Dmitry Baryshkov <dbaryshkov@gmail.com> writes:
Is there any consensus on the cryptographic strength and general quality of streebog? I wonder if it really should go in the section "Recommended hash functions" with SHA2 and SHA3, or in the "Legacy hash functions" section.
I wouldn't call it legacy (since it is an actual standard). What about adding the "Other hash functions" section? It can further receive algorithms such as SM3 (if somebody submits it)?
"Other" sounds good to me. Would you like to do that?
Yes, this is interesting research which has raised a lot of controversy here. However, it did not result in demonstration of theoretical or practical weakness of such constructions.
And https://en.wikipedia.org/wiki/Hash_function_security_summary lists a "theoretical" preimage attack on the full hash function, referencing https://eprint.iacr.org/2014/675.
As I read the numbers there, it sounds like streebog 512 is significantly weaker than the claimed security level, and not much more secure than streebog 256. But I haven't looked into the details. And as far as I'm aware, attacks on a good hash function with 256 bit output are completely not practical today.
Regards, /Niels