Preimage Attacks on Reduced-Round Stribog

In August 2012, the Stribog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). Stribog employs twelve rounds of an AES-based compression function operating in Miyaguchi-Preneel mode. In this paper, we investigate the preimage resistance of the Stribog hash function. Specifically, we apply a meet in the middle preimage attack on the compression function which allows us to obtain a 5-round pseudo preimage for a given compression function output with time complexity of 2 and memory complexity of 2. Additionally, we adopt a guess and determine approach to obtain a 6-round chunk separation that balances the available degrees of freedom and the guess size. The proposed chunk separation allows us to attack 6 out of 12 rounds with time and memory complexities of 2 and 2, respectively. Finally, employing 2 multicollision, we show that preimages of the 5 and 6-round reduced hash function can be generated with time complexity of 2 and 2, respectively. The two preimage attacks have equal memory complexity of 2.