Cryptanalysis of GOST R hash function

• The first cryptanalytic results on GOST R hash function are given.
• We achieve collision attacks on the reduced round GOST R compression function using rebound technique.
• A limited birthday distinguisher on 10 rounds GOST R compression function is presented.
• A k-collisions on 512-bit version of GOST R is constructed.

GOST R 34.11-2012 is the new Russian hash function standard. This paper presents some cryptanalytic results on GOST R. Using the rebound attack technique, we achieve collision attacks on the reduced round compression function. Result on up to 9.5 rounds is proposed, the time complexity is 2176 and the memory requirement is 2128 bytes. Based on the 9.5-round collision result, a limited birthday distinguisher is presented. More over, a k-collision on 512-bit version of GOST R is constructed which shows the weakness of the structure used in GOST R.