Watch your constants: malicious Streebog

In August 2012, the Streebog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). In this study, the authors investigate the new standard in the context of malicious hashing and present a practical collision for a malicious version of the full hash function. In particular, they apply the rebound attack to find three solutions for three different differential paths for four rounds. Then, using the freedom of the round constants they connect them to obtain a collision for the 12 rounds of the compression function. Additionally, and because of the simple processing of the counter, they bypass the barrier of the checksum finalisation step and transfer the compression function collision to the hash function output with no additional cost. The presented attack has a practical complexity and is verified by an example. Although the results of this study may not have a direct impact on the security of the current Streebog hash function, it presents an urge for the designers to publish the origin of the used parameters and the rational behind their choices in order for this function to gain enough confidence and widespread adoption by the security community.