Security Evaluation of GOST 28147-89 in View of International Standardisation

GOST 28147-89 is is a well-known 256-bit block cipher which is a plausible alternative for AES-256 and triple DES, which however has a much lower implementation cost, see [31]. GOST is implemented in standard crypto libraries such as OpenSSL and Crypto++ [25, 45], and is increasingly popular and used also outside its country of origin and on the Internet [23, 24, 31]. In 2010 GOST was submitted to ISO 18033, to become a worldwide industrial encryption standard. Until 2011 researchers unanimously agreed that GOST could or should be very secure, which was summarized in 2010 in these words: “despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken”, see [31]. Unhappily, it was recently discovered that GOST can be broken and is a deeply flawed cipher. There is a very considerable amount of recent not yet published work on cryptanalysis of GOST known to us, see [12]. One simple attack was already presented in February at FSE 2011, see [28]. In this short paper we describe another attack, to illustrate the fact that there are now attacks on GOST, which require much less memory, and don’t even require the reflection property [29] to hold, without which the recent attack from [28] wouldn’t work. We are also aware of many substantially faster attacks and of numerous special even weaker cases, see [12]. These will be published in appropriate peer-reviewed cryptography conferences but we must warn the ISO committees right now. More generally, our ambition is to do more than just to point out that a major encryption standard is flawed. We would like to present and suggest a new general paradigm for effective symmetric cryptanalysis of so called “Algebraic Complexity Reduction” which in our opinion is going to structure and stimulate substantial amounts of academic research on symmetric cryptanalysis for many years to come. In this paper we will explain the main ideas behind it and explain also the precise concept of “Black-box Algebraic Complexity Reduction”. This new paradigm builds on many already known attacks on symmetric ciphers, such as fixed point, slide, involution, cycling and other self-similarity attacks but the exact attacks we obtain, could never be developed previously, because only in the recent 5 years it became possible to show the existence of an appropriate last step for many such attacks, which is a low data complexity software algebraic attack. This methodology leads to a large number of new attacks on GOST [12], way more complex, better and more efficient than in [28]. One example of such an attack is given in the