Cryptanalysis of the GOST Hash Function

Transcription

1 Cryptanalysis o the GOST Hash Function Florian Mendel 1, Norbert Pramstaller 1, Christian Rechberger 1, Marcin Kontak 2, and Janusz Szmidt 2 1 Institute or Applied Inormation Processing and Communications (IAIK), Graz University o Technology, Ineldgasse 16a, 8010 Graz, Austria Florian.Mendel@iaik.tugraz.at 2 Institute o Mathematics and Cryptology, Faculty o Cybernetics, Military University o Technology, ul. Kaliskiego 2, Warsaw, Poland Abstract. In this article, we analyze the security o the GOST hash unction. The GOST hash unction, deined in the Russian standard GOST , is an iterated hash unction producing a -bit hash value. As opposed to most commonly used hash unctions such as MD5 and SHA-1, the GOST hash unction deines, in addition to the common iterative structure, a checksum computed over all input message blocks. This checksum is then part o the inal hash value computation. As a result o our security analysis o the GOST hash unction, we present the irst collision attack with a complexity o about evaluations o the compression unction. Furthermore, we are able to signiicantly improve upon the results o Mendel et al. with respect to preimage and second preimage attacks. Our improved attacks have a complexity o about evaluations o the compression unction. Keywords: cryptanalysis, hash unction, collision attack, second preimage attack, preimage attack 1 Introduction A cryptographic hash unction H maps a message M o arbitrary length to a ixed-length hash value h. Inormally, a cryptographic hash unction has to ulill the ollowing security requirements: Collision resistance: it is practically ineasible to ind two messages M and M, with M M, such that H(M) = H(M ). Second preimage resistance: or a given message M, it is practically ineasible to ind a second message M M such that H(M) = H(M ). Preimage resistance: or a given hash value h, it is practically ineasible to ind a message M such that H(M) = h. The resistance o a hash unction to collision and (second) preimage attacks depends in the irst place on the length n o the hash value. Regardless o how a hash unction is designed, an adversary will always be able to ind preimages or second preimages ater trying out about 2 n dierent messages. Finding collisions

2 requires a much smaller number o trials: about 2 n/2 due to the birthday paradox. I the internal structure o a particular hash unction allows collisions or (second) preimages to be ound more eiciently than what could be expected based on its hash length, then the unction is considered to be broken. For a ormal treatment o the security properties o cryptographic hash unctions we reer to [18, 22]. Recent cryptanalytic results on hash unctions mainly ocus on collision attacks. Collisions have been shown or many commonly used hash unctions (see or instance [5, 6, 16, 24 26]), but we are not aware o any published collision attack on the GOST hash unction. In this article, we will present a security analysis o the GOST hash unction with respect to both collision and (second) preimage resistance. The GOST hash unction is widely used in Russia and is speciied in the Russian national standard GOST [3]. This standard has been developed by GUBS o Federal Agency Government Communication and Inormation and All-Russian Scientiic and Research Institute o Standardization. The GOST hash unction is the only hash unction that can be used in the Russian digital signature algorithm GOST [2]. Thereore, it is also used in several RFCs and implemented in various cryptographic applications (as or instance openssl). The GOST hash unction is an iterated hash unction producing a -bit hash value. As opposed to most commonly used hash unctions such as MD5 and SHA-1, the GOST hash unction deines, in addition to the common iterative structure, a checksum computed over all input message blocks. This checksum is then part o the inal hash value computation. The GOST standard also speciies the GOST block cipher [1], which is the main building block o the hash unction. Thereore, it can be considered as a block-cipher-based hash unction. While there have been published several cryptanalytic results regarding the block cipher (see or instance [4, 11, 14, 19, 20]), only a ew results regarding the hash unction have been published to date. Note that or the remainder o this article we reer to the GOST hash unction simply as GOST. Related Work. In [7], Gauravaram and Kelsey show that the generic attacks on hash unctions based on the Merkle-Damgård design principle can be extended to hash unctions with linear/modular checksums independent o the underlying compression unction. Hence, second preimages can be ound or long messages (consisting o 2 t message blocks) or GOST with a complexity o 2 n t evaluations o the compression unction. At FSE 2008, Mendel et al. have presented the irst attack on GOST exploiting the internal structure o the compression unction. The authors exploit weaknesses in the internal structure o GOST to construct pseudo-preimages or the compression unction o GOST with a complexity o about compression unction evaluations. Furthermore, they show how the attack on the compression unction o GOST can be extended to a (second) preimage attack on the hash unction. The attack has a complexity o about evaluations o the compression unction o GOST. Both attacks are structural attacks in the sense that they are independent o the underlying block cipher.

3 Our Contribution. We improve upon the state o the art as ollows. First, we show that or plaintexts o a speciic structure, we can construct ixed-points in the GOST block cipher eiciently. Second, based on this property in the GOST block cipher we then show how to construct collisions in the compression unction o GOST with a complexity o 2 96 compression unction evaluations. This collision attack on the compression unction is then extended to a collision attack on the GOST hash unction. The extension is possible by combining a multicollision attack and a generalized birthday attack on the checksum. The attack has a complexity o about evaluations o the compression unction o GOST. Furthermore, we show that due to the generic nature o our attack we can construct meaningul collisions, i.e. collisions in the chosen-preix setting with the same complexity. Note that in most cases constructing meaningul collisions is more complicated than constructing (random) collisions (see or instance MD5 [21]). Third, we show how the (second) preimage attack o Mendel et al. can be improved by additionally exploiting weaknesses in the GOST block cipher. The new improved (second) preimage attack has a complexity o evaluations o the compression unction o GOST. Table 1. Comparison o results or the GOST hash unction. source attack complexity attack Gauravaram and Kelsey second preimages or long CT-RSA 2008 [7] 2 t messages (2 t blocks) Mendel et al. preimages and FSE 2008 [15] second preimages collisions meaningul collisions this work (chosen-preix) preimages and second preimages The remainder o this article is structured as ollows. In Section 2, we give a short description o the GOST hash unction. In Section 3, we describe the GOST block cipher and show how to construct ixed-points eiciently. We use this in the collision attack on the hash unction in Section 4. In Section 5, we show a new improved (second) preimage attack or the hash unction. Finally, we present conclusions in Section 6. 2 The Hash Function GOST GOST is an iterated hash unction that processes message blocks o bits and produces a -bit hash value. I the message length is not a multiple o,

4 STEP STEP 1 STEP 3 STEP t Fig. 1. Structure o the GOST hash unction. an unambiguous padding method is applied. For the description o the padding method we reer to [3]. Let M = M 1 M 2 M t be a t-block message (ater padding). The hash value h = H(M) is computed as ollows (see Fig. 1): H 0 = IV (1) H i = (H i 1, M i ) or 0 < i t (2) H t+1 = (H t, M ) (3) H t+2 = (h t+1, Σ) = h, (4) where Σ = M 1 M 2 M t, and denotes addition modulo 2. IV is a predeined initial value and M represents the bit-length o the entire message prior to padding. As can be seen in (4), GOST speciies a checksum (Σ) consisting o the modular addition o all message blocks, which is then input to the inal application o the compression unction. Computing this checksum is not part o most commonly used hash unctions such as MD5 and SHA-1. The compression unction o GOST basically consist o three parts (see also Fig. 2): the state update transormation, the key generation, and the output transormation. In the ollowing, we will describe these parts in more detail. 2.1 State Update Transormation The state update transormation o GOST consists o 4 parallel instances o the GOST block cipher, denoted by E. The intermediate hash value H i 1 is split into our 64-bit words h 3 h 2 h 1 h 0. Each 64-bit word is used in one stream o the state update transormation to construct the -bit value S = s 3 s 2 s 1 s 0 in the ollowing way: s 0 = E(k 0, h 0 ) (5) s 1 = E(k 1, h 1 ) (6) s 2 = E(k 2, h 2 ) (7) s 3 = E(k 3, h 3 ) (8) where E(K, P ) denotes the encryption o the 64-bit plaintext P under the - bit key K. We reer to Section 3, or a detailed description o the GOST block cipher.

5 i i i Fig. 2. The compression unction o GOST 2.2 Key Generation The key generation o GOST takes as input the intermediate hash value H i 1 and the message block M i to compute a 1024-bit key K. This key is split into our -bit keys k i, i.e. K = k 3 k 0, where each key k i is used in one stream as the key or the GOST block cipher E in the state update transormation. The our keys k 0, k 1, k 2, and k 3 are computed in the ollowing way: k 0 = P (H i 1 M i ) (9) k 1 = P (A(H i 1 ) A 2 (M i )) (10) k 2 = P (A 2 (H i 1 ) Const A 4 (M i )) (11) k 3 = P (A(A 2 (H i 1 ) Const) A 6 (M i )) (12) where A and P are linear transormations and Const is a constant. Note that A 2 (x) = A(A(x)). For the deinition o the linear transormation A and P as well as the value o Const, we reer to [3], since we do not need it or our analysis. 2.3 Output Transormation The output transormation o GOST combines the intermediate hash value H i 1, the message block M i, and the output o the state update transormation S to

6 compute the output value H i o the compression unction. It is deined as ollows. H i = ψ 61 (H i 1 ψ(m i ψ 12 (S))) (13) The linear transormation ψ : {0, 1} {0, 1} is given by: ψ(γ ) = (γ 0 γ 1 γ 2 γ 3 γ 12 γ 15 ) γ 15 γ 14 γ 1 (14) where Γ is split into sixteen 16-bit words, i.e. Γ = γ 15 γ 14 γ 0. 3 The GOST Block Cipher The GOST block cipher is speciied by the Russian government standard GOST [1]. Several cryptanalytic results have been published or the block cipher (see or instance [4, 11, 14, 19, 20]). However, i the block cipher is used in a hash unction then we are acing a dierent attack scenario: the attacker has ull control over the key. First results considering this act or the security analysis o hash unctions have been presented or instance in [13]. We will exploit having ull control over the key or constructing ixed-points or the GOST block cipher. 3.1 Description o the block cipher The GOST block cipher is a 32 round Feistel network with a block size o 64 bits and a key length o bits. The round unction o the GOST block cipher consists o a key addition, eight dierent 4 4 S-boxes S j (0 j < 8) and a cyclic rotation (see also Figure 3). For the deinition o the S-boxes we reer to [3], since we do not need them or our analysis. L i 32 <<< 11 S 7 S 6 sk i R i 32 S 0 L i+1 R i+1 Fig. 3. One round o the GOST block cipher. The key schedule o the GOST block cipher deines the subkeys sk i derived rom the -bit K = k 7 k 6 k 0 as ollows { k i mod 8, i = 0,..., 23, sk i = (15) k 7 (i mod 8), i = 24,..., 31.

7 3.2 Constructing a Fixed-Point In the ollowing, we will show how to eiciently construct ixed-points in the GOST block cipher. It is based on the ollowing observation. Note that a similar observation was used by Kara in [10] or a chosen plaintext attack on the GOST block cipher. Observation 1 Assume we are given a plaintext P = L 0 R 0 with L 0 = R 0. Then we can construct a ixed-point or the block cipher by constructing a ixedpoint in the irst 8 rounds. In the ollowing, we reer to a plaintext P = L 0 R 0 with L 0 = R 0 as a symmetric plaintext (or or short as symmetric). Note that by using the block cipher or constructing a hash unction, an attacker has ull control over the key. Furthermore, each word o the key is only used once in the irst 8 rounds o the block cipher. Hence, constructing a ixed-point in the irst 8 rounds can be done eiciently. First, we choose random values or the irst 6 words o the key (subkeys sk 0,..., sk 5 ) and compute L 6 and R 6. Next, we choose the last 2 words o the key (subkeys sk 6 and sk 7 ) such that L 8 = L 0 and R 8 = R 0. With this method we can construct a ixed-point in the irst 8 rounds o the block cipher with a computational cost o 8 round computations. It is easy to see that i we have a ixed-point in the irst 8 rounds, then this is also a ixed-point or rounds 9-16 and since the same subkeys are used in these rounds. In the last 8 rounds the subkey is put in the opposite order, see (15). However, since the GOST block cipher is a Feistel network, we have here (rounds 25-32) a decryption i L 24 = R 24. This implies that we have a ixedpoint or the GOST block cipher (or all 32 rounds) i the plaintext is symmetric. Hence, or symmetric plaintexts we can eiciently construct ixed-points or the GOST block cipher. 4 Collision Attack on GOST In this section, we present a collision attack on the GOST hash unction with a complexity o about evaluations o the compression unction. First, we will show how to construct collisions or the compression unction o GOST, and based on this attack we then describe the collision attack or the hash unction. For the remainder o this article we ollow the notation o [15]. 4.1 Constructing a Collision in the Compression Function In the ollowing, we show how to construct a collision in the compression unction o GOST. The attack is based on structural weaknesses o the compression unction. These weaknesses have been used in [15] to construct pseudo-collisions and pseudo-preimages or the compression unction o GOST with a complexity o 2 96 and 2 192, respectively.

8 Now we show a collisions attack on the compression unction by additionally exploiting weaknesses in the underlying GOST block cipher. Since the transormation ψ is linear, (13) can be written as: H i = ψ 61 (H i 1 ) ψ 62 (M i ) ψ 74 (S) (16) Furthermore, ψ is invertible and hence (16) can be written as: ψ 74 (H i ) = ψ 13 (H i 1 ) ψ 12 (M i ) S (17) }{{}}{{}}{{} X Y Z Note that Y depends linearly on H i 1 and Z depends linearly on M i. As opposed to Y and Z, S depends on both H i 1 and M i processed by the block cipher E. For the ollowing discussion, we split the -bit words X, Y, Z deined in (17) into 64-bit words: X = x 3 x 2 x 1 x 0 Y = y 3 y 2 y 1 y 0 Z = z 3 z 2 z 1 z 0 Now, (17) can be written as: x 0 = y 0 z 0 s 0 (18) x 1 = y 1 z 1 s 1 (19) x 2 = y 2 z 2 s 2 (20) x 3 = y 3 z 3 s 3 (21) Now assume, that we can ind 2 96 message blocks M j i, where M i k Mi t with k t, such that all message blocks produce the same value x 0. Then we know that due to the birthday paradox two o these message blocks also lead to the same values x 1, x 2, and x 3. In other words, we have constructed a collision or the compression unction o GOST. The attack has a complexity o about 2 96 evaluations o the compression unction o GOST. Based on this short description, we will show now how to construct message blocks M j i, which all produce the same value x 0. Assume, we want to keep the value s 0 in (18) constant. Since s 0 = E(k 0, h 0 ) and k 0 depends linearly on the message block M i, we have to ind keys k j 0 and hence, message blocks M j i, which all produce the same value s 0. This can be done by exploiting the act that in the GOST block cipher ixed-points can be constructed eiciently or symmetric plaintexts (see Section 3.2). In other words, i h 0 is symmetric then we can construct 2 96 message blocks M j i where s 0 = h 0, and (18) becomes x 0 = y 0 z 0 h 0. (22) However, to ind message blocks M j i or which x 0 has the same value, we still have to ensure that also the term y 0 z 0 in (22) has the same value or all message blocks. Thereore, we get the ollowing equation (64 equations over GF (2)) y 0 z 0 = c (23)

9 where c is an arbitrary 64-bit value. We know that y 0 depends linearly on H i 1 and z 0 depends linearly on M i, see (17). Thereore, the choice o the message block M i and accordingly, the choice o the key k 0, is restricted by 64 equations over GF (2). Hence, or constructing a ixed-point in the GOST block cipher we have to consider these restrictions. For the ollowing discussion let A k 0 = d (24) denote the set o 64 equations over GF (2) which restricts the choice o the key k 0, where A is a 64 matrix over GF (2) and d is a 64-bit vector. It ollows rom Observation 1 that or constructing a ixed-point in the GOST block cipher (or symmetric plaintexts), it is suicient to construct a ixed-point in the irst 8 rounds. Hence, one method to construct an appropriate ixed-point would be to construct many arbitrary ixed-points and then check i (24) holds. With this method we ind an appropriate ixed-point with a complexity o about Since we need 2 96 such ixed-points or the collision attack, this would lead to a complexity o evaluations o the compression unction o GOST. However, we can improve this complexity by using a meet-in-the-middle approach (see also Fig. 4). L 0 = R 0 sk 0 sk 1 sk 2 sk 3 sk 0 A 1 sk 1 sk 2 d 1 sk 3 sk 0 sk 1 sk 2 A 1 A 2 sk 3 sk 4 d 1 d 2 d sk 4 sk 5 sk 6 sk 7 sk 4 A 2 sk 5 sk 6 d 2 sk 7 sk 5 sk 6 sk 7 L 8 = R 8 = L 0 Fig. 4. Constructing a ixed-point in the GOST block cipher. We split the irst 8 rounds o the GOST block cipher into 2 parts P 1 (rounds 1-4) and P 2 (rounds 5-8). Since the subkey used in the irst 8 rounds is restricted by A k 0, we also split this system o 64 equations over GF (2) into two parts: sk 0 sk 4 A 1 sk 1 sk 2 = d 1 A 2 sk 5 sk 6 = d 2 (25) sk 3 sk 7

10 where A = [A 1 A 2 ] and d = d 1 d 2. Now we can apply a meet-in-the-middle attack to construct 2 64 appropriate ixed-points or the GOST block cipher with a complexity o It can be summarized as ollows. 1. Choose a random value or d 1. This determines also d 2 = d d For all 2 64 subkeys sk 0,..., sk 3 which ulill (25) compute L 4, R 4 and save the result in the list L. 3. For all 2 64 subkeys sk 4,..., sk 7 which ulill (25) compute rounds 4-8 backward to get L 4, R 4 and check or a matching entry in the list L. Note that since there are 2 64 entries in the list L we expect to always ind a matching entry in the list L. Hence, we get 2 64 appropriate ixed-points or the GOST block cipher with a complexity o about 2 64 and memory requirements o bytes. By repeating this attack about 2 32 times or dierent choices o d 1, we get 2 96 appropriate ixed-points. In other words, we ound 2 96 keys k j 0 which all produce the same value s 0 = E(k j 0, h 0) and additionally ulill (24). Consequentially, we have 2 96 message blocks M j i which all result in the same value x 0 with X = ψ 74 (H i ). By applying a birthday attack we will ind two message blocks Mi k and Mi t with k t where also x 1, x 2, and x 3 are equal. In other words, we can ind a collision or the compression unction o GOST with a complexity o about 2 96 instead o evaluations o the compression unction o GOST. 4.2 Constructing Collisions or the Hash Function In this section, we show how the collision attack on the compression unction can be extended to the hash unction. The attack has a complexity o about evaluations o the compression unction o GOST. Note that the hash unction deines, in addition to the common iterative structure, a checksum computed over all input message blocks which is then part o the inal hash computation. Thereore, to construct a collision in the hash unction we have to construct a collision in the iterative structure (i.e. chaining variables) as well as in the checksum. To do this we use multicollisions. A multicollision is a set o messages o equal length that all lead to the same hash value. As shown in [9], constructing a 2 t collision, i.e. 2 t messages consisting o t message blocks which all lead to the same hash value, can be done with a complexity o about t 2 x or any iterated hash unction, where 2 x is the cost o constructing a collision in the compression unction. As shown in Section 4.1, collisions or the compression unction o GOST can be constructed with a complexity o 2 96 i h 0 is symmetric in H i 1 = h 3 h 2 h 1 h 0. Note that by using an additional message block M i 1 we ind a chaining variable H i 1 = (H i 2, M i 1 ), where h 0 is symmetric with a complexity o 2 32 compression unction evaluations. Hence, we can construct a collision with a complexity o about 128 ( ) evaluations o the compression unction o GOST. With this method we get messages M that all lead to the same value H as depicted in Figure 5.

11 M 2 2 M M H 0 H 1 H 2 H 3 H 4 H 254 H 255 H M 1 M 3 M 255 M 2 1 M M Fig. 5. Constructing a multicollision or GOST. To construct a collision in the checksum o GOST we have to ind 2 distinct messages which produce the same value Σ = M 1 M j2 2 M 255 M j with j 2, j 4,... j {1, 2}. By applying a birthday attack we can ind these 2 messages with a complexity o about additions over GF () and memory requirements o bytes. Due to the high complexity and memory requirements o the birthday attack, one could see this part as the bottleneck o the attack. However, the runtime and memory requirements can signiicantly be reduced by applying a generalized birthday attack introduced by Wagner in [23]. Wagner shows that i l is a power o two then the memory requirements and the running time or the generalized birthday problem is given by 2 n/(1+lg l) and l 2 n/(1+lg l), respectively. Note that in the standard birthday attack we have l = 2 1. Let us now consider the case l = 2 3. Then the birthday attack in the second part o the attack has a complexity o /4 = 2 67 and uses lists o size 2 /4 = In detail, we need to construct 8 lists o size 2 64 in the irst step o the attack. Hence, we need to construct a collision in the irst part o the attack to get 8 lists o the needed size. Constructing this multicollision has a complexity o about 8 64 ( ) = compression unction evaluations and memory requirements o 8 64 (2 64) = 2 16 bytes. Hence, we can construct a collision or the GOST hash unction with a complexity o about and memory requirements o = 2 70 bytes by using a generalized birthday attack with l = 8 lists. Furthermore, the colliding message pair consists o 8 (2 64) = 1024 message blocks. Note that l = 8 is the best choice or the attack. On one hand i we choose l > 8 then the memory requirements o the attack would decrease but the attack complexity would increase. Since we need about 2 70 bytes o memory or constructing ixed-points in the GOST block cipher, this does not improve the attack. On the other hand i we choose l < 8 then the memory requirements o the attack would be signiicantly higher. A Remark on the Length Extension Property. Once, we have ound a collision, i.e. collision in the iterative part (chaining variables) and the checksum, we can construct many more collisions by appending an arbitrary message block. Note that this is not necessarily the case or a straight-orward birthday attack. By applying a birthday attack we construct a collision in the inal hash value (ater the last iteration) and appending a message block is not possible. Hence,

12 we need a collision in the iterative part as well as in the checksum or the extension property. Note that by combining the generic birthday attack and multicollisions, one can construct collisions in both parts with a complexity o about = while our attack has a complexity o A Remark on Meaningul Collisions. In a chosen-preix setting, an attacker searches or a message pair (M, M ) such that or a given hash unction H H(M pre M) = H(M pre M ) (26) or any pair (M pre, M pre). In [21], Stevens et al. show that such a more powerul attack exists or MD5. Furthermore, they describe an application o this attack or colliding X.509 certiicates. Note that their attack (in a chosen-preix setting) has a complexity o 2 50, while the currently best published collision attack or MD5 has a complexity o about 2 30 evaluations o the compression unction [12]. However, in the case o GOST the collision attack in the chosen-preix setting has the same complexity as the collision attack. Due to the generic nature o the collision attack, dierences in the chaining variables can be canceled eiciently. Assume that the chosen preix (M pre, M pre) consists o t message blocks resulting in the chaining variables H t and H t. Then the attack can be summarized as ollows. 1. We have to ind two message blocks M t+1 and M t+1 such that h 0 = h 0 = 0, where H t+1 = h 3 h 2 h 1 h 0 and H t+1 = h 3 h 2 h 1 h 0. This has a complexity o about evaluations o the compression unction o GOST. 2. Now we have to ind two message blocks M t+2 and M t+2 such that H t+2 = H t+2. This can be done similar as constructing a collision in the compression unction o GOST (see Section 4.1). First, we choose a random value or c in (22) and construct 2 96 message blocks M t+2, where x 0 is equal. Second, we construct 2 96 message blocks M t+2, where x 0 = x 0. To guarantee that x 0 = x 0 we have to adjust c in (22) such that the ollowing equation holds. x 0 = x 0 = y 0 z 0 h 0 = c h 0 By applying a meet-in-the-middle attack we will ind two message blocks M t+2 and M t+2 which produce the same chaining variables (H t+2 = H t+2). This step o the attack has a complexity o evaluations o the compression unction o GOST. 3. Once we have constructed a collision in the iterative part (chaining variables), we have to construct a collision in the checksum as well. Thereore, we proceed as described in Section 4.2. By generating a collision and applying a generalized birthday attack with l = 8 we can construct a collision in the checksum o GOST with a complexity o compression unction evaluations and memory requirements o 2 70 bytes. Hence, we can construct meaningul collisions, i.e. collisions in the chosen-preix setting, or the GOST hash unction with a complexity o about compression unction evaluations.

13 5 Improved Preimage Attack or the Hash Function In a preimage attack, we want to ind, or a given hash value h, a message M such that H(M) = h. As we will show in the ollowing, or GOST we can construct preimages o h with a complexity o about evaluations o the compression unction o GOST. Beore describing the attack, we will irst show how to construct preimages or the compression unction o GOST. Based on this attack we then present the preimage attack or the hash unction. 5.1 A Preimage Attack or the Compression Function In a similar way as we have constructed a collision in Section 4.1, we can construct a preimage or the compression unction o GOST. In the attack, we have to ind a message block M i, such that (H i 1, M i ) = H i or the given values H i 1 and H i. Note that the value o H i determines x 3,..., x 0, since X = ψ 74 (H i ). Furthermore, assume that h 0 (in H i 1 = h 3 h 0 ) is symmetric. Then the attack can be summarized as ollows. 1. Since we will construct ixed-points or the GOST block cipher such that s 0 = E(k 0, h 0 ) = h 0, we have to adjust c in (22) such that x 0 = y 0 z 0 h 0 = c h 0 holds with X = ψ 74 (H i ). Once c is ixed, this also determines d in (24). 2. Choose a random value or d 1 (this also determines d 2 = d d 1 ) and apply a meet-in-the-middle attack to obtain 2 64 message blocks M j i or which x 0 is correct. Note that this step o the attack has memory requirements o 2 70 bytes. 3. For each message block compute X and check i x 3, x 2, and x 1 are correct. This holds with a probability o Thus, ater testing all 2 64 message blocks, we will ind a correct message block with a probability o = Note that we can repeat the attack about 2 64 times or dierent choices o d 1. Hence, we will ind a preimage or the compression unction o GOST with a probability o about 2 64 and a complexity o about evaluations o the compression unction o GOST and memory requirements o 2 70 bytes. 5.2 Extending the Attack to the Hash Function Now, we show how the preimage attack on the compression unction can be extended to the GOST hash unction. The attack has a complexity o about evaluations o the compression unction o GOST. Moreover, the preimage consists o 257 message blocks, i.e. M = M 1 M 257. The preimage attack consists o our steps as also shown in Figure 6.

14 m t 1 STEP STEP 1 STEP 2 STEP 3 Fig. 6. Preimage Attack on GOST. STEP 1: Multicollisions or GOST. For the preimage attack on the hash unction, we construct a 2 collision. This means, we have 2 messages M = M j1 j2 j 1 M2 1 M or 2 j 1, j 2,..., jt {1, 2} consisting o blocks that all lead to the same hash value H. This results in a complexity o about = evaluations o the compression unction o GOST. Furthermore, the memory requirement is about 2 message blocks, i.e. we need to store 2 14 bytes. With these multicollisions, we are able to construct the needed value o Σ m in STEP 4 o the attack (where the superscript m stands or multicollision ). STEP 2: Constructing H 258 Including the Length Encoding. In this step, we have to ind a message block M 257 such that or the given H determined in STEP 1, and or M determined by our assumption that we want to construct preimages consisting o 257 message blocks, we ind a H 258 = h 3 h 0 where h 0 is symmetric. Note that since we want to construct a message that is a multiple o bits, we choose M 257 to be a ull message block and hence no padding is needed. We proceed as ollows. Choose an arbitrary message block M 257 and compute H 258 as ollows: H 257 = (H, M 257 ) H 258 = (H 257, M ) where M = ( + 1). Then we check i h 0 in the resulting value H 258 is symmetric. This has a probability o Hence, this step o the attack requires evaluations o the compression unction o GOST. STEP 3: Preimages or the Last Iteration. To construct a preimage or the last iteration o GOST we proceed as described in Section 5.1. Since h 0 in H 258 is symmetric, we will ind a preimage or the last iteration o GOST with a probability o 2 64 (and a complexity o about ). Thereore, we have to repeat this step o the attack about 2 64 times or dierent values o H 258 (where h 0 is symmetric) to ind a preimage or the last iteration. Hence, inishing this step o the attack has a complexity o about 2 64 ( ) evaluations o the compression unction o GOST. Once we have ound a preimage or the last iteration, also the value Σ m is determined, since Σ m = Σ t M 257.

15 STEP 4: Constructing Σ m. In STEP 1, we constructed a 2 collision in the irst iterations o the hash unction. From this set o messages that all lead to the same H, we now have to ind a message M = M j1 j2 j 1 M2 M or j 1, j 2,..., j {1, 2} that leads to the value o Σ m = Σ t M 257. This can be done by applying a meet-in-the-middle attack. First, we save all values or Σ 1 = M j1 1 M j2 2 M j in the list L. Note that we have in total 2128 values in L. Second, we compute Σ 2 = M j M j M j and check i Σ m Σ 2 is in the list L. Ater testing all values, we expect to ind a matching entry in the list L and hence a message M = M j1 j2 j 1 M2 M that leads to Σ m = Σ t M 257. This step o the attack has a complexity o and a memory requirement o = bytes. Once we have ound M, we ound a preimage or GOST consisting o +1 message blocks, namely M M 257. The Attack Complexity. The complexity o the preimage attack is determined by the computational eort o STEP 2 and STEP 3, i.e. a preimage o h can be ound in about evaluations o the compression unction. The memory requirements or the preimage attack are determined by inding M in STEP 4, since we need to store bytes or the meet-in-the-middle attack. Due to the high memory requirements o STEP 4, one could see this part as the bottleneck o the attack. However, the memory requirements o STEP 4 can signiicantly be reduced by applying a memory-less variant o the meet-in-the-middle attack introduced by Quisquater and Delescaille in [17]. Hence, a preimage can be constructed or the GOST hash unction with a complexity o evaluations o the compression unction and memory requirements o about 2 70 bytes. 5.3 A Remark on Second Preimages Note that the presented preimage attack on GOST also implies a second preimage attack. In this case, we are not given only the hash value h but also a message M that results in this hash value. We can construct or any given message a second preimage in the same way as we construct preimages. The dierence is, that the second preimage will always consist o at least 257 message blocks. Thus, we can construct a second preimage or any message M (o arbitrary length) with a complexity o about evaluations o the compression unction o GOST. 6 Conclusion In this article, we have presented a collision attack and a (second) preimage attack on the GOST hash unction. Both the collision and the (second) preimage attack are based on weaknesses in the GOST block cipher, namely ixed-points can be constructed eiciently or plaintexts o a speciic structure. The internal structure o the compression unction allows to construct collisions with a complexity o about 2 96 evaluations o the compression unction. This alone would

16 not render the hash unction insecure. The act that we can construct multicollisions or any iterated hash unction including the GOST hash unction and the possibility o applying a (generalized) birthday attack to construct also a collision in the checksum make the collision attack on the hash unction possible. The attack has a complexity o about compression unction evaluations. Furthermore, the generic nature o the attack allows us to construct meaningul collisions, i.e. collisions in the chosen-preix setting, with the same complexity. In a similar way as we construct collisions or the hash unction, we can construct (second) preimages or the hash unction with a complexity o about evaluations o the compression unction. This improves the previous (second) preimage attack o Mendel et al. by a actor o Even though the complexities o our attacks are ar beyond o being practical, they point out weaknesses in the design principles o the hash unction GOST. Acknowledgements The authors wish to thank Mario Lamberger, Vincent Rijmen, and the anonymous reerees or useul comments and discussions. The work in this paper has been supported in part by the Secure Inormation Technology Center - Austria (A-SIT) and by the Austrian Science Fund (FWF), project P Reerences 1. GOST , Systems o the Inormation Treatment. Cryptographic Security. Algorithms o the Cryptographic Transormation, (In Russian). 2. GOST , Inormation Technology Cryptographic Data Security Produce and Check Procedures o Electronic Digital Signature Based on Asymmetric Cryptographic Algorithm, (In Russian). 3. GOST , Inormation Technology Cryptographic Data Security Hashing Function, (In Russian). 4. Alex Biryukov and David Wagner. Advanced Slide Attacks. In Bart Preneel, editor, EUROCRYPT, volume 1807 o LNCS, pages Springer, Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions or 70-Step SHA-1: On the Full Cost o Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 o LNCS, pages Springer, Christophe De Cannière and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Keei Chen, editors, ASIACRYPT, volume 4284 o LNCS, pages Springer, Praveen Gauravaram and John Kelsey. Linear-XOR and Additive Checksums Don t Protect Damgård-Merkle Hashes rom Generic Attacks. In Tal Malkin, editor, CT-RSA, volume 4964 o LNCS, pages Springer, Daniel Joscák and Jirí Tuma. Multi-block Collisions in Hash Functions Based on 3C and 3C+ Enhancements o the Merkle-Damgård Construction. In Min Surp Rhee and Byoungcheon Lee, editors, ICISC, volume 4296 o LNCS, pages Springer, 2006.

17 9. Antoine Joux. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In Matthew K. Franklin, editor, CRYPTO, volume 3152 o LNCS, pages Springer, Orhun Kara. Relection Attacks on Product Ciphers. Cryptology eprint Archive, Report 2007/043, John Kelsey, Bruce Schneier, and David Wagner. Key-Schedule Cryptoanalysis o IDEA, G-DES, GOST, SAFER, and Triple-DES. In Neal Koblitz, editor, CRYPTO, volume 1109 o LNCS, pages Springer, Vlastimil Klima. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology eprint Archive, Report 2006/105, Lars R. Knudsen and Vincent Rijmen. Known-Key Distinguishers or Some Block Ciphers. In Kaoru Kurosawa, editor, ASIACRYPT, volume 4833 o LNCS, pages Springer, Youngdai Ko, Seokhie Hong, Wonil Lee, Sangjin Lee, and Ju-Sung Kang. Related Key Dierential Attacks on 27 Rounds o XTEA and Full-Round GOST. In Bimal K. Roy and Willi Meier, editors, FSE, volume 3017 o LNCS, pages Springer, Florian Mendel, Norbert Pramstaller, and Christian Rechberger. A (Second) Preimage Attack on the GOST Hash Function. In Kaisa Nyberg, editor, FSE, volume 5086 o LNCS, pages Springer, Florian Mendel and Vincent Rijmen. Cryptanalysis o the Tiger Hash Function. In Kaoru Kurosawa, editor, ASIACRYPT, volume 4833 o LNCS, pages Springer, Jean-Jacques Quisquater and Jean-Paul Delescaille. How Easy is Collision Search. New Results and Applications to DES. In Gilles Brassard, editor, CRYPTO, volume 435 o LNCS, pages Springer, Phillip Rogaway and Thomas Shrimpton. Cryptographic Hash-Function Basics: Deinitions, Implications, and Separations or Preimage Resistance, Second- Preimage Resistance, and Collision Resistance. In Bimal K. Roy and Willi Meier, editors, FSE, volume 3017 o LNCS, pages Springer, Markku-Juhani O. Saarinen. A chosen key attack against the secret S-boxes o GOST, unpublished manuscript. 20. Haruki Seki and Toshinobu Kaneko. Dierential Cryptanalysis o Reduced Rounds o GOST. In Douglas R. Stinson and Staord E. Tavares, editors, Selected Areas in Cryptography, volume 2012 o LNCS, pages Springer, Marc Stevens, Arjen K. Lenstra, and Benne de Weger. Chosen-Preix Collisions or MD5 and Colliding X.509 Certiicates or Dierent Identities. In Moni Naor, editor, EUROCRYPT, volume 4515 o LNCS, pages Springer, Douglas R. Stinson. Some Observations on the Theory o Cryptographic Hash Functions. Des. Codes Cryptography, 38(2): , David Wagner. A Generalized Birthday Problem. In Moti Yung, editor, CRYPTO, volume 2442 o LNCS, pages Springer, Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, and Xiuyuan Yu. Cryptanalysis o the Hash Functions MD4 and RIPEMD. In Ronald Cramer, editor, EUROCRYPT, volume 3494 o LNCS, pages Springer, Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 o LNCS, pages Springer, Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, EUROCRYPT, volume 3494 o LNCS, pages Springer, 2005.