Camellia, STREEBOG and GOST89 (Magma). How secure are they?

Topics: Technical Issues
Jun 20, 2016 at 7:00 AM
Edited Jun 20, 2016 at 7:01 AM
I'd like to know more about these ciphers and hash. Are they secure?

Where can I read more about them, besides Wikipedia?

What do people say about them?
Jun 20, 2016 at 3:08 PM

I would recommend Google searching to learn more about Camellia, Streebog and GOST89. Please post the links to relevant websites from your research to help educate the VeraCrypt community.

Thank you.
Jun 22, 2016 at 6:35 AM
The detail is: There's not much information about these three ciphers. I want to learn more and compare these recently implemented ciphers with those that were there before.

All I know is Camellia being similar to AES.
Jun 23, 2016 at 8:15 AM
Edited Jun 23, 2016 at 8:16 AM
About Camellia:

About Streebog:

About Gost89: There's nothing about it, just github links.

I guess they're secure enough to be implemented in VeraCrypt.
Jun 23, 2016 at 1:45 PM
Edited Jun 23, 2016 at 1:50 PM
CanaryRoaming wrote:
About Gost89: There's nothing about it, just github links.

Here is what the developer of VeraCrypt had to say about Camellia in this posting.
Jun 29, 2016 at 11:11 AM
Is Streebog more secure than SHA2?

From Wikipedia:

It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology.

"and as an asymmetric reply to SHA-3", given that SHA-3 is not yet implemented in VeraCrypt, can we say that, besides the little time that it's been out there in comparison with SHA-2, Streebog is stronger?
Jun 29, 2016 at 3:01 PM
Edited Jun 30, 2016 at 1:42 PM
feeln wrote:
Is Streebog more secure than SHA2?
"SHA-3 is very different from SHA-2 in design," says NIST's Shu-jen Chang. "It doesn't replace SHA-2, which has not shown any problem, but offers a backup. It takes years to develop a new standard, and we wanted to be prepared in case problems do occur."
NIST SHA-3 Competition

NIST SHA-3 finalists:
BLAKE, Grøstl, JH, Skein and Keccak (winner)

Keccak website:

Keccak code package:

Independent Hash Competition

An independent hash competition which is purposely being held separate from NIST due to the heavy influence of the USA's NSA.

Finalists have been announced on December 8, 2014 and are (in alphabetical order): Argon, battcrypt, Catena, Lyra2, Makwa, Parallel, POMELO, Pufferfish, yescrypt.

Winner is Argon2.

Argon2 source code at:

New Hashes Ready for Production Usage

Are the new hashes mature enough for production usage?

I will leave that question for those more knowledgeable in the cryptography field to determine. :-)
Jun 30, 2016 at 10:57 AM
After reading all that it makes me doubt about Streebog and GOST89, I think it's OK to implement non-Western ciphers, but I guess it's safer to keep using previous ones.

Now, I just read this: CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.

And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."

About SHA-3 competition, I think Streebog will not compete there since it's Russian and they won't care.

Isn't Keccak Russian?
Jun 30, 2016 at 1:41 PM
Edited Jun 30, 2016 at 2:39 PM
feeln wrote:
About SHA-3 competition, I think Streebog will not compete there since it's Russian and they won't care.
Streebog did not submit their hash for consideration for the NIST SHA-3 competition. I will remove my reference in my post above that Streebog was not among the finalists for NIST hash competition.

You can see from the link below the various NIST hash function submissions progression and elimination in the competition due to weaknesses discovered.

feeln wrote:
Isn't Keccak Russian?
According to the Wiki page link I provided in my post, the designers are Belgian and Dutch cryptographers.
Jul 4, 2016 at 6:36 AM
Thank you for the links and answers!
Aug 21, 2016 at 11:52 AM
Is it normal that Streebog takes too much time to open? It takes 30 seconds with PIM 500.

SHA-512 and Whirlpool with PIM 500 take less than 10 seconds.
Aug 21, 2016 at 1:08 PM
It is possible to compare performance of hash and PRF in benchmarks dialog.

Current STREEBOG implementation is rather slow.
Aug 22, 2016 at 6:31 PM
Thanks for your answer!

On version 1.17 there were some optimizations:

Cut mount/boot time by half thanks to a clever optimization of key derivation (found by Xavier de Carné de Carnavalet)

Optimize Whirlpool PRF speed by using assembly (25% speed gain compared to previous code).

Could this be done to STREEBOG?
Aug 22, 2016 at 8:58 PM

Current version is from cppcrypto library. (written by kerukuro)

Probably the implementation is based on Alexey Degtyarev's version.

We do not know a better implementation of STREEBOG (other versions are welcome).

Mounir did good optimization of PRF procedure of STREEBOG. There is improvement but it looks like we need to continue.

Note: Assembler optimization with SSE/AVX support is possible. It is research.