[In english | На русском]

           GOST R 34.11-2012: Streebog Hash Function


   This site provides information and source code for the Russian
   Federal standard hash function "GOST R 34.11-2012", which is one of
   the Russian cryptographic standard algorithms (called GOST
   algorithms).  This hash function is called "Streebog".  Streebog
   supposed to be the god of rash wind in ancient Slavic mythology.

   The standard published as RFC 6986.

Source code

   The C source code for Streebog CLI utility available on this
   site.  The program can calculate GOST R 34.11-2012 for string, files
   and arbitrary stream data.  It outputs the resulting hash digest in
   hexadecimal format.
   Latest version is 0.12.
   Browse the source code and usage instructions on GitHub:

   Checksums of 0.12.tar.gz:

   GOST R 34.11-2012 (256 bit):

General Information

   1. GOST R 34.11-2012 was developed by the Center for Information
      Protection and Special Communications of the Federal Security
      Service of the Russian Federation with participation of the Open
      joint-stock company "Information Technologies and Communication
      Systems" (InfoTeCS JSC).

   2. GOST R 34.11-2012 was approved and introduced by Decree #216 of
      the Federal Agency on Technical Regulating and Metrology on

   3. GOST R 34.11-2012 intended to replace GOST R 34.11-94 national
      standard of Russian Federation.


   GOST R 34.11-2012 establishes the hash-function algorithm and the
   hash-function calculation procedure for any sequence of binary
   symbols used in cryptographic methods of information processing and
   information security, including techniques for providing data
   integrity and authenticity, and for digital signatures during
   information transfer, information processing and information storage
   in computer-aided systems

   The hash-function provides operation of digital signature systems
   using the asymmetric cryptographic algorithm in compliance with 
   GOST R 34.10-2012.


   Actually Streebog is a family of cryptographic hash-functions: one
   with hash-code length 512 bits and another with hash-code length 256
   bits.  The only difference between these hash-functions is different
   IVs and truncation of the output in 256-bit variant.

   As a basic construction simplified HAIFA framework is used with
   Streebog.  Each compression function which takes the message block
   depends on the number of bits hashed so far.  Together with
   finalization part of the algorithm this prevents from second
   pre-image attacks like Kelsey and Schneier and herding attack.

   Finalization part of Streebog consists of two consecutive invocations
   of a compression function.  Message blocks for them are: the length
   for the whole processed message (MD-strengthening) and the sum of all
   precessed message blocks modulo 2^512.  Proposed finalization part
   makes many attacks harder to apply.  These attacks include
   multi-collision attacks, differential attacks, rebound attack etc.
   Likewise finalization part and counter of the number of bits hashed
   so far prevents length-extension attack.

   The main difference of Streebog hash-function from its predecessor,
   GOST R 34.11-94 is in compression function.  Compression function in
   Streebog is built from a block cipher with Miyaguchi-Preneel mode,
   where block cipher is AES- and Whirlpool-like
   substitution-permutation network with block and key length equal to
   512.  There are 12 full and one (the last one) simplified rounds.
   Full round consists of xoring round key, substitution step - the
   S-box applies to each byte of the state, and linear transformation
   for the whole state.  Simplified round is just xoring round key.

Compression function

   Base primitive operation in compression function denoted LPS is a
   chained application of three transforms:

   1. S - nonlinear bijection.  Treats 512 operand bits as an array of 64
      bytes and replaces each of them according to the predefined
      substitution table;

   2. P - byte reordering.  Rearranges operand bytes as per the standard;

   3. L - linear transformation.  Operand is treated as 8 64-bit vectors
      and each of them is replaced by the result of multiplication over
      GF(2) with a predefined 64x64 matrix.

   Transformation P, as specified in the standard, is essentially a
   transpose operation on a 8x8 byte matrix.  Pre-calculations can be
   made for the matrix multiplication calculation to be done per byte.

   Only LPS and bitwise XOR of 512-bit blocks are used in compression
   function.  Together with addition modulo 2^512, these are the only
   operations used in Streebog hash-function.

   Every output of the compression function depends on its output for
   the previous block, it is impossible to distribute its calculation
   for blocks of the same message.  This problem is not specific to
   Streebog and is shared by most hash-functions, limiting the set of
   applications where parallel hash-function calculation is beneficial.


   * RFC6986: GOST R 34.11-2012: Hash Function

   * Assymetric Reply to SHA-3: Russian Hash Function Draft Standard 
     by Sergey Grebnev, Andrey Dmukh, Denis Dygin, Dmirty Matyukhin,
     Vladimir Rudskoy and Vasily Shishkin.

   * Implementation of Streebog cryptographic hash function family
     on NVIDIA CUDA platform
     by Pavel A. Lebedev.