GOST R 34.11-94 | |
Designers: | FAPSI and VNIIstandart (USSR) |
Publish Date: | 1994-05-23 (declassified) |
Derived From: | GOST block cipher |
Derived To: | Streebog |
Certification: | GOST standard |
Digest Size: | 256 bits |
Rounds: | 32 |
Cryptanalysis: | A 2008 attack breaks the full-round hash function. The paper presents a collision attack in 2105 time, and preimage attacks in 2192 time. |
The GOST hash function, defined in the standards GOST R 34.11-94 and GOST 34.311-95 is a 256-bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.11-94 Information Technology – Cryptographic Information Security – Hash Function. The equivalent standard used by other member-states of the CIS is GOST 34.311-95.
This function must not be confused with a different Streebog hash function, which is defined in the new revision of the standard GOST R 34.11-2012.[1]
The GOST hash function is based on the GOST block cipher.
GOST processes a variable-length message into a fixed-length output of 256 bits. The input message is broken up into chunks of 256-bit blocks (eight 32-bit little endian integers); the message is padded by appending as many zeros to it as are required to bring the length of the message up to 256 bits. The remaining bits are filled up with a 256-bit integer arithmetic sum of all previously hashed blocks and then a 256-bit integer representing the length of the original message, in bits.
The algorithm descriptions uses the following notation:
l{f}0l{g}j
l{j}Ml{j}
l{k}
+
⊕
Further we consider that the little-order bit is located at the left of a block, and the high-order bit at the right.
The input message
M
mn,mn-1,mn-2,\ldots,m1
mn
Each block is processed by the step hash function
Hout=f(Hin,m)
Hout
Hin
m
Each message block, starting the first one, is processed by the step hash function
f
Hi+1=f(Hi,mi)
H1
0256
After
Hn+1
Hn+2=f(Hn+1,L)
2256
h=f(Hn+2,K)
m1+m2+m3+\ldots+mn
The
h
So, the algorithm works as follows.
h:=initial
\Sigma:=0
L:=0
|M|>256
h:=f(h,mi)
L:=L+256
\Sigma:=\Sigma+mi
L:=L+l{j}mnl{j}
mn:={0}256mnl{j}}l{k}mn
\Sigma:=\Sigma+mn
h:=f(h,mn)
h:=f(h,L)
h:=f(h,\Sigma)
h
The step hash function
f
Hout=f(Hin,m)
It consist of three parts:
K1,K2,K3,K4
Hin
K1,K2,K3,K4
The keys generating algorithm uses:
A(Y)=A(y4 l{k} y3 l{k} y2 l{k} y1)=(y1 ⊕ y2) l{k} y4 l{k} y3 l{k} y2
y1,y2,y3,y4
P(Y)=P(y32l{k}y31l{k}...l{k}y1)=y\varphi(32)l{k}y\varphi(31)l{k}...l{k}y\varphi(1)
\varphi(i+1+4(k-1))=8i+k, i=0,...,3, k=1,...,8
y32,y31,...,y1
The algorithm:
U:=Hin, V:=m, W:=U ⊕ V, K1=P(W)
U:=A(U) ⊕ Cj, V:=A(A(V)), W:=U ⊕ V, Kj=P(W)
After the keys generation, the enciphering of
Hin
K1,K2,K3,K4
Hin
Hin=h4l{k}h3l{k}h2l{k}h1
s1=E(h1,K1)
s2=E(h2,K2)
s3=E(h3,K3)
s4=E(h4,K4)
S=s4l{k}s3l{k}s2l{k}s1
On the last step, the shuffle transformation is applied to
Hin
Hout
First we define the ψ function, doing LFSR on a 256-bit block:
\psi(Y)=\psi(y16l{k}y15l{k}\ldotsl{k}y2l{k}y1)=(y1 ⊕ y2 ⊕ y3 ⊕ y4 ⊕ y13 ⊕ y16)l{k}y16l{k}y15l{k}\ldotsl{k}y3l{k}y2
y16,y15,\ldots,y2,y1
The shuffle transformation is
Hout=\psi61d\left(Hin ⊕ \psi\left(m ⊕ \psi12(S)\right)\right)
\psii
\psi
There are two commonly used sets of initial parameters for GOST R 34.11 94. The starting vector for both the sets is
H1
Although the GOST R 34.11 94 standard itself doesn't specify the algorithm initial value
H1
E
RFC 5831 specifies only these parameters, but RFC 4357 names them as "test parameters" and does not recommend them for use in production applications.
S-box number ! colspan=16 | Value | - !1 | 4 | 10 | 9 | 2 | 13 | 8 | 0 | 14 | 6 | 11 | 1 | 12 | 7 | 15 | 5 | 3 | - !2 | 14 | 11 | 4 | 12 | 6 | 13 | 15 | 10 | 2 | 3 | 8 | 1 | 0 | 7 | 5 | 9 | - !3 | 5 | 8 | 1 | 13 | 10 | 3 | 4 | 2 | 14 | 15 | 12 | 7 | 6 | 0 | 9 | 11 | - !4 | 7 | 13 | 10 | 1 | 0 | 8 | 9 | 15 | 14 | 4 | 6 | 12 | 11 | 2 | 5 | 3 | - !5 | 6 | 12 | 7 | 1 | 5 | 15 | 13 | 8 | 4 | 10 | 9 | 14 | 0 | 3 | 11 | 2 | - !6 | 4 | 11 | 10 | 0 | 7 | 2 | 1 | 13 | 3 | 6 | 8 | 5 | 9 | 12 | 15 | 14 | - !7 | 13 | 11 | 4 | 1 | 3 | 15 | 5 | 9 | 0 | 10 | 14 | 7 | 6 | 8 | 2 | 12 | - !8 | 1 | 15 | 13 | 0 | 5 | 7 | 10 | 4 | 9 | 2 | 3 | 14 | 6 | 11 | 8 | 12 |
---|
The CryptoPro S-box comes from "production ready" parameter set developed by CryptoPro company, it is also specified as part of RFC 4357, section 11.2.
S-box number ! colspan=16 | Value | - !1 | 10 | 4 | 5 | 6 | 8 | 1 | 3 | 7 | 13 | 12 | 14 | 0 | 9 | 2 | 11 | 15 | - !2 | 5 | 15 | 4 | 0 | 2 | 13 | 11 | 9 | 1 | 7 | 6 | 3 | 12 | 14 | 10 | 8 | - !3 | 7 | 15 | 12 | 14 | 9 | 4 | 1 | 0 | 3 | 11 | 5 | 2 | 6 | 10 | 8 | 13 | - !4 | 4 | 10 | 7 | 12 | 0 | 15 | 2 | 8 | 14 | 1 | 6 | 5 | 13 | 11 | 9 | 3 | - !5 | 7 | 6 | 4 | 11 | 9 | 12 | 2 | 10 | 1 | 8 | 0 | 14 | 15 | 13 | 3 | 5 | - !6 | 7 | 6 | 2 | 4 | 13 | 9 | 15 | 0 | 10 | 1 | 5 | 11 | 8 | 14 | 12 | 3 | - !7 | 13 | 14 | 4 | 1 | 7 | 0 | 5 | 10 | 3 | 12 | 8 | 15 | 6 | 2 | 9 | 11 | - !8 | 1 | 3 | 10 | 9 | 5 | 11 | 4 | 15 | 8 | 6 | 7 | 14 | 13 | 0 | 2 | 12 |
---|
In 2008, an attack was published that breaks the full-round GOST hash function. The paper presents a collision attack in 2105 time, and first and second preimage attacks in 2192 time (2n time refers to the approximate number of times the algorithm was calculated in the attack).[3]
The 256-bit (32-byte) GOST hashes are typically represented as 64-digit hexadecimal numbers.
Here are test vectors for the GOST hash with "test parameters"
GOST("The quick brown fox jumps over the lazy og") = 77b7fa410c9ac58a25f49bca7d0468c9296529315eaca76bd1a10f376d1f4294
Even a small change in the message will, with overwhelming probability, result in a completely different hash due to the avalanche effect. For example, changing to :
GOST("The quick brown fox jumps over the lazy og") = a3ebc4daaab78b0be131dab5737a7f67e602670d543521319150d2e14eeec445
Two samples coming from the GOST R 34.11-94 standard:[2]
GOST("This is message, length=32 bytes") = b1c466d37519b82e8319819ff32595e047a28cb6f83eff1c6916a815a637fffa GOST("Suppose the original message has length = 50 bytes") = 471aba57a60a770d3a76130635c1fbea4ef14de51f78b4ae57dd893b62f55208
More test vectors: GOST("") = ce85b99cc46752fffee35cab9a7b0278abb4c2d2055cff685af4912c49490f8d GOST("a") = d42c539e367c66e9c88a801f6649349c21871b4344c6a573f849fdce62f314dd GOST("message digest") = ad4434ecb18f2c99b60cbe59ec3d2469582b65273f48de72db2fde16a4889a4d GOST(128 characters of 'U') = 53a3a3ed25180cef0c1d85a074273e551c25660a87062a52d926a9e8fe5733a4 GOST(1000000 characters of 'a') = 5c00ccc2734cdd3332d3d4749576e3c1a7dbaf0e7ea74e9fa602413c90a129fa
GOST algorithm with CryptoPro S-box generates different set of hash values.
GOST("") = 981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0 GOST("a") = e74c52dd282183bf37af0079c9f78055715a103f17e3133ceff1aacf2f403011 GOST("abc") = b285056dbf18d7392d7677369524dd14747459ed8143997e163b2986f92fd42c GOST("message digest") = bc6041dd2aa401ebfa6e9886734174febdb4729aa972d60f549ac39b29721ba0 GOST("The quick brown fox jumps over the lazy dog") = 9004294a361a508c586fe53d1f1b02746765e71b765472786e4770d565830a76 GOST("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 73b70a39497de53a6e08c67b6d4db853540f03e9389299d9b0156ef7e85d0f61 GOST("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = 6bc7b38989b28cf93ae8842bf9d752905910a7528a61e5bce0782de43e610c90 GOST("This is message, length=32 bytes") = 2cefc2f7b7bdc514e18ea57fa74ff357e7fa17d652c75f69cb1be7893ede48eb GOST("Suppose the original message has length = 50 bytes") = c3730c5cbccacf915ac292676f21e8bd4ef75331d9405e5f1a61dc3130a65011 GOST(128 of "U") = 1c4ac7614691bbf427fa2316216be8f10d92edfd37cd1027514c1008f649c4e8 GOST(1000000 of "a") = 8693287aa62f9478f7cb312ec0866b6c4e4a0f11160441e8f4ffcd2715dd554f