Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 The algorithm 2 Cryptanalysis of GOST 3 See also 4 References 5 Further reading 6 External links

GOST (block cipher)

●Català ●فارسی ●Français ●Italiano ●עברית ●Polski ●Português ●Русский ●Тоҷикӣ ●Türkçe ●Українська Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

GOST 28147-89 (Magma)
General
Diagram of GOST
Designers	USSR, KGB, 8th Department
First published	1994-05-23 (declassified)
Successors	GOST hash function, Kuznyechik
Certification	GOST standard
Cipher detail
Key sizes	256 bits
Block sizes	64 bits
Structure	Feistel network
Rounds	32
Best public cryptanalysis
In 2011 several authors discovered more significant flaws in GOST, being able to attack the full 32-round GOST with arbitrary keys for the first time. It has even been called "a deeply flawed cipher" by Nicolas Courtois.^[1]

The GOST block cipher (Magma), defined in the standard GOST 28147-89 (RFC 5830), is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015 (RFC 7801, RFC 8891), specifies that it may be referred to as Magma.^[2] The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.

Developed in the 1970s, the standard had been marked "Top Secret" and then downgraded to "Secret" in 1990. Shortly after the dissolution of the USSR, it was declassified and it was released to the public in 1994. GOST 28147 was a Soviet alternative to the United States standard algorithm, DES.^[3] Thus, the two are very similar in structure.

The algorithm

[edit]

GOST has a 64-bit block size and a key length of 256 bits. Its S-boxes can be secret, and they contain about 354 (log₂(16!⁸)) bits of secret information, so the effective key size can be increased to 610 bits; however, a chosen-key attack can recover the contents of the S-boxes in approximately 2³² encryptions.^[4]

GOST is a Feistel network of 32 rounds. Its round function is very simple: add a 32-bit subkey modulo2³², put the result through a layer of S-boxes, and rotate that result left by 11 bits. The result of that is the output of the round function. In the adjacent diagram, one line represents 32 bits.

The subkeys are chosen in a pre-specified order. The key schedule is very simple: break the 256-bit key into eight 32-bit subkeys, and each subkey is used four times in the algorithm; the first 24 rounds use the key words in order, the last 8 rounds use them in reverse order.

The S-boxes accept a four-bit input and produce a four-bit output. The S-box substitution in the round function consists of eight 4 × 4 S-boxes. The S-boxes are implementation-dependent, thus parties that want to secure their communications using GOST must be using the same S-boxes. For extra security, the S-boxes can be kept secret. In the original standard where GOST was specified, no S-boxes were given, but they were to be supplied somehow. This led to speculation that organizations the government wished to spy on were given weak S-boxes. One GOST chip manufacturer reported that he generated S-boxes himself using a pseudorandom number generator.^[5]

For example, the Central Bank of Russian Federation used the following S-boxes:

#	S-box
1	4 A 9 2 D 8 0 E 6 B 1 C 7 F 5 3
2	E B 4 C 6 D F A 2 3 8 1 0 7 5 9
3	5 8 1 D A 3 4 2 E F C 7 6 0 9 B
4	7 D A 1 0 8 9 F E 4 6 C B 2 5 3
5	6 C 7 1 5 F D 8 4 A 9 E 0 3 B 2
6	4 B A 0 7 2 1 D 3 6 8 5 9 C F E
7	D B 4 1 3 F 5 9 0 A E 7 6 8 2 C
8	1 F D 0 5 7 A 4 9 2 3 E 6 B 8 C

However, the most recent revision of the standard, GOST R 34.12-2015, adds the missing S-box specification and defines it as follows.^[2]

#	GOST R 34.12-2015 S-box
1	C 4 6 2 A 5 B 9 E 8 D 7 0 3 F 1
2	6 8 2 3 9 A 5 C 1 E 4 7 B D 0 F
3	B 3 5 8 2 F A D E 1 7 4 C 9 6 0
4	C 8 2 1 D 4 F 6 7 0 A 5 3 E 9 B
5	7 F 5 A 8 1 6 D 0 9 3 E B 4 2 C
6	5 D F 6 9 2 C A B 7 8 1 4 3 E 0
7	8 E 2 5 6 9 1 C F 4 B 0 D A 3 7
8	1 7 E D 0 5 8 3 4 F A 6 9 C B 2

Cryptanalysis of GOST

[edit]

The latest cryptanalysis of GOST shows that it is secure in a theoretical sense. In practice, the data and memory complexity of the best published attacks has reached the level of practical, while the time complexity of even the best attack is still 2¹⁹² when 2⁶⁴ data is available.

Since 2007, several attacks have been developed against reduced-round GOST implementations and/or weak keys.^[6]^[7]

In 2011 several authors discovered more significant flaws in GOST, being able to attack the full 32-round GOST with arbitrary keys for the first time. It has even been called "a deeply flawed cipher" by Nicolas Courtois.^[8] Initial attacks were able to reduce time complexity from 2²⁵⁶ to 2²²⁸ at the cost of huge memory requirements,^[9] and soon they were improved up to 2¹⁷⁸ time complexity (at the cost of 2⁷⁰ memory and 2⁶⁴ data).^[10]^[11]

In December 2012, Courtois, Gawinecki, and Song improved attacks on GOST by computing only 2¹⁰¹ GOST rounds.^[12] Isobe had already published a single key attack on the full GOST cipher,^[13] which Dinur, Dunkelman, and Shamir improved upon, reaching 2²²⁴ time complexity for 2³² data and 2³⁶ memory, and 2¹⁹² time complexity for 2⁶⁴ data.^[14]

Since the attacks reduce the expected strength from 2²⁵⁶ (key length) to around 2¹⁷⁸, the cipher can be considered broken. However, this attack is not feasible in practice, as the number of tests to be performed 2¹⁷⁸ is out of reach.

Note that for any block cipher with block size of n bits, the maximum amount of plaintext that can be encrypted before rekeying must take place is 2^n/2 blocks, due to the birthday paradox,^[15] and none of the aforementioned attacks require less than 2³² data.

References

[edit]

^ Courtois, Nicolas T. (9 May 2011). "Security Evaluation of GOST 28147-89 In View Of International Standardisation". Cryptology ePrint Archive. IACR. Until 2011 researchers unanimously agreed that GOST could or should be very secure, which was summarised in 2010 in these words: despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken". Unhappily, it was recently discovered that GOST can be broken and is a deeply flawed cipher

^ ^a ^b "GOST R 34.12-2015 (Russian only)" (PDF). Archived from the original (PDF) on 2015-09-24. Retrieved 2015-08-28.

^ Fleischmann, Ewan; Gorski, Michael; Hühne, Jan-Hendrik; Lucks, Stefan (2009). "Key Recovery Attack on Full GOST Block Cipher with Zero Time and Memory". Published as ISO/IEC JTC. 1.

^ Saarinen, Markku-Juhani (1998). "A chosen key attack against the secret S-boxes of GOST". We show that a simple "black box" chosen-key attack against GOST can recover secret S-boxes with approximately 2^32 encryptions {{cite journal}}: Cite journal requires |journal= (help)

^ Schneier, Bruce (1996). Applied cryptography : protocols, algorithms, and source code in C (2. ed., [Nachdr.] ed.). New York [u.a.]: Wiley. ISBN 978-0-471-11709-4.

^ Eli Biham; Orr Dunkelman; Nathan Keller (2007). "Improved Slide Attacks" (PDF).

^ Orhun Kara (2008). "Reflection Cryptanalysis of Some Ciphers".

^ Courtois, Nicolas T. (9 May 2011). "Security Evaluation of GOST 28147-89 In View Of International Standardisation". Cryptology ePrint Archive. IACR. Until 2011 researchers unanimously agreed that GOST could or should be very secure, which was summarised in 2010 in these words: despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken". Unhappily, it was recently discovered that GOST can be broken and is a deeply flawed cipher

^ Nicolas T. Courtois; Michał Miształ (2011). "Differential Cryptanalysis of GOST". IACR.

^ Nicolas T. Courtois (2012). "An Improved Differential Attack on Full GOST" (PDF). IACR.

^ Courtois, Nicolas T. (Jun 13, 2011). "Algebraic Complexity Reduction and Cryptanalysis of GOST" (PDF). Cryptology ePrint Archive. IACR.

^ Nicolas T. Courtois; Jerzy A. Gawinecki; Guangyan Song (2012). "CONTRADICTION IMMUNITY AND GUESS-THEN-DETERMINE ATTACKS ON GOST" (PDF). Versita. Retrieved 2014-08-25.

^ Isobe, Takanori (2011). "A Single-Key Attack on the Full GOST Block Cipher". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 6733. pp. 290–305. doi:10.1007/978-3-642-21702-9_17. ISBN 978-3-642-21701-2.

^ Dinur, Itai; Dunkelman, Orr; Shamir, Adi (2012). "Improved Attacks on Full GOST". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 7549. pp. 9–28. doi:10.1007/978-3-642-34047-5_2. ISBN 978-3-642-34046-8.

^ "Draft of ISO/IEC JTC 1/SC 27 Standing Document No. 12 (SD12) on the Assessment of Cryptographic Techniques and Key Lengths, 4th edition" (PDF). 2016.

External links

[edit]

Description, texts of the standard, online GOST encrypt and decrypt tools
SCAN's entry for GOST
An open source implementation of PKCS#11 software device with Russian GOST cryptography standards capabilities
https://github.com/gost-engine/engine — open-source implementation of Russian GOST cryptography for OpenSSL.

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics, Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

Cryptography

General

Mathematics

Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=GOST_(block_cipher)&oldid=1218930816" Categories: ●Block ciphers ●Broken block ciphers ●Feistel ciphers ●GOST standards Hidden categories: ●CS1 errors: missing periodical ●Articles with short description ●Short description matches Wikidata ●This page was last edited on 14 April 2024, at 18:53 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view