
Practical-Time Related-Key Attack on GOST with Secret S-Boxes

  • Conference paper
  • Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14083)

Abstract

The block cipher GOST 28147-89 was the Russian Federation encryption standard for over 20 years, and is still one of its two standard block ciphers. GOST is a 32-round Feistel construction, whose security benefits from the fact that the S-boxes used in the design are kept secret. In the last 10 years, several attacks on the full 32-round GOST were presented. However, they all assume that the S-boxes are known. When the S-boxes are secret, all published attacks either target a small number of rounds, or apply for small sets of weak keys.

In this paper we present the first practical-time attack on GOST with secret S-boxes. The attack works in the related-key model and is faster than all previous attacks in this model which assume that the S-boxes are known. The complexity of the attack is less than \(2^{27}\) encryptions. It was fully verified, and runs in a few seconds on a PC. The attack is based on a novel type of related-key differentials of GOST, inspired by local collisions.

Our new technique may be applicable to certain GOST-based hash functions as well. To demonstrate this, we show how to find a collision on a Davies-Meyer construction based on GOST with an arbitrary initial value, in less than \(2^{10}\) hash function evaluations.

O. Dunkelman—Supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through grants No. 880/18 and 3380/19.

N. Keller and A. Weizmann—Supported by the European Research Council under the ERC starting grant agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.

A. Weizmann—Supported by the President Scholarship for Ph.D. students at the Bar-Ilan University.


Notes

  1. While the focus of this paper is on GOST with secret S-boxes, we note that in the known S-box setting, a related-key attack with complexity of \(2^{16}\) chosen plaintexts and less than \(2^{20}\) encryptions can be obtained by using the probability-one 25-round related-key differential characteristic with input difference \((e_{31},0,e_{31},0,e_{31},0,e_{31},0)\) and key difference \((e_{31},0)\) used in [24] and extending it to almost the entire cipher in a truncated manner, like was done in [2]. As the description of the attack includes many fine details and is of less interest, we omit it here.

  2. The somewhat nonstandard notations used here follow the notations presented in the up-to-date official document describing GOST [15].

  3. If a differential of the form \(8\xrightarrow {p}0\) is satisfied, then an even stronger 1-round iterative differential characteristic of GOST can be constructed, as is described in Sect. 3.4. We note that the existence of such a transition implies that the S-boxes are not bijective, but the official document describing GOST [16] permits using such S-boxes.

  4. We alert the reader that this algorithm is different (and much simpler) than the algorithm presented in [18]. The reason for the difference is that in our case we know the inputs to the S-box and the output differences, while the algorithm of [18] assumes only knowledge of the input and output differences.

  5. We note that while we can use the same strategy to obtain 256 pairs of known input values with known output differences for \(S_6\) as well, it turns out that due to addition carries, many of these pairs are equal and so we do not obtain enough information for recovering this S-box. Instead, we recover it at a later stage.

  6. Although theoretically \(S_4\) depends on the 24 least significant bits of \(K_1\), our experiments show that in most of the cases the same S-box is suggested by all the remaining keys. We thus use the S-box \(S_4\) of the first remaining key.

  7. Although \(S_2\) depends on the 12 least significant bits of \(K_1\), since only about 1.2 keys remain out of \(2^{24}\) possible values of the 24 least significant bits of \(K_1\), we assume that the S-box \(S_2\) suggested by all remaining keys is the same. This assumption was verified experimentally. We thus use the S-box \(S_2\) suggested by the first remaining key.

  8. We remind the reader that the GOST hash function uses 4 parallel applications of the GOST block cipher, has a 256-bit chaining value and a 256-bit message block. See more details in Sect. 5.2.
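As an added illustration of the situation in notes 4 and 5 (this is demo code written for this page, not the paper's algorithm): when the inputs to a 4-bit S-box and the corresponding output XOR differences are known, the known values propagate along pairs, the S-box is determined only up to XOR with a constant, and recovery fails exactly when the pairs do not connect all 16 inputs, as happens when many pairs coincide. The secret S-box value and the pair generators are constructed for the demo.

```python
from collections import deque
from random import Random

SECRET = [4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3]  # arbitrary 4-bit permutation (demo value)

def sbox_from_pairs(pairs, n_bits=4):
    """Rebuild S from triples (x, x2, d) with d == S[x] ^ S[x2].
    Differences fix S only up to XOR with a constant, so S[0] is pinned to 0;
    entries not reachable from input 0 stay None and are listed in `missing`."""
    size = 1 << n_bits
    adj = {x: [] for x in range(size)}
    for x, x2, d in pairs:
        adj[x].append((x2, d))
        adj[x2].append((x, d))
    s = [None] * size
    s[0] = 0
    queue = deque([0])
    while queue:                      # breadth-first propagation of known values
        x = queue.popleft()
        for x2, d in adj[x]:
            val = s[x] ^ d
            if s[x2] is None:
                s[x2] = val
                queue.append(x2)
            elif s[x2] != val:        # contradicting pairs: wrong key guess or bad data
                raise ValueError(f"inconsistent pairs at input {x2:#x}")
    missing = [x for x in range(size) if s[x] is None]
    return s, missing

def same_up_to_constant(cand, sbox):
    """True if cand == sbox XOR c for a single constant c (all entries recovered)."""
    c = cand[0] ^ sbox[0]
    return all(v is not None and v ^ sbox[x] == c for x, v in enumerate(cand))

def random_pairs(sbox, n_pairs, seed=2023):
    """n_pairs (x, x2, S[x]^S[x2]) triples with independently random inputs."""
    rng = Random(seed)
    xs = [(rng.randrange(16), rng.randrange(16)) for _ in range(n_pairs)]
    return [(x, x2, sbox[x] ^ sbox[x2]) for x, x2 in xs]

def lsb_only_pairs(sbox):
    """Degenerate data: all pairs differ only in the low bit, so the pair graph splits into 8 components."""
    return [(x, x ^ 1, sbox[x] ^ sbox[x ^ 1]) for x in range(16)]

if __name__ == "__main__":
    s, missing = sbox_from_pairs(random_pairs(SECRET, 256))
    print("256 random pairs:", "recovered" if not missing else f"missing {missing}")
    s2, missing2 = sbox_from_pairs(lsb_only_pairs(SECRET))
    print("LSB-only pairs: unrecovered entries =", len(missing2))
```

With 256 independently chosen pairs the whole S-box is recovered up to a constant; with pairs that only ever differ in one bit, 14 of the 16 entries remain unknown, which is the kind of shortfall note 5 describes.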

References

  1. Ashur, T., Bar-On, A., Dunkelman, O.: Cryptanalysis of GOST2. IACR Trans. Symmetric Cryptol. 2017(1), 203–214 (2017)

  2. Bar-On, A., Biham, E., Dunkelman, O., Keller, N.: Efficient slide attacks. J. Cryptol. 31(3), 641–670 (2018)

  3. Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994)

  4. Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_18

  5. Biham, E., Chen, R., Joux, A.: Cryptanalysis of SHA-0 and reduced SHA-1. J. Cryptol. 28(1), 110–160 (2015)

  6. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)

  7. Biryukov, A., Nikolić, I.: Complementing Feistel ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 3–18. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_1

  8. Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_18

  9. Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055720

  10. Courtois, N.: An improved differential attack on full GOST - extended version. IACR Cryptology ePrint Archive, 2012/138 (2012)

  11. Courtois, N.T.: An improved differential attack on full GOST. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 282–303. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_18

  12. Dinur, I., Dunkelman, O., Shamir, A.: Improved attacks on full GOST. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 9–28. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_2

  13. Dmukh, A., Dygin, D., Marshalko, G.: A lightweight-friendly modification of GOST block cipher. IACR Cryptology ePrint Archive, 2015/65 (2015)

  14. Dmukh, A., Trifonov, D., Chookhno, A.: Modification of the key schedule of the 2-GOST block cipher and its implementation on FPGA. J. Comput. Virol. Hacking Tech. 18(1), 49–59 (2022)

  15. Dolmatov, V., Baryshkov, D.: RFC 8891, GOST R 34.12-2015: Block cipher “Magma” (2020). https://www.ietf.org/rfc/rfc8891.pdf

  16. Dolmatov, V.: RFC 5830, GOST 28147-89: encryption, decryption, and message authentication code (MAC) algorithms (2010). https://www.rfc-editor.org/rfc/rfc5830.html

  17. Dolmatov, V.: RFC 5831, GOST R 34.11-94: hash function algorithm (2010). https://datatracker.ietf.org/doc/html/rfc5831

  18. Dunkelman, O., Huang, S.: Reconstructing an S-box from its difference distribution table. IACR Trans. Symmetric Cryptol. 2019(2), 193–217 (2019)

  19. Frieze, A., Karoński, M.: Introduction to Random Graphs. Cambridge University Press (2015)

  20. Isobe, T.: A single-key attack on the full GOST block cipher. J. Cryptol. 26(1), 172–189 (2013)

  21. Kelsey, J., Schneier, B., Wagner, D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_19

  22. Kim, J., Hong, S., Preneel, B., Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks: theory and experimental analysis. IEEE Trans. Inf. Theor. 58(7), 4948–4966 (2012)

  23. Knudsen, L.R.: Cryptanalysis of LOKI 91. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 196–208. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_62

  24. Ko, Y., Hong, S., Lee, W., Lee, S., Kang, J.-S.: Related key differential attacks on 27 rounds of XTEA and full-round GOST. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 299–316. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_19

  25. Mendel, F., Pramstaller, N., Rechberger, C.: A (Second) preimage attack on the GOST hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 224–234. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_14

  26. Mendel, F., Pramstaller, N., Rechberger, C., Kontak, M., Szmidt, J.: Cryptanalysis of the GOST hash function. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 162–178. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_10

  27. Pudovkina, M.A., Khoruzenko, G.I.: An attack on the GOST 28147-89 block cipher with 12 related keys. Math. Aspect. Crypt. (Russ.) 4(2), 127–152 (2013)

  28. Pudovkina, M.: A related-key attack on block ciphers with weak recurrent key schedules. In: Garcia-Alfaro, J., Lafourcade, P. (eds.) FPS 2011. LNCS, vol. 6888, pp. 90–101. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27901-0_8

  29. Rudskoy, V.: On zero practical significance of “Key recovery attack on full GOST block cipher with zero time and memory”. IACR Cryptology ePrint Archive, 2010/111 (2010)

  30. Saarinen, M.J.: A chosen key attack against the secret S-boxes of GOST. IACR Cryptology ePrint Archive, 2019/540 (1998)

  31. Schneier, B.: Applied Cryptography, 2nd edn. Wiley (1996)

  32. Seki, H., Kaneko, T.: Differential cryptanalysis of reduced rounds of GOST. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 315–323. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44983-3_23

  33. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19

  34. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_2

  35. Zhao, X., et al.: Algebraic fault analysis on GOST for key recovery and reverse engineering. In: Proceedings of FDTC 2014, pp. 29–39. IEEE Computer Society (2014)

Corresponding author: Orr Dunkelman


© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Dunkelman, O., Keller, N., Weizmann, A. (2023). Practical-Time Related-Key Attack on GOST with Secret S-Boxes. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_7


  • DOI: https://doi.org/10.1007/978-3-031-38548-3_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3
