Reflection Cryptanalysis of Some Ciphers

Kara, Orhun

doi:10.1007/978-3-540-89754-5_23

Cited by 32 publications

(33 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It is therefore very important to notice that in addition to the very long bit keys GOST has a much lower implementation cost than AES or any other comparable encryption algorithm. For example in hardware GOST 256 bits requires less than 800 GE, while AES-128 requires 3100 GE, see [22]. Thus it is not surprising that GOST became an Internet standard, it is part of many crypto libraries such as OpenSSL [20], and is increasingly popular also outside its country of origin [23].…”

Section: Gost and Iso Standardisationmentioning

confidence: 99%

Contradiction Immunity and Guess-Then-Determine Attacks on Gost

Courtois¹,

Gawinecki²,

Song³

2012

Tatra Mountains Mathematical Publications

View full text Add to dashboard Cite

ABSTRACT. GOST is a well-known government standard cipher. Since 2011 several academic attacks on GOST have been found. Most of these attacks start by a so called "Complexity Reduction" step [Courtois Cryptologia 2012] the purpose of which is to reduce the problem of breaking the full 32-round GOST to a low-data complexity attack on a reduced-round GOST. These reductions can be viewed as optimisation problems which seek to maximize the number of values inside the cipher determined at given "cost" in terms of guessing other values. In this paper we look at similar combinatorial optimisation questions BUT at the lower level, inside reduced round versions of GOST.We introduce a key fundamental notion of Contradiction Immunity of a block cipher. A low value translates to working software attacks on GOST with a SAT solver. A high value will be mandatory for any block cipher to be secure. We provide some upper bounds for the Contradiction Immunity of GOST.

show abstract

Section: Gost and Iso Standardisationmentioning

confidence: 99%

Contradiction Immunity and Guess-Then-Determine Attacks on Gost

Courtois¹,

Gawinecki²,

Song³

2012

Tatra Mountains Mathematical Publications

View full text Add to dashboard Cite

show abstract

“…The reflection property which was first described in [7], where it was used to attack 30 rounds of GOST (and 2 224 weak keys of the full GOST). This property was later exploited in [6] to attack the full GOST for all keys.…”

Section: Overview Of Our New Attacks On the Full Gostmentioning

confidence: 99%

“…As a result, DES was broken theoretically (by using differential and linear techniques) and practically (by using special purpose hardware) about 20 years ago, whereas all the single key attacks [1,7,13] published before 2011 were only applicable to reduced-round versions of the cipher. 1 The first single key attack on the full 32-round version of GOST was published by Takanori Isobe at FSE'11 [6].…”

Section: Introductionmentioning

confidence: 99%

“…1 The first single key attack on the full 32-round version of GOST was published by Takanori Isobe at FSE'11 [6]. It exploited a surprising reflection property which was first pointed out by Kara [7] in 2008: Whenever the left and right halves of the state after 24 rounds are equal (which happens with probability 2 −32 ), the last 16 rounds become the identity mapping, and thus the effective number of rounds is reduced from 32 to 16. Isobe developed a new key-extraction algorithm for the remaining 16 rounds of GOST which required 2 192 time and 2 64 memory, and used it 2 32 times for different plaintext/ciphertext pairs in order to get the full 256 bit key using a total of 2 32 data, 2 64 memory, and 2 224 time.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improved Attacks on Full GOST

Dinur

Dunkelman

Shamir

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. GOST is a well known block cipher which was developed in the Soviet Union during the 1970's as an alternative to the US-developed DES. In spite of considerable cryptanalytic effort, until very recently there were no published single key attacks against its full 32-round version which were faster than the 2 256 time complexity of exhaustive search. In February 2011, Isobe used in a novel way the previously discovered reflection property in order to develop the first such attack, which requires 2 32 data, 2 64 memory and 2 224 time. Shortly afterwards, Courtois and Misztal used a different technique to attack the full GOST using 2 64 data, 2 64 memory and 2 226 time. In this paper we introduce a new fixed point property and a better way to attack 8-round GOST in order to find improved attacks on full GOST: Given 2 32 data we can reduce the memory complexity from an impractical 2 64 to a practical 2 36 without changing the 2 224 time complexity, and given 2 64 data we can simultaneously reduce the time complexity to 2 192 and the memory complexity to 2 36 .

show abstract

“…Так в работах [1] - [3] приведены сдвиговые атаки, основанные на слабостях алгоритма развертывания ключа и раундовой функции. В работах [4] и [5] предложены атаки на основе метода отражений, а в работах [6] - [9] -атаки на основе алгебраического и разностного ме-тодов. К шифрсистеме ГОСТ 28147-89 применялась также атака на основе метода встречи посередине [10].…”

Section: Introductionunclassified

Атака На Шифрсистему ГОСТ 28147-89 С 12 Связанными Ключами

Пудовкина¹,

Хоруженко²,

Khoruzhenko³

2013

Матем. вопр. криптогр.

View full text Add to dashboard Cite

Национальный исследовательский ядерный университет (МИФИ), МоскваПолучено 18. IX.2012 Приведена атака на блочную шифрсистему ГОСТ 28147-89 с 12 связан-ными ключами. Она основана на комбинации методов бумеранга и связан-ных ключей и для произвольного s-бокса позволяет найти все 256 бит ключа шифрования. В ряде случаев ключ шифрования может быть найден на ЭВМ за приемлемое время. Abstract. A key-recovery attack on the full GOST 28147-89 block cipher with 12 related keys is described. The attack is based on the related-key and boomerang techniques and allows to find all 256 bits of the master key for arbitrary s-boxes. In some cases the attack has practical complexity.Key words: GOST 28147-89, related-key attack, boomerang attack Citation: Mathematical Aspects of Cryptography, 2013, vol. 4, no. 2, pp. 127-152 (Russian В данной работе проведена модификация атаки из [15], позволяющая восстановить весь ключ шифрования с 12 связанными ключами для произ-вольного s-бокса. В ряде случаев ключ определяется на ЭВМ за практически приемлемое время . При наличии линейного транслятора для его нахождения используется модификация различителя работы [15]. Для восстановления ра-ундовых ключей 25 и 26-го раундов применяется разностная характеристика, отличная от характеристики работы [15]. Предложенный способ нахождения ключа шифрования состоит из двух этапов. На первом этапе методом бу-меранга со связанными ключами определяются множества кандидатов в ра-ундовые ключи 32 и 31-го раундов, используя четверку связанных ключей. На втором этапе находятся множества кандидатов в раундовые ключи 30, 29,. . . , 25-го раундов разностным методом со связанными ключами (приме-няются пары связанных ключей). Каждый из этапов предполагает наличие двух модификаций в зависимости от свойств подстановки s 8 . Описание шифрсистемы ГОСТ 28147-89Пусть V n -n-мерное векторное пространство над полем GF(2); N -множество натуральных чисел, N 0 = N ∪ {0}; S(X) -множество всех подстановок на X; ⊕ -покоординатное сложение по модулю два векто-ров из V t , t ∈ N; α ≪ t (α ≫ t) -циклический сдвиг вектора α на t бит влево (вправо); + q -сложение по модулю q; запись x∈ U X означа-ет, что x случайно и равновероятно выбирается из множества X; X × = = X\{0}; K [r] − множество кандидатов в раундовые ключи r-го раунда; β = = (β 3 , . . . , β 0 ) ∈ V 4 ; β = β 7 , . . . , β 0 ∈ V 32 ; s = ( s 8 , . . . , s 1 ), s : V 32 → V 32 ,

show abstract

Reflection Cryptanalysis of Some Ciphers

Cited by 32 publications

References 31 publications

Contradiction Immunity and Guess-Then-Determine Attacks on Gost

Contradiction Immunity and Guess-Then-Determine Attacks on Gost

Improved Attacks on Full GOST

Атака На Шифрсистему ГОСТ 28147-89 С 12 Связанными Ключами

Contact Info

Product

Resources

About