Template:Infobox cryptographic hash function The GOST hash function, defined in the standards GOST R 34.1194 and GOST 34.31195, is a 256bit cryptographic hash function. It was initially defined in the Russian national standard GOST R 34.1194 Information Technology  Cryptographic Information Security  Hash Function. The equivalent standard used by other memberstates of the CIS is GOST 34.31195.
The hash function is based on the GOST block cipher.
Algorithm[]
GOST processes a variablelength message into a fixedlength output of 256 bits. The input message is broken up into chunks of 256bit blocks (eight 32bit little endian integers); the message is padded by appending as many zeros to it as are required to bring the length of the message up to 256 bits. The remaining bits are filled up with a 256bit integer arithmetic sum of all previously hashed blocks and then a 256bit integer representing the length of the original message, in bits.
Basic notations[]
The algorithm descriptions uses the following notations:
 — jbit block filled with zeroes.
 — length of the M block in bits modulo 2^{256}.
 — concatenation of two blocks.
 — arithmetic sum of two blocks modulo 2^{256}
 — logical xor of two blocks
Further we consider that the littleorder bit is located at the left of a block, and the highorder bit at the right.
Description[]
The input message is split into 256bit blocks . In the case the last block contains less than 256 bits, it is prepended left by zero bits to achieve the desired length.
Each block is processed by the step hash function , where , , are a 256bit blocks.
Each message block, starting the first one, is processed by the step hash function , to calculate intermediate hash value
The value can be arbitrary chosen, and usually is .
After is calculated, the final hash value is obtained in the following way
 , where L — is the length of the message M in bits modulo
 , where K — is 256bit control sum of M:
The is the desired value of the hash function of the message M.
File:GOSThashcalculation.gif
So, the algorithm works as follows.
 Initialization:
 — Initial 256bit value of the hash function, determined by user.
 — Control sum
 — Message length
 Compression function of internal iterarions: for i = 1 … n — 1 do the following (while ):
  apply step hash function
  recalculate message length
  calculate control sum
 Compression function of final iteration:
  calculate the full message lentgh in bits
  pad the last message with zeroes
  update control sum
  process the last message block
  MD  strengthen up by hashing message length
  hash control sum
 The output value is .
The step hash function[]
The step hash function maps two 256bit blocks into one: . It consist of three parts:
 Generating of keys
 Enciphering transformation using keys
 Shuffle transformation
Generating of keys[]
The keys generating algorithm uses:
 Two transformations of 256bit blocks:
 Transformation , where are 64bit subblocks of Y.
 Transformation , where , and are 8bit subblocks of Y.
 Three constants:
C_{2} = 0 C_{3} = 0xff00ffff000000ffff0000ff00ffff0000ff00ff00ff00ffff00ff00ff00ff00 C_{4} = 0
The algorithm:
 For j = 2,3,4 do the following:
Enciphering transformation[]
After the keys generation, the enciphering of is done using GOST 2814789 in the mode of simple substitution on keys . Let's denote the enciphering transformation as E (Note: the E transformation enciphers 64bit data using 256bit key). For enciphering, the is split into four 64bit blocks: , and each of these blocks is enciphered as:
After this, the result blocks are concatenated into one 256bit block: .
Shuffle transformation[]
On the last step, the shuffle transformation is applied to , S and m using a Linear feedback shift register. In the result, the intermediate hash value is obtained.
First we define the ψ function, doing LSFR on a 256bit block: , where are 16bit subblocks of the Y.
The shuffle transformation is , where denotes an ith power of the function.
File:GOSTR34.1194shuffletransformation.gif
Initial values[]
The GOST R 34.11 94 standard itself doesn't specify the algorithm initial value and SBox of the enciphering transformation , but uses the following values in the samples sections ^{[1]}. It should be noted that these parameters are specified by RFC 4357 as test parameters and are not recommended for use in production applications. A "production ready" parameter set is also specified as part of RFC 4357 (see section 11.2).
The starting vector
h=0x00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000.
The SBox for the transformation
Sbox number  Value  

1  4  10  9  2  13  8  0  14  6  11  1  12  7  15  5  3 
2  14  11  4  12  6  13  15  10  2  3  8  1  0  7  5  9 
3  5  8  1  13  10  3  4  2  14  15  12  7  6  0  9  11 
4  7  13  10  1  0  8  9  15  14  4  6  12  11  2  5  3 
5  6  12  7  1  5  15  13  8  4  10  9  14  0  3  11  2 
6  4  11  10  0  7  2  1  13  3  6  8  5  9  12  15  14 
7  13  11  4  1  3  15  5  9  0  10  14  7  6  8  2  12 
8  1  15  13  0  5  7  10  4  9  2  3  14  6  11  8  12 
Cryptanalysis[]
In 2007, an attack was published by M.I.T that breaks the fullround GOST hash function. The paper presents a collision attack in 2^{105} time, and first and second preimage attacks in 2^{192} time.^{[2]}
GOST hashes[]
The following are some examples of GOST hashes:
GOST("The quick brown fox jumps over the lazy dog") = 77b7fa410c9ac58a25f49bca7d0468c9296529315eaca76bd1a10f376d1f4294
Even a small change in the message will, with overwhelming probability, result in a completely different hash due to the avalanche effect. For example, changing d to c:
GOST("The quick brown fox jumps over the lazy cog") = a3ebc4daaab78b0be131dab5737a7f67e602670d543521319150d2e14eeec445
Samples from the GOST R 34.1194 standard:
GOST("This is message, length=32 bytes") = b1c466d37519b82e8319819ff32595e047a28cb6f83eff1c6916a815a637fffa
GOST("Suppose the original message has length = 50 bytes") = 471aba57a60a770d3a76130635c1fbea4ef14de51f78b4ae57dd893b62f55208
Other samples:
GOST("") = ce85b99cc46752fffee35cab9a7b0278abb4c2d2055cff685af4912c49490f8d
GOST("a") = d42c539e367c66e9c88a801f6649349c21871b4344c6a573f849fdce62f314dd
GOST("message digest") = ad4434ecb18f2c99b60cbe59ec3d2469582b65273f48de72db2fde16a4889a4d
GOST( 128 characters of 'U' ) = 53a3a3ed25180cef0c1d85a074273e551c25660a87062a52d926a9e8fe5733a4
GOST( 1000000 characters of 'a' ) = 5c00ccc2734cdd3332d3d4749576e3c1a7dbaf0e7ea74e9fa602413c90a129fa
See also[]
 GOST standards
 List of hash functions
References[]
 Template:Cite web
 Template:Cite web The full text of the GOST R 34.1194 standard (in Russian).
External links[]
 C implementation and test vectors for GOST hash function from MarkkuJuhani Saarinen, also contains draft translations into English of the GOST 2814789 and GOST R 34.1194 standards. Bugfixed version, see [1].
 Ecrypt page
 RHash, an open source commandline tool, which can calculate and verify GOST hash.

it:GOST (hash) ru:ГОСТ Р 34.1194