# Streebog

**Streebog** is a family of two hash functions, Streebog-256 and Streebog-512, that produce output 256-bit or 512-bit hash respectively from a bit string of arbitrary size using the Merkle–Damgård construction. The high-level structure of the new hash function resembles the one from GOST R 34.11-94, however, the compression function was changed significantly. The compression function operates in mode and employs a 12-round AES-like cipher.

The function was named **Streebog** after , the god of rash wind in ancient Slavic mythology,

## Contents

## Examples of Streebog hashes

Hash values of empty string.

Streebog-256("") 0x 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb Streebog-512("") 0x 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7 362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a

Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to the . For example, adding a period to the end of the sentence:

Streebog-256("") 0x 3e7dea7f2384b6c5a3d0e24aaa29c05e89ddd762145030ec22c71a6db8b2c1f4 Streebog-256(".") 0x 36816a824dcbe7d6171aa58500741f2ea2757ae2e1784ab72c5c3c6c198d71da Streebog-512("") 0x d2b793a0bb6cb5904828b5b6dcfb443bb8f33efc06ad09368878ae4cdc8245b9 7e60802469bed1e7c21a64ff0b179a6a1e0bb74d92965450a0adab69162c00fe Streebog-512(".") 0x fe0c42f267d921f940faa72bd9fcf84f9f1bd7e9d055e9816e4c2ace1ec83be8 2d2957cd59b86e123d8f5adee80b3ca08a017599a9fc1a14d940cf87c77df070

## Cryptanalysis

In 2013 the Russian Technical Committee for Standardization “Cryptography and Security Mechanisms” (TC 26) with the participation of Academy of Cryptography of the Russian Federation declared an open competition for cryptanalysis of Streebog hash function, which attracted the international attention to the function.

Ma, *et al*, describe a that takes 2^{496} time and 2^{64} memory or 2^{504} time and 2^{11} memory to find a single preimage of GOST-512 reduced to 6 rounds. They also describe a collision attack with 2^{181} and 2^{64} memory requirement in the same paper.

Guo, *et al*, describe a on full Streebog-512 with total time complexity equivalent to 2^{266} compression function evaluations, if the message has more than 2^{259} blocks.

AlTawy and Youssef published an attack to a modified version of Streebog with different round constants. While this attack may not have a direct impact on the security of the original Streebog hash function, it raised a question about the origin of the used parameters in the function. The designers published a paper explaining that these are pseudorandom constants generated with Streebog-like hash function, provided with 12 different natural language input messages.

AlTawy, *et al*, found 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities 2^{8} and 2^{40}, respectively, as well as attacks on the compression function with 7.75 round semi free-start collision with time complexity 2^{184} and memory complexity 2^{8}, 8.75 and 9.75 round semi free-start near collisions with time complexities 2^{120} and 2^{196}, respectively.

Wang, *et al*, describe a collision attack on the compression function reduced to 9.5 rounds with 2^{176} time complexity and 2^{128} memory complexity.