# BLACK-BOX COLLISION ATTACKS ON THE COMPRESSION FUNCTION OF THE GOST HASH FUNCTION

### Nicolas T. Courtois, Theodosis Mourouzis

#### Abstract

The GOST hash function and more precisely GOST 34.11-94 is a cryptographic hash function and the official government standard of the Russian Federation. It is a key component in the national Russian digital signature standard. The GOST hash function is a 256-bit iterated hash function with an additional checksum computed over all input message blocks. Inside the GOST compression function, we find the standard GOST block cipher, which is an instantiation of the official Russian national encryption standard GOST 28147-89. In this paper we focus mostly on the problem of finding collisions on the GOST compression function. At Crypto 2008 a collision attack on the GOST compression function requiring $2^{96}$ evaluations of this function was found. In this paper, we present a new collision attack on the GOST compression function which is fundamentally different and more general than the attack published at Crypto 2008. Our new attack is a black-box attack which does not need any particular weakness to exist in the GOST block cipher, and works also if we replace GOST by another cipher with the same block and key size. Our attack is also slightly faster and we also show that the complexity of the previous attack can be slightly improved as well. Since GOST has an additional checksum computed over all blocks, it is not obvious how a collision attack on the GOST compression function can be extended to a collision attack on the hash function. In 2008 Gauravaram and Kelsey develop a technique to achieve this, in the case in which the checksum is linear or additive, using the Camion-Patarin-Wagner generalized birthday algorithm. Thus at Crypto 2008 the authors were also able to break the collision resistance of the complete GOST Hash function. Our attack is more generic and shows that the GOST compression function can be broken whatever is the underlying block cipher, but remains an attack on the compression function. It remains an open problem how and if this new attack can be extended to a collision attack on the full GOST hash function.

#### References

- A. Poschmann, S. Ling, H. W. (2010). 256 bit standardized crypto for 650 ge gost revisited. In CHES 2010 Proceedings.
- Courtois, N. Algebraic complexity reduction and cryptanalysis of gost. Unpublished manuscript, 17 February 2011. 28 pages. MD5=d1e272a75601405d156618176cf98218.
- Courtois, N. Security evaluation of gost 28147-89 in view of international standardisation. Unpublished manuscript, 2011. Available: http:// www.nicolas courtois.com/papers/gostreport.pdf (2011/05/01).
- Damga°rd, I. (1990). A Design Principle for Hash Functions. In Brassard, G., editor, Advances in Cryptology - CRYPTO 7889, Proceedings, volume 435 of LNCS, pages 416-427. Springer.
- F. Mendel N. Pramstaller, C. Rechberger, M. K. J. S. (2008). Cryptanalysis of the GOST Hash Function. In Wagner, D., editor, Advances in Cryptology - CRYPTO 2008, Proceedings, volume 5157 of LNCS, pages 162-178. Springer.
- GOST, C. R. F. (1994). GOST R 34.11-94, the Russian hash function standard. Government Standard of the Russian Federation, Government Committee of Russia for Standards, in Russian. English translation by Michael Roe available as gost34.11.ps inside: http://www.autochthonous.org/crypto/gosthash.tar.gz.
- I.A. Zabotin, G.P. Glazkov, V. I. (1989). Gost 28147-89, cryptographic protection for information processing systems. Government Standard of the USSR, Government Committee of the USSR for Standards, in Russian. English translation gost28147.ps by Aleksandr Malchik available inside: http://www.autochthonous.org/crypto/gosthash.tar.gz.
- Isobe, T. (2011). A single-key attack on the full gost block cipher. In Fast Software Encryption 2011, Proceedings, LNCS. Springer.
- J. Talbot, D. W. (2006). Complexity and Cryptography. Cambridge University Press, Cambridge, 1st edition.
- Kara, O. (2008). Reflection cryptanalysis of some ciphers. In Indocrypt 2008 Proceedings, volume 5365 of LNCS, pages 294-307. Springer.
- P. Camion, J. P. (1991). The Knapsack Hash Function proposed at Crypto'89 can be broken. In Davies, D. W., editor, Advances in Cryptology - EUROCRYPT 7891, Proceedings, volume 547 of LNCS, pages 39-53. Springer.
- P. Gauravaram, J. K. (2008). Linear-XOR and Additive Checksums Don't Protect Damga°rd-Merkle Hashes from Generic Attacks. In Malkin, T., editor, Topics in Cryptology - CT-RSA 2008, volume 4964 of LNCS, pages 36-51. Springer.
- Schneier, B. (1996). Applied Cryptography: Protocols, Algorithms and Source Code in C. John Willey, New York, 2nd edition.
- Wagner, D. (2002). A Generalized Birthday Problem. In Yung, M., editor, Advances in Cryptology - CRYPTO 2002, Proceedings, volume 2442 of LNCS, pages 288-303. Springer.

#### Paper Citation

#### in Harvard Style

T. Courtois N. and Mourouzis T. (2011). **BLACK-BOX COLLISION ATTACKS ON THE COMPRESSION FUNCTION OF THE GOST HASH FUNCTION** . In *Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)* ISBN 978-989-8425-71-3, pages 325-332. DOI: 10.5220/0003525103250332

#### in Bibtex Style

@conference{secrypt11,

author={Nicolas T. Courtois and Theodosis Mourouzis},

title={BLACK-BOX COLLISION ATTACKS ON THE COMPRESSION FUNCTION OF THE GOST HASH FUNCTION},

booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},

year={2011},

pages={325-332},

publisher={SciTePress},

organization={INSTICC},

doi={10.5220/0003525103250332},

isbn={978-989-8425-71-3},

}

#### in EndNote Style

TY - CONF

JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)

TI - BLACK-BOX COLLISION ATTACKS ON THE COMPRESSION FUNCTION OF THE GOST HASH FUNCTION

SN - 978-989-8425-71-3

AU - T. Courtois N.

AU - Mourouzis T.

PY - 2011

SP - 325

EP - 332

DO - 10.5220/0003525103250332