Cryptanalysis of GOST2: Can Updated Key Schedule Solve all of...

GOST GOST2 Attacks Summary Cryptanalysis of GOST2: Can Updated Key Schedule Solve all of GOST’s Problems? Orr Dunkelman (joint work with Achiya Bar-On and Tomer Ashur) University of Haifa June 29, 2016 Orr Dunkelman Cryptanalysis of GOST2 1/ 24

Transcript of Cryptanalysis of GOST2: Can Updated Key Schedule Solve all of...

Page 1: Cryptanalysis of GOST2: Can Updated Key Schedule Solve all of GOST…pqcrypto.eu.org/miniws/GOST2.pdf · 2016-06-29 · GOST GOST2 Attacks Summary Definition Attacks Standardization

GOST GOST2 Attacks Summary

Cryptanalysis of GOST2: Can Updated Key Schedule Solve all of GOST’s Problems?

Orr Dunkelman (joint work with Achiya Bar-On and Tomer Ashur)

University of Haifa

June 29, 2016

Orr Dunkelman Cryptanalysis of GOST2 1/ 24


History of the GOST Block Cipher

◮ GOST 28147-89 defined a block cipher (a.k.a. Magma these days)

◮ 64-bit block, 256-bit key

◮ 32-round Feistel

◮ With different secret S-boxes for each industry (a few leaked)


The GOST Block Cipher

[Figure: the GOST round function, with round subkey SKr, S-boxes S1–S8 and rotation ≪ 11]


The GOST Key Schedule

◮ The key schedule takes a 256-bit key (eight 32-bit words: K0, K1, K2, . . . , K7) and uses them according to:

K0 K1 K2 K3 K4 K5 K6 K7

K0 K1 K2 K3 K4 K5 K6 K7

K0 K1 K2 K3 K4 K5 K6 K7

K7 K6 K5 K4 K3 K2 K1 K0

◮ The descending order — probably to defeat slide attacks


Attacks on GOST (Short and Partial History)

◮ Related-key differential attacks on reduced-round GOST (specific S-boxes) [KSW96]

◮ Chosen-key S-box recovery attacks [S99]

◮ Related-key differential attacks on reduced-round GOST [KS00]

◮ Related-key differential attacks on full GOST [K+04]

◮ Slide attacks on first 24 rounds [BW00]

◮ Slide attacks on full GOST for a weak key class of 2^128 keys [BW00]

◮ Slide attacks on first 30 rounds [BDK07]


Attacks on GOST (Short and Partial History)

Attack                        Data      Memory   Time    S-boxes
Reflection [I11]              2^32 CP   2^64     2^224   Bijective
Fixed point/Algebraic [C11]   2^64 KP   2^64     2^248   Russian Banks
Differential [CM11]           2^64 KP   2^64     2^226   Russian Banks
Fixed point [DDS12]           2^64 KP   2^36     2^192   any
Fixed point [DDS12]           2^64 KP   2^19     2^204   any
Reflection [DDS12]            2^32 KP   2^36     2^224   any
Reflection [DDS12]            2^32 KP   2^19     2^236   any


Very Quick Summary of the Reflection Attack

◮ Assume that at the entrance to round 25, the intermediate encryption value is (x, x)

◮ Then round 25 cancels round 24, round 26 cancels round 23, etc.

[Figure: two consecutive rounds, both keyed with K7, around the intermediate value (x, x); labels: x, y, x ⊕ y]


Very Quick Summary of the Reflection Attack

◮ Isobe noticed that for a reflection point, the intermediate encryption value after 16 rounds is equal to the ciphertext

◮ This allows for attacking 16-round GOST (using meet in the middle, or any attack you wish for)


ISO SC27 (Parallel Work)

◮ The Russian Federation has submitted GOST (Magma) for standardization in 2010 to ISO SC27 (18033)

◮ Several issues spotted:
    ◮ S-boxes were not defined
    ◮ Related-key attacks

◮ By the time they were “addressed”, Isobe’s attack came out


In Mother Russia, Cipher Encrypts You!

◮ Following the failure of standardizing GOST, a new cipher was suggested

◮ Kuznyechik (Grasshopper): 128-bit block, 256-bit key SPN

◮ Secret design process

◮ Interesting properties revealed by [BP15, BPU16] about how the S-box was designed

◮ And then came a new proposal. . .


The GOST2 Block Cipher

◮ Dmukh, Dygin, and Marshalko offered a variant of GOST on eprint report 2015/065

◮ Two main changes with respect to GOST:
    ◮ S-boxes are fully specified
    ◮ Key schedule changed to:

K0 K1 K2 K3 K4 K5 K6 K7

K3 K4 K5 K6 K7 K0 K1 K2

K5 K6 K7 K0 K1 K2 K3 K4

K6 K5 K4 K3 K2 K1 K0 K7


The Security Claims

Both Isobe and Dinur-Dunkelman-Shamir attacks exploit the reflection property for the last 16 iterations. For the proposed algorithm the probability of the corresponding event is negligible: P{K0 = K2 = K4 = K6, K1 = K3 = K5 = K7} = 2^−192 (if keys are selected at random).

The first Dinur-Dunkelman-Shamir method works if K0 = K2 = K4 = K6 = K1 = K3 = K5 = K7. The probability of such event is 2^−224.

Since the new key schedule could be represented as a concatenation of different shifts of (K0, . . . , K7), 2-GOST (together with original GOST) is subjected to related-key attacks. At the same time, such attacks are difficult for practical implementation, since the probabilities of relations are negligible (see, for example, [5]), when keys are selected randomly.

. . . Eprint report 2015/065


A Reflection Property for GOST2 (Weak Key Class)

◮ Consider the key schedule of rounds 18–31, when K5 = K6:

K5 K6 K7 K0 K1 K2 K3 K4

K6 K5 K4 K3 K2 K1 K0 K7

◮ Hence, if the intermediate encryption value after 25 rounds is (x, x), the ciphertext is equal to the value after 18 rounds


A Reflection Attack on GOST2 (Weak Key Class)

Require: 2^32 pairs of known plaintexts and ciphertexts - {Pi, Ci}.

for S3, K5 = K6 do
    for (Pi, Ci), K0 do
        K1, K2 ← Solve(Pi, S3, K0)
        S13 ← R^-1_SK13(R^-1_SK14(R^-1_SK15(R^-1_SK16(R^-1_SK17(Ci = S18)))))
        T[S13] ← (Pi, K0, K1, K2)
    end for
    for K3, K4, K7 do
        S13 ← R_SK12(R_SK11(R_SK10(R_SK9(R_SK8(R_SK7(R_SK6(R_SK5(R_SK4(R_SK3(S3))))))))))
        (Pi, K0, K1, K2) ← T[S13]
        TRY(K0, K1, K2, K3, K4, K5, K6, K7)
    end for
end for


A Reflection Attack on GOST2 (Weak Key Class)

[Figure: structure of the attack. P → Rounds 0–2 (K0, K1, K2) → S3 → Rounds 3–12 (K3, . . . , K12; key words K3, K4, . . . , K7) → S13 → Rounds 13–17 (K13, . . . , K17; key words K0, K1, K2, K5 = K6) → C; Rounds 18–24 (K18, . . . , K24) → S25 with L25 = R25 → Rounds 25–31 (K25, . . . , K31) → C]

◮ Data complexity: 2^32 KPs

◮ Memory complexity: 2^64 blocks

◮ Time complexity: 2^192

◮ Weak Key Size: 2^224

◮ Attack can be transformed into an impossible reflection attack for all other keys (data increased to 2^64, saves a factor of 5.4 on exhaustive search)


A Fixed Point Property for GOST2

◮ Consider the key schedule of rounds 10–22:

K3 K4 K5 K6 K7 K0 K1 K2

K5 K6 K7 K0 K1 K2 K3 K4

◮ The keys of rounds 10–15 are the same as 16–21

◮ Hence, a fixed point of rounds 10–15 is a fixed point for rounds 10–21
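The two schedule properties used by the attacks (the reflection through rounds 18–31 when K5 = K6, and rounds 10–15 repeating as rounds 16–21) can be checked on a toy model of the cipher. This is an added example, not code from the talk or from the eprint reports; the S-box is a constructed placeholder (neither property depends on it) and dropping the swap after the last round is an assumed convention.

```python
# Added example: toy model of the GOST2 structure, not the authors' code.
# ASSUMPTION: SBOX is a constructed placeholder, not the eprint 2015/065 set.
import random
MASK = 0xFFFFFFFF
SBOX = [7, 12, 1, 10, 3, 14, 5, 0, 9, 2, 15, 4, 11, 6, 13, 8]
# Key word used by each of rounds 0..31, copied from the GOST2 schedule.
ORDER = ([0, 1, 2, 3, 4, 5, 6, 7] + [3, 4, 5, 6, 7, 0, 1, 2] +
         [5, 6, 7, 0, 1, 2, 3, 4] + [6, 5, 4, 3, 2, 1, 0, 7])

def f(half, subkey):
    """Add the subkey mod 2^32, apply the S-boxes, rotate left by 11."""
    t = (half + subkey) & MASK
    s = sum(SBOX[(t >> (4 * i)) & 0xF] << (4 * i) for i in range(8))
    return ((s << 11) | (s >> 21)) & MASK

def rounds(state, key, start, stop):
    """Apply Feistel rounds start..stop-1 to the state (L, R)."""
    left, right = state
    for r in range(start, stop):
        left, right = right, left ^ f(right, key[ORDER[r]])
    return left, right

def inverse_rounds(state, key, start, stop):
    """Undo rounds start..stop-1."""
    left, right = state
    for r in reversed(range(start, stop)):
        left, right = right ^ f(left, key[ORDER[r]]), left
    return left, right

def encrypt(plain, key):
    """All 32 rounds. ASSUMPTION: no swap after the last round."""
    left, right = rounds(plain, key, 0, 32)
    return right, left

def reflection_holds(weak, seed=1):
    """Force S25 = (x, x) and report whether the ciphertext equals S18."""
    rng = random.Random(seed)
    key = [rng.getrandbits(32) for _ in range(8)]
    key[6] = key[5] if weak else key[5] ^ 1   # weak class: K5 = K6
    x = rng.getrandbits(32)
    plain = inverse_rounds((x, x), key, 0, 25)
    return encrypt(plain, key) == rounds(plain, key, 0, 18)

def repeated_block_holds(seed=2):
    """Rounds 10-15 and rounds 16-21 are the same keyed permutation."""
    rng = random.Random(seed)
    key = [rng.getrandbits(32) for _ in range(8)]
    state = (rng.getrandbits(32), rng.getrandbits(32))
    return rounds(state, key, 10, 16) == rounds(state, key, 16, 22)
```

With K5 ≠ K6 the first mirrored pair of rounds (24 and 25) no longer cancels, so `reflection_holds(False)` is false for every seed.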


A Fixed-Point Attack on GOST2

Require: 2^64 pairs of known plaintexts and ciphertexts.

for (Pi, Ci), SK0, SK1, SK2, SK7 do
    S28 ← R^-1_SK28(R^-1_SK29(R^-1_SK30(R^-1_SK31(Ci))))
    S3 ← R_K2(R_K1(R_K0(Pi)))
    T[S3||S28] ← (K0, K1, K2, K7)
end for
for S10 = S16 = S22, K3, K4, K5, K6, K7 do
    S13 ← R_SK12(R_SK11(R_SK10(S10)))
    for K0[0–11], K2[0–11], K1[10] do
        (K0[0–11], K1[12–19], K2[0–11]) ← SOLVE(S16, S13, K0[0–11], K2[0–11], Carry)
    end for
    S3 ← R^-1_SK3(R^-1_SK4(R^-1_SK5(R^-1_SK6(R^-1_SK7(R^-1_SK8(R^-1_SK9(S10)))))))
    S28 ← R_SK27(R_SK26(R_SK25(R_SK24(R_SK23(R_SK22(S22))))))
    (K0, K1, K2, K7) ← T[S3||S28]
    Filter(K0, K1, K2, K7)
    TRY(K0, K1, K2, K3, K4, K5, K6, K7)
end for


A Fixed-Point Attack on GOST2

[Figure: structure of the attack. P → Rounds 0–2 (K0, K1, K2) → S3 → Rounds 3–9 (K3, . . . , K9; key words K3, . . . , K7) → S10 = X → Rounds 10–15 (K10, . . . , K15; K0[0–11], K2[0–11], K1[12–19]) → S16 = X → Rounds 16–21 (K16, . . . , K21) → S22 = X → Rounds 22–27 (K22, . . . , K28; key words K3, . . . , K7) → S28 → Rounds 28–31 (K28, . . . , K31; key words K7, . . . , K2) → C]

◮ Data complexity: 2^64 KPs

◮ Memory complexity: 2^160 blocks

◮ Time complexity: 2^237

We are working on reducing memory consumption.


Summary

◮ New GOST2 does not offer full security against fixed-point and reflection attacks

◮ Same related-key attacks can be applied (including complementation property)

◮ Simple ways to handle these issues exist


Summary of Attacks

Type of attack          Time       Data      Memory (blocks)   No. of keys
Fixed point             2^237      2^64 KP   2^160             All
Reflection              2^192      2^32 KP   2^64              2^224
Impossible reflection   2^253.56   2^63 CP   2^160             2^256 − 2^224
Impossible reflection   2^254.56   2^64 KP   2^160             2^256 − 2^224


Some Aftermath

◮ We posted our results (not including some optimizations we now have) on eprint (report 2016/532)

◮ And we got an interesting email from Grigory Marshalko:

. . . It was clear from the very beginning that with such a slight change of the key schedule it would be impossible to fully protect the cipher from these attacks since the reflection property still exists. Nevertheless the figures you obtained show that it is really possible to mitigate the security threats in a way. . . .


Summary 2

Wait!

◮ The security analysis does not really say that there are no shortcut attacks

◮ It just implies that fact

◮ and the designer admits they assumed security will not be perfect

◮ Let’s leave to the conspiracy theorists what they think of that. . .


Questions?

Thank you for your Attention!
