Low-Complexity Key Recovery Attacks on GOST Block Cipher

GOST is a well-known Russian government block cipher. Until 2010, there was no attack on GOST used in encryption, cf. [9]. More recently, quite a few distinct key recovery attacks on full GOST have been found: [1-4, 6, 7]. Most of these attacks work by so-called “complexity reduction” [1]; they reduce the problem of breaking the full 32-round GOST to an attack with 2,3,4 KP for 8 rounds of GOST. In this article, we develop an alternative last step for these attacks. We present a new meet-in-the-middle attack for eight rounds, which is faster than any previous attack. Then we present a guess-then-determine attack with software using an SAT solver, which, for the same running time, requires much less memory. As a result we are able to improve by a factor of up to 226 various attacks from [1, 3]

An Improved Differential Attack on Full GOST (extended version)

GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and it is becoming increasingly popular. Until 2010 researchers unanimously agreed that: “despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken”, and in 2010 it was submitted to ISO 18033 to become a worldwide industrial encryption standard. In 2011 it was suddenly discovered that GOST can be broken and it is insecure on more than one account. There is a substantial variety of recent innovative attacks on GOST. We have reflection attacks, attacks with double, triple and even quadruple reflections, a large variety of self-similarity and black-box reduction attacks, some of which do not use any reflections whatsoever and few other. The final key recovery step in various attacks is in many cases a software algebraic attack or/and a Meet-In-The-Middle attack. In differential attacks key bits are guessed and confirmed by the differential properties and there have already been quite a few papers about advanced differential attacks on GOST. There is also several even more advanced “combination” attacks which combine the complexity reduction approach based on high-level self-similarity of with various advanced differential properties with 2,3 or 4 points. In this paper we consider some recent differential attacks on GOST and show how to further improve them. We present a single-key attack against full 32-round 256-bit GOST with time complexity of 2^179 which is substantially faster than any previous single key attack on GOST

Differential Cryptanalysis of GOST

GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and thus increasingly popular and used. Until 2010 researchers unanimously agreed that: despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken and in 2010 it was submitted to ISO 18033 to become a worldwide industrial encryption standard. In 2011 it was suddenly discovered that GOST is insecure on more than one account. There is an amazing variety of recent attacks on GOST. We have reflection attacks, attacks with double reflection, and various attacks which does not use reflections. All these methods follow a certain general framework called Algebraic Complexity Reduction , a new general umbrella paradigm. The final key recovery step is in most cases a software algebraic attack and sometimes a Meet-In-The-Middle attack. In this paper we show that GOST is NOT SECURE even against (advanced forms of) differential cryptanalysis (DC). Previously Russian researchers postulated that GOST will be secure against DC for as few as 7 rounds out of 32 and Japanese researchers were already able to break about 13 rounds. In this paper we show a first advanced differential attack faster than brute force on full 32-round GOST. This paper is just a sketch and a proof of concept. More results of this kind will be published soon

Algebraic Complexity Reduction and Cryptanalysis of GOST

GOST 28147-89 is a well-known Russian government encryption standard. Its large key size of 256 bits at a particularly low implementation cost make that it is widely implemented and used, in OpenSSL and elsewhere. In 2010 GOST was submitted to ISO to become an international standard. GOST was analysed by Schneier, Biham, Biryukov, Dunkelman, Wagner, various Australian, Japanese, and Russian scientists, and all researchers seemed to agree that it looks quite secure. Though the internal structure of GOST seems quite weak compared to DES, and in particular the diffusion is not quite as good, it is always stipulated that this should be compensated by a large number of 32 rounds and by the additional non-linearity and diffusion provided by modular additions. At Crypto 2008 the hash function based on this cipher was broken. Yet as far as traditional encryption applications with keys generated at random are concerned, until 2011 no cryptographically significant attack on GOST was found. In this paper we present several new attacks on full 32-rounds GOST. Our methodology is derived from the idea of conditional algebraic attacks on block ciphers which can be defined as attacks in which the problem of key recovery is written as a problem of solving a large system of algebraic equations, and where the attacker makes some clever assumptions on the cipher which lead to an important simplification in the algebraic description of the problem, which makes it solvable in practice if the assumptions hold. Our methods work by black box reduction and allow to literally break the cipher apart into smaller pieces and reduce breaking GOST to a low data complexity software/algebraic/MITM attack on 8 or less rounds. Overall we obtain some 60 distinct attacks faster than brute force on the full 32-round GOST and we provide five nearly practical attacks on two major 128-bit variants of GOST (cf. Table 6). Our single key attacks are summarized in Table 3 p.53 and Table 7 p.153 and attacks with multiple keys in Table 4 page 128

Decryption oracle slide attacks on T-310

T-310 is an important Cold War cipher (Schmeh 2006). It was the principal encryption algorithm used to protect various state communication lines in Eastern Germany throughout the 1980s. The cipher seems to be quite robust, and until now no researcher has proposed an attack on T-310. This article studies decryption oracle and slide attacks on T-310

On multiple symmetric fixed points in GOST

In this article the author revisits the oldest attack on GOST known, the Kara Reflection attack, and another totally unrelated truncated differential attack by Courtois and Misztal. It is hard to imagine that there could be any relationship between two so remote attacks which have nothing in common. However, there is one: Very surprisingly, both properties can be combined and lead the fastest attack on GOST ever found, which is nearly feasible to execute in practice

Can a Differential Attack Work for an Arbitrarily Large Number of Rounds?

Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively, little research, on how block cipher wiring can be very special or abnormal. In this article we show a strong type of anomaly: where the complexity of a differential attack does not grow exponentially as the number of rounds increases. It will grow initially, and later will be lower bounded by a constant. At the end of the day the vulnerability is an ordinary single differential attack on the full state. It occurs due to the existence of a hidden polynomial invariant. We conjecture that this type of anomaly is not easily detectable if the attacker has limited resources

An Improved Differential Attack on Full GOST

GOST 28147-89 is a well-known block cipher. Its large key size of 256 bits and incredibly low implementation cost make it a plausible alternative for AES-256 and triple DES. Until 2010 \despite considerable cryptanalytic efforts spent in the past 20 years", GOST was not broken see [30]. Accordingly, in 2010 GOST was submitted to ISO 18033 to become a worldwide industrial encryption standard. In paper we focus on the question of how far one can go in a dedicated Depth-First-Search approach with several stages of progressive guessing and filtering with successive distinguishers. We want to design and optimized guess-then-truncated differential attack on full 32-bit GOST and make as as efficient as we can. The main result of this paper is a single key attack against full 32-round 256-bit GOST with time complexity of 2^179 which is substantially faster than any other known single key attack on GOS

Security Evaluation of GOST 28147-89 In View Of International Standardisation

GOST 28147-89 is is a well-known 256-bit block cipher which is a plausible alternative for AES-256 and triple DES, which however has a much lower implementation cost. GOST is implemented in standard crypto libraries such as OpenSSL and Crypto++ and is increasingly popular and used also outside its country of origin and on the Internet. In 2010 GOST was submitted to ISO, to become a worldwide industrial encryption standard. Until 2011 researchers unanimously agreed that GOST could or should be very secure, which was summarized in 2010 in these words: despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken . Unhappily, it was recently discovered that GOST can be broken and is a deeply flawed cipher. There is a very considerable amount of recent not yet published work on cryptanalysis of GOST known to us. One simple attack was already presented in February at FSE 2011. In this short paper we describe another attack, to illustrate the fact that there is now plethora of attacks on GOST, which require much less memory, and don\u27t even require the reflection property to hold, without which the recent attack from FSE 2011 wouldn\u27t work. We are also aware of many substantially faster attacks and of numerous special even weaker cases. These will be published in appropriate peer-reviewed cryptography conferences but we must warn the ISO committees right now. More generally, our ambition is to do more than just to point out that a major encryption standard is flawed. We would like to present and suggest a new general paradigm for effective symmetric cryptanalysis of so called Algebraic Complexity Reduction which in our opinion is going to structure and stimulate substantial amounts of academic research on symmetric cryptanalysis for many years to come. In this paper we will explain the main ideas behind it and explain also the precise concept of Black-box Algebraic Complexity Reduction . This new paradigm builds on many already known attacks on symmetric ciphers, such as fixed point, slide, involution, cycling, reflection and other self-similarity attacks but the exact attacks we obtain, could never be developed previously, because only in the recent 5 years it became possible to show the existence of an appropriate last step for many such attacks, which is a low data complexity software algebraic attack. This methodology leads to a large number of new attacks on GOST, way more complex, better and more efficient than at FSE 2011. One example of such an attack is given in the present paper