Differential Fault Analysis of Streebog

  • Riham AlTawy
  • Amr M. Youssef
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)


In August 2012, the Streebog hash function was selected as the new Russian federal hash function standard (GOST R 34.11-2012). In this paper, we present a fault analysis attack on this new hashing standard. In particular, our attack considers the compression function in the secret key setting where both the input chaining value and the message block are unknown. The fault model adopted is the one in which an attacker is assumed to be able to cause a bit-flip at a random byte in the internal state of the underlying cipher of the compression function. We also consider the case where the position of the faulted byte can be chosen by the attacker. In the sequel, we propose a two-stage approach that recovers the two secret inputs of the compression function using an average number of faults that varies between 338-1640, depending on the assumptions of our employed fault model. Moreover, we show that the attack can be extended to the iterated hash function using a feasible pre-computation stage. Finally, we analyze Streebog in different MAC settings and demonstrate how our attack can be used to recover the secret key of HMAC/NMAC-GOST.


Differential fault analysis Hash functions Cryptanalysis HMAC NMAC GOST R 34.11-2012 Streebog 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    The National Hash Standard of the Russian Federation GOST R 34.11-2012. Russian Federal Agency on Technical Regulation and Metrology report (2012),
  2. 2.
    AlTawy, R., Kircanski, A., Youssef, A.M.: Rebound attacks on stribog. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 175–188. Springer, Heidelberg (2014)Google Scholar
  3. 3.
    AlTawy, R., Youssef, A.M.: Integral distinguishers for reduced-round Stribog. Information Processing Letters 114(8), 426 (2014)CrossRefzbMATHGoogle Scholar
  4. 4.
    AlTawy, R., Youssef, A.M.: Preimage attacks on reduced-round stribog. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 109–125. Springer, Heidelberg (2014), CrossRefGoogle Scholar
  5. 5.
    AlTawy, R., Youssef, A.M.: Watch your Constants: Malicious Streebog. IET Information Security (2015) (to appear)Google Scholar
  6. 6.
    Banik, S., Maitra, S., Sarkar, S.: A differential fault attack on the Grain family of stream ciphers. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 122–139. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  7. 7.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge function family main document. Submission to NIST, Round 2 (2009)Google Scholar
  9. 9.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  10. 10.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997), CrossRefGoogle Scholar
  11. 11.
    Chang, S.-J., Perlner, R., Burr, W.E., Turan, M.S., Kelsey, J.M., Paul, S., Bassham, L.E.: Third-round report of the SHA-3 cryptographic hash algorithm competition (2012)Google Scholar
  12. 12.
    Courbon, F., Loubet-Moundi, P., Fournier, J.J.A., Tria, A.: Adjusting laser injections for fully controlled faults. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 229–242. Springer, Heidelberg (2014)Google Scholar
  13. 13.
    Fischer, W., Reuter, C.A.: Differential fault analysis on Grøstl. In: IEEE Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 44–54 (2012)Google Scholar
  14. 14.
    Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Guo, J., Jean, J., Leurent, G., Peyrin, T., Wang, L.: The usage of counter revisited: Second-preimage attack on new russian standardized hash function. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 195–211. Springer, Heidelberg (2014)Google Scholar
  16. 16.
    Hemme, L., Hoffmann, L.: Differential fault analysis on the SHA1 compression function. In: IEEE Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 54–62 (2011)Google Scholar
  17. 17.
    IETF. GOST R 34.11-2012: Hash Function, RFC6896 (2013)Google Scholar
  18. 18.
    Zou, J., Wu, W., Wu, S.: Cryptanalysis of the round-reduced GOST hash function. In: Lin, D., Xu, S., Yung, M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 307–320. Springer, Heidelberg (2014)Google Scholar
  19. 19.
    Kazymyrov, O., Kazymyrova, V.: Algebraic aspects of the russian hash standard GOST R 34.11-2012. In: CTCrypt, pp. 160–176 (2013),
  20. 20.
    Keccak team. Strengths of Keccak - Design and security, (last accessed: December 2, 2014)
  21. 21.
    Kim, C.H., Quisquater, J.-J.: New differential fault analysis on AES key schedule: Two faults are enough. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 48–60. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  22. 22.
    Li, R., Li, C., Gong, C.: Differential fault analysis on SHACAL-1. In: IEEE Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 120–126 (2009)Google Scholar
  23. 23.
    Ma, B., Li, B., Hao, R., Li, X.: Improved cryptanalysis on reduced-round GOST and Whirlpool hash function. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 289–307. Springer, Heidelberg (2014)Google Scholar
  24. 24.
    Matyukhin, D., Rudskoy, V., and Shishkin, V. A perspective hashing algorithm. In: RusCrypto (2010) (in Russian)Google Scholar
  25. 25.
    Mendel, F., Pramstaller, N., Rechberger, C.: A (Second) preimage attack on the GOST hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 224–234. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  26. 26.
    Mendel, F., Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J.: Cryptanalysis of the GOST hash function. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 162–178. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  27. 27.
    Preneel, B., van Oorschot, P.C.: On the security of iterated message authentication codes. IEEE Transactions on Information Theory 45(1), 188–199 (1999)CrossRefzbMATHGoogle Scholar
  28. 28.
    Skorobogatov, S., Anderson, R.: Optical fault induction attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  29. 29.
    Tunstall, M., Mukhopadhyay, D., Ali, S.: Differential fault analysis of the Advanced Encryption Standard using a single fault. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 224–233. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  30. 30.
    Wang, Z., Yu, H., Wang, X.: Cryptanalysis of GOST R hash function. Information Processing Letters 114(12), 655–662 (2014)CrossRefzbMATHGoogle Scholar
  31. 31.
    Zou, J., Wu, W., Wu, S.: Cryptanalysis of the round-reduced GOST hash function. In: Lin, D., Xu, S., Yung, M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 307–320. Springer, Heidelberg (2014)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Riham AlTawy
    • 1
  • Amr M. Youssef
    • 1
  1. 1.Concordia Institute for Information Systems EngineeringConcordia UniversityMontréalCanada

Personalised recommendations