Advanced Differential Cryptanalysis and GOST Cipher

Differential Cryptanalysis (DC) is one of the oldest known attacks on block ciphers and there is no doubt that it has influenced the design of encryption algorithms very deeply, ever since the 1970s. DC is based on tracking of changes in the differences between two messages as they pass through the consecutive rounds of encryption. However DC remains poorly understood. In this paper we survey some of our research on the differential cryptanalysis of GOST. GOST cipher is the official encryption standard of the Russian federation. It has military-grade 256-bit keys and until recently it had a very solid reputation. It is also an exceptionally economical cipher implemented in OpenSSL and by some large banks. In 2010 it was submitted to ISO to become a global industrial standard. In his textbook written in the late 1990s Schneier wrote that against differential cryptanalysis, GOST is “probably stronger than DES”. In fact Knudsen have soon proposed more powerful advanced differential attacks however to this day most people get it wrong. In the most recent survey paper about advanced differential cryptanalysis and specifically in the context of ciphers with small blocks such as GOST, [Albrecht-Leander 2012] we read: “Truncated differentials, [...] in some cases allow to push differential attacks one or two rounds further”. In fact we can gain not 2 but much closer to 20 rounds. For the default set of S-boxes our best differential attack on GOST has complexity of 2 which is also the best single key attack on GOST cipher ever found. For other S-boxes the adaptation is possible but not straightforward.