1 Introduction

Most modern block ciphers are constructed as a cascade of repeated keyed components, called rounds. The effectiveness of the standard cryptanalytic techniques (e.g., differential cryptanalysis [5], linear cryptanalysis [38], Square attack [16]) usually reduces drastically as the number of rounds increases. Hence, increasing the number of rounds is considered a relatively simple way to enhance the cipher’s security.

Only a few cryptanalytic techniques are independent of the number of rounds. Arguably, the best known of these is the slide attack, introduced in 1999 by Biryukov and Wagner [10].Footnote 1 The original slide attack targets ciphers that are a cascade of \(\ell \) identical functions, i.e.,

$$\begin{aligned} E_k=f_k^\ell =f_k \circ f_k \circ \cdots \circ f_k, \end{aligned}$$

where \(f_k\) is a “relatively weak” keyed permutation.

The idea behind the attack is rather simple. The adversary seeks to find a slid pair, a pair \((P,P')\) of plaintexts such that \(P'=f_k(P)\), as demonstrated in Fig. 1. Due to the structure of \(E_k\), the corresponding ciphertexts \(C=E_k(P),C'=E_k(P')\) must satisfy \(C' = f_k(C)\). Hence, if a slid pair \((P,P')\) is given, the adversary can use the “simplicity” of \(f_k\) to solve the system of equations:

$$\begin{aligned} \begin{aligned} \left\{ \begin{array}{c l} P' = f_k(P), \\ C' = f_k(C), \end{array} \right. \end{aligned} \end{aligned}$$
(1)

and thus to retrieve the secret key k.

Fig. 1
figure 1

A slid pair

Full size image

As the adversary does not know which plaintext pair is a slid pair, she simply takes \(O(2^n)\) random pairs (that can be constructed from \(O(2^{n/2})\) known plaintexts) and tries to solve (1) for each of them. It is expected that at least one of the checked pairs is a slid pair, and then the solution of (1) yields the secret key with a high probability. (For all but a few other plaintext pairs, the equation system is expected to be inconsistent.) The data complexity of the attack is \(O(2^{n/2})\) known plaintexts and the time complexity is \(O(t \cdot 2^n)\), where t is the time required for solving system (1) (that is, to break \(f_k\) given two known input/output pairs).

The original slide attack can be used only when \(f_k\) is “simple,” i.e., can be broken efficiently using only two known input/output pairs. Subsequent papers (e.g., [11, 25]) provided methods to apply the technique in cases where \(f_k\) is more complex, usually at the expense of higher data and time complexities (or when the attacked cipher has a very unique structure).

The slide attack was studied in numerous papers (e.g., [1, 11, 18, 21]) and applied to a few ciphers (most notably, the block cipher Keeloq [1]) and a few hash functions (see [28]). However, its applicability has been limited, as the time complexity of \(O(t \cdot 2^n)\) is usually impractically high, and in many cases even higher than that of exhaustive key search.

Only a few general scenarios are known in which the slide attack, or its variants, have time complexity significantly smaller than \(2^n\). Usually, this happens when there exists an efficient way to detect the slid pairs, so that the adversary does not have to check \(O(2^n)\) random plaintext pairs until a slid pair is found. These scenarios include Feistel constructions with 2-round and 4-round self-similarity (i.e., with round keys of the forms \((k_1,k_2,k_1,k_2,\ldots )\) and \((k_1,k_2,k_3,k_4,k_1,k_2,k_3,k_4,\ldots )\), respectively), possibly surrounded by key whitenings (see [11, 18]), the Even-Mansour [22] construction (i.e., \(E_{k_1,k_2}(P)=k_2 \oplus f(k_1 \oplus P)\), where f is a public permutation and \(k_1,k_2\) are secret keys) and some of its variants (see [21]).

In this paper, we concentrate on efficient slide attacks, that is, slide attacks with complexity lower than \(2^n\). We present four new classes of attacks:

1. Efficient slide attacks on SP Networks (SPNs) with self-similarity. We present, for the first time, efficient slide attacks on SPNs with self-similarity (this is in contrast to Feistel constructions with self-similarity that were studied in numerous works, see below).

Consider 1K-AES, a variant of AES [17] in which all round subkeys are replaced by the same subkey (with no round constants). It seems clear that this variant is “bad,” being vulnerable to the slide attack. However, the classical slide attack on it requires \(2^{64}\) known plaintexts and has a time complexity of \(2^{128}\) encryptions—no less than exhaustive key search! This raises the question whether the slide attack is really a threat for this variant.

We present a simple efficient slide attack on this variant with data and time complexities of \(2^{64}\), confirming the intuition that it is completely insecure. Our attack applies to a wide class of SP networks with 1-round self-similarity, yielding an attack with data and time complexities of \(O(2^{n/2})\). We also show that in the specific case of AES, one can also break 2K-AES and 3K-AES much with an efficient slide attack, using the somewhat slow diffusion of the linear permutation of AES.

In addition, we study the more general class of SASA...SA structures [9] with 1-round self-similarity. We show that when the linear layer A is known (like in the secret S-boxes variant of AES [44]), the cipher can be broken in \(O(s \cdot 2^s \cdot 2^{n/2})\) data and time, when the S-box size is s bits.

2. An efficient attack on Feistel constructions with 3-round self-similarity. We consider slide attacks on Feistel constructions with self-similarity, following [11, 18, 21, 35, 36]. While the slide-with-a-twist attack and its variants provide very efficient attacks on Feistels with 2-round and 4-round self-similarity, it appears that they do not yield an attack faster than \(2^n\) on constructions with 3-round self-similarity. We present the first known attack faster than \(2^n\) on a wide class of such constructions, with data and time complexities of \(O(2^{5n/6})\) and memory complexity of \(O(2^{2n/3})\). Specifically, our attack is applicable for all so-called Feistel-2 structures [32], i.e., when the round function is of the form \(f_k(x) = g(x \oplus k)\) for some keyless function \(g(\cdot )\).

When the round function \(f_k(x)\) is more structured (specifically, for all Feistel-3 structures, including a 3-round self-similar variant of DES itself), we present an improved attack that requires \(O((n/s) \cdot 2^{n/2})\) adaptive chosen plaintexts and \(O((n/s) \cdot 2^{n/2+s})\) time, when the S-box size is s bits.

3. A slide attack using the cycle structure of \(f_k\); application to 24-round GOST. We present a new variant of the slide attack that finds the slid pairs directly using comparison between the cycle structures of \(E_k\) and \(f_k\). While the data and time complexities of the attack are close to \(2^n\), it applies even if \(f_k\) is very complex (in which case a standard slide attack, if at all possible, would have time complexity significantly higher than \(2^n\)). We apply the new technique to a 24-round variant of the Russian encryption standard GOST [29] with unknown S-boxes. Our attack recovers the secret S-boxes and the secret key with data and time complexity of about \(2^{63}\). A slide attack on the same variant can be mounted using Furuya’s technique [25]; however, it would require the entire codebook and time complexity of about \(2^{100}\) encryptions. We note that similar ideas can be used in the case where the encryption algorithm is implemented by a quantum computing device, where one can use Simon’s algorithm to find the cycle efficiently (as observed in [2, 34]).

Table 1 Comparison of our attacks with the best previously known results on the same variants
Full size table

4. An efficient slide attack using the cycle structure and reflection; application to a 128-bit key variant of GOST. We show that in cases where the round keys of a Feistel cipher are palindromic, our cycle-structure attack can be combined with a reflection property (see [35, 36]) into a powerful attack with data and time complexity of only \(O(2^{n/2})\). We apply the new attack to a 128-bit key variant of GOST in which the “full” 256-bit key has the palindromic structure \((k_1,k_2,k_3,k_4,k_4,k_3,k_2,k_1)\). While weaknesses of this variant were pointed out in previous works (e.g., [11]), the best known attack on it, presented by Courtois [14], is rather complex and has time complexity of \(2^{91}\), when the S-boxes are known to the adversary. Our attack breaks this variant with practical complexity of \(2^{40}\), even if the S-boxes are secret.

Thus, our attack can be used to target the original GOST by a legitimate user who wants to recover the secret S-boxes she was provided (which may be profitable, as in GOST, the same set of S-boxes is used in an entire industry, e.g., the banking industry, see [42]). If the user is allowed to choose her secret key, she may choose it to be palindromic and then recover the secret S-boxes practically using our attack. An S-box recovery attack of this class was presented by Saarinen [41], but only for keys of the form (kkkkkkkk) for which GOST is a Feistel construction with 1-round self-similarity (which is widely known to be too weak).

A comparison of our results with the best previous results on the same variants is presented in Table 1.

This paper is organized as follows. In Sect. 2, we present efficient slide attacks on SPNs with self-similarity. In Sect. 3, we present the new attack on \(3K-DES\). The cycle-structure attacks are presented in Sect. 4. Finally, the applications to variants of GOST are given in Sect. 5.

2 Efficient Slide Attacks on Substitution-Permutation Networks with Self-Similarity

In this section, we study efficient slide attacks on SP networks (SPNs) with r-round self-similarity. A specific example is a variant of the encryption standard AES [17] in which the round keys are replaced by the sequence \(k_1, k_2, \ldots , k_r, k_1,k_2,\ldots , k_r,\ldots \), that may be called rK-AES. Unlike Feistel constructions with self-similarity that have been thoroughly studied in the context of slide attacks (see Sect. 3 below), SPNs with self-similarity have not been studied specifically in previous works. Probably, the reason for that is rK-AES being much more immune to slide attacks than rK-DES.

We present several efficient slide attacks on instances of rK-AES. First, in the simplest case of 1-round self-similarity (i.e., 1K-AES), we present a simple efficient slide attack with data and time complexities of \(2^{64}\) (or, more generally, \(2^{n/2}\) for n-bit blocks). We then turn our attention to a more complex type of 1-round self-similarity represented by so-called SASA...SA structures (as defined in [9]), either with a known linear layer or even with a key-dependent linear layer. Finally, in the specific case of AES-like structures, we present efficient attacks on variants with 2-round and even 3-round self-similarity, exploiting the slow diffusion of the AES round function.

2.1 A Simple Efficient Slide Attack on 1K-AES

2.1.1 The Structure of 1K-AES

The AES [17] is the most widely used block cipher. We briefly recall a few details that are relevant to our attack (the interested reader can look at [17] for a complete description). The block size of AES is 128 bits, and the key sizes are 128/192/256 bits. AES is an iterated cipher composed of 10/12/14 almost identical rounds. Each round consists of four operations: SubBytes (SB), ShiftRows (SR), MixColumns (MC)—operations on the state that do not depend on the key, followed by AddRoundKey (ARK)—bitwise XOR of the state with a 128-bit subkey. In the real AES, there is an additional AddRoundKey operation before the first round, and the MC operation is omitted in the last round. We define 1K-AES to have a similar structure (with a whitening key before the first round) but the same round key in all rounds, as depicted in Fig. 2. Thus,

$$\begin{aligned} E_k(P) = f_k \circ f_k \circ \cdots \circ f_k (P \oplus k), \end{aligned}$$

where \(f_k(x) = ARK _k \circ MC \circ SR \circ SB \) denotes a single round of AES. We claim that \(E_k\) can be broken with \(2^{64}\) known plaintexts and \(2^{64}\) time, using a simple variant of the slide attack.

Fig. 2
figure 2

Structure of 1K-AES

Full size image

2.1.2 The Attack Algorithm

The idea behind the attack is simple. Assume that \((P,P')\) is a slid pair for \(E_k\), i.e., that \(f_k(P \oplus k)=P' \oplus k\). We have \(P = k \oplus ( SB ^{-1} \circ SR ^{-1} \circ MC ^{-1}(P'))\). Hence, denoting \(\bar{P'} = SB^{-1} \circ SR ^{-1} \circ MC ^{-1}(P')\), we have

$$\begin{aligned} P \oplus \bar{P'} = k. \end{aligned}$$
(2)

On the other hand, by the structure of E, the corresponding ciphertexts must satisfy \(C'= k \oplus (MC \circ SR \circ SB (C))\). Thus, denoting \(\bar{C} = MC \circ SR \circ SB (C)\), we have

$$\begin{aligned} C' \oplus \bar{C} = k. \end{aligned}$$
(3)

Combining (2) and (3), we get

$$\begin{aligned} P \oplus \bar{C} = \bar{P'} \oplus C'. \end{aligned}$$
(4)

This relation allows to mount the attack described in Algorithm 1, inspired by the slide-with-a-twist attack of [11]. We note that similar observations were used in the attack of Jean et al. on the PRINCE block cipher [33] and in [21].

figure a

By the birthday paradox, it is expected that the data set contains a slid pair, i.e., a pair satisfying \(f_k(P_i)=P_j\), with a non-negligible probability. For a random pair \((P_i,P_j)\), the probability that \(P_i \oplus \bar{C_i} = \bar{P_j} \oplus C_j\) is \(2^{-128}\), and thus, only a few collisions are expected in the table. These collisions include the collision induced by the slid pair, which suggests the correct value of k. The data complexity of the attack is \(2^{64}\) known plaintexts, and the time and memory complexities are \(2^{64}\) operations, as asserted.

We note that the collision we are looking for is of the form \(P_i \oplus \bar{C_i} = \bar{P_j} \oplus C_j\). Given that each side of the equation depends on a single plaintext/ciphertext pair, one can easily transform the attack into a memoryless one, as follows:

Define \(g_1(P_i) = P_i \oplus \bar{C_i}\) and \(g_2(P_j) = \bar{P_j} \oplus C_j\). Use a memoryless collision finding algorithm (such as [24]) to find a collision between \(g_1(\cdot )\) and \(g_2(\cdot )\). As such algorithms take about \(O(2^{n/2})\) queries to \(g_1(\cdot )\) and \(g_2(\cdot )\), the time complexity of the attack is \(O(2^{n/2})\). The main change is that the data requirement becomes an adaptive chosen plaintext one (following the way memoryless collision algorithms operate), in exchange for the reduction of the memory complexity.

The attack applies to any SPN with 1-round self-similarity in which the key-dependent operation is XOR or modular addition, regardless of the non-key-dependent operations. The data and time complexities remain the same — \(O(2^{n/2})\).

2.2 An Efficient Slide Attack on SASA...SA

We now turn our attention to the more general SPN structures known as the SASA...SA constructions. First analyzed by Biryukov and Shamir in [9], such constructions have layers of bijective nonlinear S-boxes S (the S-boxes may be different) followed by invertible affine layers A. Both types of layers may be key-dependent. General SASA...SA constructions (without self-similarity) were recently studied in several papers, for example [6, 7, 39]. We consider SASA...SA constructions with 1-round self-similarity, i.e., where the same combination \(A \circ S\) is applied r times sequentially. The generic attack of Algorithm 1 obviously cannot be applied to this constructions, due to the complex key-dependent operations.

We first consider the case when the A layer is not key-dependent (like in the AES variant studied in [44]) and present a simple attack with data and time complexities of \(O(s \cdot 2^s \cdot 2^{n/2})\) for an s-bit S-box. We then extend the attack to the case when A is key-dependent, with data complexity of \(O(s \cdot 2^s \cdot 2^{n/2})\) and time complexity of \(O(n^3 \cdot 2^n)\). (The latter attack falls a bit out of our scope, requiring more than \(2^n\) operations. We chose to present it, as it uses similar techniques like the previous attacks and is much faster than the best one can get with a classical slide attack on the same variant.)

2.2.1 Attacking SASA...SA When A is Not Key-Dependent

Let \(P' = A \circ S(P)\), i.e., \((P,P')\) is a slid pair. As observed in [25], if \((P,P')\) is a slid pair, then so is \((E_k(P),E_k(P'))\), as well as \((E_k^i(P),E_k^i(P'))\) for any i. Hence, using adaptive plaintext queries, one can generate as many slid pairs as needed out of a single slid pair.

In the data collection phase of the attack, we take \(2^{n/2}\) plaintexts, and generate from each of them a sequence of plaintexts, i.e., \(P, E_k(P), E_k^2(P), E_k^3(P), \ldots , E_k^t (P)\) for a parameter t we shall choose later. Then, we detect the slid pairs \((P,P')\) (and their encryptions) efficiently using the following observation: If in the chain \(P, E_k(P), E_k^2(P), E_k^3(P), \ldots , E_k^t (P)\) the same value enters one of the S-boxes twice (e.g., in \(E_k^1(P)\) and \(E_k^8(P)\)), then the outputs of the respective S-boxes in the sequence generated by \(P'\) are equal (i.e., we have \(A^{-1}(E_k^1(P')) = A^{-1}(E_k^8(P'))\)). This observation allows an immediate identification of the slid pairs (without the need of comparing all sequences to all other sequences). After finding the slid pairs, the adversary obtains a large number of input/output pairs for each of the S-boxes, which is sufficient to identify the S-boxes. The attack is depicted in Algorithm 2.

figure b

Footnote 2

The value of t depends on two factors: The length of the chains required to ensure that enough collisions exist, and the length of the chains required to ensure that we can recover the full S-box. A pair of chains of length t contains t pairs of plaintexts \((E_k^a(P_i),E_k^a(P_j))\), each with n / s S-boxes that can collide. As we have to obtain an n-bit filtering condition, and as each collision offers an s-bit filtering condition, we need \(t\cdot \frac{n}{s} \cdot 2^{-s} \ge \frac{n}{s}\), i.e., \(t\ge 2^{s}\). At the same time, obtaining \(2^s\) different inputs to each and every S-box (where the inputs are chosen at random), requires \(\ln 2 \cdot s \cdot 2^s\) inputs (due to the coupon collector’s nature of the problem), i.e., we need \(t = O(s\cdot 2^s)\). Therefore, the data and time complexities of the attack are \(O(s \cdot 2^s \cdot 2^{n/2})\).

2.2.2 Attacking SASA...SA When A is Key-Dependent

In this case, we need to try all pairs of chains, as we cannot obtain direct access to the output of the S-boxes. To identify whether a candidate pair of chains is indeed slid, we use the above observation in a different way. Recall that when the inputs to the S-box are the same, then so are the outputs. This fact translates into an s-bit linear relation on the chain \(A^{-1}(P_i), A^{-1}(E_k(P_i)), A^{-2}(E_k^2(P_i)), \ldots \). Hence, for each pair of candidate chains, one can construct the relevant system of linear equations for \(A^{-1}\) and try to solve it. If the solution is consistent (by having a few more equal values, one can obtain an over-determined system of linear equations that is expected to be inconsistent for non-slid chains), one obtains the correct value of A, and then the S layer can be recovered like in the previous attack.

As there are \(2^n\) pairs of candidate chains, and as solving the set of n linear equations takes \(O(n^3)\) operations, the total time complexity of the attack is \(O(n^3 \cdot 2^n)\). The memory and data complexities are \(O(s \cdot 2^s \cdot 2^{n/2})\).

2.3 Efficient Slide Attack on Specific Instances of 2K-AES and 3K-AES

A slight modification of the above attack presented in Sect. 2.2 can be used to attack rK-AES with \(r>1\), if the diffusion in the linear layer is not full. We demonstrate it in the case of the AES, for which we can attack variants with 2-round and 3-round self-similarity. We denote these variants below by 2K-AES and 3K-AES and alert the reader that unlike the attack on 1K-AES presented in Sect. 2.1, these attacks do exploit the specific structure of the AES.

We start with an attack on 2K-AES. Consider a slid pair \((P,P')\) such that \(P' \oplus k_1 = ARK _{k_1} \circ MC \circ SR \circ SB \circ ARK _{k_2} \circ MC \circ SR \circ SB (P \oplus k_1)\). As the \( ARK _{k_1}\) on the right-hand side cancels out with the \(\oplus k_1\) on the left-hand side, the second round’s \( SB , SR , MC \) operations can be easily inverted, by computing \(\tilde{P'} = SB ^{-1} \circ SR ^{-1} \circ MC ^{-1}(P')\) and obtaining \(\tilde{P'} = ARK _{k_2} \circ MC \circ SR \circ SB (P \oplus k_1)\). Moreover, as \( MC \) and \( SR \) are linear operations which can be easily exchanged with the \( ARK \) operation (by applying the inverse operations to the key), \(\tilde{P'}\) can be rewritten as:

$$\begin{aligned} \tilde{P'} = MC \circ SR \circ ARK _{ SR ^{-1} \circ MC ^{-1}(k_2)} \circ SB \circ (P \oplus k_1). \end{aligned}$$

Hence, for a given \(P'\) we compute \(\bar{P'}\) defined as

$$\begin{aligned} \bar{P'} = SR ^{-1} \circ MC ^{-1} (\tilde{P'}) = SR ^{-1} \circ MC ^{-1} \circ SB^{-1} \circ SR ^{-1} \circ MC ^{-1}(P'). \end{aligned}$$

As a result, when \((P,P')\) is a slid pair (and thus, the chains that are generated from them are slid chains), two bytes with the same input in the chain of P must have the same output in the chain of \(\bar{P'}\). This immediately allows to apply Algorithm 2. Moreover, note that there is no need to recover the full S-box, as once the slid chain is found, it is trivial to extract \(k_1\) and \( SR ^{-1} \circ MC ^{-1}(k_2)\). Therefore, a slightly lower data/time complexity is needed for this attack: Only \(2^{69}\) adaptive chosen plaintext and ciphertext pairs are needed, as well as \(2^{69}\) time.

The attack on 3K-AES is similar in nature. Due to the additional round, instead of looking at equality in inputs and outputs from a single S-box (an 8-bit condition), we consider the AES’ super S-box (essentially, a column of 4 S-boxes). As a result, applying Algorithm 2 with 32-bit S-boxes results in data and time complexity of about \(2^{81}\).

3 Efficient Slide Attacks on Feistel Constructions with 3-round Self-Similarity

Historically, a main target of the slide attack and its generalizations have always been a Feistel construction with r-round self-similarity, i.e., whose sequence of round functions is \(f_1,f_2,\ldots ,f_r,f_1,f_2,\ldots ,f_r,\ldots \). A specific example is a variant of the former encryption standard DES [40] in which the round keys are replaced by the sequence \(k_1,k_2,\ldots ,k_r,k_1,k_2,\ldots , k_r,\ldots \) (where \(k_1,\ldots ,k_r\) are independent of each other), called in [10] rK-DES.

In [10], Biryukov and Wagner showed that 2K-DES (and more generally, a Feistel construction with n-bit blocks and 2-round self-similarity) can be broken with \(O(2^{n/2})\) adaptively chosen plaintexts and \(O(2^{n/2})\) time using the slide attack. In [11], Biryukov and Wagner presented the complementation slide and slide with a twist techniques and used them to break 2K-DES in \(O(2^{n/4})\) chosen plaintexts and \(O(2^{n/4})\) time, and also to break 4K-DES with the same complexity. In [21], Dunkelman et al. introduced the mirror slidex attack and used it to break 2K-DES surrounded by key whitenings in \(O(2^{n/2})\) known plaintexts and \(O(2^{n/2})\) time. Finally, Dinur et al. [18] were able to break 4K-DES surrounded by key whitenings in \(O(n \cdot 2^{n/2})\) known plaintexts and \(O(n \cdot 2^{n/2})\) time using enhanced reflection.

Fig. 3
figure 3

Structure of 3K-DES

Full size image

Neither of these attacks seems to apply to 3K-DES, i.e., a Feistel construction with 3-round self-similarity depicted in Fig. 3. Hence, the best one can currently do is to apply the standard slide attack, which results in data complexity of \(O(2^{n/2})\) known plaintexts and time complexity of \(O(t\cdot 2^n)\) where t is the time required for breaking 3-round DES given two input/output pairs.

In this section, we present a new attack on this construction with a lower time complexity of \(O(2^{5n/6})\), at the expense of a higher data complexity of \(O(2^{5n/6})\). Our attack exploits slid pairs of a specific type and uses ideas developed in the attacks presented in Sect. 2.

In addition, for a more specific class of round functions which contains the round function of DES itself (or any Feistel-3 construction), we present a slide attack on 3K-DES with data complexity of \(O((n/s) \cdot 2^{n/2})\) known plaintexts and \(O((n/s) \cdot 2^{n/2+s})\) time, when the S-box size is s bits.

3.1 The Structure of 3K-DES and Notations

The DES [40] was the US encryption standard until 2001, and the most widely used block cipher worldwide until the end of the 1990s. Its structure is well known and can be found in [40]. We briefly recall a few details that are relevant to our attack. The block size of DES is 64 bits, and the key size is 56 bits. DES is a 16-round Feistel construction. Each round function \(f_i: \{0,1\}^{32} \rightarrow \{0,1\}^{32}\) consists of four operations: a linear expansion function E that expands the state to 48 bits, XOR with a 48-bit subkey, an S-box layer S which shrinks the state to 32 bits and a permutation P. The only key-dependent operation in \(f_i\) is the XOR with a subkey.

In our attack, we consider the following natural abstraction of 3K-DES (called “Feistel-2 construction with 3-round self-similarity,” according to the terminology of [32]). Let \(k_1,k_2,k_3\) be independent (n / 2)-bit subkeys. Let \(E_{k_1,k_2,k_3}\) be a 3m-round Feistel construction with n-bit blocks, in which the round function \(f_{k_i}\) has the form \(f_{k_i}(x)=g(k_i \oplus x)\), where \(k_i:= k_{(i \bmod 3)+1}\) and g is a public keyless function. The structure of E is demonstrated in Fig. 3.

Denote by h the first three Feistel rounds of E. It is clear that \(E=h^m\). For a given plaintext/ciphertext pair (PC), we denote the input to round i in the encryption process of P by \(X_i\) (e.g., \(P=X_0\)), and the input to round i in the encryption process of C (assuming that it is encrypted) by \(Y_i\) (e.g., \(C=Y_0\)), as shown in Fig. 3. Note that if \((P,P')\) is a slid pair for E (i.e., if \(P'=h(P)\)), then \(P'=X_3\) and \(C'=Y_3\). We also use \(X_L\) to denote the left half of X and \(X_R\) to denote the right half of X.

3.2 The Observations Behind the Attack

The basic idea of the attack is to search for slid pairs that satisfy the following additional property:

$$\begin{aligned} Y_{1L} = X_{1L}. \end{aligned}$$
(5)

We use a few observations. Assume that (5) holds for some slid pair \((P,P')\). Then we can deduce the following:

  1. 1.

    The outputs of the second round function \(f_{k_2}\) in the encryptions of P and C are equal. By the Feistel structure, this implies \(X_{0L} \oplus X_{2L} = Y_{0L} \oplus Y_{2L}\). As \(X_{2L} = P'_{R}\) and \(Y_{2L} = C'_{R}\), we obtain \(P_L \oplus P'_R = C_L \oplus C'_R\), or equivalently,

    $$\begin{aligned} P_L \oplus C_L = P'_R \oplus C'_R. \end{aligned}$$
    (6)

    Conversely, if the keyless function g is invertible then (6) implies (5), and even if g is a random function, (6) implies that (5) holds with a constant non-negligible probability.

  2. 2.

    By the Feistel construction, (5) implies \(X_{0R} \oplus f_{k_1}(X_{0L}) = Y_{0R} \oplus f_{k_1}(Y_{0L})\), or equivalently, \(X_{0R} \oplus Y_{0R} = f_{k_1}(X_{0L}) \oplus f_{k_1}(Y_{0L})\). Now, consider the applications of g as part of \(f_{k_1}\) in the encryptions of P and C. We know that the input difference between these two applications is \(X_{0L} \oplus Y_{0L}\) (as the key addition does not change the difference), and that the output difference is \(X_{0R} \oplus Y_{0R}\). For a random function g, given an input difference \(\alpha \) and an output difference \(\beta \), there exists one pair of inputs \((x,x')\) on average such that \(x \oplus x' = \alpha \) and \(y \oplus y' = \beta \). Moreover, given the full Difference Distribution Table (DDT) of g and the input/output differences \((\alpha ,\beta )\), one can obtain instantly all possible actual values of the input pairs \((x,x')\) that correspond to those differences, whose total number is usually very small. Hence, if we could pre-compute the full DDT of the function g, our knowledge would be sufficient to recover the actual values \((X_0 \oplus k_1,Y_0 \oplus k_1)\), and hence, to get a suggestion for the subkey \(k_1\). As we cannot keep in memory the full DDT (since it requires \(2^n\) space) or even compute it (since this also takes \(2^n\) time), we will exploit this observation in a more subtle way.

  3. 3.

    By the same argument, applied with \(P', C'\) instead of PC, if (5) holds then we know the input and output differences in the applications of g as part of \(f_{k_3}\) in the encryptions of P and C. This would be sufficient for recovering \(k_3\), and could we pre-compute and store the full DDT of g.

  4. 4.

    Once \(k_1,k_3\) are known, a candidate for \(k_2\) can be instantly found by comparing a partial encryption of P with a partial decryption of \(P'\).

3.3 The Attack Algorithm

A naïve way to exploit the above observations in a slide attack is to go over many random pairs \((P,P')\), and for each pair assume that it is a slid pair that satisfies (5), use the above observations to get candidates for the subkeys \(k_1,k_2,k_3\) and check them by trial encryption. However, as the probability of a random plaintext pair to be a slid pair that satisfies (5) is \(2^{-n} \cdot 2^{-n/2} = 2^{-3n/2}\), such a naïve attack has time complexity of \( \varOmega (2^{3n/2})\).

Instead, we use relation (6) to check many candidate plaintext pairs simultaneously, and construct “slices” of the DDT that are sufficient for our purposes instead of the full DDT in order to save time and space. The attack algorithm is given in Algorithm 3.

figure c

3.4 Analysis of the Attack

The data complexity of the attack is \(O(2^{5n/6})\) known plaintexts. Each plaintext enters tables \(T_1\) or \(T_2\) with probability \(2^{n/3-n/2} =2^{-n/6}\), i.e., the expected size of the tables \(T_1,T_2\) is \(2^{2n/3}\). Hence, the total number of candidate slid pairs the attack may analyze is \(2^{4n/3}\). Of these pairs, the attack identifies the pairs \((P,P')\) satisfying \(P_L \oplus C_L, P'_R \oplus C'_R \in L\). Given that the size of L is \(2^{n/3}\), the probability that (6) holds is \(2^{-n/3}\) (since this is the probability of collision between two random elements in a set of size \(2^{n/3}\)). Hence, the probability that a pair \((P,P')\) examined in the attack is a slid pair satisfying (6) is \(2^{-n} \cdot 2^{-n/3} = 2^{-4n/3}\). Therefore, with a constant non-negligible probability, the data contain a slid pair that satisfies (6), and hence satisfies (5) (again, with a constant probability). As any slid pair suggests the correct subkeys (possibly, along with a few additional subkey candidates), the attack recovers the secret key with a constant probability. The success probability can be easily increased by enlarging the data complexity by a fixed constant (i.e., examining additional plaintexts).

The time complexity of the first external loop is \(2^{5n/6}\), dominated by encrypting the plaintexts. The second external loop is repeated for \(2^{n/3}\) values of \(\alpha \) and its complexity is dominated by computing a row in the difference distribution table that requires \(2^{n/2}\) operations for each value of \(\alpha \). (The first internal loop takes \(2^{n/3}\) operations for each \(\alpha \), and the second internal loop takes \(2^{n/6}\) encryptions, since the expected number of collisions with the table \(T_3\) is \(2^{n/3} \cdot 2^{n/3} \cdot 2^{-n/2} = 2^{n/6}\).) Therefore, the total time complexity of the attack is \(O(2^{5n/6})\) encryptions.

The memory complexity is \(O(2^{2n/3})\), dominated by the storage required for the tables \(T_1,T_2\). (Note that the plaintext/ciphertext pairs themselves that do not enter tables \(T_1\) and \(T_2\) can be discarded.) As \(T_3\) is built for each value of \(\alpha \) independently, and as each \(\alpha \) value is expected to correspond to \(2^{n/3}\) pairs in \(T_1\), the size of \(T_3\) is just \(O(2^{n/3})\).

3.5 Attack on 3K-DES Using the Structure of the Round Function

Let us assume now that the round function F in the Feistel construction has the following specific form (sometimes referred to as Feistel-3, as opposed to the more general Feistel-2 structure we considered above): first, the input of F is divided into s-bit chunks that are independently processed through an S-box layer, and then a linear transformation is applied to the entire state. This structure is satisfied by DES, with \(|s|=6\) (up to the “linear expansion” operation, which changes the analysis only slightly and thus is omitted here), and by many other Feistel ciphers. In this case, we present an improved slide attack that takes only \(O((n/s)\cdot 2^{n/2})\) adaptive plaintexts (i.e., relies on finding a single slid pair) and \(O((n/s) \cdot 2^{n/2+s})\) time.

Consider a candidate pair \((P,P')\) and their corresponding ciphertexts \((C,C')\), respectively. For such a pair, we know that \(P' = f_{k_3}(f_{k_2}(f_{k_1}(P)))\) and \(C'=f_{k_3}(f_{k_2}(f_{k_1}(C)))\), which allows for a simple meet in the middle attack.

Namely, it is possible to guess the part of \(k_1\) that allows partial encryption of a single S-box for P and for C. Similarly, one can guess the part of \(k_3\) that allows partial decryption of a single S-box for \(P'\) and for \(C'\). Hence, by guessing s key bits from \(k_1\) and s from \(k_3\), we obtain a 2s-bit filter condition (due to the existence of two “input/output” pairs to 3 rounds of DES). Obviously, one can extend the attack to find more key bits by targeting the other S-boxes, resulting in a simple attack on 3 rounds of DES.

This simple meet in the middle attack can be exploited in a slide attack as well. First of all, we generate from each plaintext a chain of a few encryptions \(P,E_k(P),E_k(E_k(P)),\ldots \). It is easy to see that each of the 3-round DES instances that need to be attacked uses the same order of subkeys, and thus, guessing s bits of \(k_1\) allows for the partial encryption of all the values in the chain by one round.

The attack is thus very simple: For each chain \(P,E_k(P),E_k(E_k(P)),\ldots \), we guess s bits of subkey material for \(k_1\) and store in the table the resulting partial encryptions of the chain values (under all \(k_1\) guesses). Similarly, for each chain \(P',E_k(P'),E_k(E_k(P')),\ldots \) we try s bits of \(k_3\), and perform partial decryption to search in the table for collisions. Each such collision suggests a candidate slid chain as well as candidate keying material. Once a slid chain is identified, it is easy to extract the remaining bits of \(k_1\) and \(k_3\), and to use them to retrieve \(k_2\).

For a chain of length t, we obtain \(t \cdot s\) filtering bits for the meet in the middle parts. There are \(2^{n/2+s}\) candidate chains from each side, resulting in \(2^{n+2s}\) possible pairs of chains. By having a \(n+2s\)-bit filtering, we can immediately identify the slid chains, suggesting that \(t=n/s+2\) is sufficient.

The resulting data complexity is \((n/s+2)\cdot 2^{n/2}\) adaptive chosen plaintexts and ciphertexts. The memory and time complexities are both \(O((n/s) \cdot 2^{n/2+s})\).

4 Efficient Slide Attacks using the Cycle Structure of Permutations

In this section, we present a new variant of the slide attack that exploits the relation between the cycle structures of the entire cipher \(E_k = f_k^\ell \) and the round function \(f_k\) to detect slid pairs efficiently. First, we present a generic attack with data and time complexities of \(2^{n-1}\) that applies even when \(f_k\) is very complex. Then, we show that for Feistel constructions with a palindromic key schedule the complexity of the generic attack drops to \(O(2^{n/2})\), using a reflection property.

4.1 A Generic Attack Using the Cycle Structure

4.1.1 Facts and observations

First we recall several facts regarding the cycle structure of permutations that are used in our attack. Let \(g:GF(2^n) \rightarrow GF(2^n)\) be a random permutation. For every \(x \in GF(2^n)\) we denote \(CycleLength(x)=\min \{k>0|g^k(x)=x\}\). Following the classical results of [26, 27] on the distribution of cycle sizes in random permutations (see also [23, p. 596]), we expect that the largest cycle \(Cycle_{max}\) has an expected size of \((1-1/e)\cdot 2^n\), and for every \(x \in GF(2^n)\), \(\Pr [x \in Cycle_{max}] \approx 1-1/e\). Here, \(e=2.7182\ldots \) is the basis of the natural logarithm. Moreover, we expect that the second largest cycle has a size of \(1/e\cdot (1-1/e) \cdot 2^{n}\), and generally, the size of the ith largest cycle is \((1/e)^{i-1} \cdot (1-1/e) \cdot 2^{n}\).

The main observation used in our attack is the following: Let P be an arbitrary plaintext. We consider the cycles of P with respect to \(f_k\) and \(E_k\), denoted by \(Cycle_{f_k}(P)\) and \(Cycle_{E_k}(P)\), respectively. Denote the length of \(Cycle_{f_k}(P)\) by \(m_1\), i.e., \(m_1=\min \{t>0|f_k^t(P)=P\}\). Similarly, denote the length of \(Cycle_{E_k}(P)\) by \(m_2\). As \(E_k = f_k^\ell \), the relation \(E_k^{m_2}(P)=P\) can be written as \(f_k^{l\cdot m_2}(P)=P\). It clearly follows that \(m_1 | \ell \cdot m_2\). On the other hand, \(m_2=\min \{t>0|E_k^t(P)=P\}=\min \{t>0|f_k^{(t\cdot \ell ) \bmod m_1} (P)=P\}\). Combining these two statements, we get \(m_2=\min \{t>0|t\ell = 0 \bmod m_1\}\), or equivalently,

$$\begin{aligned} m_2=m_1/\gcd (m_1,\ell ). \end{aligned}$$
(7)

In particular, if \(\gcd (m_1,\ell )\)=1, then \(m_1=m_2\).

If \(\gcd (m_1,\ell )=1\), we can use Euclid’s extended algorithm to find \(1 \le d_1 \le \ell -1\) and \(d_2\) such that \(d_1 \cdot m_1 = \ell -1 \pmod \ell = d_2 \cdot \ell - 1\). For those \(d_1,d_2\), we have

$$\begin{aligned} f_k^{d_1 \cdot m_1 +1}(P) = f_k(P), \qquad \text{ and } \qquad f_k^{d_1 \cdot m_1 +1}(P)=f_k^{d_2 \cdot \ell }(P)=E_k^{d_2}(P). \end{aligned}$$

Hence, the pair \((P,E_k^{d_2}(P))\) is a slid pair for \(E_k\).

It is important to note that the adversary does not have access to \(f_k\) and thus cannot compute \(m_1\). Only \(m_2\) can be computed, by sequential encryption using \(E_k\). However, the adversary may assume that \(\gcd (m_1,\ell )=1\) and then use the value \(m_1=m_2\) to compute \(d_1,d_2\) and find the candidate slid pair \((P,E_k^{d_2}(P))\). If the assumption \(\gcd (m_1,\ell )=1\) is correct, the found pair must be a slid pair. Furthermore, as observed in [11], this implies that for every t, the pairs \((E_k^t(P),E_k^{d_2+t}(P))\) must also be slid pairs.

4.1.2 The Attack Algorithm and Its Analysis

Based on the above observations, we can mount the following attack.

  1. 1.

    Fix an arbitrary plaintext \(P_0\).

  2. 2.

    Ask for a sequential encryption of \(P_0\) through \(E_k\), i.e., for the sequence \(E_k(P_0), E_k^2(P_0)=E_k(E_k(P_0)),E_k^3(P_0),\ldots \), until \(E_k^{m_2}(P_0)=P_0\) is encountered for the first time.

  3. 3.

    Use the extended Euclid algorithm to find \(d_1,d_2\) such that \(d_1 \cdot m_2 = d_2 \cdot \ell - 1\).

  4. 4.

    Deduce that \((P,E_k^{d_2}(P))\) is a candidate slid pair and check the guess by attacking \(f_k\) using \(\{(E_k^t(P),E_k^{d_2+t}(P))\}_{t \ge 0}\) as input/output pairs.

For a random value of x, \(\mathbb {E}[CycleLength(x)]=(1-1/e)\cdot 2^{n}\), and thus, we expect to get about \((1-1/e)\cdot 2^{n}\) pairs of the form \(\{(E_k^t(P),E_k^{d_2+t}(P))\}_{t \ge 0}\). This amount is sufficient for most possible attacks on \(f_k\), including adaptive chosen plaintext and ciphertext attacks. Hence, Step 4 is expected to succeed even for fairly complex functions \(f_k\) (e.g., \(f_k\) being the full 16-round DES).

The attack succeeds if \(gcd(m_1,\ell )=1\). For a random permutation \(f_k\), this occurs with probability \(\varphi (\ell )/\ell \), where \(\varphi (\ell )=|\{1 \le d \le (\ell -1): \gcd (d,\ell )=1\}|\) is the Euler function. In case of failure, we can apply the attack again with another plaintext \(P_1\) that is not included in the sequence \(E_k^i(P_0)\). If the attack fails again, we can take a new plaintext \(P_2\) etc. After k applications of the attack, the total success probability is \(1- (1-\varphi (\ell )/\ell )^k\), which approaches 1 quickly.

As the expected length of \(Cycle_{E_k}(P_0)\) is \((1-1/e)\cdot 2^{n})\), the data complexity of the attack is very large — almost the entire codebook.

The advantage of the attack over a standard slide attack is the time complexity — \(O(2^{n-1}+t)\), where t is the time required for breaking \(f_k\) with \(O(2^{n-1})\) known input/output pairs (compared to \(O(2^n \cdot t)\) for the standard slide attack). Hence, the attack is advantageous in cases where \(f_k\) is very complex, so that t is large. In Sect. 5, we exemplify this technique with an attack on 24-round GOST with unknown S-boxes, where the function \(f_k\) is 8-round GOST with unknown S-boxes. Due to the complexity of \(f_k\), our attack is \(2^{36}\) times faster than the best previously known slide attack on the same variant.

We note that when the encryption algorithm is implemented by a quantum computing device capable of encrypting a quantum state, one can use the quantum cycle finding algorithm by Simon [43]. In such a case, the detection of the cycle itself can be done in time O(n) using O(1) quantum queries to the device (by generating an entangled state composed of all possible inputs, which is then encrypted to an entangled state composed of all possible outputs). After finding the cycle length, one can either exploit a standard cryptanalytic attack or use some advanced quantum attack algorithms, e.g., those presented in [2, 34].

4.2 An Efficient Attack on Feistel Constructions with a Palindromic Key Schedule

The attack algorithm described above does not depend on the exact cycle structures of \(E_k\) and \(f_k\), apart from its success probability (that depends on the probability \(\Pr [\gcd (m_1,\ell )=1]\)). Hence, if for some cipher \(E_k\) the cycle structure deviates from random, such that shorter cycles are more likely to occur, the same attack holds with a lower complexity (as the complexity is dominated by the computation of \(Cycle_{E_k}(P_0)\)).

A notable case in which such a reduction occurs is Feistel ciphers with a palindromic key schedule, i.e., round subkeys of the form \(k_1,k_2,\ldots ,k_r,k_r,k_{r-1},\ldots ,k_1\) for some r. Let \(f_k\) be such a construction, and let \(E_k=f_k^\ell \) as before (so that \(E_k\) consists of \(2r\ell \) Feistel rounds). Consider a sequential encryption of a plaintext \(P_0\), as performed in the attack described above, and denote the input of the j’th round in the encryption process of \(E_k^i(P_0)\) by \(X[2r\ell \cdot i + j]\) (for \(j=0,1,\ldots ,2r\ell -1\)).

We use the following observation, introduced in [35, 36] and called reflection property. Assume that for some \(i \in \mathbb {N}\) and for some \(0 \le m \le \ell -1\), the intermediate value \(X = X[2r\ell \cdot i + 2rm + r]\) satisfies \(X_L=X_R\). In such a case, by the palindromic Feistel structure, we have \(X[2r\ell \cdot i + 2rm] = X[2r\ell \cdot i + 2r(m+1)]\). Furthermore, the reflection property can be extended all the way in both directions to obtain

$$\begin{aligned} P_0 = X_0 = X[2r\ell \cdot 2i + 2r(2m+1)]. \end{aligned}$$
(8)

This intermediate value is not seen by the adversary who sees only values of the form \(E_k^j(P_0)=X[2r\ell \cdot j]\). However, if we denote \(c=\frac{\ell }{\gcd (2m+1,\ell )}\), then (8) implies

$$\begin{aligned} P_0= & {} X\left[ c (2r\ell \cdot 2i + 2r(2m+1))\right] = X\left[ 2r\ell \cdot \left( 2ic + \frac{2m+1}{\gcd (2m+1,\ell )}\right) \right] \\= & {} E_k^{2ic + \frac{2m+1}{\gcd (2m+1,\ell )}}(P_0). \end{aligned}$$

It follows that in such a case,

$$\begin{aligned} \textit{CycleLength}_{E_k}(P_0) \le 2ic + \frac{2m+1}{\gcd (2m+1,\ell )}. \end{aligned}$$
(9)

Furthermore, the same argument holds if some \(X' = X[2r\ell \cdot i + 2rm]\) satisfies \(X'_L=X'_R\), and in such a case,

$$\begin{aligned} \textit{CycleLength}_{E_k}(P_0) \le 2ic' + \frac{2m}{\gcd (2m,\ell )}, \end{aligned}$$
(10)

where \(c' = \ell /\gcd (2m,\ell )\).

We now analyze the expectation of the right-hand sides of (9) and (10). By standard randomness assumptions, for each \(i \in \mathbb {N}\) and \(0 \le m \le \ell -1\), the probability that \(X = X[2r\ell \cdot i + 2rm + r]\) satisfies \(X_L=X_R\) is \(2^{-n/2}\). The same holds for the probability that \(X' = X[2r\ell \cdot i + 2rm]\) satisfies \(X'_L=X'_R\). Hence, it is expected that the smallest index for which (8) or the respective statement for \(X'\) holds is X[j], for \(j=O(r \cdot 2^{n/2})\). Therefore, in expectation (9) and (10) yield

$$\begin{aligned} E\left[ CycleLength_{E_k}(P_0) \right] \le O \left( \frac{r \cdot 2^{n/2} \cdot 2 \cdot \frac{\ell }{\gcd (2m+1,\ell )}}{2r\ell } \right) \le O(2^{n/2}). \end{aligned}$$
(11)

It follows that when we apply the attack algorithm described above to \(E_k\), the expected data complexity is as small as \(O(2^{n/2})\). In Sect. 5, we apply this attack to a 128-bit key variant of the block cipher GOST, to get an attack which is \(2^{51}\) times faster than the best previously known attack of [14] on an even weaker variant.

It should be noted that as \(CycleLength_{E_k}(P_0)\) becomes smaller, the task of breaking \(f_k\) using the candidate slid pairs becomes more complex, since the cycle contains at most \(O(2^{n/2})\) known input/output pairs for \(f_k\). Combining many cycles together is problematic since each candidate slid pair is correct only with probability \(\varphi (\ell )/\ell \), so the probability that all examined cycles suggest correct slid pairs may be too low. A possible way to overcome this obstacle is to devise an efficient distinguishing attack on \(f_k\) that requires at most \(O(2^{n/2})\) known input/output pairs. Using the distinguishing attack, the adversary can check which of the suggested slid pairs are correct ones and then combine verified slid pairs suggested by different cycles to break \(f_k\) with a more data-consuming attack.

5 Application to the GOST Block Cipher

In this section we apply the new slide attacks presented in Sect. 4 to variants of the block cipher GOST—the Russian encryption standard.Footnote 3 First we present the structure of GOST and a brief account of previous results on the cipher. Then we present new efficient attacks on 8-round GOST with unknown S-boxes that will be used as subroutines in the slide attacks. Finally, we present the new slide attacks on 24-round GOST and on a 128-bit key variant of the cipher considered in [11, 14].

5.1 The Structure of GOST and Previous Results

The Russian encryption standard GOST [29], designed in 1989, is a 64-bit block and 256-bit key cipher with a Feistel structure of 32 rounds. The round function accepts an input and a subkey of 32 bits each. The input and the subkey are added (modulo \(2^{32}\)), and the outcome is divided into eight sets of four bits each. Each such set enters a different S-box, where the least significant set enters S1 and the most significant set enters S8. A central feature of GOST is that the actual S-boxes that are used are kept secret and are assigned by the government to a given set of users in each industry.Footnote 4 The outputs of all S-boxes are combined to 32 bits, which are then rotated to the left by 11 bits. Figure 4 describes one round of GOST.

Fig. 4
figure 4

Round function of GOST

Full size image

The key schedule algorithm takes the 256-bit key and treats it as eight 32-bit words, i.e., \(K=K_1,\ldots ,K_8\). The subkey \(k_r\) of round r is

$$\begin{aligned} k_r = \left\{ \begin{array}{lcc} K_{(r-1) \bmod {8}+1} &{} &{}r\in \{1,\ldots ,24\};\\ K_{33-r} &{} &{}r\in \{25,\ldots , 32\}.\\ \end{array} \right. \end{aligned}$$

Most of the previous results on GOST consider a variant with known S-boxes, using as a specific example the set of S-boxes used in the Russian banking industry that has leaked and appears in [42]. In this mode, Isobe [31] was the first to publish an attack on the full cipher in 2010. Later on, several improved attack were presented by Dinur et al. [19], and a multitude of attacks using various techniques were presented by Courtois [12, 13, 15].

The results obtained so far on GOST with unknown S-boxes are by far less impressive. A related-key distinguisher for the entire cipher that requires only two related-key chosen plaintexts is presented in [37]. In [11, 21] a slide-with-a-twist attack on a 20-round variant of GOST is described, and in [18] an efficient enhanced reflection attack on 18-round GOST is given. Finally, a weak-key class consisting of \(2^{32}\) keys of the form (KKKKKKKK) identified using a slide attack is presented in [25], and in [41] it is shown that for a key in this weak-key class, an adversary can recover the secret S-boxes with a chosen-key attack. To summarize, the only known attacks on more than 20 rounds of GOST with secret S-boxes are either related-key attacks or attacks that apply for only \(2^{32}\) of the \(2^{256}\) keys.

In our attacks on variants of GOST presented below, we use the following notations. The plaintext and the ciphertext are denoted, as usual, by PC, respectively. The input to round i is denoted by \(X_i\), so \(P=X_1\). Note that following the official GOST specifications, we start the rounds at round 1. For any state X, the left and right halves of X are denoted by \(X_L\) and \(X_R\), respectively. Bits \(j,j+1,\ldots ,\ell \) of a state X are denoted by \(X[j\text{-- }\ell ]\). Finally, a difference between two encryptions in the intermediate state X is denoted by \(X'\).

5.2 Efficient Known-Plaintext Attacks on 8-Round GOST with Unknown S-Boxes

We now present two new attacks on 8-round GOST with unknown S-boxes. The first is a simple distinguishing attack with data complexity of \(2^{36}\) known plaintexts. The second attack is more complex, but allows to recover the unknown S-boxes and the secret key with data complexity of \(2^{36.5}\) known plaintexts and time complexity of \(2^{36.5}\). Both attacks will be used as subroutines in the slide attacks presented in Sects. 5.3 and 5.4. (For reasons described below, both are needed.)

5.2.1 A Distinguishing Attack on 8-Round GOST with Unknown S-Boxes

The distinguishing attack is a simple truncated differential attack which uses the 8-round differential characteristic depicted in Fig. 5. The characteristic exploits the weak diffusion of the GOST round function to predict the difference in 17 bits of the state after 8 rounds with probability \((1/2)^8 \cdot (3/4)^{8} = 2^{-11.32}\). As can be seen, for each S-box whose input difference is \(L_i \in \{0,1,\ldots ,7\}\), with probability of at least 3 / 4, the key addition operation does not result in carry to the next S-box (and so, the next S-box remains inactiveFootnote 5), and with probability of 1 / 2, the LSB of the output difference is zero, so that after the rotation, only one S-box is affected and not two. In the last three rounds of the characteristic, we allow some of the active S-boxes to affect two S-boxes in the next round in order to increase the probability of the characteristic.

Fig. 5
figure 5

An 8-round truncated differential of GOST with probability \((\frac{1}{2})^8\cdot (\frac{3}{4})^{8}=2^{-11.32}\)

Full size image

The differential characteristic allows to mount a distinguishing attack on 8-round GOST with data complexity of \(2^{37}\) known plaintexts. Indeed, the plaintexts contain \(2^{2 \cdot 37-1}=2^{73}\) pairs, out of which \(2^{73} \cdot 7 \cdot 2^{-64} \approx 2^{11.8}\) pairs satisfy the input difference of the characteristic. Hence, it is expected that for 8-round GOST, at least one of them satisfies also the output difference of the characteristic. On the other hand, for a random permutation, the probability that the output difference of the characteristic is obtained for a given pair is \(2^{-17}\), and thus with a very high probability there are no pairs that satisfy the characteristic’s input and output differences. This allows to distinguish 8-round GOST from a random permutation with a high probability.

The data complexity of the attack can be slightly reduced to \(2^{36}\) known plaintexts, by using variants of the differential characteristic in which the input difference is rotated cyclically by k nibbles (for \(k=1,2,\ldots ,7\)). It can be checked that each of these characteristics holds with probability of at least \(2^{-12.57}\), and so, \(2^{71}\) pairs (formed from \(2^{36}\) plaintexts) are sufficient to have a right pair with respect to one of the 8 characteristics with a high probability.Footnote 6 Finally, the attack can be performed efficiently by inserting all plaintexts into a hash table indexed by the right half of the input and the 8 MSBs of the nibbles in the left half of the input (i.e., a total of 40 bits), and checking only colliding pairs in the table as candidates for satisfying the characteristic. In this way, the time complexity is dominated by encrypting the plaintexts.

5.2.2 A 7-Round Truncated Differential and a Key Recovery Attack on 8-Round GOST with Unknown S-Boxes

The basic 7-round truncated differential we use is depicted in Fig. 6. It exploits the weak diffusion of the GOST round function to predict the difference in 4 bits of the intermediate state after 7 rounds with probability 0.242.

Fig. 6
figure 6

A 7-round differential of GOST with probability \((\frac{7}{8})^2 \cdot (\frac{3}{4})^4=0.242\)

Full size image

As in the 8-round differential presented above, we require that in all “active” S-boxes (i.e., S-boxes with a nonzero input difference), the key addition does not result in carry into the next S-box. The probability of this event is either 7 / 8 (if the difference in the S-box is \(W_1\)) or 3 / 4 (if the difference is \(L_i\)). This time, we always allow the output difference to affect two S-boxes in order to maximize the probability of the characteristic.

We use the differential in rounds 2–8 of the encryption process and analyze the first round. Denote its input difference by \(\alpha \), i.e., we look for pairs with difference \(X'_2 = \alpha \). For such pairs, the input difference of the round function in round 1 is \(P'_{1L}=00~00~00~0W_1\). With probability 7 / 8, this implies that only one S-box in round 1 is active and the output difference is of the form \(00~00~L_1 U_1~00\). If this is the case, then there are only 16 possible plaintext differences (which are all \(P'\) such that \(P'_R[\text{0--10,15--31 }]=0\)) that lead to difference \(\alpha \) in the input of round 2. Denote the set of these 16 possible differences of \(P'_R\) by S.

In the attack, we examine \(2^{36.5}\) plaintexts, and out of the \(2^{72}\) possible plaintext pairs that they compose we keep only those that satisfy three conditions:

  1. 1.

    \(P'_L = 00~00~00~0W_1\), for \(W_1 \in \{1_x,2_x,3_x\}\).

  2. 2.

    \(P'_R \in S\) (which means that \(P'_R[\text{0--10,15--31 }]=0\)).

  3. 3.

    \(C' \in \beta \) (which means that \(C'[\text{7--10 }]=0000\)).

Out of the \(2^{36.5}\) known plaintexts, it is possible to compose \(2^{72}\) pairs. The probability that a random pair satisfies the above three conditions is \(3/2^{32} \cdot 2^{-28} \cdot 2^{-4} = 3 \cdot 2^{-64}\), and we expect \(2^{72} \cdot 3 \cdot 2^{-64} = 768\) random pairs to satisfy all three conditions. Independently, out of the \(2^{72}\) pairs, a fraction of \(3\cdot 2^{-64}\) satisfy the input difference \(\alpha \) at the entrance to the second round. Each of these \(2^{72} \cdot 3 \cdot 2^{-64} = 768\) pairs has probability 0.242 to satisfy the differential characteristic (i.e., to have the output difference \(C' \in \beta \)). This suggests that about \(768 \cdot 0.242 = 184\) right pairs exist in the data. We note that with probability 7 / 8 a pair with input difference \(\alpha \) to the second round has only one active S-box in the first round (Condition 2), i.e., we expect about \(184 \cdot 7/8 = 161\) right pairs to exist in the data set (along 768 random pairs which satisfy the input/output differences).

Therefore, after the initial filtering we are left with about 160 “right” pairs that satisfy the truncated differential and 768 “random” pairs. We now need to identify the right pairs and use them appropriately.

Observation 1

Let \((P_1,P_2)\) and \((P_1^*,P_2^*)\) be two right pairs satisfying Condition 2. If \(P_{1L}[0\text{-- }3]=P^{*}_{1L}[0\text{-- }3]\) (the input bits to the single active S-box in round 1) and \(P_{2L}[0\text{-- }3]=P^{*}_{2L}[0\text{-- }3]\) (which imply that the input differences \(P'_L,P^{'*}_L\) are equal), then the output differences of the first round function are equal in both pairs, and thus \(P'_R[\text{11--14 }]=P^{'*}_R[\text{11--14 }]\).

This observation can be used to distinguish 8-round GOST from a random permutation, as follows: We divide the \(\approx 900\) pairs (out of which about 160 are right pairs) that satisfy the three conditions into 48 sets, according to the value of \((P_{L}[\text{0--3 }],P'_L[0,1])\). (Note that \(P'_L[0,1]\) has only three possible values.) In each set, check how many times each value of \(P'_R[\text{11--14 }]\) is encountered. For a random cipher (or when the pairs are random), the values of \(P'_R[\text{11--14 }]\) in each set are distributed uniformly among the 16 possible values. In particular, the probability that in more than a few sets a value of \(P'_R[\text{11--14 }]\) appears at least four times is fairly low. On the other hand, for 8-round GOST, in each of the 48 sets, all right pairs have the same value of \(P'_R[\text{11--14 }]\). As each set contains 3.33 right pairs on average, it is expected that at least 10 sets have a value of \(P'_R[\text{11--14 }]\) appearing at least four times, or at least two sets have a value of \(P'_R[\text{11--14 }]\) appearing at least five times.

Formally, we define the distinguisher based on whether at least 10 sets have a value of \(P'_R[\text{11--14 }]\) appearing at least four times or at least two sets have a value of \(P'_R[\text{11--14 }]\) appearing at least five times. Otherwise, we decide that the examined cipher is a random permutation. A straightforward computation shows that the success probability of this distinguisher is very high. We experimentally verified this by running 10,000 experiments with right pairs (all of which were identified correctly). We also run 100,000 experiments with a random permutation (all of which were identified correctly as well). The algorithm of the distinguisher is presented below.

  1. 1.

    Ask for the encryption of \(2^{36.5}\) known plaintexts.

  2. 2.

    Insert the plaintext/ciphertext pairs into a hash table \(T_1\) indexed by bits \(P_L[\text{2--31 }],P_R[\text{0--10,15--31 }],C[\text{7--10 }]\).

  3. 3.

    Collect all pairs colliding in \(T_1\) (all satisfying Conditions (1)–(3)).

  4. 4.

    Insert the colliding pairs into a second hash table, \(T_2\) indexed by the value of \((P_{L}[\text{0--3 }],P'_L[0,1])\).

  5. 5.

    In each entry of \(T_2\), find the maximal number of times that a \(P'_R[\text{11--14 }]\) value appears. Count how many times this maximum is 4 or at least 5. If the number of times 4 appears as the maximum is 10 or more, or if the number of times 5 (or more) appears as the maximum is 2 or more, output “8-round GOST.” Otherwise, output “random permutation.”

The data and time complexities of the above distinguisher are \(2^{36.5}\).

5.2.3 Recovering the Subkeys and the S-Boxes

The algorithm described above allows not only to distinguish 8-round GOST from a random permutation, but also to detect the right pairs, and using them, to recover the subkeys and the secret S-boxes. For each of the 48 sets considered above, with a very high probability the right pairs are those which correspond to the most frequently proposed value of \(P'_R[\text{11--14 }]\).

We start the analysis by using the right pairs from each set to determine the least significant nibble of \(k_1\). Right pairs that passed our analysis do not have the second S-box active, and thus, subkey suggestions that cause overflow and activate the second S-box can be discarded. After analyzing all 48 sets, we expect only the correct value of \(k_1\) to remain.

We also note that one can apply the attack from the ciphertext side (by reversing the order of rounds in the differential characteristic and using it in rounds 1–7). This allows finding the least significant nibble of \(k_8\) using the same technique.

At this point, we know various input pairs to S1 and their corresponding output differences. While it allows using techniques such as those discussed in [8], a more subtle analysis is needed. The S-box recovery as well as the related subtleties are given in “Appendix”.

After recovering the first S-box S1, as well as the least significant nibbles of \(k_1\) and \(k_8\), we can repeat the attack targeting S2 and the second least significant nibbles. The attack is then repeated until the full \(k_1\) and \(k_8\) as well as the 8 S-boxes are recovered. Extracting the remaining six subkeys (\(k_2,k_3,\ldots ,k_7\)) can be easily done by truncating the differential and re-running the attack on less rounds using the truncated differential. Hence, we can fully recover the secret S-boxes and the secret key with data, memory, and time complexity of \(2^{36.5}\).

5.3 A Slide Attack on 24-Round GOST with Unknown S-Boxes

An efficient slide attack on a reduced round variant of GOST which consists of the first 24 rounds of the cipher can be mounted by combining the generic technique of Sect. 4.1 with the attack on 8-round GOST of Sect. 5.2.2.

Indeed, by the structure of GOST, its first 24 rounds can be written as \(E_k = (f_k)^3\), where \(f_k\) is 8-round GOST with subkeys \(K_1,K_2,\ldots ,K_8\). This allows to apply the attack of Sect. 4.1 to retrieve a set of \(\approx 2^{63}\) slid pairs, which are input/output pairs to \(f_k\). Given these input/output pairs (and actually, \(2^{36.5}\) of them are sufficient), the secret S-boxes and the secret key \(K_1,K_2,\ldots ,K_8\) can be recovered using the attack of Sect. 5.2.2.

The attack complexity is dominated by the complexity of the generic attack of Sect. 4.1, which requires \(2^{63}\) adaptively chosen plaintexts (or almost \(2^{64}\) known plaintexts) and has time complexity of \(2^{63}\). The success probability is close to 1 as if the attack fails for one cycle of \(E_k\) (which happens with probability \(1-\varphi (3)/3=1/3\), as \(\ell =3\) in our case), we can repeat it for other cycles.

5.4 An Efficient Slide Attack on an 128-Bit Key Variant of GOST

Consider a weak-key class of GOST of size \(2^{128}\) in which the 256-bit key is palindromic, i.e., has the form \(K_1,K_2,K_3,K_4,K_4,K_3,K_2,K_1\) where \(K_1,K_2,K_3,K_4\) are 32-bit words. This weak-key class was mentioned in [11], where it was remarked that under such keys GOST is an involution, and thus, has \(2^{32}\) fixed points. However, this is clearly not sufficient for attacking it efficiently. In [14], Courtois analyzed two natural 128-bit key variants of GOST. One of these variants is our “palindromic key schedule” variant, and for this variant Courtois presents a fixed-point attack which requires \(2^{32}\) chosen plaintexts and \(2^{91}\) encryptions, assuming that the S-boxes are known. We present an efficient slide attack on this variant, which has a practical complexity of about \(2^{40}\), even if the S-boxes are secret.

For keys of the form \(K_1,K_2,K_3,K_4,K_4,K_3,K_2,K_1\), the full 32-round GOST can be written as \(E_k=f_k^4\), where \(f_k\) is 8-round GOST with unknown S-boxes. Furthermore, \(f_k\) is a Feistel construction with a palindromic key schedule, and thus, we can apply to \(E_k\) the efficient slide attack of Sect. 4.2. In this case, we have \(n=64\), \(\ell =4\), and \(r=4\), and thus, the expected length of \(Cycle_{E_k}(P_0)\) is \(2^{31}\). By the attack of Sect. 4.2, this would be sufficient to break \(E_k\) with \(2^{31}\) plaintexts and time, could we break 8-round GOST with \(2^{31}\) known plaintexts. As our best attack on 8-round GOST requires \(2^{36.5}\) known plaintexts, we have to work a little more.

In order to collect \(2^{36.5}\) plaintexts, we must use plaintexts from many different cycles together. However, for each of the cycles, the probability that the candidate pairs yielded by it are correct slid pairs is \(\varphi (4)/4=1/2\). Hence, the probability that all pairs we collect are simultaneously correct is extremely low. To overcome this problem, we first use the distinguishing attack of Sect. 5.2.1 to detect the cycles that yield correct slid pairs and then apply the key recovery attack of Sect. 5.2.2 to the “correct” pairs.

Specifically, we start with \(2^{40}\) adaptive plaintexts (collected from \(\approx 512\) different cycles) and detect all plaintext pairs that satisfy the truncated differential presented in Sect. 5.2.1. As described above, the pairs can be detected efficiently (i.e., in time that is negligible compared to the encryption of the plaintexts) using a hash table. Among the \(2^{79}\) plaintext pairs, about \(2^{77}\) result from correct slid pairs (as this happens exactly when both plaintexts belong to cycles that yield correct slid pairs). Hence, about 64 pairs are expected to satisfy the truncated differential characteristic . In addition, it is expected that \(2^{79} \cdot 2^{-64} \cdot 2^{-17} \cdot 7 \cdot 8 \approx 16\) pairs satisfy the input and output differences of the characteristics by chance. Despite the “false alarms,” we treat all found pairs as “right” pairs, and for each of them, we assume that both cycles from which the elements of the cycle were taken contain “correct” slid pairs. Thus, we obtain about \(2^7\) “correct” cycles, which are used in the subsequent key recovery attack.

In the key recovery attack, we are given about \(2^{31} \cdot 2^7 = 2^{38}\) plaintexts, that form \(2^{75}\) pairs. However, out of these pairs only \(2^{75} \cdot (4/5)^2 \approx 2^{74.31}\) are real plaintext/ciphertext pairs, while the rest are “random” pairs taken from the “false alarm” cycles. As a result, the signal/noise ratio of the truncated differential attack presented in Sect. 5.2.2 is reduced by a factor of \((4/5)^2\). However, it can be easily seen that as the total number of plaintexts is increased by a factor of 2, the attack still succeeds to recover the key and the secret S-boxes with a high probability.

To summarize, we obtain an attack on the “palindromic key schedule” variant of GOST with data, memory, and time complexity of \(2^{40}\). It seems plausible that the complexity of the attack can be reduced even further (say, to about \(2^{35}\)), by devising an attack on 8-round GOST with a smaller data complexity.

6 Summary and Conclusions

In this paper, we presented four types of new efficient slide attacks, that perform better than the “standard” \(2^n\) time complexity of the slide attack, due to efficient detection of the slid pairs. We applied our attacks to two variants of the Russian encryption standard GOST, improving the total complexity over the best previously known attacks on the same (or weaker) variants by a factor of more than \(2^{35}\). One of our attacks can be used practically by a legitimate user of GOST who wants to recover her secret S-boxes (that are supposed to be used in other branches of the same industry).

It will be interesting to find further scenarios in which slide attacks can be performed with time complexity of less than \(2^n\), and thus, make slide attacks more applicable in practice.