm and the hash-function calculation procedure for any sequence of binary symbols used in cryptographic methods of information processing and information security, including techniques for providing data integrity and authenticity, and for digital signatures during information transfer, information processing and information storage in computer-aided systems The hash-function provides operation of digital signature systems using the asymmetric cryptographic algorithm in compliance with GOST R 34.10-2012. Internals Actually Streebog is a family of cryptographic hash-functions: one with hash-code length 512 bits and another with hash-code length 256 bits. The only difference between these hash-functions is different IVs and truncation of the output in 256-bit variant. As a basic construction simplified HAIFA framework is used with Streebog. Each compression function which takes the message block depends on the number of bits hashed so far. Together with finalization part of the algorithm this prevents from second pre-image attacks like Kelsey and Schneier and herding attack. Finalization part of Streebog consists of two consecutive invocations of a compression function. Message blocks for them are: the length for the whole processed message (MD-strengthening) and the sum of all precessed message blocks modulo 2^512. Proposed finalization part makes many attacks harder to apply. These attacks include multi-collision attacks, differential attacks, rebound attack etc. Likewise finalization part and counter of the number of bits hashed so far prevents length-extension attack. The main difference of Streebog hash-function from its predecessor, GOST R 34.11-94 is in compression function. Compression function in Streebog is built from a block cipher with Miyaguchi-Preneel mode, where block cipher is AES- and Whirlpool-like substitution-permutation network with block and key length equal to 512. There are 12 full and one (the last one) simplified rounds. Full round consists of xoring round key, substitution step - the S-box applies to each byte of the state, and linear transformation for the whole state. Simplified round is just xoring round key. Compression function Base primitive operation in compression function denoted LPS is a chained application of three transforms: 1. S - nonlinear bijection. Treats 512 operand bits as an array of 64 bytes and replaces each of them according to the predefined substitution table; 2. P - byte reordering. Rearranges operand bytes as per the standard; 3. L - linear transformation. Operand is treated as 8 64-bit vectors and each of them is replaced by the result of multiplication over GF(2) with a predefined 64x64 matrix. Transformation P, as specified in the standard, is essentially a transpose operation on a 8x8 byte matrix. Pre-calculations can be made for the matrix multiplication calculation to be done per byte. Only LPS and bitwise XOR of 512-bit blocks are used in compression function. Together with addition modulo 2^512, these are the only operations used in Streebog hash-function. Every output of the compression function depends on its output for the previous block, it is impossible to distribute its calculation for blocks of the same message. This problem is not specific to Streebog and is shared by most hash-functions, limiting the set of applications where parallel hash-function calculation is beneficial. References * RFC6986: GOST R 34.11-2012: Hash Function * Assymetric Reply to SHA-3: Russian Hash Function Draft Standard by Sergey Grebnev, Andrey Dmukh, Denis Dygin, Dmirty Matyukhin, Vladimir Rudskoy and Vasily Shishkin. * Implementation of Streebog cryptographic hash function family on NVIDIA CUDA platform by Pavel A. Lebedev.