Algebraic Complexity Reduction and Cryptanalysis of GOST

2011, IACR Cryptology ePrint Archive

Abstract

GOST 28147-89 is a well-known Russian government encryption standard. Its large key size of 256 bits at a particularly low implementation cost mean that it is widely implemented and used. In 2010 GOST was submitted to ISO to become an international standard. GOST was analysed by Schneier, Biham, Biryukov, Dunkelman, Wagner, various Australian, Japanese, and Russian scientists, and all researchers seemed to agree that it looks quite secure. Though the internal structure of GOST seems quite weak compared to DES, and in particular the diffusion is not quite as good, it is always stipulated that this should be compensated by the large number of 32 rounds (cf. [8]) and by the additional non-linearity and diffusion provided by modular additions. At Crypto 2008 the hash function based on this cipher was broken. Yet as far as traditional encryption applications with keys generated at random are concerned, until 2011 no cryptographically significant attack on GOST was found. In this paper we present several new attacks on full 32-round GOST. Our methodology is derived from the idea of conditional algebraic attacks on block ciphers [25, 20], which can be defined as attacks in which the problem of key recovery is written as a problem of solving a large system of algebraic equations, and where the attacker makes some "clever" assumptions on the cipher which lead to an important simplification in the algebraic description of the problem, which makes it solvable in practice if the assumptions hold. Our methods work by black box reduction and allow us to literally break the cipher apart into smaller pieces and reduce breaking GOST to a low data complexity software/algebraic/MITM attack on 8 or fewer rounds. We obtain some 50 distinct attacks faster than brute force on the full 32-round GOST and we provide five nearly practical attacks on two major 128-bit variants of GOST (cf. Table ).
Recent updates: Our latest attacks combine all of [higher-order] truncated differentials, complexity reduction, [approximate] fixed points, reflections, MITM and software/algebraic attacks. Single key attacks are summarized in Table p. 53 and Table p. 153, and the fastest of these is a differential attack in 2^179 by Courtois. In the multiple random key scenario the cost of recovering one full 256-bit GOST key decreases in a spectacular way at the expense of further growing data requirements. In Table page 128 we summarize all our attacks in this space. Our fastest attack achieves a nearly feasible T = 2^101 (cf. Section 28.6 and [34]).

References (126)

  1. Martin Albrecht: Algebraic Attacks against the Courtois Toy Cipher, In Cryptologia, Vol. 32, Iss. 3, July 2008, pp. 220-276.
  2. Martin Albrecht and Gregor Leander: An All-In-One Approach to Differential Cryptanalysis for Small Block Ciphers, preprint available at eprint.iacr.org/2012/401/.
  3. Ludmila K. Babenko, Evgeniya Ishchukova, Ekaterina Maro: Research about strength of GOST 28147-89 encryption algorithm, In SIN 2012: pp. 138-142, ACM, 2011.
  4. Ludmila K. Babenko, Evgeniya Ishchukova, Ekaterina Maro: Algebraic analysis of GOST encryption algorithm, In SIN 2011, pp. 57-62, ACM, 2011.
  5. Lyudmila K. Babenko, Evgeniya Ishchukova: Differential analysis of GOST encryption algorithm, In SIN 2010, pp. 149-157, ACM, 2010.
  6. Eli Biham, Orr Dunkelman, Nathan Keller: Improved Slide Attacks, In FSE 2007, LNCS 4593, Springer 2007, pp. 153-166.
  7. A. Biryukov, D. Wagner: Slide Attacks, In proceedings of FSE'99, LNCS 1636, pp. 245-259, Springer, 1999.
  8. Alex Biryukov, David Wagner: Advanced Slide Attacks, In Eurocrypt 2000, LNCS 1807, pp. 589-606, Springer 2000.
  9. Alex Biryukov: Analysis of Involutional Ciphers: Khazad And Anubis, In FSE 2003, pp. 45-53, LNCS.
  10. Eli Biham, Adi Shamir: Differential Cryptanalysis of DES-like Cryptosystems, Journal of Cryptology, vol. 4, pp. 3-72, IACR, 1991.
  11. Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger: Biclique cryptanalysis of the full AES, In Asiacrypt 2011, LNCS 7073, pp. 344-371, 2011.
  12. Nicolas Courtois and Josef Pieprzyk: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations, Asiacrypt 2002, LNCS 2501, pp. 267-287, Springer.
  13. Nicolas Courtois and Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003, LNCS 2656, pp. 345-359, Springer. An extended version is available at http://www.minrank.org/toyolili.pdf
  14. Nicolas Courtois: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback, Crypto 2003, LNCS 2729, pp. 177-194, Springer.
  15. Nicolas Courtois: CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited. Available at http://eprint.iacr.org/2007/152/.
  16. Nicolas Courtois: General Principles of Algebraic Attacks and New Design Criteria for Components of Symmetric Ciphers, in AES 4, LNCS 3373, pp. 67-83, Springer, 2005.
  17. Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers, http://eprint.iacr.org/2007/024/.
  18. Nicolas Courtois: 100 years of Cryptanalysis: Compositions of Permutations, slides about cryptanalysis of Enigma and block cipher cryptanalysis, used for teaching the GA18 Cryptanalysis course at University College London 2014-2016, http://www.nicolascourtois.com/papers/code_breakers_enigma_block_teach.pdf
  19. Nicolas Courtois, Gregory V. Bard: Algebraic Cryptanalysis of the Data Encryption Standard, In Cryptography and Coding, 11-th IMA Conference, pp. 152-169, LNCS 4887, Springer, 2007. Preprint available at eprint.iacr.org/2006/402/.
  20. Nicolas Courtois, Gregory V. Bard, David Wagner: Algebraic and Slide Attacks on KeeLoq, In FSE 2008, pp. 97-115, LNCS 5086, Springer, 2008.
  21. Nicolas Courtois, Gregory V. Bard and Andrey Bogdanov: Periodic Ciphers with Small Blocks and Cryptanalysis of KeeLoq, In Tatra Mountains Mathematic Publications, 41 (2008), pp. 167-188, post-proceedings of Tatracrypt 2007 conference, The 7th Central European Conference on Cryptology, June 22-24, 2007, Smolenice, Slovakia.
  22. Nicolas Courtois: Self-similarity Attacks on Block Ciphers and Application to KeeLoq, In Cryptography and Security: From Theory to Applications - Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday. LNCS 6805, Springer, 2012, pp. 55-66, David Naccache editor.
  23. Nicolas T. Courtois and Gregory V. Bard: Random Permutation Statistics and An Improved Slide-Determine Attack on KeeLoq, In Cryptography and Security: From Theory to Applications - Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday. LNCS vol. 6805, Springer, 2012, pp. 35-54, David Naccache editor.
  24. Gregory V. Bard, Shaun V. Ault and Nicolas T. Courtois: Statistics of Random Permutations and the Cryptanalysis Of Periodic Block Ciphers, In Cryptologia, Vol. 36, Issue 03, pp. 240-262, July 2012.
  25. Nicolas Courtois and Blandine Debraize: Algebraic Description and Simultaneous Linear Approximations of Addition in Snow 2.0., In ICICS 2008, 10th International Conference on Information and Communications Security, 20-22 October, 2008, Birmingham, UK. In LNCS 5308, pp. 328-344, Springer, 2008.
  26. Nicolas T. Courtois, Pouyan Sepehrdad, Petr Susil and Serge Vaudenay: ElimLin Algorithm Revisited, In FSE 2012, LNCS, Springer.
  27. Nicolas Courtois: Security Evaluation of GOST 28147-89 In View Of International Standardisation, in Cryptologia, Volume 36, Issue 1, pp. 2-13, 2012. An earlier version which was officially submitted to ISO in May 2011 can be found at http://eprint.iacr.org/2011/211/.
  28. Nicolas Courtois: Cryptanalysis of GOST, a very long extended set of slides about the cryptanalysis of GOST, 2010-2014, http://www.nicolascourtois.com/papers/GOST.pdf. An earlier and shorter version was presented at 29C3, see [29].
  29. Nicolas Courtois: Cryptanalysis of GOST (Security Evaluation of Russian GOST Cipher; Survey of All Known Attacks on Russian Government Encryption Standard). Presentation at 29th Chaos Communication Congress (29C3), December 27th to 30th, 2012, Hamburg, Germany, http://events.ccc.de/congress/2012/Fahrplan/attachments/2243_GOST_29C3_long.pdf. A video is available at: www.youtube.com/watch?v=o_sP0qJam-4. An MP3 audio recording is available at: http://blademp3.com/mp3/4709a02_Security-Evaluation-of-Russian-GOST-Cipher.html.
  30. Nicolas Courtois: Cryptanalysis of Two GOST Variants With 128-bit Keys, In Cryptologia vol. 38(4), pp. 348-361, 2014. At http://www.tandfonline.com/doi/full/10.1080/01611194.2014.915706.
  31. Nicolas Courtois: Faster Attacks on Full GOST, A short presentation given at FSE 2012 rump session, available at http://fse2012rump.cr.yp.to/9c19b743f2434a74b3a0d3e281b52b01.pdf.
  32. Nicolas Courtois, Jerzy A. Gawinecki, Guangyan Song: Contradiction Immunity and Guess-Then-Determine Attacks On GOST, In Tatra Mountains Mathematic Publications, Vol. 53 no. 3 (2012), pp. 65-79.
  33. Nicolas T. Courtois: Cryptanalysis of GOST In the Multiple Key Scenario, In post-proceedings of CECC 2013, Tatra Mountains Mathematical Publications. Vol. 57, no. 4 (2013), pp. 45-63. At http://www.sav.sk/journals/uploads/0124133006Courto.pdf
  34. Nicolas Courtois: On Multiple Symmetric Fixed Points in GOST, In Cryptologia, Volume 39, Issue 4, 2015, pp. 322-334, http://www.tandfonline.com/doi/full/10.1080/01611194.2014.988362.
  35. Nicolas T. Courtois: Low-Complexity Key Recovery Attacks on GOST Block Cipher, In Cryptologia, Volume 37, Issue 1, pp. 1-10, 2013.
  36. Nicolas Courtois, Michał Misztal: Aggregated Differentials and Cryptanalysis of PP-1 and GOST, In CECC 2011, 11th Central European Conference on Cryptology. In Periodica Mathematica Hungarica Vol. 65 (2), 2012, pp. 11-26, Springer.
  37. Nicolas Courtois, Michał Misztal: First Differential Attack On Full 32-Round GOST, in ICICS'11, pp. 216-227, Springer LNCS 7043, 2011.
  38. Nicolas Courtois, Michał Misztal: Differential Cryptanalysis of GOST, In Cryptology ePrint Archive, Report 2011/312. 14 June 2011, http://eprint.iacr.org/2011/312.
  39. Nicolas Courtois: An Improved Differential Attack on Full GOST, in "The New Codebreakers, a Festschrift for David Kahn", LNCS 9100, Springer, 2015.
  40. Nicolas Courtois: An Improved Differential Attack on Full GOST, In Cryptology ePrint Archive, Report 2012/138. 15 March 2012, updated September 2015, http://eprint.iacr.org/2012/138.
  41. Nicolas Courtois, Theodosis Mourouzis, Anna Grocholewska-Czurylo and Jean-Jacques Quisquater: On Optimal Size in Truncated Differential Attacks, In CECC 2014, Budapest, Hungary, 21-23 May 2014. Slides presented: http://www.nicolascourtois.com/papers/GOST_CECC2014.pdf. Post-proceedings in print (Studia Scientiarum Mathematicarum Hungarica).
  42. Nicolas T. Courtois, Theodosis Mourouzis, Michał Misztal, Jean-Jacques Quisquater, Guangyan Song: Can GOST Be Made Secure Against Differential Cryptanalysis?, In Cryptologia, vol. 39, Iss. 2, 2015, pp. 145-156.
  43. Nicolas T. Courtois, Theodosis Mourouzis: Advanced Differential Cryptanalysis and GOST Cipher, accepted for a 30 minute oral presentation at the 3rd IMA Conference on Mathematics in Defence at Tom Elliott Conference Centre, QinetiQ, Malvern, UK on Thursday 24 October 2013. 6-page paper in CD-ROM and web proceedings planned.
  44. Nicolas T. Courtois, Theodosis Mourouzis: Enhanced Truncated Differential Cryptanalysis of GOST, in SECRYPT 2013, Reykjavik, July 2013, http://www.nicolascourtois.com/papers/sec13.pdf
  45. Nicolas T. Courtois, Theodosis Mourouzis: Propagation of Truncated Differentials in GOST, in proc. of SECURWARE 2013, http://www.thinkmind.org/download.php?articleid=securware_2013_7_20_30119
  46. Nicolas T. Courtois, Daniel Hulme and Theodosis Mourouzis: Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis, In (informal) proceedings of SHARCS 2012 workshop, pp. 179-191, http://2012.sharcs.org/record.pdf. Earlier preprint is available at http://eprint.iacr.org/2011/475, and an abridged version appears in the electronic proceedings of the 2nd IMA conference Mathematics in Defence 2011, UK.
  47. Nicolas Courtois, Theodosis Mourouzis: Black-Box Collision Attacks on the Compression Function of the GOST Hash Function, appears in 6th International Conference on Security and Cryptography SECRYPT 2011.
  48. Charles Bouillaguet, Patrick Derbez, Orr Dunkelman, Nathan Keller, Pierre-Alain Fouque: Low Data Complexity Attacks on AES, Cryptology ePrint Archive, Report 2010/633. http://eprint.iacr.org/2010/633/.
  49. Gustaf Dellkrantz: Cryptanalysis of Symmetric Block Ciphers, Breaking Reduced KHAZAD and SAFER++, Royal Institute of Technology, Sweden, supervised by Johan Håstad and Christophe De Cannière, http://www.nada.kth.se/utbildning/grukth/exjobb/rapportlistor/2003/rapporter03/dellkrantz_gustaf_03110.pdf
  50. Itai Dinur, Orr Dunkelman and Adi Shamir: Improved Attacks on Full GOST, FSE 2012, LNCS 7549, pp. 9-28, 2012, early version available at http://eprint.iacr.org/2011/558/.
  51. Itai Dinur, Orr Dunkelman, Nathan Keller and Adi Shamir: Reflections on Slide with a Twist Attacks, 16 Oct 2014, At https://eprint.iacr.org/2014/847
  52. Ali Doğanaksoy, Bariş Ege, Onur Koçak and Fatih Sulak: Cryptographic Randomness Testing of Block Ciphers and Hash Functions, In http://eprint.iacr.org/2010/564.
  53. Jean-Charles Faugère: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5), Workshop on Applications of Commutative Algebra, Catania, Italy, 3-6 April 2002, ACM Press.
  54. Philippe Flajolet, Robert Sedgewick: Analytic Combinatorics, Cambridge University Press.
  55. I. J. Good and Cipher A. Deavours, Afterword to: Marian Rejewski, "How Polish Mathematicians Deciphered the Enigma", Annals of the History of Computing, 3 (3), July 1981, 229-232.
  56. Fleischmann Ewan, Gorski Michael, Huehne Jan-Hendrik, Lucks Stefan: Key recovery attack on full GOST block cipher with zero time and memory, Published as ISO/IEC JTC 1/SC 27 N8229. 2009.
  57. Soichi Furuya: Slide Attacks with a Known-Plaintext Cryptanalysis, In ICISC 2001, LNCS 2288, 2002, pp. 11-50.
  58. E. K. Grossman, B. Tuckerman: Analysis of a Weakened Feistel-like Cipher, 1978 International Conference on Communications, pp. 46.3.1-46.3.5, Alger Press Limited, 1978.
  59. L. V. Kovalchuk: Upper-bound estimation of the average probabilities of integer-valued differentials in the composition of key adder, substitution block, and shift operator, In Cybernetics And Systems Analysis Vol. 46, Number 6 (2010), pp. 936-944, Springer.
  60. L. V. Kovalchuk and O. A. Sirenko: Analysis of mixing properties of the operations of modular addition and bitwise addition defined on one carrier, In Cybernetics And Systems Analysis Vol. 47, Number 5 (2011), pp. 741-753, Springer.
  61. A. N. Alekseychuk and L. V. Kovalchuk: Towards a Theory of Security Evaluation for GOST-like Ciphers against Differential and Linear Cryptanalysis, Preprint 9 Sep 2011, http://eprint.iacr.org/2011/489.
  62. V.V. Shorin, V.V. Jelezniakov, E.M. Gabidulin: Security of algorithm GOST 28147-89, (in Russian), In Abstracts of XLIII MIPT Science Conference, December 8-9, 2000.
  63. Vitaly V. Shorin, Vadim V. Jelezniakov and Ernst M. Gabidulin: Linear and Differential Cryptanalysis of Russian GOST, Preprint submitted to Elsevier Preprint, 4 April 2001.
  64. I. A. Zabotin, G. P. Glazkov, V. B. Isaeva: Cryptographic Protection for Information Processing Systems, Government Standard of the USSR, GOST 28147-89, Government Committee of the USSR for Standards, 1989. In Russian, translated to English in [65].
  65. An English translation of [64] by Aleksandr Malchik with an English Preface co-written with Whitfield Diffie, was published in 1994, at 193.166.3.2/pub/crypt/cryptography/papers/gost/russian-des-preface.ps.gz
  66. Vasily Dolmatov, Editor, RFC 5830: GOST 28147-89 encryption, decryption and MAC algorithms, IETF. ISSN: 2070-1721. March 2010. http://tools.ietf.org/html/rfc5830
  67. GOST R 34.11-94, the Russian hash function standard, the original Russian version can be found at http://protect.gost.ru/document.aspx?control=7&id=134550 and an English translation can be found at ftp.funet.fi/pub/crypt/cryptography/papers/gost/russian-des-preface.ps.gz.
  68. Vasily Dolmatov, Editor, RFC 5831: GOST R 34.11-94: Hash Function Algorithm, IETF. ISSN: 2070-1721. March 2010. http://tools.ietf.org/html/rfc5831.
  69. V. Popov, I. Kurepkin, S. Leontie: RFC 4357: Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms, IETF January 2006. http://tools.ietf.org/html/rfc4357
  70. A Russian reference implementation of GOST implementing Russian algorithms as an extension of TLS v1.0 is available as a part of the OpenSSL library. The file gost89.c contains eight different sets of S-boxes and is found in OpenSSL 0.9.8 and later: http://www.openssl.org/source/
  71. J. Hulsbosch: Analyse van de zwakheden van het DES-algoritme door middel van formele codering, Master thesis, K. U. Leuven, Belgium, 1982.
  72. Florian Mendel, Norbert Pramstaller and Christian Rechberger: A (Second) Preimage Attack on the GOST Hash Function, In Kaisa Nyberg editor, FSE 2008, LNCS 5086, pp. 224-234, Springer, 2008.
  73. Florian Mendel, Norbert Pramstaller, Christian Rechberger, Marcin Kontak and Janusz Szmidt: Cryptanalysis of the GOST Hash Function, In Crypto 2008, LNCS 5157, pp. 162-178, Springer, 2008.
  74. Takanori Isobe: A Single-Key Attack on the Full GOST Block Cipher, In FSE 2011, pp. 290-305, Springer LNCS 6733, 2011.
  75. Orhun Kara: Reflection Cryptanalysis of Some Ciphers, In Indocrypt 2008, LNCS 5365, pp. 294-307, 2008.
  76. Jialin Huang and Xuejia Lai: What is the Effective Key Length for a Block Cipher: an Attack on Every Block Cipher, eprint.iacr.org/2012/677.
  77. Orhun Kara and Ferhat Karakoç: Fixed Points of Special Type and Cryptanalysis of Full GOST. In CANS 2012, LNCS 7712, pp. 86-97, 2012.
  78. John Kelsey, Bruce Schneier, David Wagner: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES, In Crypto'96, pp. 237-251, LNCS 1109, Springer, 1996.
  79. Lars R. Knudsen: Truncated and Higher Order Differentials, In FSE 1994, pp. 196-211, LNCS 1008, Springer.
  80. Nick and Alex Moldovyan: Innovative Cryptography, textbook, 2nd edition, Charles River Media, Boston, 2007.
  81. Theodosis Mourouzis: Optimizations in Algebraic and Differential Cryptanalysis, PhD thesis, under supervision of Dr. Nicolas T. Courtois, University College London, January 2015, http://discovery.ucl.ac.uk/1462141/2/PhD_Thesis_Theodosis_Mourouzis.pdf
  82. Klaus Pommerening: Permutations and Rejewski's Theorem, http://www.staff.uni-mainz.de/pommeren/MathMisc/Permut.pdf
  83. Axel Poschmann, San Ling, and Huaxiong Wang: 256 Bit Standardized Crypto for 650 GE: GOST Revisited, In CHES 2010, LNCS 6225, pp. 219-233, 2010.
  84. C. Charnes, L. O'Connor, J. Pieprzyk, R. Safavi-Naini, Y. Zheng: Comments on Soviet encryption algorithm, In Advances in Cryptology - Eurocrypt'94 Proceedings, LNCS 950, A. De Santis, ed., pp. 433-438, Springer, 1995.
  85. Random Permutation Statistics, Wikipedia article, 22 January 2008, available at http://en.wikipedia.org/wiki/Random_permutation_statistics.
  86. J.-J. Quisquater and J.P. Delescaille: How Easy is Collision Search. New Results and Applications to DES, In Crypto'89, LNCS 435, pp. 408-413.
  87. J.-J. Quisquater and Y. Desmedt and M. Davio: The Importance of 'good' Key Scheduling Schemes (How to make a secure DES scheme with ≤ 48 bit keys?), In Crypto'85, LNCS 218, pp. 537-542, Springer, 1985.
  88. RSA Labs PKCS #11: Cryptographic Token Interface Standard, ver. 2.30, Sep 2009, mechanisms part 1, Sections 6.39-6.40.7, ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30m1-d7.pdf
  89. Marian Rejewski: How Polish Mathematicians Deciphered the Enigma, Annals of the History of Computing, vol. 3, number 3, July 1981, 213-234.
  90. Marian Rejewski: Mathematical Solution of the Enigma Cipher, In Cryptologia, vol. 6, number 1, January 1982, pp. 1-37.
  91. Marian Rejewski: An application of the theory of permutations in breaking the Enigma cipher. Applicationes Mathematicae, 16(4), Warsaw, 1980. At http://www.impan.pl/Great/Rejewski/article.html
  92. Marian Rejewski: Memories of My Work at the Cipher Bureau of the General Staff Second Department 1930-45, second edition, Adam Mickiewicz University Press, Poznan, Poland, 2011.
  93. Frank Carter: The First Breaking of Enigma: Some of the Pioneering Techniques Developed by the Polish Cipher Bureau, Report No 2, Bletchley Park Trust, new edition September 2008.
  94. Vladimir Rudskoy: On zero practical significance of Key recovery attack on full GOST block cipher with zero time and memory, Preprint 31-Mar-2010, http://eprint.iacr.org/2010/111
  95. Vladimir Rudskoy, Andrey Dmukh: Algebraic and Differential Cryptanalysis of GOST: Fact or Fiction, In CTCrypt 2012, Workshop on Current Trends in Cryptology, affiliated with 7th International Computer Science Symposium in Russia (CSR-2012), 2 July 2012, Nizhny Novgorod, Russia. Full papers will be submitted and published in a special issue of the Russian peer-reviewed journal Mathematical Aspects of Cryptography. An extended abstract is available at: https://www.tc26.ru/invite/spisokdoc/CTCrypt_rudskoy.pdf; slides are available at: https://www.tc26.ru/documentary%20materials/CTCrypt%202012/slides/CTCrypt_rudskoy_slides_final.pdf
  96. Vladimir Rudskoy and Andrey Chmora: Working draft for ISO/IEC 1st WD of Amd1/18033-3: Russian Block Cipher GOST, ISO/IEC JTC 1/SC 27 N9423, 2011-01-14, MD5=feb236fe6d3a79a02ad666edfe7039aa
  97. Igor Semaev: Sparse Algebraic Equations over Finite Fields, SIAM J. Comput. 39(2): 388-409 (2009).
  98. Haavard Raddum and Igor Semaev: New Technique for Solving Sparse Equation Systems, ECRYPT STVL website, January 16th 2006, available also at eprint.iacr.org/2006/475/
  99. Markku-Juhani Saarinen: A chosen key attack against the secret S-boxes of GOST, unpublished manuscript, 1998.
  100. Haruki Seki and Toshinobu Kaneko: Differential Cryptanalysis of Reduced Rounds of GOST. In SAC 2000, LNCS 2012, pp. 315-323, Springer, 2000.
  101. Bruce Schneier: Section 14.1 GOST, in Applied Cryptography, Second Edition, John Wiley and Sons, 1996. ISBN 0-471-11709-9.
  102. Claude Elwood Shannon: Communication theory of secrecy systems, Bell System Technical Journal 28 (1949), see in particular page 704.
  103. Niklas Sörensson, Niklas Eén: MiniSat 2.06, an open-source SAT solver package.
  104. Mate Soos: CryptoMiniSat 2.92, an open-source SAT solver package based on earlier MiniSat software, at http://www.msoos.org/cryptominisat2/
  105. Wei Dai: Crypto++, a public domain library containing a reference C++ implementation of GOST and test vectors, http://www.cryptopp.com
  106. Pavol Zajac: Solving Trivium-based Boolean Equations Using the Method of Syllogisms, Fundam. Inform. 114(3-4): 359-373 (2012).
  107. Pavol Zajac, Radoslav Cagala: Local reduction and the algebraic cryptanalysis of the block cipher GOST. In Periodica Mathematica Hungarica 65(2): 239-255 (2012).
  108. Marcel Zanechal: An algebraic approach to fix points of GOST-algorithm, Mathematica Slovaca 51 (2001), no. 5, 583-591.
  109. Otokar Grosek, Pavol Zajac: Two papers in Encyclopedia of Artificial Intelligence: Automated Cryptanalysis, on pages 179-185, and Automated Cryptanalysis of Classical Ciphers, pages 186-191.
  110. Rabuñal, Dorado, Pazos (Eds.), 3 Volumes, IGI Global 2009, ISBN 9781599048499
  111. Bo Zhu and Guang Gong: Multidimensional Meet-in-the-Middle Attack and Its Applications to GOST, KTANTAN and Hummingbird-2, Cryptology ePrint Archive: eprint.iacr.org/2011/619/, 17 Feb 2012, the initial attack was apparently incorrect and later versions of this paper do NOT study GOST cipher at all.
  112. Following Fact 14, we will have in each case with 32+32 data bits and 87 key bits, 2^3.6 possibilities for these 27 bits, and the time of this enumeration of 2^3.6 cases can be neglected, because it is done only 2^(64+16.6) times overall.
  113. In the same way, for the same 64 middle bits, we enumerate all the 2^16.6 possibilities for the 87 key bits in the lower 4 rounds, plus 2^3.6 possibilities for the same middle 27 bits, for each case, enumerated at negligible additional cost. Time spent in this step is another 2^109 GOST encryptions and 2^110 GOST encryptions total for both.
  114. We need a negligible quantity of memory to store these two sets of 2^16.6 half-keys on 87 bits.
  115. Now we are going to enumerate all possible cases which will agree on the 27 middle bits for the third encryption.
  116. For every 32+32 middle bits, we have two lists of 2^(16.6+3.6) possibilities on 27 bits. For every 27 bits from the first list, it will be in the second list with probability 2^(16.6+3.6-27) = 2^-6.8. Therefore out of 2^(16.6+3.6) possibilities on 27 bits in the first list, only 2^(16.6+3.6-6.8) = 2^13.4 will survive.
  117. Thus in our attack, given 32+32 middle bits, we are able to enumerate only 2^13.4 keys on 174 = 87+87 key bits.
  118. In each case, given the 87+87 bits, we run a SAT solver to determine the remaining 256-174 bits. This is done 2^(64+13.4) = 2^77.4 times. It takes just 1 s, which is 2^21 GOST encryptions.
  119. This step takes about 2^(77.4+21) = 2^98.4 GOST encryptions.
  120. Overall our attack requires 2^110 GOST encryptions and very small memory.
  121. With Method 1, cf. Fig 55, we first choose any k_0, h_0, compute s_0 with one GOST encryption and put c_0 = s_0 ⊕ a, which allows us to achieve x_0 = a.
  122. We can compute a basis for a linear space of dimension 128.
  123. We can then try 2^128 cases in this space. We need to repeat this 2^64 times for different initial choices of h_0, k_0.
  124. We need to try 2^191 cases on average until we get (x_1, x_2, x_3) = (b, c, d).
  125. In each of the 2^191 steps we need to compute just one GOST encryption, and most of the time we can reject this case because x_1 ≠ b. This is only 2^-2 evaluations of the GOST compression function.
  126. Overall the expected running time is 2^(191-2) = 2^189 evaluations of the GOST compression function. Here also a more powerful method to find pre-images which are no longer pseudo-pre-images, and where almost the whole H_i can be "almost" an arbitrary value, is described in [73].