Abstract
The block cipher GOST 28147-89 was the Russian Federation encryption standard for over 20 years, and is still one of its two standard block ciphers. GOST is a 32-round Feistel construction, whose security benefits from the fact that the S-boxes used in the design are kept secret. In the last 10 years, several attacks on the full 32-round GOST were presented. However, they all assume that the S-boxes are known. When the S-boxes are secret, all published attacks either target a small number of rounds, or apply for small sets of weak keys.
In this paper we present the first practical-time attack on GOST with secret S-boxes. The attack works in the related-key model and is faster than all previous attacks in this model which assume that the S-boxes are known. The complexity of the attack is less than \(2^{27}\) encryptions. It was fully verified, and runs in a few seconds on a PC. The attack is based on a novel type of related-key differentials of GOST, inspired by local collisions.
Our new technique may be applicable to certain GOST-based hash functions as well. To demonstrate this, we show how to find a collision on a Davies-Meyer construction based on GOST with an arbitrary initial value, in less than \(2^{10}\) hash function evaluations.
O. Dunkelman—Supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through grants No. 880/18 and 3380/19.
N. Keller and A. Weizmann—Supported by the European Research Council under the ERC starting grant agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.
A. Weizmann—Supported by the President Scholarship for Ph.D. students at the Bar-Ilan University.
Notes
1. While the focus of this paper is on GOST with secret S-boxes, we note that in the known S-box setting, a related-key attack with complexity of \(2^{16}\) chosen plaintexts and less than \(2^{20}\) encryptions can be obtained by using the probability-one 25-round related-key differential characteristic with input difference \((e_{31},0,e_{31},0,e_{31},0,e_{31},0)\) and key difference \((e_{31},0)\) used in [24] and extending it to almost the entire cipher in a truncated manner, as was done in [2]. As the description of the attack includes many fine details and is of less interest, we omit it here.
2. The somewhat nonstandard notations used here follow the notations presented in the up-to-date official document describing GOST [15].
3. If a differential of the form \(8\xrightarrow {p}0\) is satisfied, then an even stronger 1-round iterative differential characteristic of GOST can be constructed, as is described in Sect. 3.4. We note that the existence of such a transition implies that the S-boxes are not bijective, but the official document describing GOST [16] permits using such S-boxes.
4. We alert the reader that this algorithm differs from (and is much simpler than) the algorithm presented in [18]. The reason for the difference is that in our case we know the inputs to the S-box and the output differences, while the algorithm of [18] assumes only knowledge of the input and output differences.
5. We note that while we can use the same strategy to obtain 256 pairs of known input values with known output differences for \(S_6\) as well, it turns out that due to addition carries, many of these pairs are equal and so we do not obtain enough information for recovering this S-box. Instead, we recover it at a later stage.
6. Although theoretically \(S_4\) depends on the 24 least significant bits of \(K_1\), our experiments show that in most of the cases the same S-box is suggested by all the remaining keys. We thus use the S-box \(S_4\) of the first remaining key.
7. Although \(S_2\) depends on the 12 least significant bits of \(K_1\), since only about 1.2 keys remain out of \(2^{24}\) possible values of the 24 least significant bits of \(K_1\), we assume that the S-box \(S_2\) suggested by all remaining keys is the same. This assumption was verified experimentally. We thus use the S-box \(S_2\) suggested by the first remaining key.
8. We remind the reader that the GOST hash function uses 4 parallel applications of the GOST block cipher, has a 256-bit chaining value and a 256-bit message block. See more details in Sect. 5.2.
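The two S-box-level facts that Notes 1 and 3 rely on, checked in an added Python example that is not part of the paper or of any GOST implementation: the S-box tables, the nibble ordering and the function names are constructed for illustration, while the round function follows the GOST structure (subkey addition mod \(2^{32}\), eight 4-bit S-boxes, rotation left by 11). It shows why a difference \(e_{31}\) in both the input half and the subkey cancels with probability one before the S-boxes, and why an \(8 \rightarrow 0\) transition in a DDT certifies a non-bijective S-box.

```python
from typing import List, Sequence

MASK32 = 0xFFFFFFFF
E31 = 1 << 31  # the difference e_31: a single set bit in the most significant position

# Constructed sample 4-bit S-boxes (not an official GOST/Magma set).
# BIJECTIVE_SBOX is a permutation of 0..15; NONBIJECTIVE_SBOX is the same
# table with S(8) overwritten by S(0), so the inputs 0 and 8 collide.
BIJECTIVE_SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
NONBIJECTIVE_SBOX = BIJECTIVE_SBOX[:8] + [BIJECTIVE_SBOX[0]] + BIJECTIVE_SBOX[9:]

def ddt(sbox: Sequence[int]) -> List[List[int]]:
    """Difference distribution table: ddt[din][dout] counts x with S(x) ^ S(x ^ din) == dout."""
    table = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for din in range(16):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table

def transition_probability(sbox: Sequence[int], din: int, dout: int) -> float:
    """Probability p of the differential din -> dout through one 4-bit S-box."""
    return ddt(sbox)[din][dout] / 16

def is_bijective(sbox: Sequence[int]) -> bool:
    return sorted(sbox) == list(range(16))

def nonzero_to_zero_transitions(sbox: Sequence[int]) -> List[int]:
    """Input differences din != 0 that can map to output difference 0.
    Any such din means two inputs share an output, i.e. the S-box is not bijective (Note 3)."""
    table = ddt(sbox)
    return [din for din in range(1, 16) if table[din][0] > 0]

def gost_round(x: int, k: int, sboxes: Sequence[Sequence[int]]) -> int:
    """GOST-style round function: add the 32-bit subkey mod 2^32, pass each nibble
    (least significant first in this example) through its S-box, rotate left by 11."""
    t = (x + k) & MASK32
    y = 0
    for i in range(8):
        y |= sboxes[i][(t >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32

def msb_difference_cancels(x: int, k: int, sboxes: Sequence[Sequence[int]]) -> bool:
    """Mechanism behind the probability-one related-key characteristic of Note 1:
    x ^ e31 == x + 2^31 (mod 2^32), so flipping the MSB of both input and subkey adds
    2^32 to the sum, which the modular addition discards; the S-boxes see no difference."""
    return gost_round(x ^ E31, k ^ E31, sboxes) == gost_round(x, k, sboxes)
```

Flipping the MSB of the input alone (no key difference) does reach the top S-box as input difference 8, which is exactly where the Note 3 transition would matter.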
References
Ashur, T., Bar-On, A., Dunkelman, O.: Cryptanalysis of GOST2. IACR Trans. Symmetric Cryptol. 2017(1), 203–214 (2017)
Bar-On, A., Biham, E., Dunkelman, O., Keller, N.: Efficient slide attacks. J. Cryptol. 31(3), 641–670 (2018)
Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994)
Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_18
Biham, E., Chen, R., Joux, A.: Cryptanalysis of SHA-0 and reduced SHA-1. J. Cryptol. 28(1), 110–160 (2015)
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
Biryukov, A., Nikolić, I.: Complementing Feistel ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 3–18. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_1
Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_18
Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055720
Courtois, N.: An improved differential attack on full GOST - extended version. IACR Cryptology ePrint Archive, 2012/138 (2012)
Courtois, N.T.: An improved differential attack on full GOST. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 282–303. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_18
Dinur, I., Dunkelman, O., Shamir, A.: Improved attacks on full GOST. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 9–28. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_2
Dmukh, A., Dygin, D., Marshalko, G.: A lightweight-friendly modification of GOST block cipher. IACR Cryptology ePrint Archive, 2015/65 (2015)
Dmukh, A., Trifonov, D., Chookhno, A.: Modification of the key schedule of the 2-GOST block cipher and its implementation on FPGA. J. Comput. Virol. Hacking Tech. 18(1), 49–59 (2022)
Dolmatov, V., Baryshkov, D.: RFC 8891, GOST R 34.12-2015: Block cipher “Magma” (2020). https://www.ietf.org/rfc/rfc8891.pdf
Dolmatov, V.: RFC 5830, GOST 28147-89: encryption, decryption, and message authentication code (MAC) algorithms (2010). https://www.rfc-editor.org/rfc/rfc5830.html
Dolmatov, V.: RFC 5831, GOST R 34.11-94: hash function algorithm (2010). https://datatracker.ietf.org/doc/html/rfc5831
Dunkelman, O., Huang, S.: Reconstructing an S-box from its difference distribution table. IACR Trans. Symmetric Cryptol. 2019(2), 193–217 (2019)
Frieze, A., Karoński, M.: Introduction to Random Graphs. Cambridge University Press (2015)
Isobe, T.: A single-key attack on the full GOST block cipher. J. Cryptol. 26(1), 172–189 (2013)
Kelsey, J., Schneier, B., Wagner, D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_19
Kim, J., Hong, S., Preneel, B., Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks: theory and experimental analysis. IEEE Trans. Inf. Theor. 58(7), 4948–4966 (2012)
Knudsen, L.R.: Cryptanalysis of LOKI 91. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 196–208. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_62
Ko, Y., Hong, S., Lee, W., Lee, S., Kang, J.-S.: Related key differential attacks on 27 rounds of XTEA and full-round GOST. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 299–316. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_19
Mendel, F., Pramstaller, N., Rechberger, C.: A (Second) preimage attack on the GOST hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 224–234. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_14
Mendel, F., Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J.: Cryptanalysis of the GOST hash function. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 162–178. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_10
Pudovkina, M.A., Khoruzenko, G.I.: An attack on the GOST 28147-89 block cipher with 12 related keys. Math. Aspect. Crypt. (Russ.) 4(2), 127–152 (2013)
Pudovkina, M.: A related-key attack on block ciphers with weak recurrent key schedules. In: Garcia-Alfaro, J., Lafourcade, P. (eds.) FPS 2011. LNCS, vol. 6888, pp. 90–101. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27901-0_8
Rudskoy, V.: On zero practical significance of “Key recovery attack on full GOST block cipher with zero time and memory”. IACR Cryptology ePrint Archive, 2010/111 (2010)
Saarinen, M.J.: A chosen key attack against the secret S-boxes of GOST. IACR Cryptology ePrint Archive, 2019/540 (1998)
Schneier, B.: Applied Cryptography, 2nd edn. Wiley (1996)
Seki, H., Kaneko, T.: Differential cryptanalysis of reduced rounds of GOST. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 315–323. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44983-3_23
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19
Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_2
Zhao, X., et al.: Algebraic fault analysis on GOST for key recovery and reverse engineering. In: Proceedings of FDTC 2014, pp. 29–39. IEEE Computer Society (2014)
© 2023 International Association for Cryptologic Research
Dunkelman, O., Keller, N., Weizmann, A. (2023). Practical-Time Related-Key Attack on GOST with Secret S-Boxes. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_7
DOI: https://doi.org/10.1007/978-3-031-38548-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38547-6
Online ISBN: 978-3-031-38548-3