Prototype of Russian Hash Function 'Stribog' · Prototype of Russian Hash Function "Stribog"...

Prototype of Russian Hash Function

”Stribog”

Oleksandr Kazymyrov

Selmer Center, Department of Informatics,University of Bergen, [email protected]

Spring 2013

Oleksandr Kazymyrov Prototype of Russian Hash Function ”Stribog”

Outline

1 Introduction

2 Description of Stribog

3 Representation over F28

4 Conclusions


Motivation

GOST 34.11-94 was theoretically broken in2008.

The complexities O(2192)/O(269) for preimage andsecond preimage attacks.

Increasing performance. Stribog is 20% fasterthan GOST 34.11-94.

Opposite to SHA-3 (Keccak).


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

GOST 34.11

Stribog

1998

20012007

20082001

1994

2010


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

GOST 34.11

Stribog

1998

2001

2007

20082001

1994

2010


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

GOST 34.11

Stribog

1998

20012007

20082001

1994

2010


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

GOST 34.11

Stribog

1998

20012007

2008

2001

1994

2010


Rijndael

AES

Other

Kalyna

Grøstl

Hash

SHA

GOST 34.11

Stribog

1998

20012007

2008

2001

1994

2010


Rijndael

AES

Other

Kalyna

Grøstl

HashSHA

GOST 34.11

Stribog

1998

20012007

20082001

1994

2010


Basic Operations and Functions

Stribog is based on SP-network block cipher with block andkey length equal 512 bits

SubBytes (S): nonlinear bijective mapping.

Transposition (P): byte permutation.

MixColumns (L): linear transformation.

AddRoundKey (X): addition with the round key usingbitwise XOR.

Other basic functions

�: addition modulo 2512.

MSBs(A): getting s most significant bits of vector A.

A||B: concatenation of two vectors A and B.


State Representation

Grøstl

a7

a6

a5

a4

a3

a2

a1

a0

a15

a14

a13

a12

a11

a10

a9

a8

a23

a22

a21

a20

a19

a18

a17

a16

a31

a30

a29

a28

a27

a26

a25

a24

a39

a38

a37

a36

a35

a34

a33

a32

a47

a46

a45

a44

a43

a42

a41

a40

a55

a54

a53

a52

a51

a50

a49

a48

a63

a62

a61

a60

a59

a58

a57

a56

A = a0||a1|| . . . ||a63

Stribog

b7

b15

b23

b31

b39

b47

b55

b63

b6

b14

b22

b30

b38

b46

b54

b62

b5

b13

b21

b29

b37

b45

b53

b61

b4

b12

b20

b28

b36

b44

b52

b60

b3

b11

b19

b27

b35

b43

b51

b59

b2

b10

b18

b26

b34

b42

b50

b58

b1

b9

b17

b25

b33

b41

b49

b57

b0

b8

b16

b24

b32

b40

b48

b56

B = b63||b62|| . . . ||b0



Grøstl

a7

a6

a5

a4

a3

a2

a1

a0

a15

a14

a13

a12

a11

a10

a9

a8

a23

a22

a21

a20

a19

a18

a17

a16

a31

a30

a29

a28

a27

a26

a25

a24

a39

a38

a37

a36

a35

a34

a33

a32

a47

a46

a45

a44

a43

a42

a41

a40

a55

a54

a53

a52

a51

a50

a49

a48

a63

a62

a61

a60

a59

a58

a57

a56

Stribog

a56

a48

a40

a32

a24

a16

a8

a0

a57

a49

a41

a33

a25

a17

a9

a1

a58

a50

a42

a34

a26

a18

a10

a2

a59

a51

a43

a35

a27

a19

a11

a3

a60

a52

a44

a36

a28

a20

a12

a4

a61

a53

a45

a37

a29

a21

a13

a5

a62

a54

a46

a38

a30

a22

a14

a6

a63

a55

a47

a39

a31

a23

a15

a7

A = a0||a1|| . . . ||a63


Outline

1 Introduction



4 Conclusions


Merkle-Damg̊ard Scheme

IV

m1

g

m2

g

m3

gh h . . . g h

mt


Modification of Merkle-Damg̊ard Scheme

N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

hg

�

�

512

mt


Hash Function Stribog

N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h


Hash Function Stribog. Stage 1

N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h

Stage 1

Σ = N = 0512

IV =

{0, Stribog-512

(00000001)64, Stribog-256



N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h

Stage 1 Stage 2

Σ = N = 0512

IV =

{0, Stribog-512

(00000001)64, Stribog-256

t =

⌊|M |512

⌋



N

IV

Σm1

�

�

512

g

m2

�

�

512

g

m3

�

�

512

gh h . . .

. . .

. . .

g g g gh h h

�

�

�

�

512 |M |

mt m

0 0

h

Stage 1 Stage 2 Stage 3

Σ = N = 0512

IV =

{0, Stribog-512

(00000001)64, Stribog-256

t =

⌊|M |512

⌋ m = 0512−|M |||1||M

H =

{h, Stribog-512

MSB256(h), Stribog-256


Compression Function Construction

Grøstl

P Q

hi

⊕

⊕hi−1 mi

f

Stribog

E

F

hi

⊕

⊕hi−1 N mi

g

L

P

S

hi−1N


Design of E

Compression function gN : F5122 × F512

2 7→ F5122 , N ∈ F512

2 isdefined as follows

gN(h,m) = E(L ◦ P ◦ S(h⊕N),m)⊕ h⊕m, h,m ∈ F5122

where

E(K,m) = X[K13] ◦12∏i=1

L ◦ P ◦ S ◦X[Ki]

KeySchedule function

Ki = L ◦ P ◦ S(Ki−1 ⊕ Ci−1), K1 = K, i ∈ {2, . . . , 13}.


Representation of E

Block Cipher of Stribog

F

r = 12

⊕

⊕L

P

S

Ki

K13

Message

Ciphertext

Key Schedule

F

r = 12

⊕L

P

S

Ci−1

K1 = K

Ki


SubBytes Transformation

a7

a15

a23

a31

a39

a47

a55

a63

a6

a14

a22

a30

a38

a46

a54

a62

a5

a13

a21

a29

a37

a45

a53

a61

a4

a12

a20

a28

a36

a44

a52

a60

a3

a11

a19

a27

a35

a43

a51

a59

a2

a10

a18

a26

a34

a42

a50

a58

a1

a9

a17

a25

a33

a41

a49

a57

a0

a8

a16

a24

a32

a40

a48

a56

a35

b7

b15

b23

b31

b39

b47

b55

b63

b6

b14

b22

b30

b38

b46

b54

b62

b5

b13

b21

b29

b37

b45

b53

b61

b4

b12

b20

b28

b36

b44

b52

b60

b3

b11

b19

b27

b35

b43

b51

b59

b2

b10

b18

b26

b34

b42

b50

b58

b1

b9

b17

b25

b33

b41

b49

b57

b0

b8

b16

b24

b32

b40

b48

b56

b35

S

bi = S-box(ai)

SubBytes


S-box of Stribog

0 1 2 3 4 5 6 7 8 9 A B C D E F0 FC EE DD 11 CF 6E 31 16 FB C4 FA DA 23 C5 04 4D1 E9 77 F0 DB 93 2E 99 BA 17 36 F1 BB 14 CD 5F C12 F9 18 65 5A E2 5C EF 21 81 1C 3C 42 8B 01 8E 4F3 05 84 02 AE E3 6A 8F A0 06 0B ED 98 7F D4 D3 1F4 EB 34 2C 51 EA C8 48 AB F2 2A 68 A2 FD 3A CE CC5 B5 70 0E 56 08 0C 76 12 BF 72 13 47 9C B7 5D 876 15 A1 96 29 10 7B 9A C7 F3 91 78 6F 9D 9E B2 B17 32 75 19 3D FF 35 8A 7E 6D 54 C6 80 C3 BD 0D 578 DF F5 24 A9 3E A8 43 C9 D7 79 D6 F6 7C 22 B9 039 E0 0F EC DE 7A 94 B0 BC DC E8 28 50 4E 33 0A 4AA A7 97 60 73 1E 00 62 44 1A B8 38 82 64 9F 26 41B AD 45 46 92 27 5E 55 2F 8C A3 A5 7D 69 D5 95 3BC 07 58 B3 40 86 AC 1D F7 30 37 6B E4 88 D9 E7 89D E1 1B 83 49 4C 3F F8 FE 8D 53 AA 90 CA D8 85 61E 20 71 67 A4 2D 2B 09 5B CB 9B 25 D0 BE E5 6C 52F 59 A6 74 D2 E6 F4 B4 C0 D1 66 AF C2 39 4B 63 B6


S-box Characteristics

Properties Stribog AESVectorial Boolean Function

Balancedness True TrueNonlinearity 100 112

Absolute Indicator 96 32SSI 258688 133120PC 0 0CI 0 0

Algebraic Degree 7 7Resiliency 0 0

SAC False FalseSubstitution

Bijection True TrueMDT 8 4MLT 28 16

Cycles 252:243, 46:1343:27, 242:87,

99:59, 124:81, 143:2Algebraic Immunity 3(441) 2(39)


Transposition

Transposition transformation has a form

a7

a15

a23

a31

a39

a47

a55

a63

a6

a14

a22

a30

a38

a46

a54

a62

a5

a13

a21

a29

a37

a45

a53

a61

a4

a12

a20

a28

a36

a44

a52

a60

a3

a11

a19

a27

a35

a43

a51

a59

a2

a10

a18

a26

a34

a42

a50

a58

a1

a9

a17

a25

a33

a41

a49

a57

a0

a8

a16

a24

a32

a40

a48

a56

a0a8a16a24a32a40a48a56

a1a9a17a25a33a41a49a57

a2a10a18a26a34a42a50a58

a3a11a19a27a35a43a51a59

a4a12a20a28a36a44a52a60

a5a13a21a29a37a45a53a61

a6a14a22a30a38a46a54a62

a7a15a23a31a39a47a55a63

Transpose


MixColumns

MixColumns transformation has a form

a7

a15

a23

a31

a39

a47

a55

a63

a6

a14

a22

a30

a38

a46

a54

a62

a5

a13

a21

a29

a37

a45

a53

a61

a4

a12

a20

a28

a36

a44

a52

a60

a3

a11

a19

a27

a35

a43

a51

a59

a2

a10

a18

a26

a34

a42

a50

a58

a1

a9

a17

a25

a33

a41

a49

a57

a0

a8

a16

a24

a32

a40

a48

a56a63 a62 a61 a60 a59 a58 a57 a56

b7

b15

b23

b31

b39

b47

b55

b63

b6

b14

b22

b30

b38

b46

b54

b62

b5

b13

b21

b29

b37

b45

b53

b61

b4

b12

b20

b28

b36

b44

b52

b60

b3

b11

b19

b27

b35

b43

b51

b59

b2

b10

b18

b26

b34

b42

b50

b58

b1

b9

b17

b25

b33

b41

b49

b57

b0

b8

b16

b24

b32

b40

b48

b56b63 b62 b61 b60 b59 b58 b57 b56

M

Multiplying the vector by the constant 64×64 matrix M over F2

B = A ·M

MixColumns


Outline

1 Introduction



4 Conclusions


Motivation

Easier to proveproperties

Motivation

Modifiedstructure of

Rijndael

Moreunderstandable

form

Complex(diff. probability)

Individual(i.e. MDS)



Alternative representation

Reverse input bits

AES-like transformations (state as in Grøstl/AES)

Reverse output bits

B0, B1, . . . , B63 B′0, B

′1, . . . , B

′63

b0, b1, . . . , b511 b511, b510, . . . , b0(Inv)ReverseBits


Transposition and SubBytes Operations

Transposition is invariant operation.

Substitution has the form F (x) = D ◦G ◦D(x) forlinearized polynomial D : F2n 7→ F2n .

0 1 2 3 4 5 6 7 8 9 A B C D E F0 3F FB D7 E0 9F E5 A8 04 97 07 AD 87 A0 B5 4C 9A1 DF EB 4F 0C 81 58 CF D3 E8 3B FD B1 60 31 B6 8B2 F3 7C 57 61 47 78 08 B4 C9 5E 10 32 C7 E4 FF 673 C4 3E BF 11 D1 26 B9 7D 28 72 39 53 FE 96 C3 9C4 BB 24 34 CD A6 06 69 E6 0F 37 70 C1 40 62 98 2E5 5F 6B 16 D6 3C 1C 1E A4 8F 14 C8 55 B7 A5 63 F56 8C C2 12 B8 F7 46 59 90 99 0D 6E 1F F1 AA 51 2D7 20 9D 73 E7 71 64 4D 36 FA 50 BA A1 CB A9 B0 C68 77 AF 2C 1A 18 E9 85 8E EE F0 0E D8 21 A2 AE 659 23 9E 54 EC 38 1D 89 D9 6C 17 4E CA D0 C5 2A 66A 76 15 13 35 3A 00 DE D4 74 29 30 FC 56 7A AC 2FB A3 44 5C 9B 80 F9 79 A7 B3 CC ED 1B 2B AB BD D2C 88 95 8A 02 5A CE 94 25 DB 7B 6A 92 75 49 BC 4BD 5B 6F 45 27 42 41 F6 0B DD 0A E2 09 19 BE 01 43E 68 93 D5 EF 84 22 E3 DA 5D 3D 48 7F 05 F4 7E 03F B2 C0 33 91 F2 82 8D 4A 83 52 E1 86 F8 DC EA 6D

Table : The Substitution F for AES-like Description


Representation of MixColumns

The are exist at least three forms:

1 representation over F2n

2 representation over F2

1 matrix form2 system of equations

F2n F2

easy

hard



Any multiplication mapping F2n 7→ F2n is a lineartransformation of a vector space over F2 for specified basis.

Multiplication by arbitrary δ ∈ F28 can be represented asmultiplication on a matrix

δx =

k0,0 · · · k0,7k1,0 · · · k1,7

.... . .

...k7,0 · · · k7,7

·x0x1. . .x7

with xi, kj,s ∈ F2.



Let L : Fn2 7→ Fn

2 be a linear function of the form

L(x) =n−1∑i=0

δix2i .

Proposition [5]

Any linear function L : Fn2 7→ Fm

2 can be converted to a matrixwith the complexity O(n).

L(x) = δx, δi = 0, for 1 ≤ i ≤ n− 1.



The main steps of algorithm for obtaining MDS matrix overF28 from 64× 64 matrix over F2

1 for every irreducible polynomial (30)1 convert each 8× 8 submatrices to the element of the

filed2 check MDS property of the resulting matrix

Hint

It is necessary to transpose matrix of Stribog before applyingthe algorithm.


MixColumns

a7

a6

a5

a4

a3

a2

a1

a0

a15

a14

a13

a12

a11

a10

a9

a8

a23

a22

a21

a20

a19

a18

a17

a16

a31

a30

a29

a28

a27

a26

a25

a24

a39

a38

a37

a36

a35

a34

a33

a32

a47

a46

a45

a44

a43

a42

a41

a40

a55

a54

a53

a52

a51

a50

a49

a48

a63

a62

a61

a60

a59

a58

a57

a56

b7

b6

b5

b4

b3

b2

b1

b0

b15

b14

b13

b12

b11

b10

b9

b8

b23

b22

b21

b20

b19

b18

b17

b16

b31

b30

b29

b28

b27

b26

b25

b24

b39

b38

b37

b36

b35

b34

b33

b32

b47

b46

b45

b44

b43

b42

b41

b40

b55

b54

b53

b52

b51

b50

b49

b48

b63

b62

b61

b60

b59

b58

b57

b56

0E

2D

05

D4

E5

5F

04

71

02

F1

71

81

01

CB

88

05

F6

E7

5E

1C

54

AD

5B

09

8A

28

66

FA

BA

0F

B2

B9

15

55

17

39

0F

BA

E4

61

9D

A0

1C

5E

11

2C

36

A2

39

4C

D0

15

2A

04

5F

27

71

9A

02

24

76

A5

65

0E

a55

a54

a53

a52

a51

a50

a49

a48

b55

b54

b53

b52

b51

b50

b49

b48

Multiplying the vector by the constant 8×8 matrix G over F28

with the primitive polynomial f(x) = x8 + x6 + x5 + x4 + 1

B = G · A

×


Modified Compression Function

Original Function

E

F

hi

⊕

⊕hi−1 N mi

g

L

P

S

hi−1N

Modified Function

E

F

hi

⊕

⊕hi−1 N mi

D D D

D

g

L

P

S

hi−1N


Conclusions

Stribog is based on GOST 34.11-94 as well ason AES.

It is planned to replace existing standard34.11-94 in 2013.Is Stribog 20% faster than GOST 34.11-94?

No, it is slower.

More details on github.


https://github.com/okazymyrov/stribog

Conclusions


It is planned to replace existing standard34.11-94 in 2013.

Is Stribog 20% faster than GOST 34.11-94?

No, it is slower.




Conclusions


It is planned to replace existing standard34.11-94 in 2013.Is Stribog 20% faster than GOST 34.11-94?

No, it is slower.




References

F. Mendel, N. Pramstaller, C. Rechberger, M. Kontak, andJ. Szmidt. Cryptanalysis of the GOST hash function. InD. Wagner, editor, Advances in Cryptology CRYPTO 2008,volume 5157 of LNCS, pages 162–178.

Matuhin D.V., Shyshkin V.A., Rudskoy V.I.: Prospectivehashing algorithm. RusCrypto’2010, 2010. (In Russian).

GOST 34.11-20 , Information technology. Cryptographic datasecurity. Hash function. Prototype (version 1).http://infotecs.ru/laws/gost/proj/gost3411.pdf. (InRussian).

R. Oliynykov, I. Gorbenko, V. Dolgov, V. Ruzhentsev, Resultsof Ukrainian National Public Cryptographic Competition,Tatra Mt. Math. Publ. 47 2010, 99–113. http://www.sav.sk/journals/uploads/0317154006ogdr.pdf.

L. Budaghyan, O. Kazymyrov, Verification of RestrictedEA-Equivalence for Vectorial Boolean Functions. WAIFI 2012,pp. 108-118.


http://infotecs.ru/laws/gost/proj/gost3411.pdf

http://www.sav.sk/journals/uploads/0317154006ogdr.pdf

http://www.sav.sk/journals/uploads/0317154006ogdr.pdf

Prototype of Russian Hash Function 'Stribog' · Prototype of Russian Hash Function "Stribog"...

Documents

Transcript of Prototype of Russian Hash Function 'Stribog' · Prototype of Russian Hash Function "Stribog"...