Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
GOST (hash function)
open-in-new
<h2 id="algorithm">Algorithm</h2> <p>GOST processes a variable-length message into a fixed-length output of 256 bits. The input message is broken up into chunks of 256-bit blocks (eight 32-bit <a href="/facts/Endianness/wbrQnyu3">little endian</a> integers); the message is <a href="/facts/Padding_(cryptography)/okxl18q9">padded</a> by appending as many zeros to it as are required to bring the length of the message up to 256 bits. The remaining bits are filled up with a 256-bit integer arithmetic sum of all previously hashed blocks and then a 256-bit integer representing the length of the original message, in bits. </p> <h3>Basic notation</h3> <p>The algorithm descriptions uses the following notation: </p> <ul><li> f 0 g j {\displaystyle {\mathcal {f}}0{\mathcal {g}}^{j}} — j-bit block filled with zeroes.</li> <li> j M j {\displaystyle {\mathcal {j}}M{\mathcal {j}}} — length of the M block in bits modulo 2256.</li> <li> k {\displaystyle {\mathcal {k}}} — concatenation of two blocks.</li> <li> + {\displaystyle +} — arithmetic sum of two blocks modulo 2256.</li> <li> ⊕ {\displaystyle \oplus } — logical xor of two blocks.</li></ul> <p>Further we consider that the little-order bit is located at the left of a block, and the high-order bit at the right. </p> <h3>Description</h3> <p>The input message M {\displaystyle M} is split into 256-bit blocks m n , m n − 1 , m n − 2 , … , m 1 {\displaystyle m_{n},\,m_{n-1},\,m_{n-2},\,\ldots ,\,m_{1}} . In the case the last block m n {\displaystyle m_{n}} contains less than 256 bits, it is prepended left by zero bits to achieve the desired length. </p><p>Each block is processed by the step hash function H out = f ( H in , m ) {\displaystyle H_{\text{out}}=f(H_{\text{in}},\,m)} , where H out {\displaystyle H_{\text{out}}} , H in {\displaystyle H_{\text{in}}} , m {\displaystyle m} are a 256-bit blocks. </p><p>Each message block, starting the first one, is processed by the step hash function f {\displaystyle f} , to calculate intermediate hash value </p> H i + 1 = f ( H i , m i ) {\displaystyle \!H_{i+1}=f(H_{i},\,m_{i})} <p>The H 1 {\displaystyle H_{1}} value can be arbitrary chosen, and usually is 0 256 {\displaystyle 0^{256}} . </p><p>After H n + 1 {\displaystyle H_{n+1}} is calculated, the final hash value is obtained in the following way </p> <ul><li> H n + 2 = f ( H n + 1 , L ) {\displaystyle H_{n+2}=f(H_{n+1},\,L)} , where L — is the length of the message M in bits modulo 2 256 {\displaystyle 2^{256}} </li> <li> h = f ( H n + 2 , K ) {\displaystyle h=f(H_{n+2},\,K)} , where K — is 256-bit control sum of M: m 1 + m 2 + m 3 + … + m n {\displaystyle m_{1}+m_{2}+m_{3}+\ldots +m_{n}} </li></ul> <p>The h {\displaystyle h} is the desired value of the hash function of the message M. </p><p>So, the algorithm works as follows. </p> <ol><li>Initialization: <ol><li> h := initial {\displaystyle h:={\text{initial}}} — Initial 256-bit value of the hash function, determined by user.</li> <li> Σ := 0 {\displaystyle \Sigma :=0} — Control sum</li> <li> L := 0 {\displaystyle L:=0} — Message length</li></ol></li> <li>Compression function of internal iterations: for i = 1 … n — 1 do the following (while | M | > 256 {\displaystyle |M|>256} ): <ol><li> h := f ( h , m i ) {\displaystyle h:=f(h,\,m_{i})} – apply step hash function</li> <li> L := L + 256 {\displaystyle L:=L+256} – recalculate message length</li> <li> Σ := Σ + m i {\displaystyle \Sigma :=\Sigma +m_{i}} – calculate control sum</li></ol></li> <li>Compression function of final iteration: <ol><li> L := L + j m n j {\displaystyle L:=L+{\mathcal {j}}\,m_{n}\,{\mathcal {j}}} – calculate the full message length in bits</li> <li> m n := 0 256 − j m n j k m n {\displaystyle m_{n}:={0}^{256-{\mathcal {j}}m_{n}{\mathcal {j}}}{\mathcal {k}}m_{n}} – pad the last message with zeroes</li> <li> Σ := Σ + m n {\displaystyle \Sigma :=\Sigma +m_{n}} – update control sum</li> <li> h := f ( h , m n ) {\displaystyle h:=f(h,\,m_{n})} – process the last message block</li> <li> h := f ( h , L ) {\displaystyle h:=f(h,\,L)} – MD – strengthen up by hashing message length</li> <li> h := f ( h , Σ ) {\displaystyle h:=f(h,\,\Sigma )} – hash control sum</li></ol></li> <li>The output value is h {\displaystyle h} .</li></ol> <h3>Step hash function</h3> <p>The step hash function f {\displaystyle f} maps two 256-bit blocks into one: H out = f ( H in , m ) {\displaystyle H_{\text{out}}=f(H_{\text{in}},\,m)} . </p><p>It consist of three parts: </p> <ul><li>Generating of keys K 1 , K 2 , K 3 , K 4 {\displaystyle K_{1},\,K_{2},\,K_{3},\,K_{4}} </li> <li>Enciphering transformation H in {\displaystyle H_{\text{in}}} using keys K 1 , K 2 , K 3 , K 4 {\displaystyle K_{1},\,K_{2},\,K_{3},\,K_{4}} </li> <li>Shuffle transformation</li></ul> <h4>Key generation</h4> <p>The keys generating algorithm uses: </p> <ul><li>Two transformations of 256-bit blocks: <ul><li>Transformation A ( Y ) = A ( y 4 k y 3 k y 2 k y 1 ) = ( y 1 ⊕ y 2 ) k y 4 k y 3 k y 2 {\displaystyle A(Y)=A(y_{4}\ {\mathcal {k}}\ y_{3}\ {\mathcal {k}}\ y_{2}\ {\mathcal {k}}\ y_{1})=(y_{1}\oplus y_{2})\ {\mathcal {k}}\ y_{4}\ {\mathcal {k}}\ y_{3}\ {\mathcal {k}}\ y_{2}} , where y 1 , y 2 , y 3 , y 4 {\displaystyle y_{1},\,y_{2},\,y_{3},\,y_{4}} are 64-bit sub-blocks of <i>Y</i>.</li> <li>Transformation P ( Y ) = P ( y 32 k y 31 k … k y 1 ) = y φ ( 32 ) k y φ ( 31 ) k … k y φ ( 1 ) {\displaystyle P(Y)=P(y_{32}{\mathcal {k}}y_{31}{\mathcal {k}}\dots {\mathcal {k}}y_{1})=y_{\varphi (32)}{\mathcal {k}}y_{\varphi (31)}{\mathcal {k}}\dots {\mathcal {k}}y_{\varphi (1)}} , where φ ( i + 1 + 4 ( k − 1 ) ) = 8 i + k , i = 0 , … , 3 , k = 1 , … , 8 {\displaystyle \varphi (i+1+4(k-1))=8i+k,\quad i=0,\,\dots ,\,3,\quad k=1,\,\dots ,\,8} , and y 32 , y 31 , … , y 1 {\displaystyle y_{32},\,y_{31},\,\dots ,\,y_{1}} are 8-bit sub-blocks of <i>Y</i>.</li></ul></li> <li>Three constants: <ul><li><i>C</i>2 = 0</li> <li><i>C</i>3 = 0xff00ffff000000ffff0000ff00ffff0000ff00ff00ff00ffff00ff00ff00ff00</li> <li><i>C</i>4 = 0</li></ul></li></ul> <p>The algorithm: </p> <ol><li> U := H in , V := m , W := U ⊕ V , K 1 = P ( W ) {\displaystyle U:=H_{\text{in}},\quad V:=m,\quad W:=U\ \oplus \ V,\quad K_{1}=P(W)} </li> <li>For <i>j</i> = 2, 3, 4 do the following: U := A ( U ) ⊕ C j , V := A ( A ( V ) ) , W := U ⊕ V , K j = P ( W ) {\displaystyle U:=A(U)\oplus C_{j},\quad V:=A(A(V)),\quad W:=U\oplus V,\quad K_{j}=P(W)} </li></ol> <h4>Enciphering transformation</h4> <p>After the keys generation, the enciphering of H in {\displaystyle H_{\text{in}}} is done using <a href="/facts/GOST_(block_cipher)/AVDEpgqH">GOST 28147-89</a> in the mode of simple substitution on keys K 1 , K 2 , K 3 , K 4 {\displaystyle K_{1},\,K_{2},\,K_{3},\,K_{4}} . Let's denote the enciphering transformation as E (enciphering 64-bit data using 256-bit key). For enciphering, the H in {\displaystyle H_{\text{in}}} is split into four 64-bit blocks: H in = h 4 k h 3 k h 2 k h 1 {\displaystyle H_{\text{in}}=h_{4}{\mathcal {k}}h_{3}{\mathcal {k}}h_{2}{\mathcal {k}}h_{1}} , and each of these blocks is enciphered as: </p> <ul><li> s 1 = E ( h 1 , K 1 ) {\displaystyle s_{1}=E(h_{1},\,K_{1})} </li> <li> s 2 = E ( h 2 , K 2 ) {\displaystyle s_{2}=E(h_{2},\,K_{2})} </li> <li> s 3 = E ( h 3 , K 3 ) {\displaystyle s_{3}=E(h_{3},\,K_{3})} </li> <li> s 4 = E ( h 4 , K 4 ) {\displaystyle s_{4}=E(h_{4},\,K_{4})} </li></ul> <p>After this, the result blocks are concatenated into one 256-bit block: S = s 4 k s 3 k s 2 k s 1 {\displaystyle S=s_{4}{\mathcal {k}}s_{3}{\mathcal {k}}s_{2}{\mathcal {k}}s_{1}} . </p> <h4>Shuffle transformation</h4> <p>On the last step, the shuffle transformation is applied to H in {\displaystyle H_{\text{in}}} , S and m using a <a href="/facts/Linear-feedback_shift_register/22pktBbX">linear-feedback shift register</a>. In the result, the intermediate hash value H out {\displaystyle H_{\text{out}}} is obtained. </p><p>First we define the ψ function, doing <a href="/facts/LFSR/22pktBbX">LFSR</a> on a 256-bit block: </p> ψ ( Y ) = ψ ( y 16 k y 15 k … k y 2 k y 1 ) = ( y 1 ⊕ y 2 ⊕ y 3 ⊕ y 4 ⊕ y 13 ⊕ y 16 ) k y 16 k y 15 k … k y 3 k y 2 {\displaystyle \psi (Y)=\psi (y_{16}{\mathcal {k}}y_{15}{\mathcal {k}}\ldots {\mathcal {k}}y_{2}{\mathcal {k}}y_{1})=(y_{1}\oplus y_{2}\oplus y_{3}\oplus y_{4}\oplus y_{13}\oplus y_{16}){\mathcal {k}}y_{16}{\mathcal {k}}y_{15}{\mathcal {k}}\ldots {\mathcal {k}}y_{3}{\mathcal {k}}y_{2}} , <p>where y 16 , y 15 , … , y 2 , y 1 {\displaystyle y_{16},y_{15},\ldots ,y_{2},y_{1}} are 16-bit sub-blocks of the <i>Y</i>. </p><p>The shuffle transformation is H out = ψ 61 ( H in ⊕ ψ ( m ⊕ ψ 12 ( S ) ) ) {\displaystyle H_{\text{out}}=\psi ^{61}{\mathord {\left(H_{\text{in}}\oplus \psi \left(m\oplus \psi ^{12}(S)\right)\right)}}} , where ψ i {\displaystyle \psi ^{i}} denotes an i-th power of the ψ {\displaystyle \psi } function. </p> <h3>Initial values</h3> <p>There are two commonly used sets of initial parameters for GOST R 34.11 94. The starting vector for both the sets is </p> H 1 {\displaystyle H_{1}} = 0x00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000. <p>Although the GOST R 34.11 94 standard itself doesn't specify the algorithm initial value H 1 {\displaystyle H_{1}} and <a href="/facts/S-box/9xKgnLCF">S-box</a> of the enciphering transformation E {\displaystyle E} , but uses the following "test parameters" in the samples sections.<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> </p> <h4>"Test parameters" S-box</h4> <p>RFC 5831 specifies only these parameters, but RFC 4357 names them as "test parameters" and does not recommend them for use in production applications. </p> <table><tbody><tr><th>S-box number</th><th colspan="16">Value</th></tr><tr><th>1</th><td>4</td><td>10</td><td>9</td><td>2</td><td>13</td><td>8</td><td>0</td><td>14</td><td>6</td><td>11</td><td>1</td><td>12</td><td>7</td><td>15</td><td>5</td><td>3</td></tr><tr><th>2</th><td>14</td><td>11</td><td>4</td><td>12</td><td>6</td><td>13</td><td>15</td><td>10</td><td>2</td><td>3</td><td>8</td><td>1</td><td>0</td><td>7</td><td>5</td><td>9</td></tr><tr><th>3</th><td>5</td><td>8</td><td>1</td><td>13</td><td>10</td><td>3</td><td>4</td><td>2</td><td>14</td><td>15</td><td>12</td><td>7</td><td>6</td><td>0</td><td>9</td><td>11</td></tr><tr><th>4</th><td>7</td><td>13</td><td>10</td><td>1</td><td>0</td><td>8</td><td>9</td><td>15</td><td>14</td><td>4</td><td>6</td><td>12</td><td>11</td><td>2</td><td>5</td><td>3</td></tr><tr><th>5</th><td>6</td><td>12</td><td>7</td><td>1</td><td>5</td><td>15</td><td>13</td><td>8</td><td>4</td><td>10</td><td>9</td><td>14</td><td>0</td><td>3</td><td>11</td><td>2</td></tr><tr><th>6</th><td>4</td><td>11</td><td>10</td><td>0</td><td>7</td><td>2</td><td>1</td><td>13</td><td>3</td><td>6</td><td>8</td><td>5</td><td>9</td><td>12</td><td>15</td><td>14</td></tr><tr><th>7</th><td>13</td><td>11</td><td>4</td><td>1</td><td>3</td><td>15</td><td>5</td><td>9</td><td>0</td><td>10</td><td>14</td><td>7</td><td>6</td><td>8</td><td>2</td><td>12</td></tr><tr><th>8</th><td>1</td><td>15</td><td>13</td><td>0</td><td>5</td><td>7</td><td>10</td><td>4</td><td>9</td><td>2</td><td>3</td><td>14</td><td>6</td><td>11</td><td>8</td><td>12</td></tr></tbody></table> <h4>CryptoPro S-box</h4> <p>The CryptoPro <a href="/facts/S-box/9xKgnLCF">S-box</a> comes from "production ready" parameter set developed by CryptoPro company, it is also specified as part of RFC 4357, section 11.2. </p> <table><tbody><tr><th>S-box number</th><th colspan="16">Value</th></tr><tr><th>1</th><td>10</td><td>4</td><td>5</td><td>6</td><td>8</td><td>1</td><td>3</td><td>7</td><td>13</td><td>12</td><td>14</td><td>0</td><td>9</td><td>2</td><td>11</td><td>15</td></tr><tr><th>2</th><td>5</td><td>15</td><td>4</td><td>0</td><td>2</td><td>13</td><td>11</td><td>9</td><td>1</td><td>7</td><td>6</td><td>3</td><td>12</td><td>14</td><td>10</td><td>8</td></tr><tr><th>3</th><td>7</td><td>15</td><td>12</td><td>14</td><td>9</td><td>4</td><td>1</td><td>0</td><td>3</td><td>11</td><td>5</td><td>2</td><td>6</td><td>10</td><td>8</td><td>13</td></tr><tr><th>4</th><td>4</td><td>10</td><td>7</td><td>12</td><td>0</td><td>15</td><td>2</td><td>8</td><td>14</td><td>1</td><td>6</td><td>5</td><td>13</td><td>11</td><td>9</td><td>3</td></tr><tr><th>5</th><td>7</td><td>6</td><td>4</td><td>11</td><td>9</td><td>12</td><td>2</td><td>10</td><td>1</td><td>8</td><td>0</td><td>14</td><td>15</td><td>13</td><td>3</td><td>5</td></tr><tr><th>6</th><td>7</td><td>6</td><td>2</td><td>4</td><td>13</td><td>9</td><td>15</td><td>0</td><td>10</td><td>1</td><td>5</td><td>11</td><td>8</td><td>14</td><td>12</td><td>3</td></tr><tr><th>7</th><td>13</td><td>14</td><td>4</td><td>1</td><td>7</td><td>0</td><td>5</td><td>10</td><td>3</td><td>12</td><td>8</td><td>15</td><td>6</td><td>2</td><td>9</td><td>11</td></tr><tr><th>8</th><td>1</td><td>3</td><td>10</td><td>9</td><td>5</td><td>11</td><td>4</td><td>15</td><td>8</td><td>6</td><td>7</td><td>14</td><td>13</td><td>0</td><td>2</td><td>12</td></tr></tbody></table> <h2 id="cryptanalysis">Cryptanalysis</h2> <p>In 2008, an attack was published that breaks the full-round GOST hash function. The paper presents a <a href="/facts/Collision_attack/6aXFAMbW">collision attack</a> in 2105 time, and first and second <a href="/facts/Preimage_attack/dDktzjys">preimage attacks</a> in 2192 time (2<i>n</i> time refers to the approximate number of times the algorithm was calculated in the attack).<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> </p> <h2 id="gost-hash-test-vectors">GOST hash test vectors</h2> <h3>Hashes for "test parameters"</h3> <p>The 256-bit (32-byte) GOST hashes are typically represented as 64-digit hexadecimal numbers. </p><p>Here are test vectors for the GOST hash with "test parameters" </p> GOST("The quick brown fox jumps over the lazy dog") = 77b7fa410c9ac58a25f49bca7d0468c9296529315eaca76bd1a10f376d1f4294 <p>Even a small change in the message will, with overwhelming probability, result in a completely different hash due to the <a href="/facts/Avalanche_effect/hpYX5zu5">avalanche effect</a>. For example, changing d to c: </p> GOST("The quick brown fox jumps over the lazy cog") = a3ebc4daaab78b0be131dab5737a7f67e602670d543521319150d2e14eeec445 <p>Two samples coming from the GOST R 34.11-94 standard:<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p> GOST("This is message, length=32 bytes") = b1c466d37519b82e8319819ff32595e047a28cb6f83eff1c6916a815a637fffa GOST("Suppose the original message has length = 50 bytes") = 471aba57a60a770d3a76130635c1fbea4ef14de51f78b4ae57dd893b62f55208 <p>More test vectors: </p> GOST("") = ce85b99cc46752fffee35cab9a7b0278abb4c2d2055cff685af4912c49490f8d GOST("a") = d42c539e367c66e9c88a801f6649349c21871b4344c6a573f849fdce62f314dd GOST("message digest") = ad4434ecb18f2c99b60cbe59ec3d2469582b65273f48de72db2fde16a4889a4d GOST( 128 characters of 'U' ) = 53a3a3ed25180cef0c1d85a074273e551c25660a87062a52d926a9e8fe5733a4 GOST( 1000000 characters of 'a' ) = 5c00ccc2734cdd3332d3d4749576e3c1a7dbaf0e7ea74e9fa602413c90a129fa <h3>Hashes for CryptoPro parameters</h3> <p>GOST algorithm with CryptoPro S-box generates different set of hash values. </p> GOST("") = 981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0 GOST("a") = e74c52dd282183bf37af0079c9f78055715a103f17e3133ceff1aacf2f403011 GOST("abc") = b285056dbf18d7392d7677369524dd14747459ed8143997e163b2986f92fd42c GOST("message digest") = bc6041dd2aa401ebfa6e9886734174febdb4729aa972d60f549ac39b29721ba0 GOST("The quick brown fox jumps over the lazy dog") = 9004294a361a508c586fe53d1f1b02746765e71b765472786e4770d565830a76 GOST("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 73b70a39497de53a6e08c67b6d4db853540f03e9389299d9b0156ef7e85d0f61 GOST("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = 6bc7b38989b28cf93ae8842bf9d752905910a7528a61e5bce0782de43e610c90 GOST("This is message, length=32 bytes") = 2cefc2f7b7bdc514e18ea57fa74ff357e7fa17d652c75f69cb1be7893ede48eb GOST("Suppose the original message has length = 50 bytes") = c3730c5cbccacf915ac292676f21e8bd4ef75331d9405e5f1a61dc3130a65011 GOST(128 of "U") = 1c4ac7614691bbf427fa2316216be8f10d92edfd37cd1027514c1008f649c4e8 GOST(1000000 of "a") = 8693287aa62f9478f7cb312ec0866b6c4e4a0f11160441e8f4ffcd2715dd554f <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Kupyna/G1rxIYmg">Kupyna</a></li> <li><a href="/facts/Hash_function_security_summary/lksNR2aq">Hash function security summary</a></li> <li><a href="/facts/GOST/Ith9dFHs">GOST standards</a></li> <li><a href="/facts/List_of_hash_functions/fdTqDa9l">List of hash functions</a></li></ul> <h3>Further reading</h3> <ul><li>Dolmatov, V. (March 2010). Dolmatov, V (ed.). <a href="http://tools.ietf.org/html/rfc5831">"GOST R 34.11-94: Hash Function Algorithm"</a>. IETF. <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.17487%2FRFC5831">10.17487/RFC5831</a>. {{cite journal}}: Cite journal requires |journal= (help)</li> <li><a href="http://protect.gost.ru/document.aspx?control=7&id=134550">"Information technology. Cryptographic data security. Hashing function"</a>. 2010-02-20. The full text of the GOST R 34.11-94 standard (in Russian).</li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://www.autochthonous.org/crypto/gosthash.tar.gz">C implementation and test vectors</a> for GOST hash function from Markku-Juhani Saarinen, also contains draft translations into English of the GOST 28147-89 and GOST R 34.11-94 standards. Bugfixed version, see <a href="http://www.autochthonous.org/crypto/">[1]</a>.</li> <li><a href="http://garbage.us.to/static/GostShifr.zip">C++ implementation with STL streams</a>[<i>permanent dead link</i>].</li> <li><a href="http://rhash.sourceforge.net/">RHash</a>, an <a href="/facts/Open_source/7X9rCdz4">open source</a> command-line tool, which can calculate and verify GOST hash (supports both parameter sets).</li> <li><a href="https://web.archive.org/web/20120526072318/http://ideone.com/QNhxW">Implementation of the GOST R 34.11-94 in JavaScript</a> (<a href="https://web.archive.org/web/20120526072333/http://ideone.com/LYNnw">CryptoPro parameters</a>)</li> <li><a href="http://ehash.iaik.tugraz.at/wiki/GOST">The GOST Hash Function Ecrypt page</a></li> <li><a href="https://quickhash.com/hash-gost-online">Online GOST Calculator</a> <a href="https://web.archive.org/web/20141106001314/https://quickhash.com/hash-gost-online">Archived</a> 2014-11-06 at the <a href="/facts/Wayback_Machine/nmQ3a6JC">Wayback Machine</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>GOST R 34.11-2012: Streebog Hash Function <a href="https://www.streebog.net/" target="_blank">https://www.streebog.net/</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"GOST R 34.11-94 standard. Information technology. Cryptographic data security. Hashing function. Addition A." 1994. {{cite journal}}: Cite journal requires |journal= (help) <a href="http://protect.gost.ru/document.aspx?control=7&id=134550" target="_blank">http://protect.gost.ru/document.aspx?control=7&id=134550</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Mendel, Florian; Pramstaller, Norbert; Rechberger, Christian; Kontak, Marcin; Szmidt, Janusz (2008). "Cryptanalysis of the GOST Hash Function". In Wagner, David (ed.). Advances in Cryptology – CRYPTO 2008. Lecture Notes in Computer Science. Vol. 5157. Germany: Springer Berlin Heidelberg. pp. 162–178. doi:10.1007/978-3-540-85174-5_10. ISBN 978-3-540-85173-8. <a href="978-3-540-85173-8" target="_blank">978-3-540-85173-8</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"GOST R 34.11-94 standard. Information technology. Cryptographic data security. Hashing function. Addition A." 1994. {{cite journal}}: Cite journal requires |journal= (help) <a href="http://protect.gost.ru/document.aspx?control=7&id=134550" target="_blank">http://protect.gost.ru/document.aspx?control=7&id=134550</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> </ol>