
Side Channel Cryptanalysis of Streebog

  • Conference paper
  • Security Standardisation Research (SSR 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9497)

Abstract

Streebog is the cryptographic hash function standard of the Russian Federation. It comprises two hash functions corresponding to two digest sizes, 256 bits and 512 bits. This paper presents a side channel attack that uses processor flag information to speed up message recovery by a factor of 2. Success is nearly guaranteed if the flag is set; the probability is 0.668 otherwise.


Notes

  1. The for-loop of Algorithm 1 is implemented differently in [5]. To obtain \(M_0\), the least significant 512-bit word of the padded message is extracted. The leftover message replaces the padded message and its 512 LSBs are extracted as \(M_1\). This process is repeated until all the message blocks have been extracted. The carry flag is evidently unaffected by the process.

  2. Therefore, even if we go with the for-loop implementation (Algorithm 1), it will have no bearing on the carry flag.

  3. Since the distribution of \(|M_{k}|\) is uniform, given the padding scheme employed, the distribution of \(M_{k}\) is not uniform. This makes it tedious to compute the distribution of the carry vector C. Hence the assumption.

  4. This does not apply to \(M_{k}\) unless \(|pad| = 0\). Knowing |pad| and \(M_0, M_1, \ldots , M_{k - 1}\), the attacker can recover \(M_{k}\) in \(2^{512 - |pad|}\) time. Our attack is not intended to recover \(M_{k}\).

  5. A similar assumption is made in [8].
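The abstract and the notes above only say that a processor flag, specifically the carry flag, speeds up message recovery; the attack itself is not on this page. The following is an added illustration, not code from the paper, of what one carry-out observation on a 512-bit modular addition tells an attacker. It assumes the flag comes from the kind of addition Streebog performs on every block, the checksum update \(\Sigma = \Sigma + M_i \bmod 2^{512}\) of GOST R 34.11-2012 (the length counter N is updated the same way), emulates the ADD/ADC limb chain a 64-bit CPU uses for such an addition, and enumerates the candidate blocks consistent with the observed flag on a width small enough to brute-force. The names add_limbs, surviving_candidates and mean_surviving_fraction are mine, and the reduced widths and random draws are constructed test data.

```python
import random

WIDTH_BITS = 512  # Streebog's Sigma and N are 512-bit registers (GOST R 34.11-2012)


def add_limbs(a: int, b: int, limb_bits: int = 64, n_limbs: int = 8):
    """Add a and b the way a 64-bit CPU adds two 512-bit numbers: limb by
    limb with an ADD/ADC chain.  Returns (sum mod 2**(limb_bits*n_limbs),
    carry), where carry is the value of CF left by the last ADC, i.e. the
    carry-out of the whole multi-limb addition."""
    mask = (1 << limb_bits) - 1
    carry = 0
    total = 0
    for i in range(n_limbs):
        shift = limb_bits * i
        s = ((a >> shift) & mask) + ((b >> shift) & mask) + carry
        carry = s >> limb_bits          # CF after this limb
        total |= (s & mask) << shift
    return total, carry


def surviving_candidates(sigma_old: int, carry: int, width: int) -> range:
    """All values m of the unknown addend consistent with an observed
    carry-out of (sigma_old + m) mod 2**width.
    CF == 1  <=>  sigma_old + m >= 2**width  <=>  m >= 2**width - sigma_old."""
    threshold = (1 << width) - sigma_old
    return range(threshold, 1 << width) if carry else range(0, threshold)


def mean_surviving_fraction(limb_bits: int = 6, n_limbs: int = 2,
                            trials: int = 200, seed: int = 1) -> float:
    """Monte-Carlo estimate of how much of the candidate space one carry
    observation leaves, on a width small enough to brute-force (default
    12 bits, so each survivor set is cross-checked exhaustively).
    Sigma and the secret block are drawn uniformly (constructed data, not
    a hash of anything)."""
    rng = random.Random(seed)
    width = limb_bits * n_limbs
    total = 0
    for _ in range(trials):
        sigma = rng.getrandbits(width)
        secret = rng.getrandbits(width)
        _, cf = add_limbs(sigma, secret, limb_bits, n_limbs)
        survivors = surviving_candidates(sigma, cf, width)
        assert secret in survivors
        # exhaustive cross-check: exactly the survivors reproduce the observed flag
        for m in range(1 << width):
            assert (m in survivors) == (add_limbs(sigma, m, limb_bits, n_limbs)[1] == cf)
        total += len(survivors)
    return total / (trials * (1 << width))


if __name__ == "__main__":
    s, cf = add_limbs((1 << WIDTH_BITS) - 1, 1)
    print(f"carry-out of (2^512 - 1) + 1 = {cf}, sum = {s}")
    print(f"mean fraction of candidates surviving one CF observation: "
          f"{mean_surviving_fraction():.3f}")
```

One flag observation is worth one bit of entropy (with \(\Sigma\) uniform, CF is 0 or 1 with equal probability), yet the expected fraction of surviving candidates is about 2/3 rather than 1/2, because the true block is more likely to fall on the larger side of the split at \(2^{512} - \Sigma\). The success probabilities quoted in the abstract belong to the paper's full attack and are not reproduced by this toy model.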

References

  1. AlTawy, R., Kircanski, A., Youssef, A.M.: Rebound attacks on Stribog. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 175–188. Springer, Heidelberg (2014)

  2. AlTawy, R., Youssef, A.M.: Integral distinguishers for reduced-round Stribog. Inf. Process. Lett. 114(8), 426–431 (2014)

  3. AlTawy, R., Youssef, A.M.: Preimage attacks on reduced-round Stribog. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 109–125. Springer, Heidelberg (2014)

  4. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)

  5. Federal Agency on Technical Regulation and Metrology: National Standard of the Russian Federation GOST R 34.11-2012 (English version), 1 January 2013

  6. Guo, J., Jean, J., Leurent, G., Peyrin, T., Wang, L.: The usage of counter revisited: second-preimage attack on new Russian standardized hash function. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 195–211. Springer, Heidelberg (2014)

  7. Intel: IA-32 Intel Architecture Software Developer's Manual, vol. 1 (Basic Architecture), p. 426 (2003). http://flint.cs.yale.edu/cs422/doc/24547012.pdf

  8. Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Side channel cryptanalysis of product ciphers. J. Comput. Secur. 8, 141–158 (2000)

  9. Preneel, B.: Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven (1993)

  10. Wang, Z., Yu, H., Wang, X.: Cryptanalysis of GOST R hash function. Inf. Process. Lett. 114(12), 655–662 (2014)

Author information

Corresponding author: Gautham Sekar


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Sekar, G. (2015). Side Channel Cryptanalysis of Streebog. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science, vol 9497. Springer, Cham. https://doi.org/10.1007/978-3-319-27152-1_8

  • DOI: https://doi.org/10.1007/978-3-319-27152-1_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27151-4

  • Online ISBN: 978-3-319-27152-1
