Journal of Cryptology

, Volume 26, Issue 1, pp 172–189 | Cite as

A Single-Key Attack on the Full GOST Block Cipher

  • Takanori Isobe


The GOST block cipher is the Russian encryption standard published in 1989. In spite of considerable cryptanalytic efforts over the past 20 years, a key recovery attack on the full GOST block cipher without any key conditions (e.g., weak keys and related keys) has not been published yet. In this paper, we show the first single-key attack, which works for all key classes, on the full GOST block cipher. To begin, we develop a new attack framework called Reflection-Meet-in-the-Middle Attack. This approach combines techniques of the reflection attack and the meet-in-the-middle (MITM) attack. Then we apply it to the GOST block cipher employing bijective S-boxes. In order to construct the full-round attack, we use additional novel techniques which are the effective MITM techniques using equivalent keys on a small number of rounds. As a result, a key can be recovered with a time complexity of 2225 encryptions and 232 known plaintexts. Moreover, we show that our attack is applicable to the full GOST block cipher using any S-boxes, including non-bijective S-boxes.

Key words

Block cipher GOST Single-key attack Reflection attack Meet-in-the-middle attack Equivalent keys 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    K. Aoki, Y. Sasaki, Preimage attacks on one-block MD4, 63-step MD5 and more, in SAC, ed. by R.M. Avanzi, L. Keliher, F. Sica. Lecture Notes in Computer Science, vol. 5381 (Springer, Berlin, 2008), pp. 103–119 Google Scholar
  2. [2]
    E. Biham, O. Dunkelman, N. Keller, Improved slide attacks, in [3] (2007), pp. 153–166 Google Scholar
  3. [3]
    A. Biryukov (ed.), Fast Software Encryption, 14th International Workshop, FSE 2007, Luxembourg, Luxembourg, 26–28 March, 2007, Revised Selected Papers. Lecture Notes in Computer Science, vol. 4593 (Springer, Berlin, 2007) MATHGoogle Scholar
  4. [4]
    A. Biryukov, D. Wagner, Slide attacks, in FSE, ed. by L.R. Knudsen. Lecture Notes in Computer Science, vol. 1636 (Springer, Berlin, 1999), pp. 245–259 Google Scholar
  5. [5]
    A. Biryukov, D. Wagner, Advanced slide attacks, in EUROCRYPT, ed. by B. Preneel. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 589–606 Google Scholar
  6. [6]
    A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: an ultra-lightweight block cipher, in CHES, ed. by P. Paillier, I. Verbauwhede. Lecture Notes in Computer Science, vol. 4727 (Springer, Berlin, 2007), pp. 450–466 Google Scholar
  7. [7]
    A. Bogdanov, C. Rechberger, A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN, in Selected Areas in Cryptography, ed. by A. Biryukov, G. Gong, D.R. Stinson. Lecture Notes in Computer Science, vol. 6544 (Springer, Berlin, 2010), pp. 229–240 CrossRefGoogle Scholar
  8. [8]
    C.D. Cannière, O. Dunkelman, M. Knezevic, KATAN and KTANTAN—A family of small and efficient hardware-oriented block ciphers, in CHES, ed. by C. Clavier, K. Gaj. Lecture Notes in Computer Science, vol. 5747 (Springer, Berlin, 2009), pp. 272–288 Google Scholar
  9. [9]
    D. Chaum, J. Evertse, Crytanalysis of DES with a reduced number of rounds: sequences of linear factors in block ciphers, in CRYPTO, ed. by H.C. Williams. Lecture Notes in Computer Science, vol. 218 (Springer, Berlin, 1985), pp. 192–211 Google Scholar
  10. [10]
    H. Demirci, A.A. Selçuk, A meet-in-the-middle attack on 8-round AES, in [25] (2008), pp. 116–126 Google Scholar
  11. [11]
    H. Demirci, I. Taskin, M. Çoban, A. Baysal, Improved meet-in-the-middle attacks on AES, in INDOCRYPT, ed. by B.K. Roy, N. Sendrier. Lecture Notes in Computer Science, vol. 5922 (Springer, Berlin, 2009), pp. 144–156 Google Scholar
  12. [12]
    W. Diffie, M.E. Hellman, Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10, 74–84 (1977) CrossRefGoogle Scholar
  13. [13]
    O. Dunkelman, G. Sekar, B. Preneel, Improved meet-in-the-middle attacks on reduced-round DES, in INDOCRYPT, ed. by K. Srinathan, C.P. Rangan, M. Yung. Lecture Notes in Computer Science, vol. 4859 (Springer, Berlin, 2007), pp. 86–100 Google Scholar
  14. [14]
    O. Dunkelman, N. Keller, A. Shamir, Improved single-key attacks on 8-round AES-192 and AES-256, in ASIACRYPT, ed. by M. Abe. Lecture Notes in Computer Science, vol. 6477 (Springer, Berlin, 2010), pp. 158–176 Google Scholar
  15. [15]
    E. Fleischmann, M. Gorski, J. Hüehne, S. Lucks, Key recovery attack on full GOST. Block cipher with negligible time and memory, in Western European Workshop on Research in Cryptology (WEWoRC). LNCS, vol. 6429 (Springer, Berlin, 2009) (to appear) Google Scholar
  16. [16]
    J. Guo, T. Peyrin, A. Poschmann, M.J.B. Robshaw, The LED block cipher, in [27] (2011), pp. 326–341 Google Scholar
  17. [17]
    S. Indesteege, N. Keller, O. Dunkelman, E. Biham, B. Preneel, A practical attack on KeeLoq, in EUROCRYPT, ed. by N.P. Smart. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 1–18 Google Scholar
  18. [18]
    O. Kara, Reflection cryptanalysis of some ciphers, in INDOCRYPT, ed. by D.R. Chowdhury, V. Rijmen, A. Das. Lecture Notes in Computer Science, vol. 5365 (Springer, Berlin, 2008), pp. 294–307 Google Scholar
  19. [19]
    O. Kara, C. Manap, A new class of weak keys for blowfish, in [3] (2007), pp. 167–180 Google Scholar
  20. [20]
    J. Kelsey, B. Schneier, D. Wagner, Key-schedule cryptoanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES, in CRYPTO, ed. by N. Koblitz. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin, 1996), pp. 237–251 Google Scholar
  21. [21]
    Y. Ko, S. Hong, W. Lee, S. Lee, J.-S. Kang, Related key differential attacks on 27 rounds of XTEA and full-round GOST, in FSE, ed. by B.K. Roy, W. Meier. Lecture Notes in Computer Science, vol. 3017 (Springer, Berlin, 2004), pp. 299–316 Google Scholar
  22. [22]
    F. Mendel, N. Pramstaller, C. Rechberger, A (second) preimage attack on the GOST hash function, in [25] (2008), pp. 224–234 Google Scholar
  23. [23]
    F. Mendel, N. Pramstaller, C. Rechberger, M. Kontak, J. Szmidt, Cryptanalysis of the GOST Hash function, in CRYPTO, ed. by D. Wagner. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 162–178 Google Scholar
  24. [24]
    National Soviet Bureau of Standards. Information Processing System—Cryptographic Protection—Cryptographic Algorithm GOST 28147-89 (1989) Google Scholar
  25. [25]
    K. Nyberg (ed.), Fast Software Encryption, 15th International Workshop, Revised Selected Papers, FSE 2008, Lausanne, Switzerland, 10–13 February, 2008. Lecture Notes in Computer Science, vol. 5086 (Springer, Berlin, 2008) Google Scholar
  26. [26]
    A. Poschmann, S. Ling, H. Wang, 256 bit standardized crypto for 650 GE-GOST revisited, in CHES, ed. by S. Mangard, F.-X. Standaert. Lecture Notes in Computer Science, vol. 6225 (Springer, Berlin, 2010), pp. 219–233 Google Scholar
  27. [27]
    B. Preneel, T. Takagi (eds.), Proceedings Cryptographic Hardware and Embedded Systems—CHES 2011—13th International Workshop, Nara, Japan, September 28–October 1, 2011. Lecture Notes in Computer Science, vol. 6917 (Springer, Berlin, 2011) MATHGoogle Scholar
  28. [28]
    V. Rudskoy, On zero practical significance of “Key recovery attack on full GOST block cipher with zero time and memory”. Cryptology ePrint Archive, Report 2010/111 (2010).
  29. [29]
    M.-J.O. Saarinen, A chosen key attack against the secret S-boxes of GOST. Unpublished manuscript (1998) Google Scholar
  30. [30]
    Y. Sasaki, K. Aoki, Finding preimages in full MD5 faster than exhaustive search, in EUROCRYPT, ed. by A. Joux. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 134–152 Google Scholar
  31. [31]
    B. Schneier, Description of a new variable-length key, 64-bit block cipher (Blowfish), in FSE, ed. by R.J. Anderson. Lecture Notes in Computer Science, vol. 809 (Springer, Berlin, 1993), pp. 191–204 Google Scholar
  32. [32]
    B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edn. (Wiley, New York, 1995) Google Scholar
  33. [33]
    H. Seki, T. Kaneko, Differential cryptanalysis of reduced rounds of GOST, in SAC, ed. by D.R. Stinson, S.E. Tavares. Lecture Notes in Computer Science, vol. 2012 (Springer, Berlin, 2011), pp. 315–323 Google Scholar
  34. [34]
    M. Steil, 17 Mistakes Microsoft Made in the Xbox Security System (2005) Google Scholar
  35. [35]
    K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, T. Shirai, Piccolo: an ultra-lightweight blockcipher, in [27] (2011), pp. 342–357 Google Scholar
  36. [36]
    D.J. Wheeler, R.M. Needham, TEA, a tiny encryption algorithm, in FSE, ed. by B. Preneel. Lecture Notes in Computer Science, vol. 1008 (Springer, Berlin, 1994), pp. 363–366 Google Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  1. 1.Sony CorporationMinato-ku, TokyoJapan

Personalised recommendations