Streebog is a new Russian hash function standard. It follows the HAIFA
framework as domain extension algorithm and claims to resist recent generic
second-preimage attacks with long messages. However, we demonstrate in this
article that the specific instantiation of the HAIFA framework used in Streebog
makes it weak against such attacks. More precisely, we observe that Streebog
makes a rather poor usage of the HAIFA counter input in the compression
function, which allows to construct second-preimages on the full Streebog-512
with a complexity as low as 2^{266} compression function evaluations for long
messages. This complexity has to be compared with the expected 2^{512}
computations bound that an ideal hash function should provide. Our work is a
good example that one must be careful when using a design framework for which
not all instances are secure. HAIFA helps designers to build a secure hash
function, but one should pay attention to the way the counter is handled inside
the compression function.
↧