    New Linear Attacks on Block Cipher GOST

    Defined in the standard GOST 28147-89, GOST is a Soviet and Russian government standard symmetric-key block cipher. GOST has the 64-bit block size and a key length of 256 bits. It is a Feistel network of 32 rounds. In 2010, GOST was submitted to ISO 18033 to become a worldwide industrial encryption standard. GOST 28147-89 has also been published as informational RFC 5830 with IETF. In this paper, we study linear attacks on GOST 28147-89. Prior to us, [Shorin-Jelezniakov-Gabidulin'01] did some analysis on the linear approximation of GOST without giving any detailed results. [Shorin-Jelezniakov-Gabidulin'01] claimed that the complexity of the linear attack on GOST is higher than $2^{256}$ after 5 rounds. In our work, we show that this is not true. First, we give the detailed bias analysis on the GOST round function for the first time. We show that the largest bias is $2^{-7}$. Secondly, we proposed the first known linear attacks on GOST. The recent idea of synthetic linear analysis [Lu-Vaudenay-Meier'12] is then successfully applied to improve the bias for the $r$-round linear approximation of GOST. In summary, our attack on 8-round GOST recovers the key in time $2^{37}$ with $2^{50}$ known plaintexts in the single-key setting. For the 16-round GOST with last 8 rounds using subkeys in reverse order, our distinguishing attack works in time $2^{85}$ using $2^{85}$ known plaintexts, in the plain multiple-key setting without the related-key assumption. That is, the plaintexts can be encrypted by arbitrary number of keys, with each key encrypting arbitrary number of plaintexts, as long as we have a total of $2^{85}$ known plaintexts. For the 32-round GOST with the slightly tweaked key schedule, i.e., assuming last 16 rounds using subkeys in reverse order, our distinguishing attack works in time $2^{170.8}$, given $2^{170.8}$ known plaintexts, in the plain multiple-key setting without the related-key assumption. To the best of our knowledge, our distinguishing attacks are the first known distinguishers on block ciphers in the plain multiple-key setting without the usual related-key assumption. Finally, for the 32-round GOST with the original key schedule, our distinguisher works in time $2^{173.8}$, given $2^{173.8}$ known plaintexts, in the related-key setting. This is the fastest attack known so far, compared with the best attacks [Dinur-Dunkelman-Shamir'12], [Courtois'12] on the full 32-round GOST