First published 2014 Certification DSTU standard | Related to Digest sizes arbitrary (8-512 bit) | |
Rounds 10 (digest size 8-256) or 14 (digest size 257-512) | ||
Kupyna is a cryptographic hash function defined in the Ukrainian national standard DSTU 7564:2014. It was created to replace an obsolete GOST hash function defined in the old standard GOST 34.11-95, similar to Streebog hash function standardized in Russia.
Contents
In addition to the hash function, the standard also describes message authentication code generation using Kupyna with digest sizes 256, 384 and 512 bits.
Description
Kupyna hash function uses Davies-Meyer compression function based on Even-Mansour cipher. The compression function consists of two fixed permutations, T⊕ and T+, which are taken from the Kalyna block cipher and consist of four operations: AddRoundConstant, SubBytes, ShiftBytes and MixColumns. The round function uses four different S-Boxes.
The function can return a digest of arbitrary length from 8 to 512 bits; function which returns n-bit digest is called Kupyna-n. The recommended digest lengths are 256, 384 and 512 bits.
The designers claim that differential and rebound attacks are ineffective after 4 rounds of the compression function.
Kupyna is Ukrainian name for Polygonatum odoratum. The plant is listed in The Red Book of Ukraine.
Examples of Kupyna hashes
Hash values of empty string.
Kupyna-256("")0x cd5101d1ccdf0d1d1f4ada56e888cd724ca1a0838a3521e7131d4fb78d0f5eb6Kupyna-512("")0x 656b2f4cd71462388b64a37043ea55dbe445d452aecd46c3298343314ef04019 \ bcfa3f04265a9857f91be91fce197096187ceda78c9c1c021c294a0689198538Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to the avalanche effect. For example, adding a period to the end of the sentence:
Kupyna-256("The quick brown fox jumps over the lazy dog")0x 996899f2d7422ceaf552475036b2dc120607eff538abf2b8dff471a98a4740c6Kupyna-256("The quick brown fox jumps over the lazy dog.")0x 88ea8ce988fe67eb83968cdc0f6f3ca693baa502612086c0dcec761a98e2fb1fCryptanalysis
Christoph Dobraunig, Maria Eichlseder, and Florian Mendel describe a collision attack using rebound attack on Kupyna-256 reduced to 4 rounds with time complexity 267 and on Kupyna-256 reduced to 5 rounds with time complexity 2120, based on rebound attacks on Grøstl.
Jian Zou and Le Dong also describe a collision attack on Kupyna-256 reduced to 5 rounds with time complexity 2120, as well as pseudo-preimage attack on 6-round Kupyna-256 with time and memory complexities 2250 and on 8-round Kupyna-512 with time and memory complexities 2498. They note that these attacks do not threat any security claims of Kupyna.