256 Bit Standardized Crypto for 650 GE – GOST Revisited

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6225)


The former Soviet encryption algorithm GOST 28147-89 was standardized by the Russian standardization agency in 1989, and extensive security analysis has been done since. So far no weaknesses have been found, and GOST is currently under discussion for ISO standardization. In contrast to its cryptographic properties, the implementation properties of GOST have attracted little interest, although its Feistel structure and the operations of its round function are well suited for hardware implementations. Our post-synthesis figures show that an ASIC implementation of GOST with a key length of 256 bits requires only 800 GE, which makes this implementation well suited for low-cost passive RFID tags. As a further optimization, using one carefully selected S-box instead of 8 different ones (which is still fully compliant with the standard specifications!) reduces the area requirement to 651 GE.


Keywords: lightweight cryptography, ASIC, GOST



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
