Can GOST Be Made Secure Against Differential Cryptanalysis?

2016

The New Codebreakers

Self Cite

Abstract. GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and it is becoming increasingly popular [51,36]. Until 2010 researchers unanimously agreed that: "despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken", see [51] and in 2010 it was submitted to ISO 18033 to become a worldwide industrial encryption standard. In 2011 it was suddenly discovered that GOST can be broken and it is insecure on more than one account. There is a substantial variety of recent innovative attacks on GOST [9, 26, 37, 10-12, 31, 21, 19, 20]. We have reflection attacks [37,26], attacks with double, triple and even quadruple reflections [26,20], a large variety of self-similarity and black-box reduction attacks [9,26,19,20], some of which do not use any reflections whatsoever [26, 9] and few other. The final key recovery step in various attacks is in many cases a software algebraic attack [26, 9,20] or/and a Meet-In-The-Middle attack [37,26,31,21]. In differential attacks key bits are guessed and confirmed by the differential properties [54,[10][11][12][13][14]49] and there have already been quite a few papers about advanced differential attacks on GOST [54, 10-13, 49, 14, 22, 15]. There is also several even more advanced "combination" attacks which combine the complexity reduction approach based on high-level self-similarity of [26,19, 9] with various advanced differential properties with 2,3 or 4 points, see [26,20]. In this paper we consider some recent differential attacks on GOST [54, 10-14, 49, 15] and show how to further improve them. We present a single-key attack against full 32-round 256-bit GOST with time complexity of 2 179 which is substantially faster than any previous single key attack on GOST. * Note: This paper is a new extended and updated version of a paper with the same title [27] to appear in LNCS 9100, Springer in March 2016. This paper is substantially expanded compared to the earlier version from 2012. The main attack remains the same and also the same as in the Springer version [27]. The introduction, preliminary study and exploration of underlying cipher structure and properties attacks are however greatly expanded in order to show a bigger picture and provide useful insights. We explain in details the philosophy and the structure of our attacks, and the methodology of how one can find such attacks, cf. Part I, "Discovery of Advanced Differential Attacks on GOST", pages 9-24. We also cite recent related and follow-up work.

Section: Background: Differential Cryptanalysismentioning

confidence: 99%

Section: Background: Differential Cryptanalysismentioning

confidence: 99%

Section: Background: Differential Cryptanalysismentioning

confidence: 99%

“…On the contrary. Recent research shows that differential attacks on GOST work quite well across all (known or alternative] sets of S-boxes see [13,14,22,49].…”

Section: Part Imentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

An Improved Differential Attack on Full GOST

2016

The New Codebreakers

Self Cite

Can a Differential Attack Work for an Arbitrarily Large Number of Rounds?

Information Security and Cryptology – ICISC 2020

Quisquater

2021

Self Cite

Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively, little research, on how block cipher wiring can be very special or abnormal. In this article we show a strong type of anomaly: where the complexity of a differential attack does not grow exponentially as the number of rounds increases. It will grow initially, and later will be lower bounded by a constant. At the end of the day the vulnerability is an ordinary single differential attack on the full state. It occurs due to the existence of a hidden polynomial invariant. We conjecture that this type of anomaly is not easily detectable if the attacker has limited resources.

Two Philosophies for Solving Non-linear Equations in Algebraic Cryptanalysis

Lecture Notes in Computer Science

2017

Self Cite

Algebraic Cryptanalysis [36] is concerned with solving systems of particular multivariate non-linear equations derived from various cryptanalysis problems. Many different methods for solving such problems have been proposed in cryptanalytic literature: XL and XSL method, Gröbner bases, SAT solvers, and few other. In this paper we survey these methods and point out that the main working principle in all these is essentially the same. One quantity grows faster than another quantity which leads to a phase transition and the problem becomes efficiently solvable. We illustrate this with examples from both symmetric and asymmetric cryptanalysis. Exact analysis can be quite difficult with complex redundancies and additional equations which help the attacker. In this paper we point out that there exist a second (more) general way of formulating algebraic attacks which did NOT so far have a comparable success in cryptographic literature. Past experience shows that the algebraic degree and/or time complexity of cryptanalysis problems could be reduced by a variety of dedicated coding techniques which involve redundancy with addition of new variables. This opens numerous new possibilities for the attackers and leads to interesting optimization problems where the existence of additional equations may be somewhat deliberately engineered by the attacker. For example we show examples of I/O relations where introduction of extra variables allows to substantially reduce the degree and the complexity of polynomial equations.