International Workshop on Selected Areas in Cryptography

SAC 2014: Selected Areas in Cryptography -- SAC 2014 pp 195-211 | Cite as

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

  • Jian Guo
  • Jérémy Jean
  • Gaëtan Leurent
  • Thomas Peyrin
  • Lei Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8781)


Streebog is a new Russian hash function standard. It follows the HAIFA framework as domain extension algorithm and claims to resist recent generic second-preimage attacks with long messages. However, we demonstrate in this article that the specific instantiation of the HAIFA framework used in Streebog makes it weak against such attacks. More precisely, we observe that Streebog makes a rather poor usage of the HAIFA counter input in the compression function, which allows to construct second-preimages on the full Streebog-512 with a complexity as low as \(n \times 2^{n/2}\) (namely \(2^{266}\)) compression function evaluations for long messages. This complexity has to be compared with the expected \(2^{512}\) computations bound that an ideal hash function should provide. Our work is a good example that one must be careful when using a design framework for which not all instances are secure. HAIFA helps designers to build a secure hash function, but one should pay attention to the way the counter is handled inside the compression function.


Streebog Cryptanalysis Second-preimage attack Diamond structure Expandable message HAIFA 



We would like to thank the anonymous reviewers for their detailed feedback and comments. Jian Guo, Jérémy Jean, Thomas Peyrin and Lei Wang were supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06).


  1. 1.
    AlTawy, R., Kircanski, A., Youssef, A.M.: Rebound attacks on Stribog. IACR Cryptology ePrint Archive 2013, 539 (2013)Google Scholar
  2. 2.
    AlTawy, R., Youssef, A.M.: Preimage attacks on reduced-round stribog. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 109–125. Springer, Heidelberg (2014)Google Scholar
  3. 3.
    Andreeva, E., Bouillaguet, C., Fouque, P.-A., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: Second preimage attacks on dithered hash functions. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270–288. Springer, Heidelberg (2008)Google Scholar
  4. 4.
    Aumasson, J.-P., Guo, J., Knellwolf, S., Matusiewicz, K., Meier, W.: Differential and invertibility properties of BLAKE. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 318–332. Springer, Heidelberg (2010)Google Scholar
  5. 5.
    Aumasson, J.P., Henzen, L., Meier, W., Phan, R.C.W.: SHA-3 proposal BLAKE. Submission to NIST (Round 3) (2010)Google Scholar
  6. 6.
    Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 Proposal: ECHO. Submission to NIST (updated) (2009)Google Scholar
  7. 7.
    Biham, E., Dunkelman, O.: A framework for iterative hash functions - HAIFA. Cryptology ePrint Archive, Report 2007/278 (2007)Google Scholar
  8. 8.
    Biham, E., Dunkelman, O.: The SHAvite-3 hash function. Submission to NIST (Round 2) (2009)Google Scholar
  9. 9.
    Biryukov, A., Gauravaram, P., Guo, J., Khovratovich, D., Ling, S., Matusiewicz, K., Nikolić, I., Pieprzyk, J., Wang, H.: Cryptanalysis of the LAKE hash family. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 156–179. Springer, Heidelberg (2009)Google Scholar
  10. 10.
    Bouillaguet, C., Fouque, P.A.: Practical hash functions constructions resistant to generic second preimage attacks beyond the birthday bound. Submitted to Information Processing Letters (2010)Google Scholar
  11. 11.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)Google Scholar
  12. 12.
    Bresson, E., Canteaut, A., Chevallier-Mames, B., Clavier, C., Fuhr, T., Gouget, A., Icart, T., Misarsky, J.F., Naya-Plasencia, M., Paillier, P., Pornin, T., Reinhard, J.R., Thuillet, C., Videau, M.: Shabal, a submission to NIST’s cryptographic hash algorithm competition. Submission to NIST (2008)Google Scholar
  13. 13.
    Damgård, I.: A design principle for hash functions. In: [11], pp. 416–427Google Scholar
  14. 14.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The skein hash function family. Submission to NIST (Round 3) (2010)Google Scholar
  15. 15.
    Gauravaram, P., Kelsey, J.: Linear-XOR and additive checksums don’t protect Damgård-Merkle hashes from generic attacks. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 36–51. Springer, Heidelberg (2008)Google Scholar
  16. 16.
    Gauravaram, P., Leurent, G., Mendel, F., Naya-Plasencia, M., Peyrin, T., Rechberger, C., Schläffer, M.: Cryptanalysis of the 10-round hash and full compression function of SHAvite-3-512. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 419–436. Springer, Heidelberg (2010)Google Scholar
  17. 17.
    Grebnev, S., Dmukh, A., Dygin, D., Matyukhin, D., Rudskoy, V., Shishkin, V.: Asymmetrical reply to SHA-3: Russian hash function draft standard. CTCrypt 2012, abstract available from
  18. 18.
    Guo, J.: A program confirmation of the diamond construction by Kortelainen and Kortelainen (Feburary 2014).
  19. 19.
    Guo, J., Karpman, P., Nikolic, I., Wang, L., Wu, S.: Analysis of BLAKE2. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 402–423. Springer, Heidelberg (2014)Google Scholar
  20. 20.
    IETF: GOST R 34.11-2012: Hash Function. RFC6896 (2013)Google Scholar
  21. 21.
    Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)Google Scholar
  22. 22.
    Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)Google Scholar
  23. 23.
    Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2\(^{n}\) work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)Google Scholar
  24. 24.
    Kortelainen, T., Kortelainen, J.: On diamond structures and trojan message attacks. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 524–539. Springer, Heidelberg (2013)Google Scholar
  25. 25.
    Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: results on the full whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009)Google Scholar
  26. 26.
    Merkle, R.C.: One way hash functions and DES. In: [11], pp. 428–446Google Scholar
  27. 27.
    REGULATION, F.A.O.T., METROLOGY: Information technology - CRYPTOGRAPHIC DATA SECURITY - Hash-function. GOST R 34.11-2012 (2012)Google Scholar
  28. 28.
    Rijmen, V., Barreto, P.S.L.M.: The WHIRLPOOL hashing function. Submitted to NISSIE, September 2000Google Scholar
  29. 29.
    Sasaki, Y., Wang, L., Wu, S., Wu, W.: Investigating fundamental security requirements on whirlpool: improved preimage and collision attacks. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 562–579. Springer, Heidelberg (2012)Google Scholar
  30. 30.
    GOST R 34.11-2012: Streebog Hash Function.
  31. 31.
    Wang, Z., Yu, H., Wang, X.: Cryptanalysis of GOST R hash function. Cryptology ePrint Archive, Report 2013/584 (2013).

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Jian Guo
    • 1
  • Jérémy Jean
    • 1
  • Gaëtan Leurent
    • 2
  • Thomas Peyrin
    • 1
  • Lei Wang
    • 1
  1. 1.Division of Mathematical Sciences, School of Physical and Mathematical SciencesNanyang Technological UniversitySingaporeSingapore
  2. 2.INRIAParisFrance

Personalised recommendations