Security Evaluation of GOST 28147-89 in View of International Standardisation

Abstract

GOST 28147-89 is a well-known 256-bit block cipher that is a plausible alternative for AES-256 and triple DES, which, however, has a much lower implementation cost. GOST is implemented in standard crypto libraries, such as OpenSSL and Crypto++, and is increasingly popular and is used also outside of its country of origin and on the Internet. In 2010, GOST was submitted to ISO 18033 to become a worldwide industrial encryption standard. Until 2011, researchers unanimously agreed that GOST could or should be very secure, which was summarized at CHES 2010 conference in these words: “despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken.” Unhappily, it was recently discovered that GOST can be broken and is a deeply flawed cipher. One attack was already presented in February at FSE 2011. In this short paper, we describe another attack to illustrate the fact that there are now attacks on GOST, which require much less memory, and don't even require the so called ‘reflection property’ to hold, without which the recent attack from FSE 2011 wouldn't work. We are also aware of many substantially faster attacks and of some special, even weaker, cases. These will be published in appropriate peer-reviewed cryptography conferences but we must warn the ISO committees right now. More generally, our ambition is to do more than just point out that a major encryption standard is flawed. We would like to present and suggest a new general paradigm for effective symmetric cryptanalysis of so called “Algebraic Complexity Reduction.” We also explain the precise concept of “Black-box Algebraic Complexity Reduction.” This new paradigm builds on many already known attacks on symmetric ciphers, such as fixed point, slide, involution, cycling, and other self-similarity attacks, but the exact attacks we obtain could never be developed previously, because only in the most recent 5 years did it become possible to show the existence of an appropriate last step for many such attacks, which is a low data complexity software algebraic attack. This methodology leads to a large number of new attacks on GOST, cf. [12]. One example of such an attack is given in the present paper.