Algebraic Complexity Reduction and Cryptanalysis of GOST

GOST 28147-89 is a well-known Russian government encryption standard. Its large key size of 256 bits at a particularly low implementation cost [77] make that it is widely implemented and used [66, 96, 62, 77, 82]. In 2010 GOST was submitted to ISO to become an international standard. GOST was analysed by Schneier, Biham, Biryukov, Dunkelman, Wagner, various Australian, Japanese, and Russian scientists, and all researchers seemed to agree that it looks quite secure. Though the internal structure of GOST seems quite weak compared to DES, and in particular the diffusion is not quite as good, it is always stipulated that this should be compensated by a large number of 32 rounds cf. [59, 92, 91, 8] and by the additional non-linearity and diffusion provided by modular additions [59, 78]. At Crypto 2008 the hash function based on this cipher was broken. Yet as far as traditional encryption applications with keys generated at random are concerned, until 2011 no cryptographically significant attack on GOST was found. In this paper we present several new attacks on full 32-rounds GOST. Our methodology is derived from the idea of conditional algebraic attacks on block ciphers [23, 18] which can be defined as attacks in which the problem of key recovery is written as a problem of solving a large system of algebraic equations, and where the attacker makes some “clever” assumptions on the cipher which lead to an important simplification in the algebraic description of the problem, which makes it solvable in practice if the assumptions hold. Our methods work by black box reduction and allow to literally break the cipher apart into smaller pieces and reduce breaking GOST to a low data complexity software/algebraic/MITM attack on 8 or less rounds. We obtain some 50 distinct attacks faster than brute force on the full 32-round GOST and we provide five nearly practical attacks on two major 128-bit variants of GOST (cf. Table 6). Recent updates: Our latest attacks combine all of [higher-order] truncated differentials, complexity reduction, [approximate] fixed points, reflections, MITM and software/algebraic attacks. Single key attacks are summarized in Table 3 p. 50 and Table 7 p. 147 and the fastest of these is a differential attack in 2 by Courtois [35]. In the multiple random key scenario the cost of recovering one full 256-bit GOST key decreases in a spectacular way at the expense of further growing data requirements. In Table 4 page 124 we summarize all our attacks in this space. Our fastest attack achieves a nearly feasible T= 2 (cf. Section 28.6 and [28]).