On Multiple Symmetric Fixed Points in GOST

Courtois, Nicolas T.

doi:10.1080/01611194.2014.988362

Cited by 7 publications

(12 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Basically the cost of computing the first 3+ and the last 3+ rounds of GOST can be neglected. More precisely it will be amortized in 2 20 sub-cases of the 2 96 cases, in which we just need to evaluate 4 S-boxes in round 3 and 4 S-boxes in round 30, which is roughly feasible to do in most an equivalent of 1 round of GOST. Therefore we estimate that we need only about 2 116+64 · 8 CPU clocks, which could be seen as an equivalent of roughly about 2 174 GOST encryptions.…”

Section: Attack Stage 1 -First 4 and Last 4 Roundsmentioning

confidence: 99%

“…This paper does NOT cover the whole spectrum of what differential properties can bring in terms interesting or/and efficient attacks on GOST. In this paper we do not consider multiple key attacks [17,19,26,20, 39] and we do not try to develop or at more advanced "combination" attacks which combine the complexity reduction approach based on high-level self-similarity of [26,19,9] with advanced differential properties with 2,3 and 4 points, [26,20]. This paper is essentially a technical paper on simple yet highly-optimized truncated differential attacks in a single key scenario.…”

Section: Introductionmentioning

confidence: 99%

“…There is a substantial variety of recent innovative attacks on GOST [9, 26, 37, 10-12, 31, 21, 19, 20]. We have reflection attacks [37,26], attacks with double, triple and even quadruple reflections [26,20], a large variety of self-similarity and black-box reduction attacks [9,26,19,20], some of which do not use any reflections whatsoever [26, 9] and few other. The final key recovery step in various attacks is in many cases a software algebraic attack [26, 9,20] or/and a Meet-In-The-Middle attack [37,26,31,21].…”

mentioning

confidence: 99%

“…In differential attacks key bits are guessed and confirmed by the differential properties [54,[10][11][12][13][14]49] and there have already been quite a few papers about advanced differential attacks on GOST [54, 10-13, 49, 14, 22, 15]. There is also several even more advanced "combination" attacks which combine the complexity reduction approach based on high-level self-similarity of [26,19, 9] with various advanced differential properties with 2,3 or 4 points, see [26,20]. In this paper we consider some recent differential attacks on GOST [54, 10-14, 49, 15] and show how to further improve them.…”

mentioning

confidence: 99%

“…We have reflection attacks [37,26], attacks with double, triple and even quadruple reflections [26,20], a large variety of self-similarity and black-box reduction attacks [9,26,19,20], some of which do not use any reflections whatsoever [26, 9] and few other. The final key recovery step in various attacks is in many cases a software algebraic attack [26, 9,20] or/and a Meet-In-The-Middle attack [37,26,31,21]. In differential attacks key bits are guessed and confirmed by the differential properties [54,[10][11][12][13][14]49] and there have already been quite a few papers about advanced differential attacks on GOST [54, 10-13, 49, 14, 22, 15].…”

mentioning

confidence: 99%

See 4 more Smart Citations

An Improved Differential Attack on Full GOST

Courtois

2016

The New Codebreakers

View full text Add to dashboard Cite

Abstract. GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and it is becoming increasingly popular [51,36]. Until 2010 researchers unanimously agreed that: "despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken", see [51] and in 2010 it was submitted to ISO 18033 to become a worldwide industrial encryption standard. In 2011 it was suddenly discovered that GOST can be broken and it is insecure on more than one account. There is a substantial variety of recent innovative attacks on GOST [9, 26, 37, 10-12, 31, 21, 19, 20]. We have reflection attacks [37,26], attacks with double, triple and even quadruple reflections [26,20], a large variety of self-similarity and black-box reduction attacks [9,26,19,20], some of which do not use any reflections whatsoever [26, 9] and few other. The final key recovery step in various attacks is in many cases a software algebraic attack [26, 9,20] or/and a Meet-In-The-Middle attack [37,26,31,21]. In differential attacks key bits are guessed and confirmed by the differential properties [54,[10][11][12][13][14]49] and there have already been quite a few papers about advanced differential attacks on GOST [54, 10-13, 49, 14, 22, 15]. There is also several even more advanced "combination" attacks which combine the complexity reduction approach based on high-level self-similarity of [26,19, 9] with various advanced differential properties with 2,3 or 4 points, see [26,20]. In this paper we consider some recent differential attacks on GOST [54, 10-14, 49, 15] and show how to further improve them. We present a single-key attack against full 32-round 256-bit GOST with time complexity of 2 179 which is substantially faster than any previous single key attack on GOST. * Note: This paper is a new extended and updated version of a paper with the same title [27] to appear in LNCS 9100, Springer in March 2016. This paper is substantially expanded compared to the earlier version from 2012. The main attack remains the same and also the same as in the Springer version [27]. The introduction, preliminary study and exploration of underlying cipher structure and properties attacks are however greatly expanded in order to show a bigger picture and provide useful insights. We explain in details the philosophy and the structure of our attacks, and the methodology of how one can find such attacks, cf. Part I, "Discovery of Advanced Differential Attacks on GOST", pages 9-24. We also cite recent related and follow-up work.

show abstract

Section: Attack Stage 1 -First 4 and Last 4 Roundsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

An Improved Differential Attack on Full GOST

Courtois

2016

The New Codebreakers

View full text Add to dashboard Cite

show abstract

Can a Differential Attack Work for an Arbitrarily Large Number of Rounds?

Courtois

Quisquater

2021

Information Security and Cryptology – ICISC 2020

View full text Add to dashboard Cite

Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively, little research, on how block cipher wiring can be very special or abnormal. In this article we show a strong type of anomaly: where the complexity of a differential attack does not grow exponentially as the number of rounds increases. It will grow initially, and later will be lower bounded by a constant. At the end of the day the vulnerability is an ordinary single differential attack on the full state. It occurs due to the existence of a hidden polynomial invariant. We conjecture that this type of anomaly is not easily detectable if the attacker has limited resources.

show abstract