Advanced Truncated Differential Attacks Against GOST Block Cipher and Its Variants

  • Theodosis Mourouzis
  • Nicolas Courtois


GOST block cipher, defined in the GOST 28147-89 standard, is a well-known 256-bit symmetric cipher that operates on 64-bit blocks. The 256-bit level security can be even more increased by keeping the specifications of the S-boxes secret. GOST is implemented in many standard libraries such as OpenSSL and it has extremely low implementation cost and as a result of this it could be considered as a plausible alternative for AES-256 and 3-DES. Furthermore, nothing seemed to threaten its high 256-bit security [CHES 2010] and in 2010 it was submitted to ISO 18033-3 to become a worldwide industrial standard. During the period of submission many new attacks of different types were presented by the cryptographic communities against full 32-rounds of GOST. We have algebraic complexity reduction attacks, advanced differential attacks, attacks using reflection property, and many others. However, all of these attacks were against the version of GOST which uses the standard set of S-boxes. In this paper, we study the security of many variants of GOST against advanced forms of differential attacks which are based on truncated differentials techniques. In particular we present an attack against full GOST for the variant of GOST which is supposed to be the strongest one and uses the set of S-boxes proposed in ISO 18033-3. Our attack is of Depth-First key search style constructed by solving several underlying optimization problems and has time complexity 2245. 4 and 264 memory and data complexity. It is very interesting to note that this attack is unoptimized with respect to several aspects and can be immediately improved by discovering more efficient ad-hoc heuristics which could eventually lead to the discovery of better truncated differential properties.


Block Cipher Stream Cipher Differential Characteristic Differential Attack Differential Cryptanalysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Biham, E., Shamir, A.: Differential cryptanalysis of the full 16-round des. In: Brickel, E.F. (ed.) CRYPTO 1992. Lecture Notes in Computer Science, vol. 740, pp. 487–496. Springer, Heidelberg (1992)Google Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993). ISBN: 0-387-97930-1, 3-540-97930-1Google Scholar
  3. 3.
    Boyar, J., Find, M., Peralta, R.: Four measures of nonlinearity. In: Algorithms and Complexity, pp. 61–72. Springer, Berlin Heidelberg (2013)Google Scholar
  4. 4.
    Coppersmith, D.: The data encryption standard (des) and its strength against attacks. IBM J. Res. Dev. 38(3), 243 (1994). doi:10.1147/rd.383.0243MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Courtois, N.: Algebraic Complexity Reduction and Cryptanalysis of GOST. IACR Cryptology ePrint Archive (2011)Google Scholar
  6. 6.
    Courtois, N.: Security evaluation of GOST 28147-89. In: View Of International Standardisation. IACR Cryptology ePrint Archive (2011)Google Scholar
  7. 7.
    Courtois, N.: An Improved Differential Attack on full GOST. IACR Cryptology ePrint Archive (2012)Google Scholar
  8. 8.
    Courtois, N.: Low complexity key recovery attacks on GOST block cipher. Cryptologia 37(1), 1–10 (2013)CrossRefGoogle Scholar
  9. 9.
    Courtois, N., Misztal, M.: First Differential cryptanalysis of full round 32- round GOST. In: ICICS’11, Beijing. LNCS, vol. 7043, pp. 216–227. Springer, Heidelberg (2011)Google Scholar
  10. 10.
    Courtois, N., Misztal, M.: Aggregated Differentials and Cryptanalysis of PP-1 and GOST. Period. Math. Hung. 65(2), 177–192 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Mourouzis,T: Optimizations in Algebraic and Differential Cryptanalysis. PhD Thesis, UCL (2015)Google Scholar
  12. 12.
    Courtois, N., Mourouzis, T.: Enhanced truncated differential cryptanalysis of GOST. In: SECRYPT 2013, 10th International Conference on Security and Cryptography, Reykjavik, 29–31 July 2013Google Scholar
  13. 13.
    Courtois, N., Mourouzis, T., Grocholewska-Czurylo, A., Quisquater, J.: On Optimal Size in Truncated Differential Attacks, Budapest, 21–23 May 2014Google Scholar
  14. 14.
    Dolmatov, V.: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms. IETF, Anaheim (2010). ISSN: 2070-1721Google Scholar
  15. 15.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved attacks on full GOST. In: Fast Software Encryption, pp. 9–28. Springer, Berlin Heidelberg (2011)Google Scholar
  16. 16.
    Dolmatov, V.: RFC 5830: GOST 28147-89 Encryption, Decryption and MAC algorithms (2010)Google Scholar
  17. 17.
    Furuya, S.: Slide attacks with a known-plaintext cryptanalysis. In Information Security and Cryptology—ICISC 2001, pp. 214–225. Springer, Berlin Heidelberg (2002)Google Scholar
  18. 18.
    Isobe,T.: A single-key attack on the full GOST block cipher. In: Fast Software Encryption, pp. 290–305. Springer, Berlin Heidelberg (2011)Google Scholar
  19. 19.
    Khovratovich, D., Ivica Nikolic, I.: Rotational cryptanalysis of ARX. In: Fast Software Encryption, pp. 333–346. Springer, Berlin Heidelberg (2013)Google Scholar
  20. 20.
    Knudsen, L.: Truncated and higher order differentials. In: 2nd International Workshop on Fast Software Encryption, pp. 196–211. Springer, Heidelberg (1994)Google Scholar
  21. 21.
    Knudsen, L.: Truncated and higher order differentials. In: Fast Software Encryption, pp. 196–211. Springer, Berlin Heidelberg (1995)Google Scholar
  22. 22.
    Knudsen, L., Robshaw, M.: The Block Cipher Companion. Springer, Berlin Heidelberg (2011)CrossRefzbMATHGoogle Scholar
  23. 23.
    Lai, X., Massey, J.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) Advances in Cryptology. Springer, Heidelberg (1991)Google Scholar
  24. 24.
    Malchik, A.: An English Translation of GOST Standard by Aleksandr Malchik with an English Preface Co-written with Whitfield Diffie (1994)Google Scholar
  25. 25.
    Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Fast Software Encryption, pp. 152–164. Springer, Heidelberg (2001)Google Scholar
  26. 26.
    Meier, W., Kunzli, S.: Distinguishing Attack on MAG. ENCRYPT Stream Cipher Project. eSTREAM (2013)Google Scholar
  27. 27.
    Popov, K., Leontiev, S.: Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms (2006)Google Scholar
  28. 28.
    Poschmann, A., Ling, S., Wang, H.: 256 bit standardized crypto for 650 GE GOST revisited. In: CHES 2010, LNCS, vol. 6225, pp. 219–233. Springer, Heidelberg (2010)Google Scholar
  29. 29.
    Rudskoy, V., Chmora, A.: Working draft for ISO/IEC 1st WD of AMD1/18033-3. In: Russian Block Cipher GOST, ISO/IEC JTC 1/SC 27 N9423, 2011-01-14 (2011)Google Scholar
  30. 30.
    Saarinen, M.: A Chosen Key Attack Against the Secret S-Boxes of GOST (1998)Google Scholar
  31. 31.
    Schneier, B.: Applied Cryptography, 2nd edn. Wiley, New York (1996)Google Scholar
  32. 32.
    Seki, H., Kaneko, T.: Differential cryptanalysis of reduced rounds of GOST. In: Selected Areas in Cryptography, pp. 315–323. Springer, Berlin Heidelberg (2001)Google Scholar
  33. 33.
    Shorin, V., Jelezniakov, V., Gabidulin, E.: Linear and differential cryptanalysis of Russian GOST. Electron. Notes Discret Math. 6, 538–547 (2001)MathSciNetCrossRefGoogle Scholar
  34. 34.
    Shorin, V., Jelezniakov, V., Gabidulin, E.: Security of algorithm GOST 28147-89. In: Abstracts of XLIII MIPT Science Conference (2000)Google Scholar
  35. 35.
    Zabotin. I., Glazkov, G., Isaeva, V.: Cryptographic Protection for Information Processing Systems, Government Standard of the USSR, GOST 28147-89. Government Committee of the USSR for Standards (1989)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.University College LondonLondonUK

Personalised recommendations