An Improved Differential Attack on Full GOST

GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and is becoming increasingly popular [?,15]. Until 2010 researchers unanimously agreed that: “despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken”, see [26] and in 2010 it was submitted to ISO 18033 to become a worldwide industrial encryption standard. In 2011 it was suddenly discovered that GOST can be broken and is insecure on more than one account. There is a substantial variety of recent attacks on GOST [5, 10, 16, 8, 6, 7, 11]. We have reflection attacks [16, 10], attacks with double reflection [10], self-similarity guess then determine attacks which do not use any reflections [10, 5] and advanced differential attacks [28, 8, 6, 7]. The final key recovery step in various attacks is in many cases a software algebraic attack [10, 5], frequently also a Meet-In-The-Middle attack [16, 10, 11] and in differential attacks key bits are guessed and confirmed by the differential properties [28, 8, 6, 7]. In this paper we consider some recent differential attacks on GOST [28, 8, 6, 7] and show how to further improve them. We present a new singlekey attack against full 32-round 256-bit GOST with time complexity of 2 which is substantially faster than any previous single key attack on GOST.