This page uses content from Wikipedia and is licensed under CC BY-SA.

General | |
---|---|

First published | 2014 |

Related to | GOST |

Certification | DSTU standard |

Detail | |

Digest sizes | arbitrary (8–512 bit) |

Rounds | 10 (digest size 8–256) or 14 (digest size 257–512) |

Best public cryptanalysis | |

A rebound attack that presents collisions against 4 rounds of Kupyna-256 in 2^{67} time and against 5 rounds in 2^{120} time.^{[1]} |

**Kupyna** is a cryptographic hash function defined in the Ukrainian national standard DSTU 7564:2014.^{[2]}^{[3]} It was created to replace an obsolete GOST hash function defined in the old standard GOST 34.11-95, similar to Streebog hash function standardized in Russia.

In addition to the hash function, the standard also describes message authentication code generation using Kupyna with digest sizes 256, 384 and 512 bits.

Kupyna hash function uses Davies–Meyer compression function based on Even–Mansour cipher. The compression function consists of two fixed permutations, T^{⊕} and T^{+}, which are taken from the Kalyna block cipher^{[4]} and consist of four operations: AddRoundConstant, SubBytes, ShiftBytes and MixColumns. The round function uses four different S-boxes.^{[5]}

The function can return a digest of arbitrary length from 8 to 512 bits; function which returns n-bit digest is called Kupyna-n. The recommended digest lengths are 256, 384 and 512 bits.

The designers claim that differential and rebound attacks are ineffective after 4 rounds of the compression function.^{[6]}

*Kupyna* is Ukrainian name for *Polygonatum odoratum*.

Hash values of empty string.

Kupyna-256("") 0x cd5101d1ccdf0d1d1f4ada56e888cd724ca1a0838a3521e7131d4fb78d0f5eb6 Kupyna-512("") 0x 656b2f4cd71462388b64a37043ea55dbe445d452aecd46c3298343314ef04019 \ bcfa3f04265a9857f91be91fce197096187ceda78c9c1c021c294a0689198538

As with all cryptographic hash functions, even a small change in the message will (with overwhelming^{[clarification needed]} probability) result in a hash differing from the original in, on average, half of the output bits, due to the avalanche effect. For example, adding a period to the end of the sentence:

Kupyna-256("The quick brown fox jumps over the lazy dog") 0x 996899f2d7422ceaf552475036b2dc120607eff538abf2b8dff471a98a4740c6 Kupyna-256("The quick brown fox jumps over the lazy dog.") 0x 88ea8ce988fe67eb83968cdc0f6f3ca693baa502612086c0dcec761a98e2fb1f

Christoph Dobraunig, Maria Eichlseder, and Florian Mendel describe a collision attack using rebound attack on Kupyna-256 reduced to 4 rounds with time complexity 2^{67} and on Kupyna-256 reduced to 5 rounds with time complexity 2^{120}, based on rebound attacks on Grøstl.^{[1]}

Jian Zou and Le Dong also describe a collision attack on Kupyna-256 reduced to 5 rounds with time complexity 2^{120}, as well as pseudo-preimage attack on 6-round Kupyna-256 with time and memory complexities 2^{250} and on 8-round Kupyna-512 with time and memory complexities 2^{498}. They note that these attacks do not threat any security claims of Kupyna.^{[7]}

Onur Duman published differential fault analysis on Kupyna when it is used for MAC schemes. According to the paper, recovering one byte of the state requires 2.21–2.42 faults.^{[8]}

- ^
^{a}^{b}Christoph Dobraunig, Maria Eichlseder, and Florian Mendel (2015-10-01). "Analysis of the Kupyna-256 Hash Function" (PDF). **^**[jurliga.ligazakon.ua] Extension of national standards for cryptographic algorithms and protocols (in Russian)**^**[eprint.iacr.org] A New Standard of Ukraine: The Kupyna Hash Function**^**[eprint.iacr.org] A New Encryption Standard of Ukraine: The Kalyna Block Cipher**^**[github.com] Reference implementation of the Kupyna hash function (DSTU 7564:2014)**^**[www.slideshare.net] Main properties of the new Ukrainian national standard on cryptographic hash function**^**Jian Zou, Le Dong (2015-10-02). "Cryptanalysis of the Round-Reduced Kupyna Hash Function" (PDF).**^**Onur Duman (2016-06-15). "Application of Fault Analysis to Some Cryptographic Standards" (PDF).